Zero Trust 101: Where do I start

On January 26, 2022, the Office of Management and Budget (OMB) issued the memo Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. With the government acknowledging and embracing the criticality of zero trust, can the private sector be far behind?

Zero trust may not be the latest buzzword, but it is still a relevant and necessary part of any organization’s security strategy. However, a common question from those deciding to jump on the bandwagon is:

Where do I start?

Before trying to answer that question, we need to understand what it is we are really asking for.

There is no product or technology that you can implement for zero trust. It is a philosophy — a set of guiding principles that can be used to improve the security posture of an organization and reduce the risk of a breach by limiting lateral movement. This demands a different way of looking at security, and how access to data is granted. It will require new policies and controls related to access. In short, it is a fundamental change of approach to security, which can no longer be an add-on. Security must become an integral part of everything you do.

Let’s circle back to the question that everyone is looking to answer: “Where do I start?”

The ideal place to start is with a review of your existing security policies. Any security control, technology implemented, or new process will be in support of these policies. Traditional approaches to password policies have proven to be ineffective (further detailed in this blog). Hence, policies regarding authentication and the use of passwords must be updated to ensure the right access for the right people, for example by requiring multi-factor authentication (MFA), preferably phishing-resistant MFA. The OMB memo, for instance, calls for specific actions related to authentication:

  • MFA must be enforced at the application layer, instead of the network layer.
  • For agency staff, contractors, and partners, phishing-resistant MFA is required.
  • For public users, phishing-resistant MFA must be an option.
  • Password policies must not require use of special characters or regular rotation.

Other policies covering topics such as remote access, privileged access and minimum controls for revalidating access for the purposes of least privilege access must also be added or updated. Now that we have our updated policies, here’s what we do next.

Take a look at this zero-trust framework (left to right).

Everything to the right, including access to devices and data, applications, and network is dependent on having the following:

  • A verified digital identity
  • A policy defining what the identity can access
  • Governance surrounding these to ensure least privilege access

This is identity and access governance.

To the far right, we have access enforcement that determines whether the identity in question can access a target resource, such as data. These are the keys to knowing where to start.

Everything related to access in zero trust depends on a few things:

ID verification/proofing

An identity must be valid and associated with a real entity. Remember that a growing number of identities are for non-humans.

In the post-COVID world, a large portion of the workforce is remote and you cannot rely on an employee showing up at the office with government documentation that can be verified in-person.

This same level of verification is needed for the remote workforce and for non-human identities.


Authentication

The entity using an identity must be the entity associated with the identity. When access is attempted, it is essential to verify that the identity making the request is being used by the same entity that it was issued to.


Authorization

Any access request must be verified against policy. Simply put, you must determine whether or not the identity has been granted the requested access. Additional checks can increase the strength of the authorization, such as verifying the security posture of the device used by the requestor or determining real-time risk associated with the request.


Attestation

Access must adhere to the principle of least privilege. This is a regular process of verifying that identities are still valid (e.g., the employee has not left the company) and that the access is still required (e.g., the employee is in a new role and no longer requires access to project data).

Authentication and authorization are associated with access enforcement (depicted on the right in the above model) while ID verification and attestation are associated with the governance and administration of identities and access shown on the left. Ideally, the above should be based on continuous processes, verified by request on an ongoing basis, and not as discrete events. Consider this: A successful authentication at one moment in time does not guarantee that the requestor is the same entity at any point in the future. Hence, zero trust.
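The per-request evaluation described above can be sketched as a small policy decision function. This is an added example, not code from the original article; the grant table, thresholds, MFA method names and field names are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy: (identity, resource) -> allowed actions. All names are hypothetical.
GRANTS = {
    ("alice", "project-data"): {"read", "write"},
    ("alice", "admin-console"): {"login"},
    ("svc-backup", "project-data"): {"read"},   # non-human identity
}
PRIVILEGED = {"admin-console"}
PHISHING_RESISTANT = {"fido2", "piv"}
MAX_AUTH_AGE = timedelta(minutes=30)   # assumed re-authentication window
MAX_RISK = 0.7                         # assumed real-time risk threshold (0..1)


@dataclass
class AccessRequest:
    identity: str
    resource: str
    action: str
    mfa_method: str          # how the session was authenticated
    auth_time: datetime      # when that authentication happened
    device_compliant: bool   # device posture reported with this request
    risk_score: float        # real-time risk computed for this request


def decide(req: AccessRequest, now: datetime) -> tuple:
    """Evaluate one request and return (decision, reason). Called on every request."""
    allowed = GRANTS.get((req.identity, req.resource), set())
    if req.action not in allowed:
        return "deny", "no grant in policy"
    if not req.device_compliant:
        return "deny", "device posture check failed"
    if req.resource in PRIVILEGED and req.mfa_method not in PHISHING_RESISTANT:
        return "step_up", "privileged access needs phishing-resistant MFA"
    if now - req.auth_time > MAX_AUTH_AGE:
        # An earlier successful authentication is not trusted indefinitely.
        return "step_up", "authentication too old"
    if req.risk_score > MAX_RISK:
        return "step_up", "risk above threshold"
    return "allow", "policy, posture, freshness and risk checks passed"
```

A "step_up" result means the caller should re-authenticate the user before retrying, rather than silently extending trust from the earlier login.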

What do I implement first?


Identity and access-related processes and hygiene

Well-defined processes are critical for managing the lifecycle of identities and access, as well as for revalidating this access to ensure least privilege and compliance. If these are not in place, solutions such as zero-trust network access will be vulnerable: they could grant access to an employee who left the company a month ago but still has valid credentials. These processes could be manual, but ideally they should be automated and controlled using an identity governance and administration product.
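A minimal version of that revalidation, as an added example that is not part of the original article: it reconciles enabled accounts against an HR feed and a role-to-entitlement map. The data, field names and entitlement names are constructed for illustration, and the rule that every service account needs an active human owner is an assumption.

```python
# Constructed sample data; every name, role and entitlement is hypothetical.
HR_RECORDS = {
    "alice": {"status": "active", "role": "engineer"},
    "bob": {"status": "terminated", "role": "engineer"},   # left the company
    "carol": {"status": "active", "role": "finance"},      # moved to a new role
}
ROLE_ENTITLEMENTS = {
    "engineer": {"vpn", "project-data"},
    "finance": {"vpn", "ledger"},
}
ACCOUNTS = [
    {"id": "alice", "type": "human", "owner": "alice", "enabled": True,
     "entitlements": {"vpn", "project-data"}},
    {"id": "bob", "type": "human", "owner": "bob", "enabled": True,
     "entitlements": {"vpn", "project-data"}},
    {"id": "carol", "type": "human", "owner": "carol", "enabled": True,
     "entitlements": {"vpn", "ledger", "project-data"}},
    {"id": "svc-build", "type": "service", "owner": None, "enabled": True,
     "entitlements": {"project-data"}},
    {"id": "svc-backup", "type": "service", "owner": "alice", "enabled": True,
     "entitlements": {"project-data"}},
]


def review_accounts(accounts, hr, role_entitlements):
    """Return sorted (account, finding) pairs for enabled accounts that need action."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned
        owner = hr.get(acct["owner"])
        if owner is None or owner["status"] != "active":
            # Identity no longer valid: leaver, or a non-human account nobody owns.
            findings.append((acct["id"], "disable: no active owner"))
            continue
        if acct["type"] == "human":
            # Access no longer required: entitlements beyond the current role.
            excess = acct["entitlements"] - role_entitlements[owner["role"]]
            for ent in sorted(excess):
                findings.append((acct["id"], f"revoke: {ent} not needed for {owner['role']}"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in review_accounts(ACCOUNTS, HR_RECORDS, ROLE_ENTITLEMENTS):
        print(f"{account}: {finding}")
```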


Multi-factor authentication (MFA)

This should be used for all types of authentication. In the case of privileged access, this should explicitly be in the form of phishing-resistant MFA to minimize the risk of exposing privileged credentials.


Single sign-on/Federated identity (SSO)

The component providing SSO provides a central point or identity provider (IdP) to facilitate standards-based authentication. This allows applications and devices to leverage central authentication mechanisms, identity stores and entitlement catalogs — without having to build them into each application. It also provides a more consistent user experience for authentication.


Privileged Access Security (PAS)

Privileged access must be tightly controlled, which is typically accomplished through a PAS or privileged access management (PAM) tool. The tool will provide control over access to accounts with privileged access, as well as other features like session isolation and monitoring, credential rotation, session recording and enhanced auditing of access to privileged accounts.

Identity and access processes and hygiene, coupled with MFA, are absolutely essential to have in place before you implement any other zero trust elements. Everything else can follow.

If you follow the approach outlined above, you will be well on your way to a successful zero trust journey.

About the author

Allen Moffett

Global IAM Practice Lead & CTO, Atos

Allen Moffett is Global IAM Practice lead and CTO at ATOS. He is also the global lead for the IAM and Biometrics sub-domain of the ATOS expert community, helping to steer business strategy and building the technology roadmap by anticipating the products and services that will be needed by the market. He is also a member of the Executive Advisory Board of the Identity Defined Security Alliance.