Identity Trust: Are You the Right Person?

Written by Zach DeMeyer on December 29, 2020


Today’s IT administrators have a lot on their plates. The start of 2020 brought on a complete adjustment to the way we work, forcing many admins to mobilize fully remote workforces and then deal with enabling those remote users to do their jobs effectively. Now that a majority of organizations have adapted to this new paradigm, the challenge for admins shifts to securing remote employees and controlling their access to critical resources.

Unfortunately, traditional approaches to security that rely on network perimeter defenses struggle to protect employees working outside the office. Traditional access controls also assume on-premises connectivity, a difficult requirement when employees are entirely remote. Moreover, studies like the Verizon Data Breach Investigations Report have repeatedly found that stolen or weak credentials are among the most common ways attackers get in. That is why many organizations are instead making identity trust the basis of their security approach. Let's look at what identity trust means, specifically in a Zero Trust context, and how organizations can implement it remotely and at scale.

What is Zero Trust?

Zero Trust is a security model built on the idea that no user, no device, and no access path should be trusted by default: every request is authenticated and authorized on its own merits, regardless of where it originates. As a whole, the concept is a radical shift from the way security has been practiced for many years.

Traditional Perimeter-based Security

For many decades, physical perimeters like the office building and network served as the core bastion against external attacks. The corporate firewall was an essential part of the network, as it kept unauthorized users from accessing corporate resources by stopping them at the edge. Although that strategy worked somewhat well, changes in IT posed significant issues to the perimeter-based security model. 

With more end users on a variety of devices needing access to corporate resources away from the office, perimeter-centric security proved too rigid to accommodate them. From 2007 to 2020, companies had to slowly transition from "internal access only" organizations to organizations that embraced mobility. The key switch was that, instead of network location being the deciding factor in an access decision, identity took its rightful place at the top of the security hierarchy.

Developing Identity Trust

When admins realized that verifying the right identity was perhaps the most critical part of securing access, it came with its own set of problems for information security professionals. The first and foremost of these is that identities can be stolen. The credentials that prove a digital identity, most often a username and password, can be compromised through multiple avenues.

Besides brute force attempts, tricks like phishing, spear phishing, and other web-based ploys fool unwitting end users into supplying their username and password for a service. A phony webpage captures the credentials, which are then used to log into the user's real account and wreak havoc. According to the 2020 Verizon Data Breach Investigations Report (DBIR), over 80% of breaches involving hacking made use of brute force or lost or stolen credentials. To make matters worse, employees have been known to choose passwords that are easy to guess or reused across personal and corporate accounts, so a single leaked credential can unlock several services.

A core part of building identity trust is to ensure that end user passwords are strong enough to resist brute force and credential-stuffing attacks: long, unique to each service, and screened against lists of passwords exposed in previous breaches. This goes hand in hand with training end users to spot phishing attempts and counterfeit login pages. Even then, an end user identity may still be compromised. This looming threat is why managing security for identities requires more than controlling passwords. It also requires a strategy covering all the resources that identity is connected to.

MFA for Identity Trust

Multi-factor authentication (MFA), of which two-factor authentication is the most common form, is vital to securing corporate resources in a Zero Trust environment. MFA requires something the user knows (a password) plus something the user has (another trusted device) in order to log into a device, tool, or service, and some implementations add something the user is (fingerprints, retinal scans, and so on). Even if a password were compromised, an attacker would not be able to generate a one-time code from the user's MFA tool, such as a physical hardware token or a mobile authenticator app. Since these tools rotate codes every 30 to 60 seconds, a captured code is useless almost immediately, so an easy-to-guess password or one reused from another account cannot by itself be the source of a major corporate data breach. One caveat worth knowing: a one-time code can still be relayed by a phishing page that proxies the real login in real time, which is why phishing-resistant factors such as hardware security keys are preferred for the most sensitive accounts.

Although incredibly effective, requiring multi-factor authentication at every sign-in frustrates end users, so a better strategy is an adaptive multi-factor authentication approach. In an adaptive environment, policies are evaluated against the login context, such as requiring MFA by group for access to a particularly sensitive resource (a financial system, for example), so that routine, low-risk logins see fewer MFA prompts while risky login attempts receive additional challenges.

Admins can also scope MFA by role or user group, allowing specific populations such as warehouse workers or C-suite executives to skip entering MFA codes unless their access comes from an untrusted device or network. With a properly implemented adaptive multi-factor authentication solution, organizations reduce the help-desk load that comes with failed logins and unnecessary prompts without weakening protection where it matters.
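To make the adaptive approach concrete, here is an added example (not JumpCloud's code, and not a description of its policy engine) of a small policy evaluator: each login attempt carries its context, ordered rules decide between allowing the request, challenging for MFA, or denying it, and the evaluator fails closed when a required challenge cannot be satisfied. The group names, resource names and lockout threshold are constructed for illustration.

```python
# Added example (not JumpCloud's code): an adaptive-MFA policy evaluator.
# Group names, resource names and the lockout threshold are constructed.
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Tuple


class Decision(Enum):
    ALLOW = "allow"              # no additional challenge
    REQUIRE_MFA = "require_mfa"  # prompt for a second factor
    DENY = "deny"


@dataclass(frozen=True)
class LoginContext:
    user: str
    groups: FrozenSet[str]
    resource: str
    device_trusted: bool         # device is enrolled and managed
    network_trusted: bool        # source address is on a known corporate network
    mfa_enrolled: bool = True    # user has a registered second factor
    recent_failures: int = 0     # failed logins for this user in the last window


# Constructed policy inputs.
SENSITIVE_RESOURCES = frozenset({"finance-erp", "hr-payroll"})
ALWAYS_MFA_GROUPS = frozenset({"it-admins"})
LOCKOUT_THRESHOLD = 5


def _policy(ctx: LoginContext) -> Tuple[Decision, str]:
    """Ordered rules; the first that applies wins. Most restrictive first."""
    if ctx.recent_failures >= LOCKOUT_THRESHOLD:
        return Decision.DENY, "too many recent failures (online brute force)"
    if ctx.resource in SENSITIVE_RESOURCES:
        return Decision.REQUIRE_MFA, f"sensitive resource {ctx.resource}"
    if ctx.groups & ALWAYS_MFA_GROUPS:
        return Decision.REQUIRE_MFA, "privileged group membership"
    if ctx.device_trusted and ctx.network_trusted:
        return Decision.ALLOW, "trusted device on known network"
    return Decision.REQUIRE_MFA, "untrusted device or network"


def evaluate(ctx: LoginContext) -> Tuple[Decision, str]:
    """Apply the rules, then fail closed: a challenge the user cannot satisfy
    becomes a denial rather than a silent fallback to password-only login."""
    decision, reason = _policy(ctx)
    if decision is Decision.REQUIRE_MFA and not ctx.mfa_enrolled:
        return Decision.DENY, f"{reason}; MFA required but not enrolled"
    return decision, reason


if __name__ == "__main__":
    # Constructed login attempts.
    attempts = [
        LoginContext("alice", frozenset({"warehouse"}), "wiki", True, True),
        LoginContext("alice", frozenset({"warehouse"}), "wiki", True, False),
        LoginContext("bob", frozenset({"finance"}), "finance-erp", True, True),
        LoginContext("carol", frozenset({"it-admins"}), "wiki", True, True),
        LoginContext("alice", frozenset(), "wiki", True, True, recent_failures=5),
        LoginContext("dave", frozenset(), "wiki", False, False, mfa_enrolled=False),
    ]
    for attempt in attempts:
        decision, reason = evaluate(attempt)
        print(f"{attempt.user:6} {attempt.resource:12} -> {decision.value:12} ({reason})")
```

Returning the reason alongside the decision is deliberate: every challenge or denial should be logged with the rule that produced it, both for audit and so that a policy that prompts too often can be tuned from evidence rather than complaints.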

Finding an Identity Trust Solution

Zero Trust security is a requirement for forward-thinking organizations, as the days of tying an identity to a single device are long gone. Employees use their identities to access corporate resources from all their devices, whether they are in the office, working from home, in a hotel, or between meetings at a local coffee shop. The ability to do work is no longer about where you are, but about what you need to do. A single secure identity, connected to every resource (applications, on-prem servers, files, networks, devices) and verified with MFA at authentication, is the approach organizations must take.

Organizations can leverage the JumpCloud Directory Platform to implement identity trust in a Zero Trust context. JumpCloud is a full-suite identity, access, and device management tool leveraged entirely from the cloud. With JumpCloud, end users only need one identity to access their devices as well as their other IT resources through their JumpCloud User Portal.

JumpCloud offers multi-factor authentication solutions that work remotely, both at the User Portal and cross-platform (Mac®, Windows®, and Linux®) device level so employees can access all resources in a secure manner regardless of location. For expedient onboarding and management processes, admins can even implement MFA by group membership, ensuring that all critical roles are protected. JumpCloud’s MFA is an easy-to-implement security standard to keep your data safer and a core tenet of the central user identity services provided by the JumpCloud platform. 

Using JumpCloud, you can also implement Conditional Access policies that require end users to work from a trusted identity, an authorized device, and a known network, relaxing MFA requirements for those that do and enforcing MFA for untrusted attempts.

Try JumpCloud Free

You can see what all the JumpCloud platform has to offer absolutely free. Try JumpCloud today with 10 users and devices with 10 days for premium support to get you started.
