A zero-trust strategy starts with identity

At this point in the history of cybersecurity, the concept of a network perimeter seems almost quaint. The perimeter was like a moat or castle wall designed to keep the bad guys out. But the days of employees and all their digital tools residing within an isolated secure area are long gone.

Today, the walls have crumbled, and the moat has dried up. We live in a world where people can and do work from anywhere, and they need access to resources that may be located on premises, in the cloud, or in multiple clouds. These changes in how people work mean you can't use network location to decide who can and can't be trusted. Today's demands require a new security model, and that model has a name: zero trust.

Zero trust isn't a product or a service; it's a different way of thinking about security. Instead of assuming that anyone who has gained access to the network can be trusted, the zero-trust model takes the opposite position: presence on the network proves nothing. Everyone is a potential threat, and every interaction is a potential risk. Under zero trust, every request for access to a resource must be verified before it is granted.

Although zero-trust concepts have been around for more than a decade, more people are taking it seriously because of increases in cyberattacks and new requirements. Everyone from NIST to CISA to the White House says the time to implement zero trust is now.

A new way of thinking about security

Zero trust is a mindset that should drive how you think about security going forward. The zero-trust way of thinking is built on two core foundations. The first relates to the assets and data you want to secure; the second is controlling who has access to those assets, that is, managing identity. Because you can no longer rely on the network perimeter, it's even more important to know who has access to what and where. Data may be stored in a cloud service or a combination of services. For example, you could have a composite service that keeps some of its data in AWS, does some of its processing in Google Cloud, and is accessed through a front-end system located on premises. It's impossible to put "walls" around such dispersed assets because you'd effectively have to build a wall around the world.

If identity and data are the foundational principles of zero trust, what does that mean in practice? First, you need to identify all the assets and data you want to protect and ensure that they are properly secured. Second, you need to know who is accessing those assets. The goal is secure, compliant and seamless access for anyone, from anywhere, to anything. Identity solutions help you answer these questions:

  • Who is the user?
  • What can they access?
  • Why do they have access?
  • When and for how long?
  • How are they managed?

Modern authentication solutions establish identity, and governance and lifecycle solutions provide risk insights that answer questions about why and how long someone has access.

Where to start

Although everyone agrees zero trust is important, many people aren’t sure where to start. Identity is a good first step on any zero-trust journey.

1. Implement MFA now. Many breaches result from weak passwords or passwords that have been compromised and never changed. Every organization should deploy MFA and work with a vendor that can support all your needs. If you need both cloud and on-premises access, make sure the solution supports both. Opting for a single solution is easier for users and simplifies management.

2. Clean up orphan accounts and make sure that people can only access what they're supposed to be able to access. Over-entitlement builds up over time as people change jobs. For example, if someone moves from marketing to sales, access is usually added, but rarely is anything taken away. Audit your entitlements so that people have access only to the resources they need to do their job and nothing more.

3. Develop a strategy for identity and assets. Identify the assets that matter most and focus on those first. Not everything is equally important, so make sure your identity strategy is anchored to the most important assets.

4. Limit entitlements to reduce the attack surface. Look for creative ways to reduce standing access. For example, consider "just in time entitlement provisioning" for resources that are only used for short periods, like a benefits system that's only used for one month a year: the entitlement is granted when it's needed and expires afterward, rather than sitting unused for the other eleven months. By reducing the attack surface, you limit the attack vectors and lower your risk.
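Steps 2 and 4 are the part of this list a security engineer can actually script. The following Python is an added example (not code from the article or from RSA) that runs the three checks those steps describe over constructed sample data: an HR roster, a role-to-entitlement policy, and the grants an access-management system actually holds. The roster, policy, grant records and the users in them are all made up for the example; in practice they would come from your HR system and IdP.

```python
from datetime import date, timedelta

# Constructed sample data for this example. HR_ROSTER is who HR says is
# currently employed and in which role; ROLE_ENTITLEMENTS is the policy
# (what each role is supposed to hold); GRANTS is what the access system
# has actually granted, with the date each entitlement was last used.
HR_ROSTER = {"alice": "sales", "bob": "engineering", "carol": "hr"}

ROLE_ENTITLEMENTS = {
    "sales": {"crm-read", "crm-write", "quote-tool"},
    "marketing": {"crm-read", "campaign-tool", "web-cms"},
    "engineering": {"source-control", "ci-admin"},
    "hr": {"hris-read", "benefits-admin"},
}

# alice moved from marketing to sales and kept her marketing tools;
# dave left the company but his account was never cleaned up;
# carol only touches the benefits system during open enrollment.
GRANTS = [
    ("alice", "crm-read", date(2024, 5, 30)),
    ("alice", "crm-write", date(2024, 5, 30)),
    ("alice", "quote-tool", date(2024, 5, 29)),
    ("alice", "campaign-tool", date(2023, 11, 2)),
    ("alice", "web-cms", date(2023, 10, 15)),
    ("bob", "source-control", date(2024, 5, 31)),
    ("bob", "ci-admin", date(2024, 5, 31)),
    ("carol", "hris-read", date(2024, 5, 28)),
    ("carol", "benefits-admin", date(2023, 11, 20)),
    ("dave", "source-control", date(2024, 1, 9)),
]

TODAY = date(2024, 6, 1)  # fixed so the example is deterministic


def orphan_accounts(grants, roster):
    """Users holding entitlements who no longer appear in the HR roster."""
    return sorted({user for user, _, _ in grants if user not in roster})


def over_entitlements(grants, roster, policy):
    """Entitlements a current employee holds beyond what their role allows.

    Orphans are skipped here; they are reported (and removed) as whole
    accounts rather than one entitlement at a time.
    """
    excess = {}
    for user, ent, _ in grants:
        role = roster.get(user)
        if role is None:
            continue
        if ent not in policy.get(role, set()):
            excess.setdefault(user, set()).add(ent)
    return excess


def jit_candidates(grants, roster, policy, today, idle_days=90):
    """In-policy entitlements unused for longer than idle_days.

    These are legitimate but rarely exercised, so they are candidates for
    just-in-time provisioning instead of standing access. Excess grants
    are excluded: those should simply be revoked.
    """
    cutoff = today - timedelta(days=idle_days)
    found = []
    for user, ent, last_used in grants:
        role = roster.get(user)
        if role is None or ent not in policy.get(role, set()):
            continue
        if last_used < cutoff:
            found.append((user, ent, (today - last_used).days))
    return sorted(found)


def audit(grants=GRANTS, roster=HR_ROSTER, policy=ROLE_ENTITLEMENTS, today=TODAY):
    """Run all three checks and return the findings as one report."""
    return {
        "orphans": orphan_accounts(grants, roster),
        "over_entitled": over_entitlements(grants, roster, policy),
        "jit_candidates": jit_candidates(grants, roster, policy, today),
    }


if __name__ == "__main__":
    for section, findings in audit().items():
        print(f"{section}: {findings}")
```

On the sample data the report flags dave as an orphan, alice's leftover marketing tools (campaign-tool and web-cms) as excess, and carol's benefits-admin entitlement, idle for 194 days, as a candidate for just-in-time provisioning. The 90-day idle threshold is an assumption; tune it per system, and treat the HR roster, not the directory, as the source of truth for who is still employed.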

Failing to secure identity is like putting a big lock on the door and then leaving the window open. Not only is identity a cornerstone of zero-trust, it’s also just plain old common sense.


Jim Taylor is Chief Product Officer at RSA.


© 1998-2024 BetaNews, Inc. All Rights Reserved.