Enabling zero trust for small and medium enterprises [Q&A]
The move towards zero trust has been one of the big security stories of 2020, driven by a switch to remote work, but so far it has been largely the preserve of bigger organizations.
Now, though, JumpCloud has added Conditional Access policies to its Directory Platform, enabling IT admins to adopt zero trust security from the same cloud platform that they use to manage and securely connect users to IT resources.
We spoke to Greg Keller, CTO at JumpCloud, to find out how this will make zero trust adoption more accessible for any size of business.
BN: How is Zero Trust getting adopted in the companies you work with? Any trends that you are seeing?
GK: Zero Trust was once considered a 'privilege for the enterprise' -- almost untouchable from a cost, time-to-implement, and management perspective for the small to medium enterprise (SME). The most critical adoption we are seeing in our customer base is in reaction to the hard need for protecting employees when outside their normal 'trusted' firewall-backed perimeters.
That, specifically, is coming in three ways. One: trusting the networks employees are communicating over, and two: trusting the devices they are working from. The former is to ensure there isn't traffic coming in from some requestor the company doesn't know, and the latter, so the company knows the worker is on a device that is managed by the company (e.g. has the appropriate security policies, AV, DLP, etc.). The third component is verification in this process. That means leveraging multi-factor authentication at the right moment to ensure the person, again outside the office, is really who they say they are.
BN: Smaller companies are behind in adopting zero trust, what can be done to make this approach easier for them?
GK: As mentioned above, smaller companies can now approach zero trust implementations in a realistic and cost-effective way. These smaller companies typically are limited in total number of IT admins, and therefore cannot afford the time to deal with complex installations, integrations, tooling, and ongoing management.
The number one positive impact to an SME on their journey to zero trust is broad coverage. This means getting the key pillars under governance: centralized identity management and trust, network trust, and device trust. They are all ingredients of a soup called 'Conditional Access'.
BN: How far is zero trust off the mainstream? Is it going to become a standard approach for the future, or are we still a long way off that at the moment?
GK: It's close. If we agree that the SME essentially gets trickle-down technology from the enterprise, so the enterprise is sort of like a canary in the coalmine of thought leadership and needs that eventually could be beneficial to any size company like security, then zero trust is not far behind for everyone, even consumers. I would liken zero trust's adoption to how the world is adopting multi-factor authentication.
The enterprise knew passwords were a vector of attack due to the inherent laziness of humans, so make them verify who they are. Similarly, zero trust will become the way of implementing security, based simply on the fact that nothing should be trusted and everything should be verified. The battleground will be being able to deliver this simply and cost effectively.
BN: COVID-19 has made cloud the default approach to IT, but will this continue in 2021?
GK: There is no looking back from our new normal working pattern. I feel that 2021 will be just the beginning of the real movement to bigger ideas and solutions. 2020 and 2021 was and will be about continuing to solve for the acute pain of trying to secure remote/off perimeter work. Essentially, those brittle and antiquated security implementations were predicated on an office and/or a real brick and mortar perimeter.
I think you'll find the SMEs as thought leaders here in many ways, but principally because these companies were largely never saddled with these brittle networking constraints. They were built and born in the cloud. Their employees have been working remotely, in co-located workspaces, and generally have adopted modern tooling for their business needs. They too will need new layers of protection but their 'bones', their original cloud-based infrastructure, has already given them a head start.
BN: How does conditional access work, and how does it fit into the need for remote working and security that we see coming up?
GK: Conditional access is all about context. Context are the conditions. It is all based on the premise of layering context about an authentication attempt and learning how, when, and where to allow that authentication to occur. Combining context into a set of rules -- think gates -- and establishing the fact that if any of the rules are broken, challenge the authentication. For example, and very generally speaking: if the user is of some privileged type, and if this user is from a known location, and if this user is on a known device, then allow access, else ensure the user is verified and/or parties are notified of this non-typical authentication attempt. Patterns are key in refining context as well.
BN: Are there any other trends in security that should be on people's watch lists?
GK: Beyond the discussion around zero trust, security at large will again be at the forefront of IT and senior leadership's minds moving into 2021. Identity centralization and governance will be key as will hardening cloud infrastructure. I think we'll see a trend towards companies much earlier in their scale start to adopt and live by SOC standards as the cost of any sort of data breach or nefarious commandeering of infrastructure is too costly, or business-ending for the smallest of companies. Doing this cost effectively and more lean will be the key balance point versus typical SOC engagements reserved for companies of greater scale and resources to manage examination periods.