IBM NS1 Connect


Just Enough Zero-Trust

By Reggie Best posted Wed March 13, 2024 02:39 PM


While most of us never think much about the Domain Name Service (DNS) in our everyday routines, or we just dismiss it as network “plumbing” that converts the domain names we enter into IPv4/v6 addresses, the fact is that every Internet and enterprise IP network connection starts with a DNS lookup.

Unfortunately, that often includes those connections that are security traps set by hackers and bad actors:

· Unauthorized users gaining access to enterprise web sites and resources
· Legitimate users inadvertently accessing known phishing and malware sites
· IoT devices becoming part of command-and-control botnets

Just imagine if we could improve enterprise DNS by using the identity of the requester (a user or a device) to decide whether its DNS resolution request is answered at all. That would mean that if we don’t know who you are, i.e. we cannot establish your identity, you get no answer to your DNS resolution request. And if a device (read: IoT) tries to resolve a destination domain name that looks suspicious, as if it may pose a threat, or that is an unauthorized destination for that device, the request goes unresolved or is “steered” to an acceptable, allowed destination.

Those are basic “zero-trust” security principles – capabilities that could be offered within the DNS negotiation that every connection starts with.
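The following is an added illustration of the decision flow described above, not code from NS1 or from the author. It models a small policy layer in front of a resolver: an unknown identity gets no answer, a name on a threat list or outside a device's authorized destinations is steered to a sinkhole address, and everything else is resolved normally. All identities, domain names, addresses and the threat list are constructed for the example.

```python
"""Identity-aware DNS policy layer (constructed example, not NS1 code).

Given the identity of the requester and the queried name, decide whether the
query is resolved, refused outright, or steered to a safe address.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, List, Optional


class Action(Enum):
    RESOLVE = "resolve"  # answer from the record data
    REFUSE = "refuse"    # identity unknown: no answer at all
    STEER = "steer"      # suspicious or unauthorized: answer with the sinkhole


@dataclass(frozen=True)
class Decision:
    action: Action
    answer: Optional[str] = None  # address handed to the client, if any
    reason: str = ""


@dataclass
class Identity:
    name: str
    kind: str  # "user" or "device"
    # Destinations this identity may reach; empty means unrestricted.
    allowed_suffixes: frozenset = field(default_factory=frozenset)


def normalize(qname: str) -> str:
    """Lower-case and drop the trailing dot so comparisons are consistent."""
    return qname.rstrip(".").lower()


def matches_suffix(qname: str, suffix: str) -> bool:
    """True if qname equals suffix or is a subdomain of it (label-aligned,
    so 'evilexample.com' does not match 'example.com')."""
    q, s = normalize(qname), normalize(suffix)
    return q == s or q.endswith("." + s)


class DnsPolicy:
    def __init__(self, identities: Iterable[Identity], blocklist: List[str],
                 records: Dict[str, str], sinkhole: str):
        self.identities = {i.name: i for i in identities}
        self.blocklist = [normalize(b) for b in blocklist]
        self.records = {normalize(k): v for k, v in records.items()}
        self.sinkhole = sinkhole

    def decide(self, client_id: Optional[str], qname: str) -> Decision:
        ident = self.identities.get(client_id) if client_id else None
        if ident is None:
            # Zero-trust default: no established identity, no answer.
            return Decision(Action.REFUSE, reason="unknown identity")
        q = normalize(qname)
        for bad in self.blocklist:
            if matches_suffix(q, bad):
                return Decision(Action.STEER, self.sinkhole, f"matches threat entry {bad}")
        if ident.allowed_suffixes and not any(matches_suffix(q, s) for s in ident.allowed_suffixes):
            return Decision(Action.STEER, self.sinkhole,
                            f"{ident.kind} {ident.name} not authorized for {q}")
        addr = self.records.get(q)
        if addr is None:
            return Decision(Action.RESOLVE, None, "no such name")
        return Decision(Action.RESOLVE, addr, "allowed")


# Constructed sample data: identities, a threat list, records and a sinkhole.
IDENTITIES = [
    Identity("alice", "user"),
    Identity("thermostat-07", "device", frozenset({"telemetry.example.net"})),
]
BLOCKLIST = ["phish.example.org", "c2.example.com"]
RECORDS = {
    "intranet.example.com": "10.0.0.10",
    "login.phish.example.org": "203.0.113.5",
    "telemetry.example.net": "10.0.5.20",
}
SINKHOLE = "10.255.255.1"
POLICY = DnsPolicy(IDENTITIES, BLOCKLIST, RECORDS, SINKHOLE)


def resolve(client_id: Optional[str], qname: str) -> Decision:
    """Entry point: apply the policy for one query."""
    return POLICY.decide(client_id, qname)


if __name__ == "__main__":
    queries = [
        (None, "intranet.example.com"),            # no identity -> refused
        ("alice", "intranet.example.com"),         # known user -> resolved
        ("alice", "LOGIN.phish.example.org."),     # threat list -> sinkhole
        ("thermostat-07", "telemetry.example.net"),  # device, authorized
        ("thermostat-07", "intranet.example.com"),   # device, unauthorized -> sinkhole
    ]
    for cid, name in queries:
        d = resolve(cid, name)
        print(f"{str(cid):14} {name:28} -> {d.action.value:8} {d.answer or '-':14} ({d.reason})")
```

The identity would in practice come from a device-management or ZTNA integration rather than a literal client id, and the threat list from a feed, but the decision order (identity first, then threat match, then per-identity authorization, then resolution) is the part worth keeping.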

The concept of zero-trust security emerged in the early 2000s in the wake of recognized limitations of perimeter security and was further popularized by Forrester Research. Analyst John Kindervag presented the idea that an organization should replace implicit trust with explicit trust and adopt a policy of least-privilege for resources and network access, whether inside or outside its perimeter.

For many organizations, the ability to attach this type of zero-trust capability to DNS may prove to be “just enough zero-trust” for many, if not most, of their use cases. For others, it may provide a significant up-leveling of their zero-trust capabilities, essentially another layer of zero-trust security, in partnership with an enterprise-class zero-trust network access (ZTNA) model.

Our IBM NS1 engineering and product teams have been working on just such a capability. We are now engaging members of our NS1 community, enterprise customers and other interested parties from the mobile device management, zero trust network access, threat intelligence, recursive DNS community and other service providers who are interested in becoming design partners to work with the NS1 engineering team for access to a private-preview of these capabilities.

If you’re interested in finding out how you can become a design partner, reach out to me directly.

Reggie Best

Head, NS1 Product Management