The New Security Mandate: Never Trust, Always Verify
The concept of Zero Trust is as profound a shift in cybersecurity as the sweeping transformation brought by cloud, mobility, agility, and availability. Gartner projects that worldwide security spending will reach $96 billion this year, yet we continue to read headlines confirming that companies cannot address threats fast enough, regardless of the growing list of vendors and solutions available. What is even more surprising is that less than 10 percent of that spend is allocated to identity and access management. Repeated mega breaches have forced experts and vendors to re-examine the basic best practices and assumptions adopted in the past and to question their viability.
The revolutionary concept of Zero Trust Security assumes that a threat actor may already be inside the organization, either posing as an employee or having taken over an employee's credentials. Zero Trust seeks to limit the opportunity for such an internal threat actor to use those assumed credentials to breach other parts of the organization.
Previous cybersecurity practices accepted the integrity of a user's credentials at face value and verified them only afterwards. In the new paradigm, no user is trusted until both their credentials and their device have been rigorously verified. Identity and access management solutions then grant the user access to the organization's resources, but only as much as their job role requires to complete the task at hand.
In this scenario, an employee or user is never implicitly trusted to access the resources they are entitled to. It is assumed that a threat actor can assume the credentials of any user at any time, so every user's access to the organization's assets and resources must be limited accordingly. In short, the user is never trusted and is always verified while accessing an organization's assets.
The Zero Trust security best practice applies to all types of users, including ordinary IT end users, privileged users, suppliers, customers, and partners. It also applies to all types of resources and assets, whether they are reached through an application or through compute infrastructure.
The Zero Trust security best practice uses a four-step approach.
The first step is to verify the legitimacy of the user beyond the credentials of their username and password. Multi-factor authentication using personal information or another known device of the employee is the usual add-on practice.
The second step is to validate the endpoint, the device being used by the end user. Once a device has been enrolled and validated, it is associated with the user so that it contributes an element of trust the next time it is used. If the end user instead connects from another device or from another location, that device must be authenticated and enrolled before the end user can gain access to the organization through it.
Once the user and their device have been authenticated, the third step grants access to the organization's assets, but only as much as the task specified by their role requires. Users can therefore reach multiple applications and compute resources only when their role requires it. The more critical an application or compute resource, the less access is granted to an end user.
The same controls exist for all types of users including administrators, who are usually the prime targets for any threat actor because they usually have the “keys to the kingdom.” The underlying control here is to limit lateral access of end users into multiple applications and compute resources, unless required for any specified task.
The last step is to make internal systems self-learning and adaptive through machine learning. While organizations need to be increasingly secure, continuously hindering employee productivity can lead to an anarchic internal work environment. Hence, it is critical that internal cybersecurity applications learn from user behavior and actively enable productivity under near-normal conditions, but raise red flags whenever there is a deviation from the norm.
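The four steps above, written out as a single policy decision for one access request. This is an added illustration, not code from the article or any vendor; the users, devices, roles and resources are constructed sample data, and the fixed "usual location" baseline stands in for the learned behavior model the last step describes.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool   # step 1: was a second factor presented?
    device_id: str     # step 2: which endpoint is asking
    location: str      # step 4: where the request comes from
    resource: str      # step 3: what is being requested

# Constructed sample policy data (hypothetical users, devices and resources).
ROLE_OF = {"alice": "analyst", "bob": "admin"}
ROLE_ALLOWS = {"analyst": {"wiki", "ticketing"},
               "admin": {"wiki", "ticketing", "prod-db"}}
CRITICALITY = {"wiki": 1, "ticketing": 1, "prod-db": 3}   # 3 = keys to the kingdom
ENROLLED_DEVICES = {("alice", "laptop-a1"), ("bob", "laptop-b1")}
USUAL_LOCATION = {"alice": "office", "bob": "office"}     # stand-in for a learned baseline

def decide(req: AccessRequest):
    """Return (decision, flags) for one request; every step must pass in order."""
    flags = []
    # Step 1: a username and password alone are never enough; require the second factor.
    if not req.mfa_passed:
        return "deny", ["mfa_missing"]
    # Step 2: the endpoint must already be enrolled; an unknown device enrolls first.
    if (req.user, req.device_id) not in ENROLLED_DEVICES:
        return "enroll_required", ["unenrolled_device"]
    # Step 3: least privilege by role; administrators get no exemption.
    role = ROLE_OF.get(req.user)
    if role is None or req.resource not in ROLE_ALLOWS[role]:
        return "deny", ["not_in_role"]
    # Step 4: a deviation from the user's baseline raises a red flag instead of
    # blocking routine work, except on critical assets, where it forces step-up.
    if req.location != USUAL_LOCATION[req.user]:
        flags.append("location_deviation")
        if CRITICALITY[req.resource] >= 3:
            return "step_up_required", flags
    return "allow", flags

if __name__ == "__main__":
    print(decide(AccessRequest("bob", True, "laptop-b1", "hotel", "prod-db")))
    # ('step_up_required', ['location_deviation'])
```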
Other learnings that emerge could help chief security officers to moderate and adjust security policies to balance organizational concerns and employee productivity. Organizations adopting a Zero Trust approach will increasingly find that it is the right path forward to rebuild their user and resource access policies.