We will discuss the following five technologies:
- Conditional Access
- Multi-factor Authentication
- Single Sign-on
Zero Trust started off in 2009 as the brainchild of John Kindervag, Palo Alto Networks Field CTO, who was then at Forrester. The original idea, to oversimplify, was “never trust, always verify.” For example, a computer on a network inside the firewall should not automatically be granted access to everything inside the firewall. Think of a candy with a hard crust and a soft center.
Things have evolved since then, but the basic insight has become even more relevant. First, bad people get into networks in all kinds of ways: credential spoofing (e.g. using passwords acquired through phishing), brute-force attacks on access points, unguarded ports, and so on. Once inside, they move across the network and try to escalate their access privileges to work their evil will. What is to stop them then?
The matter has become more complicated because it is no longer just a question of defending a local area network and its systems. It’s about granting, and testing, access to anything, anywhere on the Internet, from anything, anywhere on the Internet.
Oversimplifying Zero Trust to Make It Useful
So, how do we simplify this? First, if it were really “Zero Trust,” nobody would ever be trusted, so nobody would ever get access to anything. It’s really “How much verification do you require, of whom, under what circumstances, so they can do what?”
As such, it has two sides: Under what conditions is somebody allowed access (When do you trust them?), and what do they get access to (What do you trust them to do?)
On the side of verifying access rights, you have multi-factor authentication, conditional access, and single sign-on. On the side of limiting access to the verified, you have micro-segmentation, least privilege access, more uses of conditional access, and monitoring.
Conditional access technologies, such as Azure AD and its necessary related products, are a good place to start. A good conditional access system can require all kinds of things before granting access, such as attributes of the user, the user’s device, the user’s location, the application requesting access, etc. It can also apply varying controls depending on how completely the access conditions are satisfied, and it can limit the assets to which the request is given access.
Conditional access technology works best if it is combined with single sign-on technology. You want each user to have only one identity for access from anywhere to anywhere. It’s easier to see what goes wrong with an identity when each user only has one, in one system. Single sign-on is also convenient for users.
Of course, this raises the question of “Shadow IT,” which has become so important during COVID because so many people are accessing non-organizational web apps from home. It’s best to identify them and choose which to support and which to eliminate.
In terms of adoption, single sign-on and multi-factor authentication (MFA) seem to be leading the pack. Multi-factor authentication seems to be overcoming the adoption issue, which is great. It remains to be seen how long it maintains its security edge, now that some malefactors have found ways to get around it, as I mentioned recently. These methods are labor-intensive, so they may initially be aimed at targets that are potentially very profitable.
It is possible to configure some conditional access systems to selectively require MFA under certain conditions, such as a login from a previously unauthorized device or location. When possible, however, combining with single sign-on is the best approach.
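The selective-MFA behaviour described above (require MFA off the corporate network, always for admins, block when a device cannot satisfy a control, block guests from internal apps) as a small policy evaluator. This is an added example written for this page, not Azure AD’s engine or any vendor’s code: the policy names, groups, apps, network labels and sign-ins are all constructed, and the “most restrictive outcome wins” combination rule is an assumption of the example.

```python
"""Toy conditional access evaluator (added example, not Azure AD or vendor code).
A sign-in carries signals (groups, app, network, device state, whether a second
factor was already presented); policies map them to allow / require MFA / block,
and the most restrictive outcome wins. Every name and value is constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

TRUSTED_NETWORKS = frozenset({"corp"})  # constructed trusted-network label

class Decision(IntEnum):
    # Ordered so that max() over policies gives the most restrictive outcome.
    ALLOW = 0
    REQUIRE_MFA = 1
    BLOCK = 2

@dataclass(frozen=True)
class SignIn:
    groups: frozenset
    app: str
    network: str
    device_compliant: bool  # passes the organisation's device health checks
    mfa_completed: bool     # a second factor was presented in this session

@dataclass(frozen=True)
class Policy:
    name: str
    apps: Optional[frozenset] = None       # None: applies to every app
    groups: Optional[frozenset] = None     # None: applies to every user
    only_untrusted_networks: bool = False  # applies only off trusted networks
    require_mfa: bool = False
    require_compliant_device: bool = False
    block: bool = False

def applies(policy, signin):
    """True when the policy's conditions match this sign-in."""
    if policy.apps is not None and signin.app not in policy.apps:
        return False
    if policy.groups is not None and not (signin.groups & policy.groups):
        return False
    if policy.only_untrusted_networks and signin.network in TRUSTED_NETWORKS:
        return False
    return True

def evaluate_policy(policy, signin):
    """Outcome of one policy with a reason; ALLOW if it does not apply."""
    if not applies(policy, signin):
        return Decision.ALLOW, None
    if policy.block:
        return Decision.BLOCK, f"{policy.name}: blocked"
    # A control this sign-in cannot satisfy denies access outright; MFA is a
    # challenge the user can still complete, so it is reported separately.
    if policy.require_compliant_device and not signin.device_compliant:
        return Decision.BLOCK, f"{policy.name}: compliant device required"
    if policy.require_mfa and not signin.mfa_completed:
        return Decision.REQUIRE_MFA, f"{policy.name}: MFA required"
    return Decision.ALLOW, None

def evaluate(policies, signin):
    """Combine all policies: the most restrictive decision wins."""
    decision, reasons = Decision.ALLOW, []
    for policy in policies:
        outcome, reason = evaluate_policy(policy, signin)
        if reason:
            reasons.append(reason)
        decision = max(decision, outcome)
    return decision, reasons

POLICIES = (  # constructed policy set
    Policy("mfa-off-network", only_untrusted_networks=True, require_mfa=True),
    Policy("admins-always-mfa", groups=frozenset({"admins"}), require_mfa=True),
    Policy("finance-needs-compliant-device", apps=frozenset({"finance"}),
           require_compliant_device=True),
    Policy("guests-no-internal-apps", groups=frozenset({"guests"}),
           apps=frozenset({"finance", "hr"}), block=True),
)

def staff_signin(**overrides):
    """Constructed baseline sign-in; keyword overrides vary one signal at a time."""
    base = dict(groups=frozenset({"staff"}), app="mail", network="corp",
                device_compliant=True, mfa_completed=False)
    base.update(overrides)
    return SignIn(**base)

if __name__ == "__main__":
    for label, signin in {
        "staff on corp network": staff_signin(),
        "staff from home": staff_signin(network="home"),
        "admin on corp network": staff_signin(groups=frozenset({"admins"})),
        "guest from home to finance": staff_signin(
            groups=frozenset({"guests"}), network="home", app="finance"),
    }.items():
        decision, reasons = evaluate(POLICIES, signin)
        print(f"{label}: {decision.name} {reasons}")
```

The point of separating REQUIRE_MFA from BLOCK is the one the post makes: MFA is a step-up the user can complete, while an unsatisfiable control (a non-compliant device, a blocked group) ends the request. Keeping the reasons list makes the decision auditable, which matters when a single identity is used from anywhere to anywhere.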
The Other Side
Configuring where somebody may go, and watching them do it so you can detect bad actors, is the other side of the Zero Trust coin. Some of this can be done through conditional access technology, some can be done through next-generation firewalls, and there are also independent micro-segmentation products to regulate the flow of workloads across networks. Some of these products are aimed at the users’ machines on the edge and promise, for example, that ransomware on any endpoint can be kept from infecting any other system.
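To make the micro-segmentation promise concrete, here is an added example (not any product’s code) of a default-deny segment policy: workloads carry a segment tag, only explicitly listed segment-to-segment flows pass, and a small reachability walk shows the network-level blast radius from one compromised endpoint under the segmented rules versus a flat network. Hosts, segment names, rules and flow records are all constructed for illustration.

```python
"""Default-deny micro-segmentation check (added example, not any product's code).
Workloads carry a segment tag; traffic passes only if an explicit rule permits the
(source segment, destination segment, port) triple. Endpoint-to-endpoint traffic
has no rule, so one infected endpoint cannot reach another. All hosts, segments,
rules and flows below are constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src_segment: str            # "*" matches any segment
    dst_segment: str
    ports: Optional[frozenset]  # None matches any port

def matches(rule, src_seg, dst_seg, port=None):
    """Rule match with wildcards; port=None asks 'any port at all?'."""
    return (rule.src_segment in ("*", src_seg)
            and rule.dst_segment in ("*", dst_seg)
            and (port is None or rule.ports is None or port in rule.ports))

# Constructed inventory: host -> segment tag.
SEGMENTS = {
    "laptop-alice": "endpoint",
    "laptop-bob": "endpoint",
    "web-1": "web",
    "db-1": "database",
    "jump-1": "admin",
}

# Segmented policy: only the flows the application actually needs.
RULES = (
    Rule("endpoint", "web", frozenset({443})),
    Rule("web", "database", frozenset({5432})),
    Rule("admin", "web", frozenset({22})),
    Rule("admin", "database", frozenset({22})),
)

# A flat network for comparison: everything may talk to everything.
FLAT_RULES = (Rule("*", "*", None),)

def is_allowed(src_host, dst_host, port, rules=RULES):
    """Default deny: unknown hosts and unlisted flows are refused."""
    src, dst = SEGMENTS.get(src_host), SEGMENTS.get(dst_host)
    if src is None or dst is None:
        return False
    return any(matches(r, src, dst, port) for r in rules)

def audit(flows, rules=RULES):
    """Return the flow records the policy would have dropped."""
    return [f for f in flows if not is_allowed(*f, rules=rules)]

def reachable(start_host, rules=RULES):
    """Hosts a compromised start_host could reach, hop by hop, on any port:
    the network-level blast radius under the given rule set."""
    seen, frontier = set(), [start_host]
    while frontier:
        current = frontier.pop()
        for host, seg in SEGMENTS.items():
            if host == start_host or host in seen:
                continue
            if any(matches(r, SEGMENTS[current], seg) for r in rules):
                seen.add(host)
                frontier.append(host)
    return seen

# Constructed flow records: (source host, destination host, destination port).
FLOWS = [
    ("laptop-alice", "web-1", 443),
    ("laptop-alice", "laptop-bob", 445),  # endpoint to endpoint: no rule, dropped
    ("laptop-alice", "db-1", 5432),       # endpoint straight to database: dropped
    ("web-1", "db-1", 5432),
    ("jump-1", "db-1", 22),
    ("rogue-box", "db-1", 5432),          # untagged host: dropped
]

if __name__ == "__main__":
    for flow in audit(FLOWS):
        print("dropped:", flow)
    print("segmented blast radius from laptop-alice:",
          sorted(reachable("laptop-alice")))
    print("flat-network blast radius from laptop-alice:",
          sorted(reachable("laptop-alice", FLAT_RULES)))
```

The reachability walk is the part worth keeping around: it turns a rule table into the question a defender actually asks ("if this laptop is compromised, what can it touch at the network layer?"), and it shows the difference between a flat network, where the answer is everything, and a segmented one, where an endpoint can only reach the web tier directly.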
Monitoring continues to be complex. Smaller organizations may find this the most difficult Zero Trust technology to use effectively, because it requires expertise on the part of the analyst. Some organizations have found that hiring a part-time security consultant is enough to make this work.
In the end, I think Zero Trust is most valuable because it can move you from a reactive, whack-a-mole stance to one based on adding an access-based architecture, with varying requirements prior to granting trust. I suspect that some have adopted the component technologies and products without seeing how they fit into an architecture. Hopefully, at least for laggards, this analysis helps.