Breaking the Perimeter: Building a Zero Trust Security Model with JumpCloud

Written by Kate Lake on July 26, 2021


While remote work is no longer a novel concept, it developed rather quickly as the cloud was introduced into the modern business model. Just 20 years ago, offices were fully tethered to their physical spaces with ethernet-connected desktop computers and server rooms that hosted everything needed to run the organization. The term “the cloud” didn’t even hit mainstream vocabulary until around 2006, but by 2015, 70% of companies were already using some type of open-office plan. 

After the coronavirus pandemic forced much of the world into remote work, many companies found that it saved them money, and many employees found that it made them more productive. With this, businesses started rethinking the on-prem structure that many had already begun reassigning to the cloud. This transition to cloud-based, flexible work has reconfigured — or, perhaps, eliminated — our idea of the “perimeter.” 

What was once a defined brick-and-mortar space lined with wired desktops and controlled by a physical domain controller in the closet is now an unrestricted area where employees can work where they want, communicating virtually, and relying on access to just about everything in the cloud. We call this new perimeterless workplace the “domainless enterprise.” 

JumpCloud, a cloud directory platform, powers the domainless enterprise by eliminating the need for an on-prem directory (or domain controller) and securely delivering users the IT resources they need wherever they are. Because this new “work from anywhere” model and IT resources in the cloud pose new security challenges, the JumpCloud platform’s security model is based on Zero Trust security principles: trust nothing; verify everything.

In a recent webinar, JumpCloud CTO Greg Keller joined JumpCloud product experts Amy Krishnamohan and Dave Madrid to discuss these changes to the business landscape and how JumpCloud uses Zero Trust security principles to establish trusted identities, devices, and networks in the cloud. Watch the full webinar here.

Zero Trust Security 

As companies break the perimeter, they face fewer constraints and need to connect their teams to an ever-increasing set of resources. Zero Trust relieves the security pressure this poses by taking a rigorous security approach where nothing is assumed, and access is only granted after the user has proven they meet certain security criteria: that they are the right individual, with the right device, in the right location, and logging in under the right security parameters. 

To establish this level of security, JumpCloud has created paradigms around trusted identities, trusted devices, and trusted locations/networks to help the platform understand when to authorize and when to deny access. The platform lets companies further home in on their security policies with conditional access, which adds an extra security step when an identity, device, or location registers as outside the norm.

In this blog, we’ll dive into conditional access, cover the three main elements the JumpCloud platform uses to establish trust under a Zero Trust model, and demonstrate how we configure security policies — including conditional security — around those three elements. The discussion of each element is accompanied by a video demo from the webinar that illustrates the configuration within the JumpCloud platform UI.

How Conditional Access Works

Conditional access both heightens security and improves the user experience by allowing for alternative, additional, or waived steps based on certain login criteria. For example, a user logging on with their correct credentials, on their assigned device, and on an approved network may not be prompted to complete multi-factor authentication (MFA), getting them to their resources faster. Conversely, a user logging on from coffee shop Wi-Fi may be prompted to complete MFA, required to log in over a VPN, or denied outright, depending on the settings the IT administrator chooses.

1. Trusted Identities

Trusted identities are users that are hosted within the JumpCloud directory, which can store additional attributes associated with the user, including passwords and SSH keys, user group membership, assigned devices, assigned policies, and more. JumpCloud can use these attributes to authenticate users, with the option of using multiple factors for MFA. 

The platform also allows administrators to create password requirements to ensure strong credentials, and user groups and policies help streamline access authorization, including automatic access provisioning by group and requiring MFA by group. Conditional access policies can then use these group memberships and attributes to increase or decrease security.

Dive into the JumpCloud identity creation and verification process in a quick demo — we’ll show you what user attributes the platform can store, how to associate the user with different groups, and how to create access restrictions based on those groups. 

2. Trusted Devices 

JumpCloud’s directory platform uses PKI certificates to establish and verify trusted devices by installing an X.509 certificate on the machine and checking that certificate to authenticate the device. The platform stores real-time granular insights on the device, including battery life, operating system, software/operating system status, and whether or not disk encryption is turned on. IT admins can assign devices to users and device groups, and the JumpCloud agent can automatically apply policies to devices based on their group membership to make sure devices are correctly configured and secure.

To improve the user experience, JumpCloud administrators could create a conditional policy that uses a successful certificate check as a trigger to relax MFA requirements, making it easy for employees to get right to work from their company-issued device. To increase security, they could block access when a user logs in from any device other than their trusted, assigned one.

In the following demo, we’ll dive into a device in the JumpCloud platform to get a full view of the device properties, state, and memberships that the platform stores. We’ll also show you how to configure and apply device policies and apply conditional access policies to block access through a non-trusted device.

3. Trusted Networks

Trusted networks are critical to data security and often overlooked in the traditional username/password security model; an unsecured network can still compromise data, even if the user uses their trusted device and follows all other best practices. 

JumpCloud creates and verifies trusted networks with IP address lists. These lists can be used in conditional policies in conjunction with devices and/or users. For example, users with low-level access may be allowed to access their allocated resources via an unsecured device while high-level managers with privileged access may be denied unless accessing resources via an approved network. 

In a demo from the webinar, we’ll show you how to create a list of trusted networks and the conditional policies that tell the directory how to respond to requests from each IP address list, including denying access or requiring a VPN connection.
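To make the conditional-access logic described above concrete, here is a small policy evaluator that combines the three trust signals (identity via group membership, device via an assigned device whose certificate check passed, and network via an IP address list) into one of the four outcomes the post names: allow with MFA waived, require MFA, require VPN, or deny. This is an added, self-contained illustration written for this article; it is not JumpCloud's code or API, and the user names, device IDs, group names and IP ranges are constructed. Rules are evaluated in order and the first match wins, and a malformed source address is treated as untrusted so the network check fails closed.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Callable, FrozenSet, List, Tuple


class Decision(Enum):
    ALLOW = "allow"              # all three signals match the norm; MFA waived
    REQUIRE_MFA = "require_mfa"  # step-up authentication
    REQUIRE_VPN = "require_vpn"  # must return over an approved network path
    DENY = "deny"


@dataclass(frozen=True)
class LoginContext:
    user: str
    groups: FrozenSet[str]     # directory group memberships (trusted identity)
    device_id: str
    device_cert_valid: bool    # outcome of the device's X.509 certificate check
    source_ip: str             # client address as seen by the directory


# Constructed directory state (hypothetical users, devices, groups and ranges).
ASSIGNED_DEVICES = {"alice": {"lt-alice-01"}, "bob": {"lt-bob-01"}}
PRIVILEGED_GROUPS = {"admins", "finance-managers"}
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]


def on_trusted_network(source_ip: str) -> bool:
    """Membership test against the trusted IP address list.
    A malformed address is treated as untrusted so the check fails closed."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def is_trusted_device(ctx: LoginContext) -> bool:
    """Trusted device = certificate check passed AND device assigned to this user."""
    return ctx.device_cert_valid and ctx.device_id in ASSIGNED_DEVICES.get(ctx.user, set())


@dataclass(frozen=True)
class Signals:
    privileged_identity: bool
    trusted_device: bool
    trusted_network: bool


def collect_signals(ctx: LoginContext) -> Signals:
    return Signals(
        privileged_identity=bool(ctx.groups & PRIVILEGED_GROUPS),
        trusted_device=is_trusted_device(ctx),
        trusted_network=on_trusted_network(ctx.source_ip),
    )


# Ordered rules: the first predicate that matches decides the outcome.
Rule = Tuple[Callable[[Signals], bool], Decision, str]
RULES: List[Rule] = [
    (lambda s: not s.trusted_device,
     Decision.DENY, "device not trusted or not assigned to this user"),
    (lambda s: s.privileged_identity and not s.trusted_network,
     Decision.REQUIRE_VPN, "privileged user off an approved network"),
    (lambda s: not s.trusted_network,
     Decision.REQUIRE_MFA, "unknown network; step up to MFA"),
]
DEFAULT: Tuple[Decision, str] = (Decision.ALLOW, "trusted identity, device and network; MFA waived")


def evaluate(ctx: LoginContext) -> Tuple[Decision, str]:
    """Return the access decision and the reason, suitable for an audit log line."""
    signals = collect_signals(ctx)
    for predicate, decision, reason in RULES:
        if predicate(signals):
            return decision, reason
    return DEFAULT


if __name__ == "__main__":
    # An admin on her assigned laptop, but from an address outside the trusted list.
    ctx = LoginContext("alice", frozenset({"admins"}), "lt-alice-01", True, "192.0.2.5")
    print(evaluate(ctx))  # (Decision.REQUIRE_VPN, 'privileged user off an approved network')
```

The rule order encodes the priorities the post describes: an unassigned or uncertified device is blocked before anything else is considered, a privileged identity off an approved network is pushed to a VPN rather than just MFA, and only when identity, device and network all look normal is the MFA prompt waived.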

Breaking the Perimeter with a Cloud-Based Directory 

With a cloud-based directory platform that can establish and verify trusted identities, devices, and networks, JumpCloud offers companies the ability to bring Zero Trust security to their perimeter-less organization without binding it to any physical space or on-prem equipment. 

In addition to offering directory and conditional access services, the JumpCloud platform comes with its own MFA and secure SSO solutions, providing your users the resources they need to Make Remote Work Happen®. For a more in-depth look at JumpCloud’s security offerings, watch the full webinar here.
