First impressions die hard. When the concept of Zero Trust was first introduced, the focus was on segmenting, isolating, and controlling network traffic. Today, however, those ideas represent only one part of a Zero Trust strategy.
On my list of Zero Trust myths, the second fallacy I noted was the idea that Zero Trust focuses solely on networks. The truth is far more complex. Implementing a Zero Trust strategy requires accounting for not only the network but also data, workloads, devices, and identity management, as well as all of their associated processes.
Where to Start
As it turns out, digital transformation is changing more than just application development cycles and business operations. It is also fundamentally altering the attack surface of today’s organizations. Every step companies take towards DevOps, for example, is another step they are making towards an environment with a larger number of permissions and credentials to manage. As the attack surface grows and the traditional network perimeter dissolves, the need for adaptive security policies and controls increases.
In this new reality, the path to Zero Trust must begin with identity. Cyber criminals no longer hack into enterprise networks; they target the weakest links and simply log in using stolen or otherwise compromised credentials. A survey of IT decision-makers released by Centrify in February 2019 found 74 percent of data breaches involved access to a privileged account. The study underscores the importance of operating under the principle of least privilege. Being stingy with user permissions makes it more difficult for attackers to move laterally throughout the network once they are inside the perimeter.
A larger digital ecosystem has created an additional challenge though – to unify identity management across a much more complex environment. To truly embrace Zero Trust, organizations must limit the number of shared accounts with root access, centralize identity management, and rethink the handling of privileges to reduce the attack surface.
Privileged Access Management Must Adapt
Traditional privileged access management (PAM) worked fine when it only involved administrators protecting a shared root account that they checked out of a password vault. This legacy approach, however, does not function as well in an increasingly complex environment that not only involves more users but also access requests coming from a variety of machines and APIs. Today, PAM must go beyond network devices and databases and integrate with everything from cloud platforms to container technologies.
Services such as Microsoft Active Directory allow IT to verify identity, but only in part. A more comprehensive approach should also involve the use of multi-factor authentication – not just during the login process or requests for additional access privileges, but also any time the context of the user’s action warrants further scrutiny.
Context is Critical
Understanding the context of an access request is critical to making a smart security decision. Does this person need access to this resource as part of his or her regular job function? Is the requester making the request from their usual device and geographic location?
If a request comes from a suspicious location, more verification should be required. Likewise, if the request or the user’s recent activity before the request is out of the norm, an alert can be triggered to notify the security operations team. Machine-learning algorithms have automated much of this process and allow the riskiness of a user to be determined in real time.
Technologies such as Security Information and Event Management (SIEM), User and Entity Behavior Analytics (UEBA), and Cloud Access Security Broker (CASB) solutions provide insight into risk posture as well. With the right tools, security teams can query critical information about users and devices and use that information to inform their decisions.
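A minimal version of the context-aware access decision this section describes, as an added example (not code from the original article or from Centrify): it scores a request against a per-user baseline of usual devices, locations and working hours, plus recent failed logins, and maps the score to allow, step-up MFA, or deny-and-alert. The baseline, weights and thresholds are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Baseline:
    """What is 'normal' for one user, as learned from past successful logins."""
    usual_devices: FrozenSet[str]
    usual_countries: FrozenSet[str]
    usual_hours: range  # local hours during which the user normally works


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    device_id: str
    country: str
    hour: int
    privileged: bool  # does the request ask for an admin-level action?


# Constructed baseline for a hypothetical user; a real system derives this from history.
BASELINE_ALICE = Baseline(
    usual_devices=frozenset({"laptop-01", "phone-01"}),
    usual_countries=frozenset({"US"}),
    usual_hours=range(8, 19),
)


def decide(req: AccessRequest, baseline: Baseline, recent_failures: int) -> Tuple[str, List[str]]:
    """Return (decision, reasons). Decisions: ALLOW, STEP_UP_MFA, DENY_AND_ALERT."""
    score, reasons = 0, []
    if req.device_id not in baseline.usual_devices:
        score += 2; reasons.append("unknown device")
    if req.country not in baseline.usual_countries:
        score += 3; reasons.append("unusual location")
    if req.hour not in baseline.usual_hours:
        score += 1; reasons.append("outside usual hours")
    if recent_failures >= 3:
        score += 3; reasons.append("recent failed logins")
    if req.privileged:  # privilege elevation always warrants at least a second factor
        score += 2; reasons.append("privileged action")
    if score >= 6:      # too many anomalies at once: block and notify the SOC
        return "DENY_AND_ALERT", reasons
    if score >= 2:      # something is off: challenge with MFA before granting
        return "STEP_UP_MFA", reasons
    return "ALLOW", reasons


if __name__ == "__main__":
    req = AccessRequest("alice", "payroll-db", "unknown-dev", "ZZ", 3, False)
    print(decide(req, BASELINE_ALICE, recent_failures=0))
```

The `reasons` list is what you would attach to the alert or audit record so an analyst can see which context signals drove the decision.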
Audit, Audit, Audit
Every organization should routinely assess its cybersecurity posture and the attack surface of its IT operation. A recommended IAM best practice is for security teams to adopt technologies that enable them to identify privileged accounts across their environment. After taking stock of those accounts, IT decision-makers can begin to categorize those accounts according to risk and criticality.
As new services, applications, and devices are added to a company’s digital ecosystem, their impact on security must be front and center. Auditing permissions and user accounts should be part of this process. Ideally, there should be only a limited number of shared accounts, if any. Eliminating those accounts reduces the attack surface and increases accountability, as admin users are now using their Active Directory credentials rather than a generic password.
Organizations should also consider implementing lifecycle provisioning and de-provisioning of privileged access by integrating PAM systems with Identity Governance and Administration to empower new privileged users faster and eliminate inappropriate privileges proactively.
As the adoption of new technologies grows, an identity-centric Zero Trust approach that focuses not just on the network but on protecting all identities, privileged or otherwise, allows security risks to be mitigated even as the attack surface expands.
About the Author: Dr. Torsten George is a cyber security evangelist at Centrify, which delivers Zero Trust Privilege to secure modern enterprises and stop the leading cause of breaches — privileged access abuse. He also is a member of the Identity Defined Security Alliance Zero Trust Technical Working Group and serves as a strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Dr. George has been part of the global IT security community for more than 25 years and regularly provides commentary and publishes articles on data breaches, insider threats, cyber warfare, incident response, and IT security best practices, as well as other cyber security topics in media outlets. He is also the co-author of the Zero Trust Privilege For Dummies book.