From the philosophy behind it, to the technology that powers it, at Idaptive we’ve talked about Zero Trust a lot (see the list of the entire Zero Trust blog series at the bottom of this post). That’s a good thing because all big shifts in both strategy and approach take repetition, repetition, repetition (see what I did there?) before they gain universal understanding and buy-in. Let’s wrap up this series by highlighting six things you can do to move down the path to achieving a Zero Trust security posture.
1) Never trust, always verify
Zero Trust is actually pretty simple. It all starts with a mindset, and the mantra that guides it: “never trust, always verify.”
Don’t automatically trust users or devices because they have access to your network. Doing so assumes that your security perimeters are secure (hint: they’re not) and you’re able to definitively separate the “good guys” from the “bad guys” as they enter your perimeter. Instead, organizations must shift their mindset and examine the context of every access attempt — regardless of where the resources resides — in order to verify every user, on every device, for every access attempt, every time.
This is easier said than done, but once an organization has transformed its security culture to place Zero Trust at the foundation, it simply becomes how security happens. That’s “never trust, always verify.”
2) Adopt MFA here, there, and everywhere
Hands down, multi-factor authentication (MFA) is the single-best line of defense against unwanted guests wielding compromised credentials. But the effectiveness of MFA is dependent on how it’s adopted and consistently used across an organization.
Malicious actors are like water flowing down a hill — they will always take the path of least resistance. If one of your users are not using MFA somewhere, they’re going to find that user and exploit that vulnerability. Most companies today use pockets of MFA for only certain resources like VPN, or a different MFA solution for an individual application. This approach leads to varying and inconsistent user experiences, and leave significant gaps where MFA is not applied.
Even with a consistent method to apply MFA capabilities across all apps and services, at best, users are prompted to verify their identity every time they access any resource (which can be annoying and impact productivity). At worst, MFA isn’t used on some apps and services, creating the path for bad actors to flow right into your networks.
For true Zero Trust, organizations should use a platform approach that applies MFA to every app and service and integrates with other features to improve users’ productivity instead of hindering it.
3) Avoid the use of VPN where possible, and adopt an application gateway instead
Supporting the shift to remote work has been at the top of every IT team’s to-do list over the last two months. Many companies have chosen to go the virtual private network (VPN) route. While good for a quick fix, VPN connections can often be pricey — and if not maintained and implemented properly — expose wide swathes the corporate network to bad actors, when only limited access to certain critical applications is needed.
You could secure remote access in the short-term using MFA on the VPN instead of passwords alone, but a more Zero Trust-oriented solution is to provide VPN-less access directly to on-prem apps through an application gateway, limiting access to only those apps that a user needs. This mitigates the risk inherent in VPN connections, and replaces it with secure, behind-the-firewall access to individual on-premise applications.
By using a cloud-based gateway there’s no hardware to install or maintain, no firewall rules to change, and no need to provide full network access for external users (remote employees, but also vendors and partners.) It’s your IT team’s remote access wish list gift-wrapped in Zero Trust packaging.
4) Fuse single sign-on with MFA to maximize user productivity
Single sign-on (SSO) is a powerful tool that saves users hundreds of hours managing logins and businesses millions of dollars in boosts to productivity. Alone, it’s a double-edged sword that can greatly decrease an organization’s attack surface, but also increases the impact of a breach because of its centralized access.
But Zero Trust has an answer. SSO can be combined with MFA to form a potent pairing that eliminates the need to enter multiple passwords — without giving up the keys to the kingdom when one login is compromised. SSO and MFA together create additional layers of security that require both the user and their device to be verified, making access both secure and transparent for the end-user.
5) Balance security with usability through conditional and risk-based access
With SSO and MFA working in concert, the next step on the Zero Trust journey veers into what we call “Next-Gen Access” territory. Next-Gen Access marries these capabilities with artificial intelligence and machine learning to verify identity and make access decisions in real-time.
Whether using a recognized device from the office or a personal laptop from a remote location, conditional and risk-based access tools prompt users with just the right amount of security steps to verify authenticity every time — without sacrificing security. Next-Gen Access platforms do the heavy lifting to understand and assess user behavior, develop a unique model for each of them, and then grant access based on risk— so that security is properly balanced with a killer user experience
6) Look for identity and access management solutions that work well together, and make integrating with your existing and future IT environment easier
Once you’ve come this far, you’ve probably realized that the key to Zero Trust is picking the right tools for the job. It’s critical that you pick identity and access management solution(s) that work well together, and can integrate with your existing and future IT environments with ease.
Find a vendor that has capabilities for each of the use cases I discussed here today, instead of just one. Most companies who stumble on this leg of the journey tend to do so when they try a hodgepodge of different vendors and aren’t able to create the uniformity and consistency for a truly Zero Trust security posture. Look for a platform that offers a strong partnership and support offerings with other solutions, and a rich history of excellence around Zero Trust and can walk you down the path.
Reaching Zero Trust maturity
So what happens to organizations that adopt a Zero Trust strategy? In addition to protecting valuable business, customer, or partner data — studies have shown that mature Zero Trust organizations experienced 50% fewer breaches. They also spent 40% less on technology related to identity and access management when taking a platform approach versus buying and integrating individual IAM products, because everything is integrated. An integrated solution avoids a lot of the extra effort required when managing different products, infrastructure, IT systems, applications, and more. And it costs less to adopt a platform for Zero Trust identity than to try to piecemeal a solution together.
Perhaps more valuable though, a Zero Trust security strategy creates an organization that’s empowered to get things done. In a separate Forrester report, businesses that had adopted Zero Trust had twice the confidence in their ability to drive new business models forward and bring digital experiences to market. In addition, 66% were more confident in adopting mobile and remote work models, which even after COVID-19 subsides — will continue to be paramount in our new, post-coronavirus reality.
Better security and fewer breaches should be table stakes, but improving productivity, user experiences, and bringing value to customers are what defines successful companies. That’s what this approach to security can do. That’s Zero Trust.
White paper: The Rise of AI-Powered Identity Security
Webinar: Achieve Zero Trust with Idaptive
Read the Zero Trust series here:
Zero Trust Series – 1 What Is Zero Trust and Why Is it So Important?
Zero Trust Series – 3 Imposter Syndrome: Why You Can’t Separate the “Good Guys” from the “Bad Guys”
Zero Trust Series – 4 Passwords are Just one Piece of the Cybersecurity Puzzle
Zero Trust Series – 6 Protect, Detect, Deter, Respond is Not a Security Strategy.
Zero Trust Series – 7 Upping the Security Ante: How to Get Teams’ Buy-in for Zero Trust
Zero Trust Series – 8 Next-Gen Access and Zero Trust are the PB&J of Security
Zero Trust Series – 9 Passwords Need Fixing. Zero Trust is the Solution.
Zero Trust Series – 10 The One-Two Punch of Zero Trust. Verify Every User, Validate Every Device.
Zero Trust Series – 12 Grow Up! Plotting Your Path Along the Zero Trust Maturity Model