Is your zero trust program at risk of failure? [Q&A]

Zero trust is no longer a 'nice to have' for cybersecurity leaders. As organizations embrace hybrid and remote workforces, the volume of cyberattacks and data breaches involving unauthorized access to networks, applications and systems has surged.

In response, cybersecurity leaders are striving to adopt a zero trust approach to security to reduce the risk of data breaches, ransomware and insider threats. However, the success of these efforts is being undermined by a variety of factors.

We spoke to Tom Ammirati, CRO at PlainID, to discuss the challenges of adopting zero trust.

BN: What are the most common pitfalls of transitioning to a zero trust program?

TA: Zero trust frameworks have traditionally focused on solving authentication challenges associated with endpoint and network access security. However, the rapid increase in identity-related breaches means that organizations now need to implement a comprehensive authorization framework. This framework must make it possible to authenticate users and devices on an ongoing basis and continuously monitor users post-authentication.

However, our CISO Zero Trust survey found that many UK and US organizations have not implemented this foundational capability. Only 50 percent said authorization features in their zero trust program, an omission that could expose their infrastructure to threat actors.

The survey also found that only a third (31 percent) of organizations had sufficient visibility and control over authorization policies intended to enforce appropriate data access, with a further 45 percent citing that the lack of technical resources was proving a challenge when it comes to gaining true visibility and control of their network or optimizing enterprise authorization and access controls. What is even more worrying is that 41 percent of organizations also say they are using unmanaged and ungoverned OPA-based solutions to authorize identities.

Indications are that while many organizations may well be implementing a form of zero trust, they often lack the complete toolset or capabilities required to extend zero trust from authentication through to final access point and target data set. Added to which they don't have true visibility or control of their network and are utilizing legacy home-grown solutions that were never designed with today’s fast-evolving threat landscape in mind.

BN: What are the limitations of zero trust?

TA: There are numerous technologies dedicated to addressing aspects of zero trust in relation to network access control and advanced authentication. However, the protection features provided by solutions like gateway integration and segregation, secure SD-WAN and secure access service edge (SASE) are primarily network-centric.

Today's increasingly complex operational realities mean that, in addition to network access, zero trust also needs to be applied to application access and access to intra-application assets. In other words, achieving genuine zero trust protection means organizations will now need visibility of all resources, applications and networks. Indeed, protecting hybrid working environments depends on it.

Unfortunately, implementing limited access controls can create a false sense of confidence and significantly increase an organization's exposure to risk.

Relying on authentication alone, which verifies a user's identity before granting them access to data, network, system or device, is no longer enough. Organizations must also implement authorization that follows every digital interaction that happens post-authentication, granting or revoking user permissions to resources in real-time.

Unfortunately, authorization can prove a broad and complex challenge for organizations unless they utilise a comprehensive authorization solution that makes it possible to initiate identity aware security at every layer of the enterprise's computing infrastructure and maintain central policy visibility, manageability, and policy governance.

BN: What is one of the most important components of a zero trust approach?

TA: Dynamic authorization is an advanced approach that grants fine-grained access to resources -- it is a must-have element of any complete and successful zero trust architecture, and for any business wishing to optimize its security infrastructure. Providing a more technically advanced approach to zero trust, dynamic authorization drives two processes that are essential to zero trust: runtime authorization enforcement and high levels of granularity.

For example, when a user attempts to access a network, application or assets within an application, this will trigger the evaluation and approval process of a number of key attributes. These include user level (their current certification, level, role and responsibilities), whether users can access confidential and personally identifiable information (PII), along with other asset attributes such as data classification, location assignments and any relevant metadata. Other factors that are assessed include the location the user is authenticating from (internal or external system), the time and date of authentication, and technical aspects such as the risk level of the system.

Considering all these and any other relevant attributes, the policy engine makes a decision at the point of access during runtime, making a new decision every time access is attempted in real-time, utilizing risk-based intelligence to add context to each access decision rather than relying on 'as-based-on' attributes which have been predefined by the application.

By implementing dynamic authorization, organizations can replace hundreds or thousands of policies that can be managed centrally through a single pane of glass, making it easy for security professionals to add, update and quickly deploy policies and enable the fine-grained access control that ensures users gain smooth access to the correct data.

BN: How can an organization address zero trust security gaps?

TA: Zero trust must treat all identities as potential threats. While zero trust boosts higher levels of confidence, it’s imperative to pair it with a comprehensive authorization framework. Enterprises today need continuous evaluation and validation across all tech stack interactions to mitigate data breach impacts.

Providing rigorous identity-aware security at every layer of the enterprise, it makes genuine zero trust protection a reality by delivering continuous evaluation and validation across all tech stack interactions to mitigate the risk of data breach. Providing a comprehensive risk-based authorization and identity aware security framework enables organizations to address zero trust security gaps and elevate their overall security posture.

© 1998-2024 BetaNews, Inc. All Rights Reserved.