"The trust of the innocent is the liar's most useful tool." - Stephen King
The IT industry has spent the last 30 years enabling connectivity, making it easy for everyone to access to everything. But once everything is available to everyone, security and access control become vital.
It began with basic usernames and passwords and evolved to grant access to designated user groups like the "IT Department," "Finance Department," and "Sales Department." This progression has since extended to incorporate Multi-Factor Authentication methods such as SMS messages, fingerprints, and facial recognition, enhancing user identity verification.
Once you know who a user is, they can be trusted, right?
- A user is connected to a corporate network and logged in, you know who they are, so they can be trusted, right?
- A user is a member of the “Finance Department” group, so you can give them access to the Finance systems, right?
- A user is sitting at their desk in the office. You know they have come through the front door using their staff entry card, so they can be trusted, right?
But in a world where legitimate users can be anywhere (in the office, at home, in a coffee shop, on a train, in a customer site), so can attackers.
Approximately two-thirds of cyber attacks originate from sources deemed "trusted," with a staggering 90% of established hacker groups employing spear phishing tactics, which target individuals, as an effective means to infiltrate a company's internal network.
In the current landscape, attackers seek out the path of least resistance within an organisation, and today, that vulnerability often lies with individuals rather than the infrastructure, which is typically fortified with firewalls and other security measures.
Gone are the days when trust could be presumed based solely on a user's successful network connection or login. Attackers can now easily launch their assaults from a seemingly "trusted" position, evading conventional security protocols.
Out of this evolving challenge emerged the concept of Zero Trust, guided by the principle of "never trust, always verify."
Zero Trust redefines access control, taking into account not only authentication factors like username/password and multi-factor authentication, but also contextual factors such as user roles, location, time of access, the condition of the connecting device, and the specific data being requested.
Zero Trust for Identity
Who is the user, where are they, what time of day is it, what device are they on, what are they accessing? In the modern, cloud-based world, the “user” is just as likely to be a machine, a PC, an IoT sensor, a cloud service, or an API call.
We recommend implementing a robust system for Zero Trust for Identity, which will usually consist of:
- An Identity Provider (IdP) such as AzureAD/EntraID, Okta, PING
- Some form of Multi-Factor Authentication
- Certificate-based authentication for user-less devices
- Endpoint security (usually in the form of client software on corporate devices)
- A mechanism for allowing/denying access based on the user credentials and the security status of the device being used to access
- Some form of Privileged Access Management (PAM)
Figure 1: Protect access to your data using strong Identity-based security
Zero Trust for Identity is where Zero Trust starts. But for most “Zero Trust” vendors, that is also where it ends. While being certain who is accessing your data is arguably the most important aspect of Zero Trust, it is also important to limit the visibility of your data and assets before users even try to access it.
This requires Zero Trust for Networks, a concept only provided by a very small number of vendors and service partners. At Principle Networks, we think it is as important as the Identity part of Zero Trust. We provide this service through Zscaler, who offer a “Zero Trust Exchange” environment through which all incoming requests are routed.
Figure 2: Limiting your Threat Surface through a Zero Trust Exchange
An analogy - let’s compare Zero Trust to a parcel delivery service
- If a parcel is addressed to an individual, the parcel company will look up the address on a database/directory/map and take the parcel to the front door of that address. They will knock on the door and deliver the parcel to the addressee. If the parcel is malicious, it has reached it’s intended destination.
- Implementing Zero Trust for Identity, in this analogy - the parcel service would ask the recipient for proof of who they are. They may even X-ray the parcel or open it up to check the contents are what they should be and that they are safe to deliver. They then deliver the parcel to the addressee. Although this adds a layer of security, the recipient is still reachable from anyone who has access to their address, via a phone book, the internet, social media… etc. So the recipient is at risk of malicious packages from anywhere (any source).
- If we were to implement the equivalent of a full Zero Trust for Networks solution, the recipient would register their address with the parcel company as a valid recipient. Any deliveries to the recipient would be sent to the parcel company depot. They would scan the parcel, check the safety/validity of the sender and the recipient and then only forward on the parcel once all checks are passed. It would be impossible for anyone to send a malicious parcel directly to the recipient as their “real” address is never made public. This is true Zero Trust - not trusting any sources until all aspects of trust are verified.
Summary
Zero Trust is a valuable security strategy that can help organisations to protect their data and applications from cyberattacks. By assuming that no user or device can be trusted, Zero Trust can help organisations to protect their data and applications from even the most sophisticated attacks.