iWelcome is now OneWelcome. Visit us at onewelcome.com

Zero Trust and Identity & Access Management

Mar 6, 2020 12:00:00 AM

In this article, we are going to discuss the main ideas of the Zero Trust security concept and how an Identity and Access Management solution can support the implementation of this approach when building interaction between users and applications in your network.

A changing security landscape

We hear about data breaches or ransomware attacks every day. IBM recently released the new edition of the Cost of a Data Breach report for 2019. This report states that the average cost of the data breach is near $4M and organisations need 279 days on average to identify and contain a breach. The average cost of lost business for organisations in the 2019 study was $1,4 million which represents 35% of the total average cost. Healthcare has the highest average industry cost of $6,45 million. At the same time, Emsisoft company released a report that ransomware attacks potentially cost $7,5 billion in the US in 2019. Impacted organisations included 113 state agencies, 764 healthcare providers and 89 educational organisations.

Companies try to react to these numbers by increasing security budgets. But it is not sufficient, as we see the number of data breaches and attacks grow from year to year. It can mean that the reasons behind these attacks are not only in the amount of money invested in the security solutions but in the general approach to defend corporate resources.

A traditional approach to build a corporate network is to construct a castle with a moat between corporate resources and the Internet. Firewalls are the walls and guardians of the castle who inspect new guests at the gates. Remote workers can use VPN to access the gate and get internal resources. But if you manage to get into the castle you are free to go everywhere, you have the full trust in the network. This approach worked well at the beginning of the Internet when we had a few Internet-facing servers and static workplaces for the employees. It worked because users and applications were inside and threats remained outside.

This situation changed dramatically because users are working more and more from their own devices and server infrastructure is moving to the cloud. Nowadays corporate infrastructure cannot be assumed as a safe environment. Threats can evolve from phishing attacks, infected personal devices or an evil insider. And once they’re in, often disguised in a stolen identity, the attacker is free to move inside. This is what our castle looks like:

Reasons for Zero Trust - a vulnarable security infrastructure

At the same time, IT and security teams have a major overhead with central firewall management and VPN connectivity issues.

The introduction of Zero Trust

To address these issues with fully trusted corporate networks, principal security analyst John Kindervag from Forrester suggested the Zero Trust concept, already in 2010. The main idea of Zero Trust is that we should remove the privileged status from the internal network and treat requests from the internal and external networks equally. This idea is not totally new because we all have experience with a Zero Trust network: the Internet. We, as users, are aware of the threats on the Internet and we should be cautious with our credentials and give them only to verified servers. And servers cannot trust all requests, they should first identify and verify the user and then give access to sensitive information.

Key principles of a Zero Trust Architecture

6 key principles of the Zero Trust approach are:

  • every device, user and network flow is authenticated and authorised;
  • network locality is not sufficient for deciding trust;
  • the network is always assumed hostile;
  • external and internal threats exist on the network all the time;
  • policies must be dynamic and calculated from as many sources of data as possible;
  • all traffic should be logged and monitored.

Let’s examine these principles in detail.

Authenticate and authorise every device, user and network
Why should we authenticate three components: device, user and network instead of the traditional approach with user-only authentication? Because the user can work on the compromised device or this device can have unpatched software and it will be an easy target for the attackers. So we can add TLS certificates to the devices in order to be sure that it is a corporate device and it can access sensitive information.

Modern devices have TPM chips and certificate private keys can be encrypted by the TPM key. Device operating system patch level and installed software can be taken into account too. If important patches are missing, access can be restricted to general information only. Users should be authenticated via multiple channels and as much as possible contextual information about the user and his behavior must be taken into account. In case of identity theft or social engineering attack, it should be more difficult for the attacker to authenticate to the system.

Network traffic authentication should include 2 parts: authenticate both sides of the authentication and encrypt the traffic.

Mutual TLS authentication can help with identifying not only the server but the client of the communication. Network encryption is the requirement because in the big cloud infrastructures one region can be physically located in multiple data centers with fiber channels between them. This subtlety is usually hidden from the customer but Edward Snowden showed that NSA targeted precisely these links in 2013.

Network locality is not sufficient for deciding trust
If we remove network locality as the reason for providing access we do not need VPN anymore. VPN was designed to give access to the privileged internal network. If we assume the network is always hostile then VPN doesn’t bring any advantages.

The network is always hostile and external and internal threats exist all the time
The central component of a Zero Trust network is an Access Proxy or Control Plane which enforces access policies. Access Proxy can have a variable trust based on score-based policies. For example, if a laptop is present in the inventory database, patched with all available updates and it connects from the corporate network it has a higher score than a personal mobile phone. A user can connect from this laptop to the corporate repository and view the source code, but the same user can connect only to the HR system from her mobile phone. User IP can be scored but it should not be the only reason to decide if access is allowed or not.

Inspection of all traffic flows
Inspection of all traffic flows can help during migration from the traditional approach to Zero Trust. All interactions that exist in the network should be identified. In the first stage, these flows can be monitored by Access Proxy and when users, devices, and applications can be authenticated Access Proxy can enforce access policies.

How Zero Trust supports a better user experience

The new approach does not only bring security improvements but also a better user experience. Users have the same interaction with applications in the office and remotely. And VPN connectivity issues are not interfering and distracting users. There is no need for IT teams to make constant changes in firewall rules because access decisions are made based on the connection context.

Next step for Zero Trust: Authentication

Zero Trust concepts sound very attractive but it is not an overnight change. Some of the first adopters were Google with BeyondCorp and PagerDuty with a cloud-agnostic network. It took Google four years to implement Zero Trust ideas and PagerDuty implemented it in one year.

The first steps are identifying and authenticating devices and users. Strong user authentication must include multiple factors via different channels:

  • something you know: passwords;
  • something you have: one time passwords (TOTP), certificates or hardware tokens;
  • something you are: fingerprint, retina.

These methods can effectively mitigate many threats in the virtual world, but users can be forced to give their credentials on the border controls or to criminals like on the picture:

Security threaths

Checklist for authentication in a Zero Trust Model

For these situations, a well-designed authentication system can use a risk-based approach. Lower user score due to unusual behaviour will lead to limited access to the system and decrease the possible impact. The following factors can be analysed:

  • How many failed authentication failures since the last successful login?
  • What is known about the client IP?
  • Is this IP from the list of known bad traffic sources? Is there a sudden change of IP geolocation or if a user’s multiple devices report a conflicting location? Did the user successfully log in from this IP before?
  • Did the user login from this browser and device before?
  • Is the time since login less than the predefined value? If the system didn’t see the user for a long time, his first login can be treated with caution.

If user behavior is extremely unusual and many factors from the list before are new, the access system will require additional authentication from the user.

Zero Trust requires Strong Authentication within your IAM framework

The Zero Trust approach can help mitigate modern threats by removing implicit trust from the corporate network. If every network flow will be explicitely authenticated it will be much harder for attackers and malware to enter the system and harm sensitive resources. To achieve this, users, devices and applications should only be allowed access if they are trusted. The first step is to authenticate a user with Multi-Factor Authentication and take into account as much information and context as possible before making a decision to grant access. This means that you need a powerful Authentication tool at the heart of your Identity & Access Management Strategy.

Learn more about Authentication here.

Feel free to repost this blog on your website or social channels! But when you do so, please be so kind as to mention the source and give us a notice via marketing@iwelcome.com.

You May Also Like

These Stories on Security

No Comments Yet

Let us know what you think