By Nick Scheidies Posted February 16, 2019
Zero Trust Security (ZTS) is an idea that has been gaining steam for a few years, but it really hasn’t been able to take off. The reason? ZTS requires totally rethinking the historical, perimeter approach to network security (exemplified by Microsoft® Active Directory® and the domain controller). In this article we’ll discuss this friction between the domain and zero trust, and explain how to take a Zero Trust Security approach to network security.
Understanding Zero Trust Security
At a high level, the Zero Trust Security model says that everything should be untrusted by default. Just because a user has access to your network, that doesn’t mean they should automatically be granted access to IT resources. Instead, trust must be verified.
Trust can be earned through a variety of methods—passwords, SSH keys, TOTP (time-based one-time password) tokens, certificates, and more—and the overarching term for all of these approaches is identity and access management (IAM). Each of these approaches can be a way to securely authorize access to resources at the moment of access. Keep in mind though, not all IAM tools are designed for this, which we’ll discuss more in the next section.
Taking a wider view, IAM alone isn’t enough. Additional methods for achieving ZTS include ensuring that your systems are safe, connections are from where they are supposed to originate, and other methods.
Zero Trust Security vs. The Domain
There are a million reasons that good security initiatives don’t take hold. But in the case of Zero Trust Security, the single biggest reason is the historical concept of the domain. While a domain controller is foundational to Microsoft® Active Directory®, it’s largely orthogonal to ZTS. The very premise of having a protected domain is contrary to the foundational tenets of ZTS.
With a domain-centric model of security, a user logs in once and then immediately has access to whatever else they need. In a Zero Trust Model, each IT resources and connection is treated atomically, ensuring that the access is validated at every step along the way.
This contrast has resulted in a lot of cognitive dissonance for IT admins who are also running AD or otherwise managing a conventional domain. While the Director of IT or CEO may be asking for you to implement Zero Trust Security, until you find an alternative solution to AD, it’s probably not going to happen.
How to Take a Zero Trust Approach to Network Security
“As we’ve come to realize, the idea that security starts and ends with the purchase of a prepackaged firewall is simply misguided.”
Senior Vice President, Business Technology Network
The implementation of Zero Trust Security starts with the assumption that all networks are untrusted. There is no domain. So each interaction needs to be atomically authenticated and verified. That means that the first step is to create an identity and access management layer to each IT resource. It starts with the person’s laptop and desktop and then extends to each of the IT resources they access to ensure that trust is being created with each interaction.
For the system itself, the security model is critical. Windows®, macOS®, and Linux® systems are the gateway to a user’s work environment. That system must itself be secure through initiatives such as anti-malware/anti-phishing, full disk encryption, and more. And, then the person’s access to that machine must be verified ideally through two factors – a username/password and then a second factor such as MFA, biometric, or other method of verification.
Once that person’s access has been authenticated, then that trust needs to be created with everything that they are entitled to access. That too is done through the authentication services of an identity and access management provider. Generally, access to external cloud infrastructure and web applications occurs over a secure connection, and that same concept should flow through to internal applications.
IAM Solution for ZTS Network Security
The Zero Trust Security model can be game changing for IT organizations, especially for those with a heterogeneous environment. But while the concept of ZTS is gaining steam, it has needed the right IAM solution to make it viable. Now, a next generation cloud identity management solution is embedding these concepts into the modern directory service.
JumpCloud®’s cloud-based directory eschews the historical concept of the domain entirely. Instead, it follows the Zero Trust Security model laid out above. JumpCloud’s core features include:
- User & system management (Mac/Windows/Linux)
- WiFi network management (Cloud RADIUS)
- SAML 2.0 SSO (see list of apps)
- Directory-level integrations with G Suite™ and Office 365™
- Samba file server and NAS authentication
That’s just the high level overview. For instance, JumpCloud’s user and system management includes MFA and full disk encryption. JumpCloud’s network management allows VLAN network segmentation. To dive deeper, visit our product page or test drive the platform for yourself when you sign up for a free account.