Date breaches most often originate from a remote endpoint or device that shouldn’t have access to the breached resources in the first place — often involving nothing more than a stolen username and password. Wouldn’t it be nice if we could reduce the attack surface from every computer or device on earth to only the protected systems that should have access in the first place? That may sound like a pipe dream, but the reality might be closer than you think with the right setup.
As I wrote before, security starts with protecting users. First, we must verify every user to make sure we know who they are and that they only have access to what they need. This verification is done through adaptive multi-factor authentication and tools like single sign-on, coupled with behavior-based machine learning that can make intelligent access decisions in real-time based on user context and risk. . With that in place, we’ve already dramatically reduced the attack surface so that an attacker who has a stolen password can’t simply log in from anywhere, or reuse that same login credential over and over again.
Verifying every user is an important first step. However, after that, the challenge remains that there are still many ways that applications, systems or networks can be compromised. Anyone with the right credentials can still successfully log on. What happens when a bad guy has acquired both the user’s login credentials and a clone of the user’s device, as is the case with the phenomenon of SIM-swapping? MFA alone may not protect against that scenario.
So how can you take your security posture to the next level to protect against this? The answer is simple. If “verify every user” represents your leading left hand jab, then “validate every device” is the follow-up right cross of a Zero Trust strategy. Here’s how to master the Zero Trust one-two punch combo to land a devastating blow to the bad guys’ chance of breaking through your guard.
Come out swinging when it comes to device context and security
Everything online typically comes from accessing a device, so we should care a lot about the security posture and permissions that each device has. Organizations wouldn’t want some rogue server operating on their network, so why then a rogue mobile device or laptop?
But understanding every computer or mobile device that might have access is becoming increasingly difficult in a world where our professional and personal lives are more intertwined than ever before. We use our personal laptops, smartphones, and tablets to access work apps or emails after hours and at home, on the road, or even 30,000 feet in the air. To suddenly cut-off that access for pre-authorized, work-issued devices would be a huge knock to users’ productivity. That’s where the Zero Trust model comes in.
Instead, we want to make sure that every device is being used in a secure manner. It should have a screen-lock policy enforced, , and proper credentials – because we don’t want passersby or someone who steals the device to use that, get in, and establish repeatable access. Configure device access to reflect best practices – each device should only do what it needs to do. This is done through device management capabilities, which many companies have tried to buy for each system. However, a next-gen access approach integrates these capabilities into the system so that we know good security policy is always baked into each and every device that gains access.
Roll with the punches using next-gen access
Once we know that a device has the right security posture and the user is the real deal, this can be used as a proxy for all sorts of context. User behavior thus becomes a powerful new technique to make smarter access decisions.
Today, Zero Trust empowered by next-gen access technology (like Idaptive) can use location or other behaviors to determine whether to grant instant access or introduce additional hurdles to confirm their identity. In the future, we’ll be able to use even more behaviors of the user on the device for context – such as whether they’re typing at a normal pace or moving their mouse as they usually do. This is called behavioral biometrics, and is important because it could tell whether the person using the device is real, and make sure it’s not a rogue virus or trojan that has taken the machine or is pretending to be the user.
All of these add up together to whether we can trust the device, and trust the user on the device, and therefore allow it to have the access that it’s requesting. Recently, this has been much more difficult to do because the modern business is no longer a bunch of PCs chained to a desk in a room. All workers today have laptops and their own mobile devices, and try to access things remotely. We even have people other than direct employees – such as partners, other vendors or third-party consults – that all need access to our apps and services as well. That complexity requires a system that makes sure what is let in is both 1) in good security posture, and 2) used by the right people.
In our modern threatscape, the barriers to keep the bad guys out are no longer firewalls. Resources are increasingly located outside of physical walls in the cloud, off-site databases, or partner systems. There’s no longer the ability to put a security barrier on a remote SaaS system your organization doesn’t own, or to restrict access to only a predetermined set of devices.
Because our apps, services, and systems are so widespread, we need to spread access control to users and their devices. That means making sure we verify every user and validate every device with every login. That’s the one-two punch of Zero Trust.
Stay tuned. In my next blog post, I’ll spell out the ways that an organization can “intelligently limit access” within the Zero Trust framework.
Read the Zero Trust series here:
Zero Trust Series – 1 What Is Zero Trust and Why Is it So Important?
Zero Trust Series – 3 Imposter Syndrome: Why You Can’t Separate the “Good Guys” from the “Bad Guys”
Zero Trust Series – 4 Passwords are Just one Piece of the Cybersecurity Puzzle
Zero Trust Series – 6 Protect, Detect, Deter, Respond is Not a Security Strategy.
Zero Trust Series – 7 Upping the Security Ante: How to Get Teams’ Buy-in for Zero Trust
Zero Trust Series – 8 Next-Gen Access and Zero Trust are the PB&J of Security
Zero Trust Series – 9 Passwords Need Fixing. Zero Trust is the Solution.
Zero Trust Series – 10 The One-Two Punch of Zero Trust. Verify Every User, Validate Every Device.
Zero Trust Series – 12 Grow Up! Plotting Your Path Along the Zero Trust Maturity Model