A Complex Problem
About 7 years ago, my family and I moved into our new home in Mumbai. It was a pleasant change from the previous one – more space, better amenities, and a lot of the conveniences that are part of most modern apartment complexes today. However, within the first few days, we learned of a certain practice that was to become a source of irritation.
Our old home was in a standalone building – and visitors had open access to walk up to any door and ring the bell. In the new complex, we had layers of security – one at the main gate, another at the entrance lobby to the building and a third in the lift. At each step, the security guard would call up on the intercom to check and verify that we were expecting that particular guest. This meant answering up to 3 phone calls for every visitor! Certainly irritating – but a low price to pay for higher security. This ensured that we had no unwanted visitors, and that every visitor to the complex was tracked to his/her destination.
This is the basic principle of Zero Trust – never trust, always verify. Another analogy is the way in which access is granted to your room in modern hotels – the only way you can operate the lift is by swiping your key card – and that too, to only enter the floor that your room is on.
John Kindervag at Forrester Research initially coined the term “Zero Trust” around 2009 to propose a specific framework. Google implemented it internally and called their architecture “BeyondCorp”. However, it is only recently that the availability of commercial technology has made it feasible for Enterprises to adopt it.
Breaking it Down
Implementing Zero Trust security is fundamentally about not taking Trust for granted and containing access on a “least privilege” basis – thereby reducing your attack surface. In the new IT landscape, three primary targets have emerged:
1. IDENTITY – as many as 81% of breaches involve compromised credentials through techniques like spear-phishing. Stolen passwords are the most effective way to get around traditional perimeter defenses.
2. APPLICATIONS – 54% of web app vulnerabilities have public exploits available to hackers, meaning if left unpatched, servers and applications can be exploited to gain access to critical systems.
3. DEVICES – Kaspersky Labs found a 300% increase in new IoT malware variants from 2017 to 2018 – proving that attackers are targeting smart devices to get access to your network.
To effectively deal with these variables, it helps to think about Zero Trust Security in terms of the following 3 pillars:
1. ZERO TRUST FOR THE WORKFORCE: to ensure that only the right users on secure devices can access applications, regardless of location
2. ZERO TRUST FOR THE WORKLOADS: to implement secure access for applications, whether the caller is a user or an API, microservice or container accessing a database within an application.
3. ZERO TRUST FOR THE WORKPLACE: to secure access for any devices that connect to Enterprise networks.
Implementing Zero Trust for the Workforce
This pillar ensures that only validated users using validated endpoints can access corporate resources. Security can be further enhanced by implementing end-to-end encryption. Finally, users are allowed to access only the bare minimum resources that are needed for their roles.
Multi-Factor Authentication (MFA) is highly recommended, and probably the most effective technology to establish user trust. Establishing device trust requires the organization to register the devices (personal or corporate-owned) which it expects to be associated with a particular user and establish their security posture – typically through a device management platform. Lastly, you need to enforce contextual access policies in real time, based on attributes like location, user role, device type, etc. – and ensure secure access to all applications, services and platforms – whether multi‑cloud, on-prem, custom, remote access or VPN.
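To make the three checks above concrete, here is a small deny-by-default policy evaluator, added as an example for this post (not code from any product or the author). It assumes the identity provider has already reported whether MFA completed, the device management platform has reported the posture result, and the access proxy supplies the location; the users, devices, roles and applications are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool       # user trust: result reported by the identity provider
    device_id: str
    device_posture_ok: bool  # device trust: result reported by the device-management platform
    location: str            # context: e.g. country code as seen by the access proxy
    app: str

# Constructed sample policy data (hypothetical users, devices, roles and apps).
REGISTERED_DEVICES = {"alice": {"laptop-a1"}, "bob": {"laptop-b1", "phone-b2"}}
APP_ROLES = {"hr-portal": {"hr"}, "wiki": {"hr", "engineering"}}   # least privilege: role -> app
ALLOWED_LOCATIONS = {"IN", "US"}

def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Deny by default: access is allowed only when every check passes.
    Returns (allowed, reasons) so that a denial can be logged and audited."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("user trust: MFA not completed")
    if req.device_id not in REGISTERED_DEVICES.get(req.user, set()):
        reasons.append("device trust: device not registered to this user")
    elif not req.device_posture_ok:
        reasons.append("device trust: posture check failed")
    if req.location not in ALLOWED_LOCATIONS:
        reasons.append("context: location not permitted")
    if req.role not in APP_ROLES.get(req.app, set()):
        reasons.append("least privilege: role not entitled to application")
    return (not reasons, reasons)

def sample_decisions() -> dict[str, tuple[bool, list[str]]]:
    """Three constructed requests: one passes every check, two are denied."""
    ok = AccessRequest("alice", "hr", True, "laptop-a1", True, "IN", "hr-portal")
    # Valid password and MFA, but from an unregistered device in a non-permitted location.
    unregistered_device = AccessRequest("alice", "hr", True, "unknown-x9", True, "XX", "hr-portal")
    # Trusted user and device, but the role is not entitled to this application.
    wrong_role = AccessRequest("bob", "engineering", True, "laptop-b1", True, "US", "hr-portal")
    return {"ok": evaluate(ok),
            "unregistered_device": evaluate(unregistered_device),
            "wrong_role": evaluate(wrong_role)}

if __name__ == "__main__":
    for name, (allowed, reasons) in sample_decisions().items():
        print(name, "ALLOW" if allowed else "DENY", reasons)
```

Each reason string identifies which of the three trust factors failed, which is what an access log needs for later review.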
The Way Ahead
A few years after we moved in, our Apartment Complex implemented a mobile app to pre-authorize and approve users without a phone-call – that eased our lives a little bit. That is akin to implementing security automation – which we will cover later in the series. In the next blog, we will focus on Implementing Zero Trust for the Workload and the Workforce.