Okta recently announced the acquisition of ScaleFT as part of its vision to bring Zero Trust Security to the Okta cloud Identity and Access Management (IAM) platform. Centrify has also been promoting this model for a while now with its integrated suite of IAM solutions. But what exactly is “Zero Trust”? This article provides an overview of Zero Trust Security and how it can be used to strengthen your information security.
Why You Should Embrace Zero Trust Security
Companies have traditionally followed the Perimeter Security Model, where they create a protective barrier around IT systems using firewalls, VPNs, and threat detection systems to keep the bad stuff out. With the focus — and most of the IT security budget — concentrated on this perimeter, companies then take a softer approach to interior security: Once you are inside the network, you are trusted and can easily access the resources that you desire.
A well-designed and well-configured perimeter is still a powerful first line of defense. However, there are three key problems with perimeter security that mean it cannot be relied on by itself:
No perimeter is foolproof, and bad actors can find their way inside with a little persistence. A well-known example is Operation Aurora: beginning in mid-2009 and disclosed in January 2010, a series of sophisticated attacks widely attributed to China stole intellectual property and other sensitive information from Google, Adobe, Rackspace, and other large US companies (McAfee, which investigated the incident, gave it its name). The attackers did not break the firewall head-on; initial access came through a targeted link that exploited a then-unpatched Internet Explorer flaw on an employee's workstation, after which the perimeter offered no further resistance.
Trying to keep bad actors out of your network may not work because… sometimes the bad actors are already inside your network. According to Bomgar’s 2018 Privileged Access Threat Report, 62% of survey respondents “think it’s possible or definite they have suffered a breach through insider actions”. This can be a disgruntled employee (or ex-employee who hasn’t had their access revoked yet) seeking retribution or even rogue contractors poking around where they shouldn’t.
Due to increased adoption of the Cloud and mobile technologies and the prevalence of remote workers and bring your own device (BYOD) policies, corporate IT now extends well beyond the traditional perimeter. Microsoft Exchange and other on-premises infrastructure are being replaced with Office 365/G Suite, Workday, and AWS. And a greater number of employees are working from home as well as working on their laptops, tablets, and mobile devices.
How Zero Trust Security Works
The Zero Trust Security model, developed by John Kindervag during his time at Forrester, is a response to these inherent weaknesses in the enterprise perimeter and the extension of IT beyond that perimeter.
At a high level, Zero Trust can be summarized as:
Never trust a request because of where it comes from; always verify the identity of the user and the device, and grant only the access that request needs.
How does Zero Trust work?
Whenever someone requests access to an application, workstation, server, database, or other corporate IT asset — whether that person is inside OR outside the network — their identity must be verified with something beyond a username/password.
Verify the User:
The first step is to verify the identity of the individual making the request. For most companies, this typically means checking the user against an identity provider (IdP) such as Active Directory (AD) and confirming their access entitlements in an IAM solution like Centrify, Okta, or SailPoint. The latter is crucial to ensure that only the right people access the right resources and to help prevent over-extension of privileged access.
Verify the Device:
The next step is to verify the identity and security posture of the device. Trusted devices must carry a device certificate issued at enrollment (typically presented through mutual TLS) that binds the device to its owner, and they should be checked for malware, security misconfigurations, missing patches, and other weaknesses before a connection is allowed. Every connection should be encrypted end to end, especially since many remote workers are dialing in from public WiFi.
Zero Trust also calls for adaptive (risk-based) multi-factor authentication (MFA): how much authentication is demanded depends on the context of the request. Contextual signals commonly used to decide whether to step up include:
- Day and time of the request
- User status (e.g. away on PTO or sick leave, or recently offboarded)
- Device trust and posture, and network location
The additional factor itself should be stronger than a password, such as a hardware security key, an authenticator app, or a biometric check on the device.
For instance, say a user attempts to log in from a trusted device (a company-issued laptop) but outside their typical work hours (say, 3AM on a Saturday).
With adaptive MFA in place, that user can be presented with an additional challenge before being granted access, such as a push notification or one-time code from an authenticator app (SMS codes are better than nothing, but they can be intercepted through SIM swapping, so avoid them for sensitive systems). Or the policy may deny access altogether if nobody should be touching that asset at 3AM on a weekend.
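The three steps above (verify the user, verify the device, then apply context-aware MFA) are easiest to see as a single policy decision. The following is an added example, not code from Okta, Centrify, or Sennovate: a toy policy decision point in Python. The user directory, entitlements, device inventory, fingerprints, and thresholds are all constructed for illustration; in a real deployment they would be looked up in the IdP, the IAM entitlement store, and the endpoint-management service, and the device fingerprint would come from a validated mutual-TLS client certificate.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # grant only after an additional MFA factor is completed
    DENY = "deny"


@dataclass
class Request:
    user: str
    device_fingerprint: str   # SHA-256 of the device certificate (assumed: presented via mutual TLS)
    resource: str
    when: datetime            # local time of the request
    mfa_passed: bool = False  # True once the user has completed a step-up challenge


# Constructed directory and inventory data (hypothetical users, devices and fingerprints).
USERS = {
    "alice": "active",
    "bob": "terminated",   # offboarded in HR, but the account still exists in the directory
    "carol": "on_leave",
}
ENTITLEMENTS = {
    "alice": {"hr-portal", "prod-db"},
    "bob": {"hr-portal"},
    "carol": {"hr-portal"},
}
ENROLLED_DEVICES = {
    # fingerprint -> owner and last reported posture
    "fp-alice-laptop": {"owner": "alice", "disk_encrypted": True, "av_current": True, "patch_age_days": 3},
    "fp-alice-old":    {"owner": "alice", "disk_encrypted": True, "av_current": False, "patch_age_days": 45},
    "fp-bob-laptop":   {"owner": "bob",   "disk_encrypted": True, "av_current": True, "patch_age_days": 5},
}
SENSITIVE_RESOURCES = {"prod-db"}   # outside business hours these are denied outright
BUSINESS_HOURS = range(7, 20)       # 07:00-19:59, Monday to Friday
MAX_PATCH_AGE_DAYS = 30


def _off_hours(when: datetime) -> bool:
    return when.weekday() >= 5 or when.hour not in BUSINESS_HOURS


def evaluate(req: Request) -> tuple[Decision, list[str]]:
    """Return the decision for one request plus the reasons behind it."""
    # 1. Verify the user: known, active, and entitled to the resource.
    status = USERS.get(req.user)
    if status != "active":
        return Decision.DENY, [f"user {req.user!r} is {status or 'unknown'}"]
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        return Decision.DENY, [f"no entitlement for {req.resource}"]

    # 2. Verify the device: enrolled, bound to this user, and in a healthy state.
    dev = ENROLLED_DEVICES.get(req.device_fingerprint)
    if dev is None:
        return Decision.DENY, ["device certificate not in inventory"]
    if dev["owner"] != req.user:
        return Decision.DENY, ["device is enrolled to a different user"]
    posture = []
    if not dev["disk_encrypted"]:
        posture.append("disk not encrypted")
    if not dev["av_current"]:
        posture.append("endpoint protection out of date")
    if dev["patch_age_days"] > MAX_PATCH_AGE_DAYS:
        posture.append(f"patches {dev['patch_age_days']} days old")
    if posture:
        return Decision.DENY, posture

    # 3. Context: a request outside business hours is stepped up, or denied for sensitive assets.
    if _off_hours(req.when):
        if req.resource in SENSITIVE_RESOURCES:
            return Decision.DENY, ["sensitive resource outside business hours"]
        if not req.mfa_passed:
            return Decision.STEP_UP, ["outside business hours: additional factor required"]
        return Decision.ALLOW, ["outside business hours, step-up completed"]
    return Decision.ALLOW, ["all checks passed"]


# Constructed sample times: a Tuesday mid-morning and the article's Saturday at 3AM.
TUESDAY_10AM = datetime(2024, 6, 11, 10, 0)
SATURDAY_3AM = datetime(2024, 6, 15, 3, 0)


def demo() -> dict[str, tuple[Decision, list[str]]]:
    """Walk the scenarios from the article through the policy."""
    cases = {
        "alice, own laptop, Tuesday, hr-portal": Request("alice", "fp-alice-laptop", "hr-portal", TUESDAY_10AM),
        "alice, own laptop, Saturday 3AM, hr-portal": Request("alice", "fp-alice-laptop", "hr-portal", SATURDAY_3AM),
        "same request after completing step-up": Request("alice", "fp-alice-laptop", "hr-portal", SATURDAY_3AM, mfa_passed=True),
        "alice, Saturday 3AM, prod-db": Request("alice", "fp-alice-laptop", "prod-db", SATURDAY_3AM),
        "alice, unpatched laptop": Request("alice", "fp-alice-old", "hr-portal", TUESDAY_10AM),
        "alice on bob's laptop": Request("alice", "fp-bob-laptop", "hr-portal", TUESDAY_10AM),
        "bob (terminated)": Request("bob", "fp-bob-laptop", "hr-portal", TUESDAY_10AM),
        "carol (on leave)": Request("carol", "fp-alice-laptop", "hr-portal", TUESDAY_10AM),
    }
    return {name: evaluate(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{decision.value:8} {name}: {'; '.join(reasons)}")
```

Note the ordering: the user and device checks are hard gates that fail closed, and only a request that has passed both reaches the adaptive step. Checking the certificate fingerprint against an inventory bound to the user is what stops a valid credential from being used from an unmanaged or borrowed device.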
Lastly, any good Zero Trust architecture includes continuous monitoring, auditing, and reporting. A side benefit is that it makes demonstrating compliance with GDPR, PCI DSS, SOX, and other regulations much easier. But it is not enough to merely log security events: you must actively analyze those logs to catch anomalous behavior (a deprovisioned account still signing in, a burst of MFA failures followed by a success, a user suddenly appearing on a device they have never used) in near real time, before it escalates into a full-blown breach.
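To make "actively leverage those logs" concrete, here is an added example, not part of the original article or any vendor product: three simple detection rules run over a small constructed authentication log. The log lines, device names, IP addresses, and the list of offboarded accounts are all made up for the example; the "timestamp key=value" format is an assumption, and in practice the deprovisioned list would come from the HR feed so that the detection catches accounts HR has closed but the IdP has not.

```python
from __future__ import annotations
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log (hypothetical users, devices and addresses).
SAMPLE_LOG = """\
2024-06-11T09:00:05Z user=alice event=login_success device=lt-0042 ip=10.1.2.3
2024-06-11T09:00:08Z user=alice event=mfa_success device=lt-0042 ip=10.1.2.3
2024-06-15T03:01:10Z user=alice event=mfa_failure device=lt-0042 ip=198.51.100.7
2024-06-15T03:01:45Z user=alice event=mfa_failure device=lt-0042 ip=198.51.100.7
2024-06-15T03:02:20Z user=alice event=mfa_failure device=lt-0042 ip=198.51.100.7
2024-06-15T03:03:02Z user=alice event=mfa_success device=lt-0042 ip=198.51.100.7
2024-06-15T03:05:00Z user=alice event=login_success device=lt-0999 ip=198.51.100.7
2024-06-16T22:10:00Z user=bob event=login_success device=lt-0007 ip=10.1.2.9
""".splitlines()

# Accounts HR has offboarded; assumed to come from the HR feed rather than the IdP.
DEPROVISIONED = {"bob"}


def parse(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, deprovisioned=DEPROVISIONED, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (timestamp, rule, user, detail) tuples, in log order."""
    alerts = []
    failures = defaultdict(deque)     # user -> timestamps of MFA failures inside the window
    known_devices = defaultdict(set)  # user -> devices seen on earlier successful sign-ins
    for ev in map(parse, lines):
        user, ts, kind = ev["user"], ev["ts"], ev["event"]

        # Rule 1: any activity at all by an account that should no longer exist.
        if user in deprovisioned:
            alerts.append((ts, "deprovisioned_account_activity", user, kind))

        # Rule 2: an MFA success right after a burst of failures (push fatigue or code guessing).
        recent = failures[user]
        while recent and ts - recent[0] > window:
            recent.popleft()
        if kind == "mfa_failure":
            recent.append(ts)
        elif kind == "mfa_success":
            if len(recent) >= fail_threshold:
                alerts.append((ts, "mfa_success_after_failures", user,
                               f"{len(recent)} failures within {window}"))
            recent.clear()

        # Rule 3: a successful sign-in from a device this user has never used before.
        # The first device seen for a user is taken as the baseline (a simplification).
        if kind in ("login_success", "mfa_success"):
            dev = ev.get("device")
            if dev:
                if known_devices[user] and dev not in known_devices[user]:
                    alerts.append((ts, "new_device_for_user", user, dev))
                known_devices[user].add(dev)
    return alerts


if __name__ == "__main__":
    for ts, rule, user, detail in detect(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {rule:<32} user={user}  {detail}")
```

Each rule is stateful across lines, which is the point: none of these events is suspicious on its own, and a log that is only stored, not correlated, would never surface them. Run against the sample log the rules fire in order on the MFA burst, then on the unknown device, then on the terminated account's login.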
Implementing Zero Trust Security At Your Company
Implemented well, Zero Trust is one of the most effective ways to limit the damage of a breach: even when an attacker gets past the perimeter (or starts out inside it), every access still has to pass the identity, device, and context checks described above.
If you need help implementing Zero Trust at your company, get in touch with us. Sennovate is a managed security services provider (MSSP) that specializes in Identity and Access Management (IAM). We are your trusted security advisors and can help design, implement, and manage your Zero Trust security architecture.