Our EMEAR Advisory CISO, Duo Security’s Richard Archdeacon explains why we’ll soon be hearing a lot more about zero trust – and why new definitions seem to appear almost every day.
In the beginning
The concept of zero trust is far from new. Its origins go back to a group known as the Jericho Forum, a group of experienced CISOs, mainly from the UK, who realised that the idea of defence around the perimeter was crumbling. In our ever-changing business world, driven by IT transformations, a new way to think about security developed.
Zero trust for the entire IT ecosystem
The zero-trust concept starts with establishing trust. Then it grants access based on certain indicators of trust. Finally, continuous verification throughout the interaction ensures ongoing trust. These principles of trust apply across an organisation's entire IT ecosystem – the workforce, workloads and workplace.
- Zero trust for the workforce ensures only the right users and secure devices can access applications.
- Zero trust for workloads ensures secure connections within your apps, across multi-cloud or data centres.
- Zero trust for the workplace ensures secure user and device connections across your network, including for Internet of Things (IoT).
Right user
To secure the workplace, zero trust starts with establishing a level of trust around the identity of the user and what they can access to work within the organisation's environment. Having checked the device and authenticated the user, the next fundamental element is controlling which application doors they may enter, and which are out of bounds. This is not a new idea. As Hamlet once said all those years ago:
“Let the doors be shut upon him, that he may play the fool nowhere but in’s own house.”
This is not to suggest that chief information security officers (CISOs) should start getting worked up about familial or romantic issues. It didn’t appear to work out too well for poor old Hamlet. But the idea of restricting a user so that they can only enter an area which is approved and relevant to their duties is a necessary control.
Virtual private networks (VPNs) ensure that the user is connected within the virtual corporate network. But once the credentials are accepted, the user is through the main door into the organisation.
This is all well and good in a world where all users are completely honest and are who they say they are. Unfortunately, compromised credentials, where user logins and passwords are known to hackers, are all too common an occurrence. For example, the ease with which phishing has become an attack tool of choice has made relying on controlling the main door with a username and password a limited security control. As a CISO for one of the world's biggest technology companies said recently:
"Hackers don't break in anymore, they just log in."
In the UK there is an increasing focus on this area of vulnerability. The National Cyber Security Centre (NCSC), which provides advice on all matters to do with cyber security, has focused on the difficulty of using passwords and the need to use multi-factor authentication (MFA) as an additional control to confirm user identity. MFA is now becoming standard and may well become mandatory, much like running anti-virus: an assumed, built-in requirement. So, it makes sense to start looking at solutions now.
The right door
The Duo solution starts to address this level of control over users at the entry point. The use of a reverse proxy enables the mapping of users to applications. This means that each application has a door which the user must open. It is a house on its own with one way in, and that is under lock and key. This provides a triple layer in the defence structure:
- The user is known and authenticated.
- The device is checked and found to be adequate.
- The user is limited to where they can go.
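To make the three layers concrete, here is an added example (illustrative code written for this post, not Duo's product code) of the access decision a reverse-proxy gateway in front of each application door would take. It checks the three points above in order (user authenticated with MFA, device posture adequate, user entitled to this particular application), defaults to deny when no door is defined, and re-runs the same evaluation as the session continues so that a device that drifts out of policy loses access mid-session, which is the "continuous verification" idea from the start of the post. All users, devices, group names and policies are constructed sample data.

```python
"""Added example: per-application access decisions at a zero-trust gateway.

Not Duo's code; an illustration of the three checks described in the post.
Every identity, device and policy below is constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    user: str
    mfa_verified: bool        # did the user complete a second factor?
    groups: frozenset         # directory groups, e.g. from SSO claims


@dataclass(frozen=True)
class DevicePosture:
    managed: bool             # enrolled with endpoint management
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class AppPolicy:
    name: str
    allowed_groups: frozenset
    require_managed_device: bool = True


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # why access was refused


def evaluate(identity, posture, policy):
    """Apply the three layers for one application door; any failure denies."""
    reasons = []
    if not identity.mfa_verified:                      # layer 1: user known and authenticated
        reasons.append("mfa_required")
    if not (posture.disk_encrypted and posture.os_patched):   # layer 2: device adequate
        reasons.append("device_posture_failed")
    if policy.require_managed_device and not posture.managed:
        reasons.append("unmanaged_device")
    if not (identity.groups & policy.allowed_groups):  # layer 3: limited to approved doors
        reasons.append("not_entitled_to_app")
    return Decision(allowed=not reasons, reasons=reasons)


def gateway_decision(identity, posture, target_app, app_policies):
    """Entry-point check: no policy for an app means no door, so deny by default."""
    policy = app_policies.get(target_app)
    if policy is None:
        return Decision(False, ["unknown_application"])
    return evaluate(identity, posture, policy)


def continuous_verification(identity, posture_updates, policy):
    """Re-evaluate on every posture report during a session; returns allow flags in order."""
    return [evaluate(identity, p, policy).allowed for p in posture_updates]


# ---- constructed sample data ------------------------------------------------
APP_POLICIES = {
    "payroll":  AppPolicy("payroll",  frozenset({"finance", "hr"})),
    "hr-admin": AppPolicy("hr-admin", frozenset({"hr"})),
    "wiki":     AppPolicy("wiki",     frozenset({"finance", "hr", "eng"}),
                          require_managed_device=False),
}

ALICE = Identity("alice", mfa_verified=True, groups=frozenset({"finance"}))
BOB_NO_MFA = Identity("bob", mfa_verified=False, groups=frozenset({"finance"}))

HEALTHY = DevicePosture(managed=True, disk_encrypted=True, os_patched=True)
UNPATCHED = DevicePosture(managed=True, disk_encrypted=True, os_patched=False)
PERSONAL = DevicePosture(managed=False, disk_encrypted=True, os_patched=True)

if __name__ == "__main__":
    for who, dev, app in [(ALICE, HEALTHY, "payroll"), (ALICE, HEALTHY, "hr-admin"),
                          (ALICE, PERSONAL, "wiki"), (ALICE, PERSONAL, "payroll"),
                          (BOB_NO_MFA, HEALTHY, "payroll")]:
        d = gateway_decision(who, dev, app, APP_POLICIES)
        print(f"{who.user:6} -> {app:9} allowed={d.allowed} {d.reasons}")
    print("session:", continuous_verification(ALICE, [HEALTHY, HEALTHY, UNPATCHED],
                                              APP_POLICIES["payroll"]))
```

The point of returning every failed reason rather than the first one is operational: the gateway can log the full set for the SOC while showing the user only the remediation that applies to them (enrol the device, patch the OS, request the entitlement), which is what keeps the control from breeding the avoidance the next section warns about.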
Security made simple
This all needs to be done with minimal impact on the end user. Introducing difficulty into any security control area just breeds avoidance. By integrating with established single sign-on (SSO) capabilities, the users’ rights can be identified without the need for any duplication of effort. The ease of adaptive authentication at the device level makes this a non-disruptive activity on the user side, and a natural part of the workflow of logging in to do some work.
Meanwhile, the ability to block non-approved devices builds on the visibility that endpoint security already provides. Wrapping this around a browser-based gateway screen provides a simple, secure and single point of entry into each of the application doors.
What is appealing about the agile and flexible approach is its ability to bring new applications on board wherever they are found – whether running in the cloud, in a local data centre or a third-party application. No matter where the doors are, they can be open or shut from a central point based on a policy. So as the digital transformation drives change in the business and new applications are brought on stream, the Duo solution ensures that security controls enable, rather than block or hinder.
And, of course, because we want to control the doors, it doesn’t mean we think that all users are there to play the fool. Just the bad guys.
To maintain control and reduce vulnerabilities, why not start with a Duo Security trial?