Say the term Zero Trust, and there will be those who take the word zero to mean exactly that: zero, as in no trust at all. In reality, Zero Trust is about acknowledging that bad actors will make their way into an organization’s environment and building defenses with that idea in mind.
This confusion is the source of the third myth I noted about Zero Trust: that it means starting with zero access. There are some functions employees at all levels will need permission to perform, such as email and logging onto the company’s intranet. Other privileges may be assigned according to roles or identities. Rather than blocking access, Zero Trust is best thought of as facilitating access securely through the use of policies and technical controls. It is about recognizing that attackers will get into the environment, and ensuring that once they do, there are checks and balances to prevent them from moving laterally.
In my previous blog, I discussed the need to account for not only the network but also data, workloads, devices, and identity management, as well as all of their associated processes. Approaching the problem with the assumption that credentials have been or will be compromised, security teams should start with a focus on identity and make access decisions based on identity verification, the context of access requests, and an understanding of the criticality of the environment.
User roles and entitlements should be defined with the principle of least privilege in mind. Shared accounts with administrator privileges should be eliminated or reduced in number. Depending on the user’s profile, organizations can enforce different levels of authentication. For example, a database administrator could require hardware-backed multifactor authentication (MFA) at assurance level 3, while an IT administrator who primarily serves Windows workstations may only require authentication via software-based one-time passwords.
Basic identity verification and assurance begin with services like Microsoft Active Directory. However, decisions about access must also factor in context. The assets that are most valuable to the business are the most damaging if compromised. Access to these resources should require additional layers of security and authentication. Factors such as user behavior should influence access decisions as well. If a particular user, for example, is attempting to access a system or database that they normally would not, it should immediately trigger additional scrutiny.
Security controls must therefore be adaptive. Security tools armed with machine-learning algorithms can analyze user activity and spot unusual behaviors in real time. From there, automated security responses can disconnect sessions, flag suspicious activity, or prompt for more authentication measures. All of this depends on continuous monitoring of user actions. Integrating the audit trail with Security Information and Event Management (SIEM) tools ensures the proper alerts are triggered.
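As an added illustration of the adaptive, identity-centred policy described in the three paragraphs above (example code written for this page, not from the original post or from any vendor product), the following assumes a three-tier assurance scale, a constructed audit trail that stands in for continuous monitoring, and a device-posture flag supplied by an endpoint manager:

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit trail of (user, resource) accesses from recent history;
# this is what continuous monitoring feeds into the behavioural baseline.
AUDIT_TRAIL = [
    ("alice", "hr-db"), ("alice", "hr-db"), ("alice", "intranet"),
    ("bob", "build-server"), ("bob", "intranet"),
]

# Assumed mapping of resource criticality to the minimum assurance level:
# 1 = password only, 2 = software one-time password, 3 = hardware-backed MFA.
RESOURCE_MIN_LEVEL = {"intranet": 1, "build-server": 2, "hr-db": 3, "payroll-db": 3}

@dataclass
class AccessRequest:
    user: str
    resource: str
    auth_level: int                   # assurance level the current session has achieved
    device_compromised: bool = False  # posture reported by the endpoint manager (assumed)

def build_baseline(audit_trail):
    """Set of resources each user has historically accessed."""
    baseline = defaultdict(set)
    for user, resource in audit_trail:
        baseline[user].add(resource)
    return baseline

def evaluate(req, baseline):
    """Adaptive decision: returns (decision, required_level, alerts).

    decision is 'deny', 'step_up' or 'allow'; alerts are events destined for the SIEM.
    """
    alerts = []
    # Unknown resources are treated as critical rather than silently permitted.
    required = RESOURCE_MIN_LEVEL.get(req.resource, 3)
    if req.device_compromised:
        alerts.append(f"{req.user}: access from compromised device denied")
        return "deny", required, alerts
    if req.resource not in baseline.get(req.user, set()):
        # Behaviour outside the user's norm: raise the bar and flag it for review.
        required = min(3, required + 1)
        alerts.append(f"{req.user}: first-seen access to {req.resource}")
    if req.auth_level < required:
        return "step_up", required, alerts
    return "allow", required, alerts
```

Note that an anomalous request is not blocked outright: it is escalated to a stronger authenticator and surfaced to the SIEM, which is the "additional scrutiny" the text describes rather than zero access.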
Using technologies such as Unified Endpoint Management (UEM) and Access Management (AM) together, organizations can query the status of devices and determine if the user is making access requests from a compromised system. Similarly, fraud detection tools can work alongside Data Loss Prevention (DLP) and Cloud Access Security Broker (CASB) solutions to apply data encryption according to policy or risk. These types of integrations are critical parts of building a comprehensive security framework that addresses the growing number of breaches triggered by stolen user credentials.
For a Zero Trust implementation to be successful, however, these adaptive security controls must not have a disruptive effect on the business. Machine-learning technology also means that as a user continues to go about his or her job, the person’s typical behavior becomes recognizable, preventing security from negatively impacting productivity. In that sense, Zero Trust is not about zero access, but making security a business enabler.
Empower the Enterprise with Zero Trust
Many businesses begin the path toward Zero Trust after experiencing a breach or failing an audit. A common cause of data breaches is compromised credentials. With its emphasis on identity management and access control, Zero Trust is a natural answer to many of the requirements of compliance regulations as well as cybersecurity.
There may be a negative connotation to the use of the word zero, but with the right tools and approach, Zero Trust solves one of the biggest challenges facing enterprise IT teams today. As the number of user and system accounts managed by enterprises continues to grow in the face of DevOps and cloud adoption, IT decision-makers need to embrace identity as a core part of security.
About the Author: Dr. Torsten George is a cyber security evangelist at Centrify, which delivers Zero Trust Privilege to secure modern enterprises and stop the leading cause of breaches — privileged access abuse. He also is a member of the Identity Defined Security Alliance Zero Trust Technical Working Group and serves as a strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Dr. George has been part of the global IT security community for more than 25 years and regularly provides commentary and publishes articles on data breaches, insider threats, cyber warfare, incident response, and IT security best practices, as well as other cyber security topics in media outlets. He is also the co-author of the Zero Trust Privilege For Dummies book.