Zero Trust. No, I’m not talking about the U.S. Presidential election. I am talking about cybersecurity. If you have not heard about the Zero Trust concept, here is a handy primer. Zero Trust is still an evolving concept (as my colleague recently pointed out). That said, the time has come to create a Zero Trust action plan.
Remember Implied Trust? Of Course, You Don’t
Before you can create a Zero Trust action plan you have to know what Zero Trust is. One way to understand Zero Trust is to remember what the concept replaced. I call it Implied Trust, though no one at the time ever gave it such a cute name.
Way back when—2004 or so—the security idea was to create a secure perimeter that would keep the bad actors out. If the perimeter was secure, and all your resources stayed inside the perimeter, you could trust that everything was secure. Hence, Implied Trust. You secured your perimeter. You checked to make sure there were no viruses inside the perimeter. Logically you could trust everything inside the network. If there is a moat around the castle and the gate is secure, everything inside the castle walls is safe and can be trusted.
The problem was people were not staying inside the castle. This idea called “mobility” was taking hold. People wanted to work wherever they were, not just inside the castle. And then there was that weird wooden horse that showed up one day with a sign reading, “You may have already won!”
Never Trust, Always Verify
Eventually, people started to question the notion that you could ever trust a person or device. Trojans and other malware were becoming much more prevalent. The time between discovery of a vulnerability and the creation of an exploit was rapidly shrinking. Out of this reality came Zero Trust. Its tagline—Never trust, always verify—was a spin on the famous Ronald Reagan phrase.
The first thing to remember as you create a Zero Trust action plan is that you must plan for a world where you cannot be sure that any device or user account is free of malware. Zero Trust does not mean abandoning your perimeter defense strategy. What it does mean is that you must do more.
Zero Trust has three guiding principles.
- You want to explicitly verify identity and access. Put procedures (such as multi-factor authentication) in place that give you confidence the person is who they say they are.
- Grant the least privileged access that still lets the person get their job done. Most users don’t need access to administrative systems. And those that do need access to such systems don’t need it all the time.
- Plan for a breach to occur. Think about how you can limit the damage that a breach might inflict. For instance, you might put Internet of Things (IoT) devices like web-connected cameras on their own wireless network.
Start with Identity
The first stop as you create a Zero Trust action plan is Identity. Is this user who they appear to be? Is that device one that I trust? I talked earlier about how mobility fractured the idea that perimeter security was a sufficient security approach. In a comparable way, the proliferation of personal devices with network access has challenged the idea that you can trust the device because you provided it to the user.
If you use Active Directory (AD) as your identity management system, we recommend that you migrate to Azure Active Directory. If AD is not for you, make Okta or another identity management service your cornerstone. Make sure that access requires a complex password. Use multi-factor authentication.
Connect your other applications to your identity management service via Single Sign-On (SSO). Eliminate separate usernames and passwords for each application (your users will love you for that). Every separately managed credential is one more password that can be phished, reused or left behind when someone leaves; consolidating them behind SSO removes those attack paths.
As you create a Zero Trust action plan remember that you want to grant the appropriate level of access to the user and device. You know what applications and data each user needs. Give them access to that and restrict access to other applications and data.
Finally, monitor access activity. Are you seeing instances of multiple failed login attempts? Do you see attempts to access the network from places your users don’t frequent? Are there access attempts occurring outside of normal business hours? These activities can indicate attempts to break into your network.
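As an added illustration of the monitoring questions above (this is example code, not part of the original post), the following Python script screens a handful of constructed sign-in records for the three signals listed: a burst of failed logins, a successful sign-in from a country outside the user's usual set, and sign-ins outside business hours. The log line format, the per-user baseline of usual countries, the five-failures-in-ten-minutes threshold and the 08:00-18:00 UTC weekday business hours are all assumptions made for the example.

```python
"""Screen sign-in events for three patterns worth reviewing:
bursts of failed logins, successful sign-ins from unfamiliar countries,
and sign-ins outside business hours. Runs offline on constructed data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records (not real log data). Assumed format:
# ISO-8601 UTC timestamp, user, source IP, country, result.
SAMPLE_LOG = """\
2020-11-09T09:05:00Z alice 198.51.100.10 US success
2020-11-09T09:30:00Z bob 198.51.100.11 US success
2020-11-09T02:12:00Z alice 203.0.113.7 RU failure
2020-11-09T02:12:30Z alice 203.0.113.7 RU failure
2020-11-09T02:13:00Z alice 203.0.113.7 RU failure
2020-11-09T02:13:30Z alice 203.0.113.7 RU failure
2020-11-09T02:14:00Z alice 203.0.113.7 RU failure
2020-11-09T02:14:30Z alice 203.0.113.7 RU success
2020-11-10T14:00:00Z bob 198.51.100.11 US failure
2020-11-10T14:00:00Z bob 198.51.100.11 US success
2020-11-10T22:45:00Z bob 198.51.100.11 US success
"""

# Countries each user normally signs in from (constructed baseline; in
# practice you would derive this from a trailing window of successes).
BASELINE = {"alice": {"US"}, "bob": {"US"}}

# Assumed business hours: 08:00-18:00 UTC, Monday to Friday.
BUSINESS_HOURS = (8, 18)


@dataclass(frozen=True)
class SignIn:
    when: datetime
    user: str
    ip: str
    country: str
    ok: bool


def parse_events(text):
    """Parse the assumed log format into SignIn records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(SignIn(when, user, ip, country, result == "success"))
    return sorted(events, key=lambda e: e.when)


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Map user -> largest number of failures seen inside any sliding window
    of the given length, for users who reach the threshold."""
    failures = defaultdict(list)
    for e in events:
        if not e.ok:
            failures[e.user].append(e.when)
    hits = {}
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[user] = max(hits.get(user, 0), count)
    return hits


def unusual_locations(events, baseline):
    """Successful sign-ins from a country outside the user's baseline."""
    return [e for e in events if e.ok and e.country not in baseline.get(e.user, set())]


def off_hours(events, hours=BUSINESS_HOURS):
    """Successful sign-ins on a weekend or outside the business-hour range."""
    start, end = hours
    return [e for e in events
            if e.ok and (e.when.weekday() >= 5 or not start <= e.when.hour < end)]


def review(text, baseline):
    """Run all three checks and return the findings in one dict."""
    events = parse_events(text)
    return {
        "failed_bursts": failed_login_bursts(events),
        "unusual_location": [(e.user, e.country) for e in unusual_locations(events, baseline)],
        "off_hours": [(e.user, e.when.isoformat()) for e in off_hours(events)],
    }


if __name__ == "__main__":
    for name, findings in review(SAMPLE_LOG, BASELINE).items():
        print(name, findings)
```

On the sample data the script flags alice for five failures in under three minutes followed by a success from a country she has never signed in from, and flags both alice's 02:14 and bob's 22:45 sign-ins as off-hours. Real input would come from your identity service's sign-in log export, and the thresholds and baseline should be tuned to how your users actually work before any of these findings are treated as more than a prompt for a closer look.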
You’re Off to a Good Start
If you accomplish these identity management steps, you are off to a good start with your Zero Trust action plan. I will cover some additional actions you can take with identity management in a future post. And (naturally) there are other areas to secure. Even so, these identity management steps will provide immediate benefit and give you some breathing room to contemplate your next set of actions. And if you would like to read ahead, Microsoft has a well-organized paper on Zero Trust here. The examples they use tend to be Microsoft-specific, but the principles they describe will apply regardless of the technology you use. Enjoy!