Digital transformation and the adoption of hybrid multicloud are changing the way we do business. Users, data and resources are spread across different locations, and it is getting more and more challenging to connect them quickly and securely. Focusing primarily on perimeter security and firewalls is no longer enough. That is why organizations are starting to implement zero trust security solutions to help protect their data and resources by making them accessible only on a limited basis and under the right circumstances.
- What is Zero Trust and how does it work?
Zero Trust is a security model and a coordinated cybersecurity and system management strategy based on the acknowledgement that threats exist both inside and outside traditional network boundaries. Zero trust is summed up by the principle "never trust, always verify." This approach treats every access attempt as if it originates from an untrusted network, so access is denied until trust is demonstrated. Once users and devices have been verified as trustworthy, zero trust ensures that they have access only to the resources they need, to prevent unauthorized lateral movement through the environment.
Zero Trust embeds comprehensive security monitoring, granular risk-based access controls and system security automation in a coordinated manner throughout all aspects of the infrastructure, in order to focus on protecting critical assets (data) in real time within a dynamic threat environment. This data-centric security model applies the concept of least-privileged access to every access decision, allowing or denying access to resources based on the combination of several contextual factors.
Adoption of zero trust can help address common security challenges in the workforce, such as phishing, malware, credential theft, remote access, and device security (BYOD). This is done by securing the three primary factors that make up the workforce: users, their devices, and the applications they access.
- Identity and Authentication
Identity authentication is the foundation of a zero-trust security strategy. To continuously evaluate access to resources, you must first centralize user management and establish strong authentication processes. In order to track and manage all users across your systems, user identity must be centralized in a user and group directory. Ideally this database system integrates with your HR processes that manage job categorization, usernames, and group memberships for all users. As employees join the company, change roles or responsibilities, or leave the company, these databases should update automatically to reflect those changes. The user and group database acts as the single source of truth to validate all users that need to access your systems.
A single sign-on (SSO) system, or centralized user authentication portal, can validate primary and secondary credentials for users requesting access to any given resource or application. After validating against the user and group directory, the SSO system generates a time-limited token that authorizes access to specific resources. A centralized user database supporting a single sign-on system is therefore essential. Once that database is in place, you can introduce an authentication process such as 2FA (two-factor authentication) or MFA (multi-factor authentication) to harden your system and ensure that the users accessing your applications are who they say they are. Data in a SaaS application environment must be assumed vulnerable unless access is limited to an endpoint that you control.
There are several ways to ensure that an employee's access is restricted to the tools and assets required for their job. The first is granular, role-based access and permission levels. These should be defined for each role within your organization, with cross-functional input and agreement. Your organization's appetite for risk, and the breadth of access needed to collaborate effectively across teams, will determine the level of granularity needed for team and individual role-based access levels. Once these role-based access levels have been defined, you can begin to map out the controls needed for each system and vendor in your organization. While your SSO or identity provider may be able to support some of your access control needs, you may find that not all applications provide the level of granularity needed to limit access in this way. Access controls are an important part of any vendor risk management assessment and integral to the long-term implementation of Zero Trust.
The COVID-19 pandemic has changed the way we work and has expanded the threat landscape, with more targeted attacks on organizations from cybercriminals and nation-state groups. As well as remote work, the Internet of Things (IoT), operational technology (OT), and network-enabled smart devices introduce new points of potential compromise for enterprise networks. In such uncertain times, the best thing companies can do is to implement technology that can be scaled and adapted to meet unpredictable challenges. Implementing the foundational elements of Zero Trust Security is the key to securing your sensitive company data amid the proliferation of cloud applications, devices, and user identities.
For more information about Zero Trust Network Access, watch the PATECCO video here: