The reality of a distributed workforce has changed the notion of a corporate security perimeter. Organizations are no longer securing just a single office building. This was becoming the reality even before the pandemic forced companies to move their workforce remote.
Modern organizations require a comprehensive security strategy to manage today’s technological complexities, and zero-trust security fulfills this need. It treats every network request as a potential breach and verifies it as if it originated from an unauthenticated source. With cyberattacks such as ransomware becoming more brazen, we can no longer afford to assume that everything behind the corporate security perimeter is secure.
Today, we’ll dive into the concept of zero-trust security and discuss how you can implement it in your organization.
Why do we need zero-trust?
These days, companies allow employees to access important business assets from remote devices and cloud software. Connections to these precious company resources must be secured regardless of where they originate. Security must evolve with how we use technology, and the static security perimeters that we once relied upon are now insufficient.
An increasing number of organizations find that they must continuously exchange valuable data between cloud applications, remote devices, IoT devices, and data centers. All of these moving parts make the lives of cybercriminals much easier while making the lives of security specialists harder.
Because of the variety of available entry points, it may take months or even years for organizations to identify breaches and intrusions. During this time, cybercriminals can steal important data while inflicting massive damage on company assets. A more open digital landscape in business can encourage greater productivity from anywhere, but proper steps must be taken to maintain company security without tangible perimeters.
The basics of zero-trust
The National Institute of Standards and Technology (NIST) provides a comprehensive guide on zero-trust architecture, but we’ll break down the basics for you here. At its core, zero-trust architecture is based on three principles:
- Requiring explicit verification
- Use of least privileged access
- Assumption of a breach
Every request must be fully authenticated, authorized, and encrypted before granting access, and this rigorous verification of identities must be based on all available data points. By default, no workload or user should be trusted, regardless of their location (inside or outside the organization’s secure boundaries).
Whether workers are at a home office or on some far-off tropical island, strong policies are at the core of zero-trust. They enable you to secure a mobile workforce while still facilitating maximum productivity. To ensure that an effective zero-trust strategy is in place, minimal access to resources and information based on legitimate business purposes should be enforced.
As such, organizations should limit user service and application access by implementing:
- Just-in-time (JIT) access management
- Just-enough-access/administration (JEA)
- Risk-based adaptive policies
- Data protection controls
Software development firms and technology companies should adopt a zero-trust approach early in the development stages. This may involve shifting security to the left and developing products, such as firmware, that embody zero-trust.
Of course, this will require companies to hire new capable staff or upskill current staff. You can expect to pay between $60 and $80 an hour for an experienced freelance developer who understands cybersecurity. You will also want to train every employee on good cyber hygiene and the zero-trust philosophy so they understand why changes are being made.
Before zero-trust: The old paradigm
To further highlight how zero-trust architecture has changed the security landscape, let us examine how companies typically secured remote access to software services in the past.
The traditional model consisted of services hosted on-premises or on a remote server over which the company had complete control. Often, connections to these services were facilitated by a virtual private network (VPN), and the VPN would be hosted in a demilitarized zone (DMZ). Users had to provide credentials to access the VPN, typically a username and password.
This was before multi-factor authentication (MFA), which secures websites and web services with more than one form of verification, became widespread. Once the verification process was completed, the VPN would provide the user with an IP address, allowing the user into the company’s internal network where the applications and services were hosted.
Since the majority of breaches result from stolen or weak passwords, it was clear that single-factor authentication was no longer viable. Plus, one of the biggest challenges of a VPN from a security standpoint is that it often gives users unmitigated access to other internal network assets. For instance, once a user logs into an SSH server, they can pivot to other places in the network. Unless other security measures on the network provide mitigation or restrict that movement, the VPN can become a dangerous vector for a potential cyberattack.
How zero-trust shifts the paradigm
One of the biggest disadvantages of cloud-first architecture is limited visibility, which is something the zero-trust model addresses. To update the previous example using zero-trust principles, we will first need to replace the traditional VPN with a reverse proxy. It will be responsible for brokering access into the internal network.
Additionally, we’ll add a single sign-on gateway. The most popular and effective protocol for single sign-on solutions is the Security Assertion Markup Language (SAML). When users try to access on-premise resources, they’ll need to connect to the reverse proxy using their browser or a local application. The reverse proxy will connect them to the single sign-on gateway, which will then communicate with a company-configured identity source (such as an on-premise directory) to authenticate the user.
If resources are located in the cloud, the single sign-on gateway will grant them direct access. Because authentication is done on a gateway that the company controls, the company determines what policies are applied for entry. This allows the company to apply the same policies to cloud-based apps that it applies to on-premise services. However, there is a slight difference in how the reverse proxy handles connections to on-premise resources.
Typically, the proxy would connect the user to the single sign-on gateway, authenticating the connection and then sending it back to the broker. Upon verification, the proxy would then tunnel the user into each individual service or application they have the authority to access.
For organizations running a hybrid cloud, the transition is seamless and unnoticeable to end-users. They won’t be able to tell the difference between cloud services or on-premise assets. The reverse proxy and single sign-on gateway will handle the authentication for both.
None of the on-premise resources will accept any connections unless they’re tunneled from the reverse proxy.
In this way, a zero-trust approach will restrict users from pivoting from resource to resource. Fundamentally, we’re not just verifying the user and their device; we’re also verifying the individual network components that they’re allowed access to.
Organizations should design their systems so that the compromise of one discrete component does not let an attacker influence others, within reasonable risk assumptions.
Furthermore, organizations should use telemetry, analytics, and business intelligence to increase visibility and speed up detection. They should identify all valuable assets and form microsegments around them to create multiple inspection points, which stops intruders from pivoting between assets. These tools will allow them to respond to threats in real time.
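The flow described above, from the three principles (explicit verification, least privilege through JIT grants, assumed breach) through the reverse proxy and single sign-on gateway to on-premise services that refuse anything not tunneled from the proxy, can be modelled end to end in a small policy enforcement point. The Python below is an added example written for this article, not code from the author or from any product. The HMAC-signed token format, the key names, the fixed clock, the user "alice", the "payroll-db" and "hr-wiki" services and the device-posture fields are all constructed assumptions standing in for a real SAML assertion, identity source and endpoint-management feed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed secrets and clock for this toy; a real deployment keeps keys in a KMS/HSM
# and exchanges standard tokens (SAML assertions, signed JWTs) rather than this format.
SSO_KEY = b"constructed-sso-gateway-key"
PROXY_KEY = b"constructed-reverse-proxy-key"
NOW = 1_700_000_000.0  # fixed so the scenario is deterministic

def sign(key: bytes, claims: dict) -> str:
    """Serialize claims and append an HMAC-SHA256 tag: '<json>.<hex mac>'."""
    body = json.dumps(claims, sort_keys=True)
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify(key: bytes, token: str):
    """Return the claims if the tag checks out, else None: unverified input is never trusted."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(mac, expected) else None

@dataclass
class Grant:  # JIT/JEA entitlement: one user, one resource, bounded lifetime
    user: str
    resource: str
    expires_at: float

class PolicyEngine:
    """Explicitly verifies every request: identity, device posture, risk, least privilege."""

    def __init__(self, grants):
        self.grants = grants
        self.audit = []  # telemetry: every decision is recorded for detection and analytics

    def decide(self, token, device, location, resource):
        # Returns (allowed, reason, user); deny by default, allow only when every check passes.
        claims = verify(SSO_KEY, token)
        if claims is None or claims["exp"] < NOW:
            return self._record(resource, False, "identity: invalid or expired assertion", "")
        user = claims["sub"]
        if not (device.get("managed") and device.get("disk_encrypted")):
            return self._record(resource, False, "device: posture check failed", user)
        # Risk-based adaptive policy: an unfamiliar location raises the bar to MFA.
        if location != claims["usual_location"] and not claims.get("mfa"):
            return self._record(resource, False, "risk: MFA required from new location", user)
        # Least privilege: access requires an active grant for exactly this resource.
        if not any(g.user == user and g.resource == resource and g.expires_at > NOW
                   for g in self.grants):
            return self._record(resource, False, "authz: no active JIT grant", user)
        return self._record(resource, True, "allowed", user)

    def _record(self, resource, allowed, reason, user):
        self.audit.append({"user": user, "resource": resource, "allowed": allowed, "reason": reason})
        return allowed, reason, user

@dataclass
class OnPremService:
    """Internal service that accepts only connections tunneled from the reverse proxy."""
    name: str

    def handle(self, tunnel_token=None):
        if tunnel_token is None:
            return {"status": 403, "reason": "direct connections refused"}
        claims = verify(PROXY_KEY, tunnel_token)
        # The tunnel token is bound to one service, so it cannot be reused to reach another.
        if claims is None or claims["resource"] != self.name or claims["exp"] < NOW:
            return {"status": 403, "reason": "invalid tunnel token"}
        return {"status": 200, "service": self.name, "user": claims["sub"]}

@dataclass
class ReverseProxy:
    """Brokers access: consult the policy engine, then tunnel to exactly one service."""
    engine: PolicyEngine
    services: dict

    def broker(self, token, device, location, resource):
        allowed, reason, user = self.engine.decide(token, device, location, resource)
        if not allowed:
            return {"status": 403, "reason": reason}
        tunnel = sign(PROXY_KEY, {"sub": user, "resource": resource, "exp": NOW + 60})
        return self.services[resource].handle(tunnel)

def demo():
    """Constructed scenario: alice holds a five-minute JIT grant for payroll-db only."""
    token = sign(SSO_KEY, {"sub": "alice", "usual_location": "montreal", "mfa": False, "exp": NOW + 3600})
    services = {n: OnPremService(n) for n in ("payroll-db", "hr-wiki")}
    proxy = ReverseProxy(PolicyEngine([Grant("alice", "payroll-db", NOW + 300)]), services)
    ok_device = {"managed": True, "disk_encrypted": True}
    payroll_tunnel = sign(PROXY_KEY, {"sub": "alice", "resource": "payroll-db", "exp": NOW + 60})
    return {
        "granted": proxy.broker(token, ok_device, "montreal", "payroll-db"),
        "no_grant": proxy.broker(token, ok_device, "montreal", "hr-wiki"),
        "bad_device": proxy.broker(token, {"managed": False}, "montreal", "payroll-db"),
        "new_location": proxy.broker(token, ok_device, "lisbon", "payroll-db"),
        "tampered": proxy.broker(token.replace('"sub": "alice"', '"sub": "mallory"'),
                                 ok_device, "montreal", "payroll-db"),
        "direct": services["payroll-db"].handle(),
        "reused_tunnel": services["hr-wiki"].handle(payroll_tunnel),
        "audit_entries": len(proxy.engine.audit),
    }
```

Every decision, allowed or denied, lands in the engine's audit list, which is the telemetry the paragraph above calls for. The tunnel token is bound to a single service and a short lifetime, so reaching one resource gives no usable credential for another, and the service's refusal of a bare connection is what makes the reverse proxy the only path in.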
Whether you’re assessing your business’s zero-trust readiness or building plans to improve protection across your identities, devices, applications, data, infrastructure, and networks, “never trust, always verify” is the mantra to adopt.
Ludovic Rembert is a security analyst, researcher, and the founder of PrivacyCanada.net. He spent his career as a network security engineer before taking up freelance writing on a variety of technical and cybersecurity subjects.