By Cassa Niedringhaus Posted October 22, 2019
IT admins looking to strengthen their company’s security posture and increase protection of company resources should consider the “zero trust security” methodology.
The concept is in the name. Nothing, down to any single employee, is trusted by default. At its core, zero trust security requires a central identity provider to authenticate and authorize users, but other features can increase security beyond that alone.
Following this concept, IT admins can fortify each layer and connection — between employees and resources, across networks, and more — and reduce the potential attack surface. It is a growing methodology, and currently one of the most researched security solutions.
As the Department of Defense examined its own security policies and the implementation of zero trust security policies, it outlined three fundamental steps in a white paper: verify the user, verify the device, and verify access privileges. The report compared today’s enterprise networks to an apartment building: There are more access points and more people seeking access than in a house, so you wouldn’t give the same key to each resident of an apartment building.
Each apartment is individually locked, and access is segmented. So, even if a non-resident gets into the building, they still must pass through more layers before gaining access to an apartment.
IT admins hoping to implement zero trust practices should start with employees. Note, we realize that contractors, vendors, and others might also be supporting the organization, and we are using “employees” as shorthand to include those folks as well.
In a past era, employees came to the office, used their credentials to log into Windows® workstations, and gained access to authorized resources through the Windows machines, all of which were on-prem.
Now, employees open their laptops (which could be macOS®– or Linux®-based as well) — sometimes in the office, sometimes remote — and use their credentials to log into their systems, web applications, cloud infrastructure, virtual file servers, and other remote resources. IT admins want to ensure people are who they say they are and can confirm that through a mix of factors, including a password (something they know) and a multi-factor authentication (MFA) token (something they have).
To strengthen employee passwords, IT admins can require they use password vaults to generate long, more complex passwords, which employees might not necessarily remember without their prompting.
Additionally, whether it’s a generated time-based one-time password (TOTP) or a physical security key, some form of MFA is crucial for verifying an employee’s identity. During a Google investigation of its security policies, the company found that its hardware token, Titan, helped users guard against attempted phishing attacks. None of the users “that exclusively use security keys fell victim to targeted phishing,” Google noted.
IT admins can use other factors, like geography and historical patterns, to further validate that the person is who they say they are and to ward off bad actors leveraging stolen credentials. However, MFA is the leading tactic here and could prevent an estimated 80% of data breaches.
With a central identity provider, IT admins can also quickly revoke credentials, whether they are stolen, the employee leaves the company, or for other security reasons.
Employees are an organization’s most vulnerable attack vector, so these practices are a critical piece of implementing zero trust security.
In the next layer of zero trust security, IT admins then need to ensure that the validated employees use clean systems to which they have rightful access, including confirming that the user and/or the organization owns each device.
IT admins can implement a variety of procedures to better secure systems, beyond requiring MFA for employees, which is a key first step. They also need to ensure the machine has the correct security and policy settings.
There are various avenues to do this, including using anti-malware systems; full-disk encryption to protect the hard drive in the case that a system is lost or stolen; policies, like disabling access for USB devices or requiring screen lock after a minute or two; and monitoring software to analyze devices.
From a central identity provider, IT admins can enforce policies quickly on their fleet of machines. They can also monitor each machine’s functions, data, and files and flag suspicious activity that might signal a bad actor.
Applications and Other Resources
After validating an employee and their machine, IT admins then want to ensure that both the user and the system have rights to the applications (or networks on which the applications sit) that they are accessing.
MFA comes into play again for application access. That access also needs to come from a secure connection, which employees can execute through a VPN or secure tunnel to the application. Or, they might be limited to a certain network where access is enabled.
IT admins can also implement a variety of procedures to ensure secure employee access to applications and other resources, including authentication mechanisms such as SAML, LDAP, RADIUS, and single sign-on.
They can use dynamic VLAN assignment, too, which allows them to segment employee access to applications by VLANs. Although this is not an authentication mechanism, they can, for example, allow one department to access an application that contains sensitive information while restricting access for another department that doesn’t need it.
Lastly, IT admins want to ensure that the networks their employees use are as secure as possible, or at least protected through a VPN when employees are working remotely.
Although monitoring tools — event logging, system event logging, etc. — can give IT admins a better picture of network traffic and help pinpoint an attempted breach, their primary focus should be ensuring employees authenticate to a VPN or other secure connection with their credentials and MFA.
As Forrester, the firm that pioneered zero trust security, noted in a 2016 report, “Employees that have administrative access to sensitive applications and systems can wreak havoc for a firm if they have malicious intent.” These types of zero trust procedures help lock down sensitive information and control access to it.
Although implementing zero trust security procedures throughout the enterprise requires ongoing work, it’s a good avenue for IT admins looking to ensure that employees are who they say they are and have the rightful access to the resources they’re accessing. In an era where the moat-and-castle approach to security no longer works, zero trust security offers an interesting, more powerful security approach.
Interested in learning more about zero trust security and improving your organization’s security posture? Give us a shout, and our security experts will help you implement zero trust security tactics in your own organization.