Enterprise networks – and the attacks against them – have evolved. No longer static, they are dynamic entities. And yet, IT organizations continue to use traditional security controls that aim to protect an increasingly irrelevant perimeter. It is no wonder IT organizations are failing to prevent malware infections and data loss. It won’t get any better until we take a different approach to security and adopt a new paradigm: the zero-trust model.
We live and work in an increasingly connected world that is driven by social, cloud, big data and mobility. These drivers fundamentally change how IT organizations provision and manage IT. The result is a highly complex enterprise network with thousands of firewall rules, and a weakening relationship between static network assets, and dynamic applications and users.
While IT organizations struggle to manage and protect an increasingly complex network environment, criminals use a relatively easy means of accessing the corporate crown jewels. Contrary to popular belief, the majority of criminals today are not using zero day exploits. They’re phishing privileged account credentials or guessing passwords for automated service accounts. In fact, according to Gartner, 80% of all attacks use privileged accounts.
Who are highly entitled or privileged users? These are people who require anything more than the lowest security level. They are super users with access to high risk, sensitive areas of the business. They include your sysadmins, corporate executives, developers, salespeople with special access, finance and HR. As Target found, a privileged user can be from a third party outside your organization and network.
Once criminals get access via a privileged account they can move about the network undetected, exfiltrating and modifying data in your most sensitive systems. This can go on for months – even years – before being detected. In fact, the average attack on corporate networks goes on for six to eight months before anyone notices. Clearly, the traditional approach to preventing these cyber attacks simply doesn’t work.
How access control works today
Users today are considered an entity within an identity system. Applications and resources use known entities. At the same time, access is based on roles. Buckets of privileges/entitlements are created and users are put into those buckets – even if they only need access to one item in the bucket.
Meanwhile, networks have no real concept of the entity within the identity system. Instead, networks and firewalls map users to IP addresses. This is fine inside the network, but what happens if the user changes locations? Networks don’t know the user’s identity. What happens if they change locations or connect to the WiFi in the cafeteria? This is where traditional approaches begin to fail. Firewall rules, network ACLs and VLANs are static. Traditional network access control solutions only go part of the way to managing access and ultimately aren’t flexible enough. We need a new approach to security.
Zero-trust made simple
The zero-trust approach eliminates the notion of a secure perimeter. It doesn’t assume that anyone at any time is a trusted user. Instead, it assumes that there are untrusted users on every network
A zero-trust approach applies strict access control and minimal privileges without impacting user productivity, limiting access to non-authorized network resources. In short, it considers user context to define what a specific user at a specific time can access. Everyone requires dynamic, context-aware entitlements and privileges to access sensitive areas.
I recommend a five-layer security model to achieve a zero-trust environment:
1. Encrypted communications. Always assume that unauthorized users are able to intercept communication, regardless of whether services are accessed internally or remotely.
2. Multi-factor user authentication. Strong multi-factor user authentication should be the first step to gaining authorized access to applications, services and data. This is essential for information security and risk mitigation.
3. Session/device authorization. In an environment where users can access information from different types of devices in a variety of locations, advanced authorization methods must include the ability to capture the posture and context of each session.
4. Policy enforcement. Evaluate each transaction against security policies to determine which resources should be made available to the user on a specific device, in a specific environment.
5. Global audit logging. Systematically log and accurately track all user access to support on-demand security reporting and auditing.
A context-aware security gateway can help IT organizations implement these five layers. The gateway establishes software-defined perimeters that are unique to each and every user based on his/her device, posture and identity. Users are only given access to authorized resources – everything else is invisible. They cannot ping, telnet or trace route anything else on the network. And when the session is terminated, the user has to go through the authentication and authorization process again.
IT organizations need a new approach to network security. One that’s not ‘complicate and hope,’ but ‘simplify and secure.’ Context must be looked at before entitlements are given to deliver true control and security. A zero-trust approach is the way to start.