Trust is a foundational part of personal relationships, and it is a foundational part of the digital relationships between employees, their devices, and the enterprise.
However, the sad fact facing security professionals is that there are some insiders – whether they are disgruntled employees or external threat actors acting as legit users that penetrated the network – who cannot be trusted. This truth is at the heart of Zero Trust, but contrary to what some believe, this does not mean that security teams and IT decision-makers don’t trust their fellow users.
This misunderstanding is the fourth myth I noted around Zero Trust. In actuality, Zero Trust enhances the confidence level associated with decisions to grant access. It requires users and devices to prove they are who or what they seem – to verify their identity based on factors ranging from usernames to user activity. Unfortunately, postmortem analysis of data breaches continues to show that compromised credentials are regularly abused by threat actors to move laterally throughout the network. This reality is what makes integrating identity access management (IAM) infrastructure with cybersecurity technologies a vital component of protecting the enterprise.
The key is the ability to assess risk and enforce access rules in real time; a need enterprises are addressing by leveraging risk-based analysis to support their security architecture. Risk-based solutions work by examining factors such as IP addresses and user behavior, enabling organizations to make fast and accurate decisions about access. As I noted in previous blogs, understanding the context of an access request is critical. Who is this user? Are they performing this action from their typical machine? Is the request coming from an unfamiliar geographic location? The answers to these questions form a trail of evidence that can be used to verify a user’s identity and security posture.
Developing the best algorithms to help this process is the work of security vendors. While still maturing, User Entity and Behavioral Analytics (UEBA) tools are ripe to help businesses identify anomalous activity by users on a network. Traditionally, UEBA solutions were viewed as a sort of a standalone, next-generation version of Data Loss Prevention (DLP) because of their ability to detect risky behavior. Today, however, UEBA tools can be judged in part by the breadth of their APIs and integrations. In particular, this should include integrations into the IAM infrastructure, but also Security Information and Event Management (SIEM) systems, the enterprise’s incident response system, and governance, risk, and compliance (GRC) tools. By combining machine learning and behavioral analytics, organizations can leverage the information they need to make access decisions more quickly as described in the Identity Defined Security Framework.
Naturally, the emphasis on making real-time, risk-based decisions extends from the data center to the cloud to the user’s endpoint. As part of a Zero Trust architecture, unified endpoint management tools need to be integrated with risk-based engines as well, be they from Cloud Security Access Brokers (CASB), UEBA tools, or others. It is this holistic approach to access control that allows businesses to enforce security policies comprehensively and increases the accuracy of security decisions. In the case of CASBs, for example, enterprises can apply multiple types of policies on cloud users, ranging from single sign-on to encryption to malware detection.
In the end, Zero Trust is not a statement about workplace culture. It is an architecture built upon the idea that perimeter security and a protected intranet are insufficient to defend critical systems and data. Instead of focusing on large perimeters, Zero Trust is focused on layered security controls that safeguard micro-perimeters around not only the network but sensitive data stores, applications, and systems as well. Over the years, the concept has expanded from the model conceived by Forrester Research to apply to a more complex ecosystem that includes everything from cloud environments to containers to microservices.
An identity-defined security strategy makes this come to life by forcing users and devices to verify their legitimacy and prove their security posture. It does not demonstrate distrust, only the importance of maintaining strong security in a precarious and diverse threat landscape.
About the Author: Dr. Torsten George is a cyber security evangelist at Centrify, which delivers Zero Trust Privilege to secure modern enterprises and stop the leading cause of breaches — privileged access abuse. He also is a member of the Identity Defined Security Alliance Zero Trust Technical Working Group and serves as a strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Dr. George has been part of the global IT security community for more than 25 years and regularly provides commentary and publishes articles on data breaches, insider threats, cyber warfare, incident response, and IT security best practices, as well as other cyber security topics in media outlets. He is also the co-author of the Zero Trust Privilege For Dummies book.