With the Zero Trust Myths out of the way, where do you start?
Zero Trust is a philosophy, a set of guiding principles that can be used to improve the security posture of an organization and reduce the risk of a breach by limiting lateral movement. Implementing Zero Trust is more than simply deploying a “Zero Trust” technology. It requires a different way of looking at security and at how access to data is granted, and it requires new policies and controls related to access. Getting past the notion that the internal network is a safe place, where the same controls are not needed once you are inside, is a challenge for many customers. Customers will need to consider where they are starting from and their risk posture, which may vary by line of business, in order to establish the priorities for this journey. What to tackle first is a key question that needs to be answered.
As an example, we are in the process of working with one of our customers on the implementation of a micro-segmentation product. This will provide granular visibility of network traffic flows and the ability to further limit who can access what before application entitlements even enter the picture. This is possible because the customer already has a mature Identity and Access Management (IAM) infrastructure and program. The foundation is already in place, for example:
- Identity lifecycle of employees and contractors is managed
- Access governance processes are strictly followed, and access is regularly reviewed
- Key roles are already defined and maintained and available for use
- Multi-factor authentication is mandatory, even inside the corporate network
Customers without a mature IAM foundation in place will need to address these issues first for a solution such as micro-segmentation to be successful, as the policies will be based on an identity repository that may not be well-maintained. In this case, the end-result would be a set of policies that grant the wrong people access to the wrong resources.
Therefore, for some organizations, the most important step to start on a Zero Trust journey will be to implement a solid IAM foundation first. This can be a combination of tooling as well as manual processes to provide reliable identity lifecycle management as well as governance over identities and what they have access to.
There is more than one way to realize the tenets of Zero Trust and the same design pattern may not be used from one organization to the next. See the stories from Adobe and LogRhythm. The Identity Defined Security Outcomes and Approaches from the Identity Defined Security Alliance (IDSA) provides guidance on various approaches for implementing the necessary controls. One point is clear – a solid IAM foundation is critical to the success of a Zero Trust initiative and must be addressed early in this journey.
The drivers for why a customer is thinking about Zero Trust will vary, from digital transformation or moving a few applications to the cloud, to a response to an event such as a breach or COVID-19. The recommendation on where to start is the same: start with the fundamentals. To use a sports analogy, focus on blocking, tackling, and catching the ball before you jump straight into a spread offense and RPOs.
- Implement identity and access governance processes so you know who has valid identities and what they have access to. Review this access periodically, especially privileged access. Quarterly reviews of privileged access should be the minimum, monthly is even better. Don’t be that customer that finds out too late that the reason for a breach is because your Domain Admins group has not been cleaned up in 2 years.
- Implement a multi-factor authentication solution and minimize the reliance on passwords. This should be for application access from the internal network as well as for external access. Stop thinking of the internal network as a safe space. Where MFA may not be possible, e.g. for service accounts, prohibit interactive logins, use robust passwords, restrict who knows these passwords, and rotate them periodically. Service account passwords are a common target for lateral movement. It is amazing how frequently we find in an assessment that the SQL Server installed 10 years ago with a default password was never changed and the account is in the Domain Admins group. Standing something up quickly and getting back to it later rarely works out.
- Implement an access control solution that will verify the device in addition to the user. Is the device a known or corporate owned device? What is the health and compliance state of the device? Anomaly detection and machine learning should also be supported to determine the real-time risk associated with the access.
- Implement a Privileged Access Security solution to control and monitor the use of privileged accounts. Someone in the organization is going to click on that link in a phishing e-mail, and you want to make it as difficult as possible to get to the keys to the kingdom.
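The four fundamentals above all depend on knowing who holds which access and whether that access is still justified. As an added illustration (not code from the original post, from Atos, or from the IDSA), the script below runs a periodic access review over a small constructed identity inventory and flags the conditions the post calls out: privileged accounts whose review is overdue or that have not logged on in a long time, users without MFA, and service accounts that allow interactive logon, have not had their password rotated, or sit in a privileged group. The inventory format, the `Account` fields, the sample accounts, and the day thresholds are all assumptions chosen for the example; the one value taken from the post is the 90-day (quarterly) minimum for privileged access review.

```python
"""Added example: a periodic access review over a constructed inventory.

The Account layout and thresholds are assumptions for this illustration,
not the export format of any directory or IAM product.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

TODAY = date(2024, 6, 1)  # fixed "today" so the example is deterministic

# Groups treated as privileged (assumed list; extend to match your directory).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
MAX_PRIVILEGED_REVIEW_DAYS = 90   # quarterly review as the minimum, per the post
STALE_LOGON_DAYS = 180            # assumed threshold for an unused privileged account
MAX_SERVICE_PASSWORD_AGE_DAYS = 90  # assumed rotation interval for service accounts


@dataclass
class Account:
    name: str
    kind: str                       # "user" or "service"
    groups: List[str]
    last_logon: Optional[date]
    password_set: date
    mfa_enrolled: bool
    interactive_logon: bool         # True if interactive logon is permitted
    last_access_review: Optional[date]


def _days(today: date, when: Optional[date]) -> Optional[int]:
    return None if when is None else (today - when).days


# Constructed sample inventory; none of these are real accounts.
INVENTORY = [
    Account("alice", "user", ["Domain Admins"], TODAY - timedelta(days=3),
            TODAY - timedelta(days=30), True, True, TODAY - timedelta(days=20)),
    Account("bob", "user", ["Domain Users"], TODAY - timedelta(days=10),
            TODAY - timedelta(days=60), False, True, None),
    Account("oldadmin", "user", ["Domain Admins"], TODAY - timedelta(days=400),
            TODAY - timedelta(days=700), True, True, None),
    # The "SQL Server installed years ago" pattern from the post.
    Account("svc_sql", "service", ["Domain Admins"], TODAY - timedelta(days=1),
            TODAY - timedelta(days=3650), False, True, None),
    Account("svc_backup", "service", ["Backup Operators"], TODAY - timedelta(days=2),
            TODAY - timedelta(days=40), False, False, TODAY - timedelta(days=10)),
]


def audit(accounts: List[Account], today: date = TODAY) -> List[Tuple[str, str]]:
    """Return (account name, finding code) pairs for every control gap found."""
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        privileged = bool(set(a.groups) & PRIVILEGED_GROUPS)
        if privileged:
            reviewed = _days(today, a.last_access_review)
            if reviewed is None or reviewed > MAX_PRIVILEGED_REVIEW_DAYS:
                findings.append((a.name, "PRIV_REVIEW_OVERDUE"))
            used = _days(today, a.last_logon)
            if used is None or used > STALE_LOGON_DAYS:
                findings.append((a.name, "PRIV_STALE"))
        if a.kind == "user" and not a.mfa_enrolled:
            findings.append((a.name, "MFA_MISSING"))
        if a.kind == "service":
            if a.interactive_logon:
                findings.append((a.name, "SVC_INTERACTIVE_LOGON"))
            if (today - a.password_set).days > MAX_SERVICE_PASSWORD_AGE_DAYS:
                findings.append((a.name, "SVC_PASSWORD_NOT_ROTATED"))
            if privileged:
                findings.append((a.name, "SVC_PRIVILEGED"))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group finding codes by account, sorted, so the report is stable."""
    report: Dict[str, List[str]] = {}
    for name, code in findings:
        report.setdefault(name, []).append(code)
    return {name: sorted(codes) for name, codes in report.items()}


if __name__ == "__main__":
    for name, codes in summarize(audit(INVENTORY)).items():
        print(f"{name}: {', '.join(codes)}")
```

Run as-is, the report names `bob` (no MFA), `oldadmin` (privileged, never reviewed, unused for over a year) and `svc_sql` (privileged service account with interactive logon and a password unchanged for a decade); `alice` and `svc_backup` produce no findings. In practice the inventory would come from your directory and IAM governance tooling rather than a hard-coded list, and the review output would feed the periodic attestation process the post describes.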
There are more sophisticated solutions that can continue to add controls to this list but, without these fundamentals, you will find it hard to fully realize the benefits of the more advanced solutions. For more guidance on establishing a sound foundation refer to the IDSA’s IAM best practices and blog series.
About the Author: Allen Moffett is the Deputy Head of Cybersecurity and IAM CTO, NA for Atos, which is a global leader in digital transformation with 110,000 employees in 73 countries and annual revenue of € 12 billion. Allen is the global lead for the IAM and Biometrics sub-domain of the Atos Expert Community, helping to steer business strategy and building the technology roadmap by anticipating the products and services that will be needed by the market. He also is a member of the Identity Defined Security Alliance Zero Trust Technical Working Group. Prior to Atos, Allen has led the delivery of innovative IAM and security solutions globally for CTI Global, Unisys, Siemens, and Banyan Systems.