Organisations are coming to realise that a user name and password are not enough to secure their cyber existence. And as Kamel Heus, Regional Manager – MEA at Centrify explains, a ‘zero trust security approach’ is increasingly gaining acceptance.
The concept of zero trust is as profound in cybersecurity as the sweeping transformation generated by the arrival of cloud, mobility agility and availability.
Gartner projects that worldwide security spending will reach US$96 billion this year, yet we continue to read headlines validating that companies can’t address the threats fast enough, regardless of the growing list of vendors and solutions available. What’s even more surprising is that less than 10% of that spend is allocated for identity and access management.
Repeated mega breaches in cybersecurity have forced experts and vendors to relook at the basic underlying best practices and assumptions that have been adopted in the past and question their viability.
The revolutionary concept of zero trust security assumes that the threat actor may be already within an organisation and is posing as an employee. Or alternatively, has assumed the credentials of an employee. The concept of zero trust seeks to limit the opportunity of such an internal threat actor to use the assumed employee credentials and breach other parts of the organisation.
Previous cybersecurity practices assumed the integrity of a user’s credentials at face value and chose to verify them subsequently. In the new paradigm, any user is never trusted until both their credentials and device are rigorously verified. Identity access management solutions further grant the user access to the organisation’s resources, but only as much to complete their task, mandated by their job role.
In this scenario, the employee or user is never trusted to access resources of an organisation that he or she is entitled to. It is assumed that a threat actor can assume the credentials of any user, at any time, and must therefore be limited in their access to an organisation’s assets and resources. In short, the user is never trusted and always verified during their access to an organisation’s assets.
The zero trust security best practice is applied to all types of users including end-user of IT, privileged user, supplier, customer or partner. It also applies to all types of resources and assets whether through an application or compute infrastructure resource.
The zero trust security best practice uses a four-step approach
The first step is to verify the legitimacy of the user beyond the credentials of their username and password. Multi-factor authentication using personal information, or another known device of the employee is the usual add-on practice.
The second step is to validate the endpoint, or the device being used by the end user. Once an end user’s device has been enrolled and validated, the same device is associated with some the user to validate an element of trust the next time it is used. However, if the end user chooses to use another device, from another location, then the credentials of that device will need to be authenticated and enrolled before the end user can gain access into the organisation using that endpoint device.
Once the user and his or her device has been authenticated, the third step grants access to an organisation’s assets, but only as much as required for the task specified by their role. Users can therefore access multiple applications and compute resources only if it is required for their role. The more critical an application or a compute resource, the less access granted to an end user.
The same controls exist for all types of users including administrators, who are usually the prime targets for any threat actor because they usually have the ‘keys to the kingdom.’ The underlying control here is to limit lateral access of end users into multiple applications and compute resources, unless required for any specified task.
The last step is to make internal systems self-learning and adaptive through machine learning. While organisations need to be increasingly-secure, continuously hindering employee productivity can lead to an anarchical internal work environment. Hence, it is critical that internal cybersecurity applications learn from user behavior and enable their productivity in near normal situations but raise red flags whenever there is a deviation from the normal.
Other learnings that emerge could help chief security officers to moderate and adjust security policies to balance organisational concerns and employee productivity. Organisations adopting a zero trust approach will increasingly find that it is the right path forward to rebuild their user and resource access policies.