With so many breaches occurring worldwide and so many organizations and consumers being impacted, IT admins are shifting their attention to a Zero Trust Security model. This concept has been around for a few years, but as digital assets become increasingly difficult to protect, the zero trust security approach is picking up serious traction.
Layered Security is Protection of the Past
Fundamentally, dramatic changes in the IT network are driving this new approach to security. In the past, IT organizations worked with digital assets from the core of their network and then placed rings of security around those assets. This approach was often termed “defense in depth” or “layered security,” and the basic premise was that an attacker would need to penetrate multiple layers of security (network, application, host, and data, for example) in order to gain access to the most critical digital assets. Authorized users simply bypassed all of that security because they were inside the perimeter: logging in to their machine granted them access to their IT resources.
This defense-in-depth approach made sense when the network was on-prem and largely Windows-based. The first (innermost) ring of defense was usually focused on the identity; in short, a user needed to have access to the domain. From there, the next layer was ensuring that the system had anti-malware solutions or host-based intrusion detection systems. The third layer usually focused on applications and data: users needed to have rights to those, and often the data would be encrypted. Finally, the outermost layer was the network perimeter, containing firewalls, intrusion detection systems, VPNs, and more. An attacker had to penetrate each of these layers in turn in order to gain control over digital resources or assets.
The Need for a Zero Trust Security Model
Nowadays, networks are no longer on-prem or Windows®-based, and the security model is shifting to reflect this. With the elimination of the network perimeter and critical digital assets living in a wide variety of systems hosted by various providers, the concept of security must change. Top that off with the Internet café-style WiFi model and a mobile workforce – greatly accelerated due to a global pandemic – and it makes a lot of sense that the zero trust security model is “poised to transform enterprise networking.”
This new approach takes the zero trust model and applies that to all interactions. Applications, systems, data, networks and more are no longer accessible by a user without a detailed authentication process where the access transaction is verified at every step of the process. Even machine-to-machine communications need to be validated through a trust model, so there’s no need to take it personally. This concept creates a higher likelihood that malicious users are left out in the cold when trying to access critical digital assets.
Principles Of A Zero Trust Model
This concept is absolutely critical to ensuring a strong security posture in the identity management space; secure access is fundamental to the zero trust security model. As a result, identity providers, such as JumpCloud Directory Platform, are at the epicenter of this movement by securely managing and controlling access to IT resources, be it devices, applications, file servers, or networks, regardless of platform, protocol, provider, and location. Key principles of this model include:
- Users should be required to adhere to strict password complexity policies, leverage SSH keys where possible, and implement multi-factor authentication on critical systems, applications and even their day-to-day workstations
- Each device should be a corporate (managed) device to ensure a full understanding of its posture
- Networks and locations should be classified as trusted or be denied access
- Least privilege access should be managed through authorization rights
These steps help to ensure that IT admins can take a zero trust approach and force users to validate their identity before they are granted access.
Zero Trust In Practice: Conditional Access
JumpCloud’s Conditional Access functionality puts practical Zero Trust capabilities into IT’s hands. Admins can prevent access from non-corporate devices as well as control locations/networks that are trusted. Further, step-up security approaches via multi-factor authentication can be enforced as well.
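The decision logic that the principles above and Conditional Access describe can be expressed as a small default-deny policy check. This is an added example, not JumpCloud's code or API; the `evaluate` function, the networks, the users and the resource names are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample policy (illustrative values, not from any real tenant).
TRUSTED_NETWORKS = [ip_network("10.20.0.0/16")]
DENIED_NETWORKS = [ip_network("203.0.113.0/24")]
CRITICAL_RESOURCES = {"payroll-db"}          # always require MFA
GRANTS = {"alice": {"wiki", "payroll-db"},   # least privilege: explicit grants only
          "bob": {"wiki"}}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    source_ip: str
    device_managed: bool
    mfa_passed: bool = False


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def evaluate(req: AccessRequest) -> str:
    """Return 'allow', 'deny' or 'step_up' (MFA required before access)."""
    try:
        ip = ip_address(req.source_ip)
    except ValueError:
        return "deny"                        # unparseable source: fail closed
    if not req.device_managed:
        return "deny"                        # non-corporate device
    if _in_any(ip, DENIED_NETWORKS):
        return "deny"                        # denied location/network
    if req.resource not in GRANTS.get(req.user, set()):
        return "deny"                        # no authorization right for this resource
    # Step-up: critical resources, or any network not explicitly trusted, need MFA.
    needs_mfa = (req.resource in CRITICAL_RESOURCES
                 or not _in_any(ip, TRUSTED_NETWORKS))
    if needs_mfa and not req.mfa_passed:
        return "step_up"
    return "allow"
```

Every request is evaluated on its own, so a user on a trusted network with a managed device is still denied a resource they hold no grant for.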
Identity Provider Leveraging Zero Trust Security
Want to know more about how the zero trust security model is harnessed by JumpCloud to protect core digital assets for enterprises worldwide? You can drop us a note, and one of our product experts will be happy to answer all of your questions.
The platform is also available to explore for free. Sign up for a JumpCloud Free account here, and the first 10 users and 10 systems you register are free of charge—forever. If you need any help, use the premium in-app chat function inside of the JumpCloud console.