Zero Trust Part II: The Evolution of Trust and Five Key Considerations
March 26, 2019 | Security and Risk | Corey O'Connor
This is the second half of a two part series on Zero Trust. Find the first part here.
The Russian proverb ‘trust, but verify’ was not only used for Nixon’s presidential campaign, but it’s been leveraged many times over to describe Zero Trust. But, the definition of trust in this context has certainly evolved. The ‘trust, but verify’ adage probably needs an update to something more appropriate like ‘Trust, but verify and re-verify’ and keep re-verifying and adding layers of security until you establish true Zero Trust.
A logical progression from trust to Zero Trust begins with trusting the actual identity (be it a human or machine identity). Then, instead of trusting the entity, you trust the asset that the entity accesses and set up controls (e.g. security certificates or scanning devices) that ensure that the asset can be trusted on the network. defense-in-depth, layered approach is instrumental to a true Zero Trust strategy.
We recommend the following five steps for building out modern architectures that align to Zero Trust:
1) Implement a Risk-based Approach to Security
End users, applications, data and infrastructure no longer exist solely within the confines of the data center and corporate office space and you can’t control what you don’t own. The “Castle and Moat” approach is a non-consideration in this model. Organizations need to secure their enterprise at the core, which starts with securing the privileged access pathway.
Insider threat and external attacks continue to persist, affecting every industry and often involve the misuse of privilege1. The core of what we do at CyberArk is to empower organizations to take a risk-based approach to a better security posture, enabling organizations to implement their strategy over time and focus on what matters most first. Your first priority should be securing your last line of defense, which is privileged access, since it’s the road most traveled by internal and external nefarious characters.
CyberArk is established as the leader for protecting against privileged account compromise – wherever those accounts exist – on premises, in the cloud and everywhere in between. CyberArk provides the controls you need to take a risk-based approach to security. We’ve developed a programmatic approach designed to help organizations improve security and reduce risk by establishing and maintaining strong privileged access security hygiene. Taking a programmatic approach that incorporates a thorough understanding of the risk your organization is challenged with, as it relates to Zero Trust, and building off of it is key.
2) Continuous Multi-step Authentication and Security to Tier0 Assets
As investment in perimeter security has had diminishing returns over time, there’s an even more accelerated need for stronger security on administrator access to Tier0 assets. Single factor authentication is a single point of failure, leveraging Multi-factor Authentication (MFA) narrows the focus of trust for users and devices.
Beyond MFA, introducing things like step-up authentication and managerial approval processes before allowing access to critical assets and resources is essential for Zero Trust. These technologies allow for the authentication of privileged users at the exact point of access to sensitive assets, dramatically mitigating risk from privileged credential-based attacks.
With traditional VPN solutions, organizations are forced to provide all or nothing access to the perimeter. The issue becomes even more challenging if temporary access needs to be provided to external vendors. It’s important to consider scenarios that involve multiple access types, including third parties and remote vendors, and to provide an improved remote user experience with modern authentication techniques to secure access to corporate resources and applications.
Both Zero Trust and Google’s BeyondCorp models require consistent, continual authentication and access management for users logging into mission and business critical applications, including the CyberArk Privileged Access Security Solution. Ensure authorized privileged users are on secure devices when accessing their accounts as well as Tier1 and Tier0 assets. Continuous multi-step authentication will increasingly become a part of every effective security program and not limited to just Zero Trust.
3) Secure Core Privileges on Endpoints and Endpoint Devices
One of the main pitfalls and short comings of implied trust is that if someone gets a foothold on an endpoint, they, essentially, become that user (be it standard or privileged user). In the event an attacker or malicious insider gains access to a privileged account and its associated credential, they will become indistinguishable from a fully validated and trusted user. This makes it difficult to detect high-risk activity and behavior.
Application control becomes an important factor in the ‘trust, but verify and re-verify’ methodology. Organizations should implement restriction models that only trust specified applications, run by specific accounts and under specific circumstances. Application control will help mitigate the risk of ransomware attacks and code injections (among others) and is a foundational component of a Zero Trust strategy.
Beyond identifying all human and machine users, discovering and classifying any and all assets, both software and hardware, within the enterprise is important. It’s important to understand your device health across the enterprise – know your device fleet! Get a handle on which software versions you’re running and establish security configurations such as screen lock and disk encryption on all of your devices under management. Ensure device trustability and wrap centralized policy around it – e.g. management status, software versions, security properties, etc.
Zero Trust is just the beginning. Start by providing ‘initial trust’ and continue to verify and re-verify and put controls in place to mitigate risk. Introducing controls on the endpoint provides some level of trust, but securing and monitoring the privileged pathway takes you that much further towards true Zero Trust.
4) Secure and Monitor the Privileged Pathway
Trust, verification and monitoring network traffic are three main elements of both Zero Trust and BeyondCorp. Key indicators of malicious activity are often overlooked or mischaracterized as benign due to an implicit trust that malicious activity will be flagged by detection mechanisms2.
With traditional perimeter models, there’s always a way in and out of a network. Visibility is important. Detection, response, remediation and recovery are even more important. Monitoring the privileged access pathway prevents malicious insiders and external attacks from progressing their attack. Place tight controls around what end users are accessing and monitor, detect, respond and remediate before the business suffers irreparable damage.
Create isolation layers between endpoints, users and target systems and monitor access – specifically the “who, what and when.” Create secure connections for end users connecting to critical assets and resources and make sure you have the ability to review the session in real-time. Identify and pre-define the key indicators of malicious activity and implement automated controls to respond when it’s necessary to take action. As more and more employees work from remote locations and from uncontrolled devices, having the ability to provide application isolation layers to protect corporate resources from these uncontrolled devices is critical to Zero Trust.
CyberArk provides rich analytics out-of-the-box that couples deterministic algorithms, statistical modeling, machine learning and behavior profiling to enable the organization to make calculated decisions based on both trust and risk. Combining intelligent analytics and response results in a force multiplier that inherently scales security proficiency, especially where resource constraints present an issue to the business.
5) Implement Attribute-based Granular Access Controls
Knowing who (for both human and non-human users) has access, to what and which actions they are able to perform is vital. Enforce attribute-based access control that combines enterprise-level policy with specific user criteria.
Enforce governance and the principle of least privilege over everything and control what users and applications are able to do. For human users, enforce both access and active controls. This doesn’t just mean access control in the traditional sense, but also placing controls around privileged task activities and management.
Going beyond least privilege enforcement, organizations should create active controls that allows privileged users to execute certain, pre-defined tasks while blocking activities that present a high risk to the organization. Zero Trust concepts need to be applied to applications. If not users will have the ability to gain access to the application and, in the event that the application has the credential hardcoded, they can spoof it and validate the application. Then it’s game over.
The evolution of perimeter security has undoubtedly influenced the principles of Zero Trust, and the foundation of privileged access security draws a tight analogy, as it’s very much connected to these same principles. You cannot achieve true Zero Trust without incorporating privileged access security controls at the core of your strategy.
To learn more about Zero Trust, watch the Implementing Privileged Access Security into Zero Trust Models and Architectures webinar.
1 – Verizon, 2018 Data Breach and Investigations Report, March 2018
2 – FireEye, 2018 M-Trends Report, April 2018