Zero trust security. It’s a term that has been around IT for a while, but is only now reaching “buzzword” status. Even Google®, one of the biggest tech companies, has adopted the practice (its BeyondCorp model). While some may scoff at zero trust security, the concepts behind it are fast becoming a requirement in today’s IT landscape. Here’s why your organization needs zero trust.
Why Zero Trust?
Before we talk about why your organization needs zero trust, however, let’s talk about zero trust itself.
What is Zero Trust Security?
As a concept, zero trust security (ZTS) originated with John Kindervag and Forrester Research Inc. in 2009. At its heart, zero trust security is just that: no one, whether inside the organization or outside it, is trusted by default, and every user must prove their trustworthiness before being granted access. As security stances go, zero trust is diametrically opposed to the traditional security model, which relied on a perimeter, much like a castle’s moat and walls, to keep bad actors out. Kindervag likens that model to “. . . an M&M, with a hard, crunchy outside and a soft, chewy center” (Forrester).
Of course, with the perimeter security model, a malicious actor who has wormed their way inside the network, or who is posing as an employee, is free to enjoy and exploit the soft, chewy center of data and other information. With zero trust, there is no trusted interior. Every resource must be guarded with the same vigilance, even against requests that originate inside the network.
The Core of ZTS
Because of the potential for insider attacks, employees, contractors, and other staff (as well as all of their computers and devices) need to establish trust before they are permitted access to network resources. This applies to resources outside the network as well, such as SaaS apps, cloud infrastructure, and remote access via VPN.
In practice, zero trust security relies on a good identity and access management (IAM) posture. As such, the two core processes of IAM, authentication and authorization (AuthN and AuthZ), are key to ZTS. By authenticating that a user is who they claim to be, and then authorizing only the resources that user may access, IT organizations can start down the path of zero trust.
AuthN and AuthZ for ZTS can be broken down into three core steps. First, the identity is verified. Second, the device presenting that identity is verified: is it enrolled, managed, and in a compliant state? Third, the access that device and identity receive to the network and other IT resources is secured and controlled, providing only what is required: no more, no less.
“Trust” is then built over time as this access is monitored. IT organizations need to pay close attention to when and from where access takes place. If an access request comes from a source that seems irregular or untrustworthy in any way (an unfamiliar location, an unusual hour, a device that is not enrolled), sysadmins, IT admins, and network ops engineers need to be ready to respond to these potential threats, whether by requiring a step-up authentication or by denying the request outright.
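To make the three steps and the monitoring concrete, here is a small access-decision routine in Python. It is an added example, not JumpCloud’s code or any product’s logic; the users, devices, resource-to-role map, office hours and the access log lines are all constructed for illustration.

```python
"""Minimal zero-trust access decision: verify identity, verify device,
grant least privilege, and watch for irregular access.
Added example; users, devices, resources and log lines are constructed."""
from dataclasses import dataclass, field

# Constructed identity store: which users exist, their roles, where they usually work from.
USERS = {
    "alice": {"roles": {"engineering"}, "usual_countries": {"US"}},
    "bob":   {"roles": {"finance"},     "usual_countries": {"US", "CA"}},
}
# Constructed device inventory: only managed, compliant devices are trusted.
DEVICES = {
    "LT-0042": {"owner": "alice", "managed": True, "disk_encrypted": True},
    "LT-0099": {"owner": "bob",   "managed": True, "disk_encrypted": False},
}
# Least privilege: each resource lists the roles that may use it; everything else is denied.
RESOURCE_ROLES = {
    "git.internal":     {"engineering"},
    "payroll.internal": {"finance"},
}

@dataclass
class Request:
    user: str
    device: str
    resource: str
    country: str
    hour: int          # local hour of day, 0-23
    mfa_passed: bool

@dataclass
class Decision:
    action: str        # "allow", "step_up" or "deny"
    reasons: list = field(default_factory=list)

def evaluate(req: Request) -> Decision:
    reasons = []
    # 1. Verify the identity; a password alone is not proof.
    user = USERS.get(req.user)
    if user is None:
        return Decision("deny", ["unknown identity"])
    if not req.mfa_passed:
        return Decision("deny", ["second factor not presented"])
    # 2. Verify the device and that it is enrolled to this identity.
    dev = DEVICES.get(req.device)
    if dev is None or dev["owner"] != req.user:
        return Decision("deny", ["device not enrolled to this identity"])
    if not (dev["managed"] and dev["disk_encrypted"]):
        return Decision("deny", ["device fails posture check"])
    # 3. Authorize only what the role needs (default deny).
    allowed = RESOURCE_ROLES.get(req.resource, set())
    if not user["roles"] & allowed:
        return Decision("deny", [f"role not authorized for {req.resource}"])
    # 4. Monitor: an irregular location or hour earns a step-up, not silent access.
    if req.country not in user["usual_countries"]:
        reasons.append(f"unusual country {req.country}")
    if not 7 <= req.hour <= 20:
        reasons.append(f"off-hours access at {req.hour:02d}:00")
    return Decision("step_up" if reasons else "allow", reasons)

# Constructed access log, one request per line: user,device,resource,country,hour,mfa
ACCESS_LOG = """\
alice,LT-0042,git.internal,US,10,1
alice,LT-0042,payroll.internal,US,10,1
alice,LT-0042,git.internal,RO,03,1
bob,LT-0099,payroll.internal,US,14,1
mallory,LT-0042,git.internal,US,11,1
alice,LT-0042,git.internal,US,10,0
"""

def parse_line(line: str) -> Request:
    u, d, r, c, h, m = line.split(",")
    return Request(u, d, r, c, int(h), m == "1")

def review_log(log: str = ACCESS_LOG) -> list:
    """Return (user, resource, action, reasons) for every log line, for admin review."""
    out = []
    for line in log.strip().splitlines():
        req = parse_line(line)
        d = evaluate(req)
        out.append((req.user, req.resource, d.action, d.reasons))
    return out

if __name__ == "__main__":
    for user, resource, action, reasons in review_log():
        print(f"{action:8} {user}@{resource} {'; '.join(reasons)}")
```

Note the order of the checks: identity, then device, then least-privilege authorization, and only then the behavioural signals. A request that fails any of the first three is denied outright; an unusual location or hour on an otherwise valid request is surfaced as a step-up rather than silently allowed or silently blocked, which is what gives admins something to monitor.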
Why Your Organization Needs Zero Trust
So why do you need ZTS? If your organization is anything like thousands of others across the globe, then you are probably concerned about identity security. Your concerns are not unreasonable. For 2018 alone, Verizon analyzed 41,686 security incidents, 2,013 of which were confirmed data breaches. Of course, a data breach is not an individual-focused event: the information of hundreds, if not thousands (or millions in extreme cases), of people was compromised in each breach. Add those numbers up, and the number of people affected by nefarious deeds in cyberspace is staggering.
As more cloud-based resources enter the enterprise, IT organizations need to be especially careful about protecting access to them. After all, unlike the resources of old that sat inside the “perimeter” guarding the network, these can be outside IT’s control. Granting access to them, however, is very much within the control of IT (or DevOps), so that access needs to be guarded using zero trust principles.
With ZTS, organizations take the necessary precautions to ensure that resources are only ever accessed by a verified identity, from a verified device, with the least privilege the task requires. For this to be possible, IT admins need to be properly equipped.
Authenticating and Authorizing for ZTS
AuthN and AuthZ require the correct tooling to be used effectively in an organization. One solution commonly used for both is the directory service. A directory service serves as the identity provider (IdP) in an organization, creating and storing an employee’s work identity, granting that identity access to certain resources, and presenting it to those resources when the employee connects.
Using MFA for ZTS
Unfortunately, a directory service alone isn’t a panacea for zero trust security posture. After all, employee credentials can be compromised via phishing or another targeted attack. That’s why the use of multi-factor authentication (MFA, also called two-factor authentication, or 2FA) is also critical to zero trust security.
MFA requires an additional factor beyond the username and password (hence the name). That second factor is either something the user has, such as a hardware authenticator on USB or a time-based code generated by an app on the user’s phone, or something the user is, such as a biometric. Codes delivered by SMS also count, but they are the weakest option, since a phone number can be hijacked by SIM swapping.
The addition of a secondary authentication factor, although potentially annoying to employees, is incredibly effective at maintaining identity security. Symantec found that 80% of breaches in recent years could have been prevented with the use of 2FA/MFA.
ZTS Network Security
Controlling network access is another key part of zero trust. For starters, the use of RADIUS (with 802.1X, i.e. WPA2-Enterprise) to ensure that the network can only be joined by authorized identities and devices is critical. Otherwise, with a traditional pre-shared key (WPA2-Personal), practically anyone who learns the shared WiFi password can hop on to the network and start accessing resources from inside. By adding 2FA/MFA, IT admins can also better control access to the network via VPN.
VLAN tagging is another great way to implement controls that support a strong zero trust posture. With VLAN tagging, IT admins and network engineers can segment network access, typically by having the RADIUS server return the VLAN for each authenticated user or device, so even if an identity is detected to be compromised, its reach can be limited to prevent further damage.
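To show what segmenting with VLAN tagging looks like on the wire, here is an added Python example (not JumpCloud’s RADIUS-as-a-Service or any product’s code) that picks a VLAN from the device’s trust class and encodes the three tunnel attributes a switch reads from a RADIUS Access-Accept (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, per RFC 2868 and RFC 3580). The trust classes and VLAN numbers are constructed assumptions; the attribute numbers and encoding are from the RFCs.

```python
"""Dynamic VLAN assignment in a RADIUS Access-Accept (RFC 3580 / RFC 2868).
Added example: trust classes and VLAN numbers are constructed; attribute
types, enumerations and the tag/length/value layout are from the RFCs."""
import struct

# RADIUS attribute types and enumerated values (RFC 2868, RFC 3580).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed segmentation policy: the VLAN follows the device's trust, not
# the SSID, so a shared WPA passphrase never decides what a client can reach.
VLAN_BY_TRUST = {
    "managed":    20,   # corporate, posture-checked device: internal resources
    "byod":       30,   # personal device: internet and SaaS only
    "quarantine": 99,   # identity flagged as compromised: remediation only
}

def vlan_for(device_managed: bool, identity_flagged: bool) -> int:
    """A flagged identity is quarantined regardless of how good its device is."""
    if identity_flagged:
        return VLAN_BY_TRUST["quarantine"]
    return VLAN_BY_TRUST["managed" if device_managed else "byod"]

def _tagged_attr(attr_type: int, tag: int, payload: bytes) -> bytes:
    # Tunnel attributes carry a 1-byte tag before the value; the length byte
    # covers type, length, tag and payload.
    return struct.pack("BBB", attr_type, 3 + len(payload), tag) + payload

def vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """The three attributes a switch needs to put the port in `vlan_id`.
    Tag 0 means the attributes are untagged (the common single-tunnel case)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return (
        _tagged_attr(TUNNEL_TYPE, tag, struct.pack(">I", TUNNEL_TYPE_VLAN)[1:])
        + _tagged_attr(TUNNEL_MEDIUM_TYPE, tag, struct.pack(">I", TUNNEL_MEDIUM_IEEE_802)[1:])
        + _tagged_attr(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode())
    )

def parse_attributes(raw: bytes) -> dict:
    """Walk a list of tagged tunnel attributes; return {type: (tag, payload)}.
    Rejects truncated or oversized lengths instead of reading past the buffer."""
    out, i = {}, 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        t, length = raw[i], raw[i + 1]
        if length < 3 or i + length > len(raw):
            raise ValueError("malformed attribute length")
        out[t] = (raw[i + 2], raw[i + 3:i + length])
        i += length
    return out

def vlan_from_accept(raw: bytes):
    """What the switch does: read the VLAN back, or None if this is not a
    VLAN assignment (wrong tunnel type or medium, or no group id)."""
    attrs = parse_attributes(raw)
    if attrs.get(TUNNEL_TYPE, (0, b""))[1] != b"\x00\x00\x0d":
        return None
    if attrs.get(TUNNEL_MEDIUM_TYPE, (0, b""))[1] != b"\x00\x00\x06":
        return None
    if TUNNEL_PRIVATE_GROUP_ID not in attrs:
        return None
    return int(attrs[TUNNEL_PRIVATE_GROUP_ID][1].decode())

if __name__ == "__main__":
    vid = vlan_for(device_managed=True, identity_flagged=False)
    raw = vlan_attributes(vid)
    print(raw.hex(), "->", "VLAN", vlan_from_accept(raw))
```

Tunnel-Private-Group-ID is a string, so the switch compares it against a VLAN name or number; in practice it is the number. The point for zero trust is that the network position a client ends up in is decided per authentication by the identity and device checks, not by which passphrase the client knew.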
Implementing Zero Trust in the Cloud
JumpCloud® Directory-as-a-Service® is the world’s first cloud directory service. IT admins can use JumpCloud to authenticate identities and authorize their access to virtually all IT resources, whether they are tied to the on-prem network or in the cloud. JumpCloud also gives organizations the ability to monitor that access with the vigilance ZTS calls for.
JumpCloud also allows IT admins to enforce MFA across systems, applications, and VPN connections. With JumpCloud RADIUS-as-a-Service, network engineers can tighten up their WiFi security, including segmenting their WiFi access with VLAN tagging.
Learn More about ZTS with JumpCloud
If you are interested in finding a comprehensive IAM solution to implement zero trust in your organization, consider contacting us. As experts in the identity security and IAM spaces for the past seven years, we’d be happy to share our insights with you. You can implement JumpCloud for IAM, MFA, RADIUS-as-a-Service, and much more, absolutely free. Just sign up for JumpCloud, start using your ten free users in the platform today, and begin your path towards zero trust security.