The perimeter model is broken
Historically, the fundamental security model was to erect a “perimeter” around the corporate network and assume anyone inside was “trusted” and anyone on the outside was “untrusted.” Cue worn-out security clichés and metaphors: “crunchy on the outside, soft and chewy on the inside,” a “moat and castle,” etc. This model has come under increasing attack, because the perimeter has become less relevant.
To take an extreme example, a user (employee, partner, supplier, etc.) could be accessing a corporate application hosted in the cloud (maybe a SaaS app or a custom app built on IaaS or PaaS) with an unmanaged device from a coffee shop. At no point will either the user or the device traverse the internal network or network security controls.
We need a new way of thinking about security
Clearly we need a new way of thinking about security, and a new paradigm has been gaining momentum in recent years, referred to most commonly as “Zero Trust networks,” but also often conflated with other terms such as BeyondCorp (following Google’s internal deployment), software-defined perimeter (SDP) and micro-segmentation. Each of these terms has a subtly different meaning, but they are often used interchangeably.
Moving Beyond the Perimeter
So what is Zero Trust? Though there are many definitions, at a high level, Zero Trust does away with the notion of “inside” and “outside,” and nothing is assumed to be trusted. Most importantly, access to resources is based more on “who” you are than “where” you are, which implies that identity moves from being a secondary security consideration in the old “on-prem” world to playing a central role in this new security paradigm.
Another way to think about Zero Trust is that it’s really an extension of the principle of least privilege: Only grant users (or services) access to those things they specifically need to do their jobs, and nothing more, which implies more granular access controls than most firms have historically relied upon. VPNs, for example, typically provide broad access to an entire flat network, or network segment, which presents obvious security risks.
Components of Zero Trust
So what is needed to roll out Zero Trust? For starters, if “trust” based on location or network segment is no longer sufficient, it follows that authenticating and authorizing users before granting access to any resources is a critical component of any Zero Trust initiative. User authentication can occur via simple passwords, challenge questions or other forms, though ideally it will rely on some form of multi-factor authentication (MFA).
And with the growth of containers, microservices and IoT, authentication and authorization will increasingly need to be capable of addressing more than humans. In addition to authenticating users, a Zero Trust architecture will have some way of verifying the devices they are using, and ideally, some way of verifying the security status of those devices via some form of endpoint posture checking.
Who can do what?
Once users and devices have been verified, a Zero Trust system also needs a way to determine what those users and devices are allowed to do, and this can be done via ties to Active Directory, other LDAP directories or maybe to an identity provider (IdP) like Ping Identity, Microsoft or Google.
Lastly, Zero Trust requires some sort of policy engine to create and manage access rules, as well as an enforcement layer to ensure that corporate access policies are followed, either by alerting, blocking, dropping sessions or asking users to “step up” with higher levels of authentication.
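The components above (verified identity, device posture, directory-based authorization, and a policy engine whose enforcement outcomes are allow, block, or step-up) fit together in a small decision function. The following is an added example, not code from the article or from any vendor product; every user, group, device and resource value in it is constructed, and the session-age rule stands in for the continuous re-authentication the article asks for.

```python
"""Added example: a minimal Zero Trust policy engine. The decision depends on
who the subject is, how strongly they authenticated, what their device looks
like, and what the resource requires. Network location is never an input."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # ask the user for a stronger factor
    DENY = "deny"         # block the request / drop the session


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset      # group membership pulled from a directory or IdP
    mfa_level: int         # 0 = password only, 1 = OTP, 2 = phishing-resistant
    session_age_s: int     # seconds since the last interactive authentication


@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled in device management
    disk_encrypted: bool   # posture attribute reported by the endpoint agent
    os_patched: bool       # posture attribute reported by the endpoint agent


@dataclass(frozen=True)
class Resource:
    name: str
    required_group: str    # least privilege: one group per resource
    min_mfa: int           # factor strength this resource demands
    max_session_age_s: int # forces periodic re-auth (continuous authentication)
    managed_device_only: bool


def evaluate(subj: Subject, dev: Device, res: Resource) -> tuple:
    """Return (Decision, reason). Rules run from hard denials to step-ups."""
    if res.required_group not in subj.groups:
        return Decision.DENY, "subject not authorized for resource"
    if res.managed_device_only and not dev.managed:
        return Decision.DENY, "unmanaged device"
    if not (dev.disk_encrypted and dev.os_patched):
        return Decision.DENY, "device posture check failed"
    if subj.mfa_level < res.min_mfa:
        return Decision.STEP_UP, f"resource requires MFA level {res.min_mfa}"
    if subj.session_age_s > res.max_session_age_s:
        return Decision.STEP_UP, "session too old, re-authenticate"
    return Decision.ALLOW, "all policy checks satisfied"
```

A real deployment would feed `Subject` from the IdP token and `Device` from an endpoint agent, and would log every non-ALLOW decision so the enforcement layer can alert as well as block.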
MFA and Zero Trust
While there are clear benefits to deploying a Zero Trust approach, there are also some notable challenges, some of which may be daunting. For starters, Zero Trust can be complex, with lots of moving parts. One way of helping manage this complexity is to address Zero Trust with a “phased” or “layered” approach.
For example, simply adopting MFA more broadly throughout the organization would go a long way to improving an organization’s overall security posture. Most modern breaches are the result of compromised credentials, yet data from 451 Research’s Voice of The Enterprise (VoTE) service shows that only 51% of enterprises have adopted MFA, despite the well-known limitations and inherent security risks of password-only authentication. And one of the reasons for that low adoption rate is that historically, MFA has meant a poor user experience.
However, new approaches have enabled ways of adopting MFA while maintaining a positive user experience, and forward progress in security may be dependent on more automation and better adaptive mechanisms to smooth out the user experience, which in our view implies a greater role for machine learning and AI.
Another challenge with MFA and single sign-on is that they are binary—once you’re in, you’re in, and the authentication system has little insight into what actions a user takes post-login. Ideally, authentication will also be continuous, and be able to detect compromised credentials or prevent man-in-the-middle attacks post-login.
The countdown to Zero Trust has begun, but Ping Identity is already launching smart technologies that are making a passwordless future more and more of a reality. If you are at RSA Conference 2019 March 4-8, make sure to stop by booth 427 in the south hall to join Ping Identity in the countdown to Zero Trust.