DNSSEC - The Key to Zero Trust Architectures

"Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets..." (From NIST SP 800-207 [1]). Zero trust architecture (ZTA) requires authentication and authorization for all such assets (also from [1]). The one common infrastructure that all these devices and assets connect to is the DNS. This makes DNS secured with DNSSEC the perfect source for the enterprise-owned and enterprise-controlled key material used to authenticate and authorize cloud-based assets and BYODs, or the trust anchor on which that key material is built.

Existing uses of DNSSEC include secure email (server-to-server and end-to-end) and remote access (e.g., SSH), in addition to protecting application data published via the DNS (e.g., MX, SPF, DKIM, DMARC, Outlook server configuration, asset identification, proof of ownership, websites). DNSSEC is mature and globally well established, and it ensures that any modification of the data it signs is detected, even a modification made by a compromised cloud-based asset.

DNS security is key in zero trust architecture
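As an added example (not code from the original article), this is the check a client makes when DNSSEC-secured DNS is the source of SSH host-key material: parse an SSHFP answer from DNS wire format and accept the presented host key only when the resolver's AD ("Authentic Data") bit reports a validated chain and the SHA-256 fingerprint matches. The DNS message and host key are constructed test data; RR type 44 (SSHFP) and the AD flag position come from the DNS specifications.

```python
import hashlib
import hmac
import struct

SSHFP_TYPE = 44     # RR type for SSHFP (RFC 4255); algorithm 4 = Ed25519, fptype 2 = SHA-256
AD_FLAG = 0x0020    # "Authentic Data" bit in the DNS header: resolver validated the DNSSEC chain

def sshfp_sha256(host_key: bytes) -> bytes:
    return hashlib.sha256(host_key).digest()        # fingerprint form used by SSHFP fptype 2

def build_sshfp_response(name: str, fp: bytes, authenticated: bool, alg=4, fptype=2) -> bytes:
    """Build a minimal one-answer DNS response carrying an SSHFP record (constructed test data)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    flags = 0x8180 | (AD_FLAG if authenticated else 0)        # QR, RD, RA, optionally AD
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", SSHFP_TYPE, 1)
    rdata = bytes([alg, fptype]) + fp
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SSHFP_TYPE, 1, 3600, len(rdata)) + rdata
    return header + question + answer

def skip_name(msg: bytes, pos: int) -> int:
    """Advance past a wire-format name, whether a compression pointer or plain labels."""
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += msg[pos] + 1
    return pos + 1

def parse_sshfp_response(msg: bytes):
    """Return (ad_set, algorithm, fptype, fingerprint) from the first SSHFP answer, or Nones."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4                           # skip QTYPE and QCLASS
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == SSHFP_TYPE:
            rdata = msg[pos:pos + rdlen]
            return bool(flags & AD_FLAG), rdata[0], rdata[1], rdata[2:]
        pos += rdlen
    return bool(flags & AD_FLAG), None, None, None

def host_key_trusted(msg: bytes, host_key: bytes) -> bool:
    """Trust the host key only if the SSHFP answer was DNSSEC-validated (AD bit) and its SHA-256
    fingerprint matches; AD is the resolver's assertion, so the path to that resolver must be trusted."""
    ad, _, fptype, fp = parse_sshfp_response(msg)
    return ad and fptype == 2 and hmac.compare_digest(sshfp_sha256(host_key), fp)
```

Without the AD check an attacker who can spoof plain DNS answers could publish a fingerprint for their own key, which is exactly the modification DNSSEC validation is meant to catch.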

Example: Lessons learned from the 4 Oct 2021 Facebook BGP/DNS Catastrophe

[1] NIST SP 800-207 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
