What is Zero Trust?
The fundamental belief of Zero Trust is that organisations should not automatically trust anything inside or outside the organisation’s IT boundaries: implicit trust should be removed, and risk-appropriate explicit trust should be established before a user (or identity) is granted any form of access to the organisation. Zero Trust can be a bit of a misnomer, because it does not necessarily mean “no trust” but rather that trust must be established first.
As we’re all too familiar with today, existing IT architectures in organisations are rife with implicit trusts. Historically, architectures have been built with products and solutions that provide hardened perimeters at physical locations, wrapped around a fleshy and chewy interior – think “prickly pear” or a “castle and moat” scenario. Zero Trust presents a change in mentality: defence shouldn’t just extend to the perimeter of our network, it should also challenge what is already inside. Analysis of the most egregious security breaches shows that they succeeded because, after penetrating the firewalls, attackers were able to move laterally, undetected and unchallenged, by exploiting implicit trusts. Implicit trusts are therefore unsuitable for preventing modern threats, and now more than ever in 2021, especially given the change in modern working environments.
The number of people working from home during 2020 doubled in the UK as a result of the pandemic. This has not suddenly caused people to become untrustworthy; it is just that their environments and equipment are now not so secure. Organisations, rightly, extended their VPNs, but this created a large and easy target for attackers. The network, still supporting implicit trust, cannot adapt to the new working environment.
Combine this with the possibility of users bringing their own unmanaged devices, and with the data the user is accessing being outside of a physical office or network perimeter, and the associated risks have greatly increased. When working remotely, users have been seen to be less security aware and more susceptible to clicking on suspicious links or files. According to Cyber Crime Magazine, global ransomware damages are expected to reach $20bn by 2021!
For an organisation setting out to achieve Zero Trust, this will require systematically removing the existing implicit trusts within the environment. There are also challenges in changing mentalities, not just in implementing technologies and resources. It’s not an overnight transformation and there is no single silver bullet to apply; it is as much about business processes as it is about technology. Some starting points are:
- Assume compromise, and that an attacker is already active in the environment
- Use context and identity (“Contextual Identity”) as the foundation for access decisions
- Location isn’t a key trust factor, but it may be one attribute used to develop trust
- Encrypt your data at rest and in transit
- Monitor everything to identify and investigate anomalies
Building an architecture that “never trusts, always verifies” leads to a highly resilient and flexible environment, which is more capable of meeting modern working demands and makes potential attackers’ lives more difficult. If an anomaly is detected, staff have more time to react, isolate and manage the incident, whether it is a network breach, a ransomware outbreak or a data compromise.
How can SecurEnvoy products contribute to a Zero Trust model?
SecurEnvoy offerings in IAM (Identity and Access Management), MFA (Multi Factor Authentication) and DLP (Data Loss Prevention) can help build foundations of a Zero Trust architecture model.
Modern authentication is the combination of access policies and MFA. SecurEnvoy introduces adaptive, conditional access to determine whether access will be allowed and/or MFA enforced.
Based on the signals SecurEnvoy receives, we’re able to automatically (or on a configured basis) control whether a user can gain access and whether they’re prompted for MFA. Based on these signals, we verify again before trusting. Least privilege is also a methodology that complements Zero Trust: users are only allowed the least amount of access required to complete their task or the job at hand.
A rule-based access policy can also be configured.
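To make the “contextual identity” starting point and the adaptive, rule-based access policy above concrete, here is an added example of a small policy engine. It is illustrative code written for this page, not SecurEnvoy’s product or its API; the signal names (managed device, source IP, risk score, factors already presented), the corporate network ranges and the resource-to-group entitlements are all constructed assumptions. It evaluates ordered rules over the signals of one access request and returns deny, allow, or allow-with-MFA, defaulting to deny so that nothing is trusted implicitly; location only lowers the bar, it never grants access on its own, and the entitlement check enforces least privilege.

```python
"""Illustrative contextual-access policy engine (added example, not SecurEnvoy code)."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional


class Decision(Enum):
    DENY = "deny"
    ALLOW = "allow"
    ALLOW_WITH_MFA = "allow_with_mfa"


@dataclass(frozen=True)
class AccessRequest:
    """Signals gathered for one access attempt (hypothetical field names)."""
    user: str
    groups: frozenset            # directory group membership
    resource: str                # application or data set requested
    source_ip: str
    device_managed: bool         # enrolled and compliant endpoint?
    authenticated_factors: int   # factors already satisfied in this session
    risk_score: int              # 0 (clean) .. 100 (likely compromised), from monitoring


# Constructed sample policy data: corporate address ranges and resource entitlements.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
RESOURCE_GROUPS = {
    "payroll": {"finance", "hr"},
    "crm": {"sales", "finance"},
    "wiki": {"staff"},
}

Rule = Callable[[AccessRequest], Optional[Decision]]


def from_corporate_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def rule_high_risk(req: AccessRequest) -> Optional[Decision]:
    # Assume compromise: an active risk signal overrides every other attribute.
    return Decision.DENY if req.risk_score >= 80 else None


def rule_entitlement(req: AccessRequest) -> Optional[Decision]:
    # Least privilege: the identity must be entitled to this specific resource.
    allowed = RESOURCE_GROUPS.get(req.resource, set())
    return None if req.groups & allowed else Decision.DENY


def rule_unmanaged_device(req: AccessRequest) -> Optional[Decision]:
    # Unmanaged (BYOD) devices get in only with MFA, and never to the most sensitive data.
    if req.device_managed:
        return None
    if req.resource == "payroll":
        return Decision.DENY
    return Decision.ALLOW_WITH_MFA


def rule_location_is_only_a_hint(req: AccessRequest) -> Optional[Decision]:
    # Being on the corporate network is one attribute of trust: it lowers the bar
    # for a low-risk session but never grants access by itself.
    if from_corporate_network(req.source_ip) and req.risk_score < 40:
        return Decision.ALLOW
    return Decision.ALLOW_WITH_MFA


RULES: List[Rule] = [
    rule_high_risk,
    rule_entitlement,
    rule_unmanaged_device,
    rule_location_is_only_a_hint,
]


def evaluate(req: AccessRequest, rules: List[Rule] = RULES) -> Decision:
    """First rule that returns a verdict wins; the default is DENY (no implicit trust)."""
    for rule in rules:
        verdict = rule(req)
        if verdict is None:
            continue
        # A session that has already presented a second factor is not re-prompted.
        if verdict is Decision.ALLOW_WITH_MFA and req.authenticated_factors >= 2:
            return Decision.ALLOW
        return verdict
    return Decision.DENY


if __name__ == "__main__":
    # Constructed sample request: finance user, managed device, off-network, one factor.
    sample = AccessRequest("alice", frozenset({"finance"}), "payroll", "203.0.113.5",
                           device_managed=True, authenticated_factors=1, risk_score=10)
    print(sample.user, sample.resource, "->", evaluate(sample).value)
```

The rule order matters: risk and entitlement checks run first so that no later, more permissive rule can override them, and an unrecognised resource has no entitled groups and is therefore denied rather than allowed by omission.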
MFA responses can be delivered in real time (or preloaded) using SMS, email, PUSH or a Soft token via the SecurEnvoy Authenticator App. Also, integration with Biometrics and the use of Hardware Tokens means MFA is always available, even if the User is offline.
SecurEnvoy’s MFA can also be implemented right at the very start of the user’s interaction with the environment, by applying MFA at the point of authentication into the environment with the Windows Login Agent (WLA). By prompting the user for an MFA response, we can be certain that the user is who they say they are. WLA supports both console and remote connections on Windows endpoints and servers.
In addition, MFA can also be applied to VPNs, IIS applications, RDS and ADFS-enabled applications. This ensures that remote connectivity is secured and that access to applications is protected against unauthorised access with just a username and password. We know that usernames and passwords just aren’t enough anymore.
SecurEnvoy’s IAM product synchronises across multiple directories (Azure AD, Microsoft AD, Google Workspace) to become the single source of truth for user directory membership and management. Bi-directional synchronisation means that if a change is made in either SecurEnvoy or a directory, the change is synced everywhere. At the directory level, we are able to detect if anyone is attempting to elevate permissions through the directory.
In addition, SecurEnvoy IAM also serves as a portal for users to access their cloud applications and resources. Leveraging SAML, SecurEnvoy can provide SSO to these applications, such as Salesforce, Workday, O365, etc. Once federated with these applications, access is only possible via SecurEnvoy.
SecurEnvoy’s DLP product can go towards securing access to critical data. We’re able to classify data and control the movement of that data. By using stringent email sender and recipient controls, inadvertent data leaks are prevented.
SecurEnvoy DLP can discover where data resides, and monitor and detect access to it. One data protection policy can provide a single-pane-of-glass view of your data. Knowing in real time exactly where data resides and who has access to it, and protecting the methods by which that data is transferred, contributes to achieving Zero Trust by ensuring that only verified users can access the data. Automated controls prevent activities that fall outside the established level of trust.
To summarise, the future of work will be hybrid, so a modern working environment must be flexible and adaptive. It must support remote workers, remote data and remote applications (such as SaaS). The architecture may restrict access, but it must be flexible enough to support an increasingly interconnected business. It must adapt to the needs of the business while allowing that business to thrive despite the threats enabled by being so connected.
Zero Trust supports all these goals by using context and identity as the control plane and minimizing access to the least required to do the job at hand. This allows the business to work as required, and not to be inappropriately constrained by security controls. Users can have risk-appropriate access to resources from any device, any time and any location, and with the same security controls in place regardless of the situation. It enables the secure use of cloud computing and secure access to on-premises resources and facilitates the migration from the latter to the former.