Rome wasn’t built in a day … but it was nearly ruined in a night. That’s the thing about empires, they’re fragile. Just like trust. We can further extend this analogy to our enterprise architecture; it takes a long time and massive effort to build a successful organization and gain customer trust, but one security mishap can reduce all your efforts rubble. 

In 2022, we all heard about the GTA 6 game leak just before its release date. This leak was big enough to put the game’s publisher in trouble financially, and there were speculations that an insider, like an employee, was involved. So the question is: “Whom should we trust with security?” Security is as strong as the weakest link.

And the answer is: “Trust no one,” and that’s what leads us to Zero Trust Security (ZTS).

ZTS is an architectural framework that aims to protect organizations from security threats, attacks, and data breaches by complying with security protocols at each access point.

Prior to ZTS, perimeter-based security was the popular approach. In perimeter-based security, we authenticate and authorize the entity only at the peripheral level using firewalls, virtual private networks, and so on. Once the entity gains access, it can access all the resources. Unauthorized lateral movement has been one of the major concerns in perimeter-based security.

By contrast, ZTS enforces authentication and authorization at every entry point. In general, we can apply ZTS to enterprise applications, cloud-native apps, APIs, and so on.  In this blog post, we’ll mainly focus on implementing ZTS for APIs and exploring what MuleSoft has to offer when it comes to Zero Trust Security.

Core principles of ZTS

The entire concept of ZTS is based on the following four core principles:

• Trust no one and always verify: Regardless of the persona — customer, CEO, developer, and so on — we authenticate and authorize their access at every stage. If there are multiple entry points to gain access to a particular resource, we need to enforce validation at every entry point. We use Identity and Access Management (IAM) and multi-factor authentication (MFA), and we apply security policies.
• Least privileges and default deny: By default, access will be denied to all the resources. Once the entity is authenticated and authorized, based on the credential, we can grant access with the least privileges. We need to ensure that we’re authorizing only essential resources. We can control the access for different roles using the role-based access model and modify the privileges accordingly.
• Full inspection and visibility into the flow of data: We need to ensure there is transparency in the flow of data. We should be careful with logging the payload as it could involve sensitive information. If there are multiple end systems and APIs involved, we should have a 360-degree overview of the system’s architecture and flow of data. In this way, we can control the misuse of sensitive information and information leakage.
• Centralized control management: In order to implement strong security measures, we need a centralized management center. This will enable us to apply security measures across all entities. It also gives us complete control over the organization’s infrastructure from a security perspective. API Manager is one place to stop managing APIs, Mule, and Non-MuleSoft applications. You can manage, secure, and govern apps with the help of API Manager.

Implementing Zero Trust Security

Your existing infrastructure very likely has some security measures already implemented. In order to implement ZTS, you don’t have to start building everything from scratch or rebuild your existing security infrastructure. All you need to do is plan out security measures well and identify the loopholes. You can achieve this by taking a micro-segmentation or layered security approach.

Microsegmentation or layered security approach

This is a technique in which we divide the infrastructure into levels or segments and then apply security measures. We can also consider it as “divide and conquer,” where we are dividing the large infrastructure into smaller fragments for better security and control. This approach gives us security at a granular level.

We can implement the core principles of ZTS in the following manner:

1. List all the assets, end systems, applications, data, and API endpoints. Check device and system health. Implement end-to-end authentication and do not allow lateral access.
2. Outline the data flow and connections. Architect your current infrastructure.
3. Based on the criticality of information, identify the security policies to be applied at each entry point. Implement role- and policy-based access.
4. Enforce security implementation via a central management system and monitor your infrastructure. 

ZTS with MuleSoft

You may already familiar with the integration capabilities of MuleSoft and how to leverage API-led connectivity to build a composable infrastructure.  The following will help you understand how to implement ZTS using the security capabilities of MuleSoft. 

Let’s take into consideration a composable architecture built using API-led connectivity (see the image below). The outer, red-dotted line denotes perimeter-based security as we’re applying security at a peripheral level. In order to apply ZTS, we will apply security measures at every API layer and across the entire API endpoint. The inner red-dotted lines at the process layer indicate that we’ve applied a Basic Authentication and Header Removal policy at the entry point from the experience layer to the process layer.

How do we achieve ZTS with MuleSoft?

1. Applying out-of-box security policies: MuleSoft offers several out-of-box security policies right from Basic Authentication to OAuth and JWT. We can easily apply these policies at our API gateway level using Anypoint API Manager. We can also customize these policies to meet our organization’s standards and regulations.
2. Building secure environments: We can enforce threat protection at each edge perimeter automatically using Anypoint Security on a platform with ISO 27001, SOC 1 & 2, HIPAA, PCI DSS, and GDPR compliance.
3. Effective logging and monitoring: We can achieve transparency using the logging and monitoring capabilities of MuleSoft, and use API Catalog CLI to discover and catalog our APIs.
4. Continuous governance: We use Anypoint API Governance to identify, validate, and enforce security best practices for APIs, such as the OWASP Top 10, from design to implementation.

Conclusion 

In this blog, we’ve learned about Zero Trust Security and its core principles. We are also aware of the difference between perimeter-based security and ZTS, and why ZTS is important. Furthermore, we’ve learned how we can implement ZTS using MuleSoft and the security capabilities that MuleSoft has to offer.

Resources

• Zero Trust Maturity Model v2.0 
• Anypoint platform security (product page)
• MuleSoft Top 5 Security Best Practices (whitepaper)
• Get Started with Zero Trust Security (Trailhead trail) 
• Identity and Access Management with Anypoint (blog post) 

About the author

Akshata Sawant is a Senior Developer Advocate at Salesforce. She is an author, blogger, and speaker, and the co-author of the title, MuleSoft for Salesforce Developers. Akshata is an active member of the MuleSoft Community and a former MuleSoft Ambassador. She loves reading, dancing, traveling, and photography, and is a big-time foodie. Follow her on Twitter and LinkedIn.