Zero Trust Security: Never trust, always verify
Zero Trust Security assumes that untrusted actors already exist both inside and outside the network. Trust must therefore be entirely removed from the equation.
In this podcast, Barry Scott, CTO, EMEA at Centrify, talks about how you can secure every user’s access to apps, endpoints and infrastructure through single sign-on, multi-factor authentication and privileged access security.
Here’s a transcript of the podcast for your convenience.
Hello. My name is Barry Scott, and I’m the EMEA CTO for a company called Centrify. And what we’re going to be talking about today is zero trust security. Now that’s been coming around for a number of years now. It’s not a brand new concept, it’s been around since basically deperimeterisation of our network started about 10 years ago. It stopped the fact that everybody was either inside or outside, and people started traveling around. That’s why the deperimeterization came from or rose from.
So, zero trust is really the way that things are going nowadays in terms of security. It means different things to different people. but to Centrify it’s to do with securing things through what we call Next Gen Access, and it’s all around securing identity. And there’s really four different things that are involved in Zero Trust Security.
First of all we have to validate the user, we need to know that you are you when you are accessing systems. The second thing is that we need to make sure that the device you’re on is good. You know, we might give you a different level of access if you’re connecting from a kiosk system at a show, than we would if you were using your normal home laptop. Then the third thing is that once we validated the user and we validated the device they are using, we’ve got a good idea of who they are where they’re coming from.
But let’s give them least privilege. What we mean by least privilege is just that they have the rights to be able to do exactly what they should be able to do at that moment in time – no more no less. So, like if you’re listening to this podcast in a car now, why should you have any privilege rights to any systems at your office or to any applications? Ideally you only want things on demand, but that’s, you know for some people, that is a bit too much to actually manage.
So, those are the three things. We’ve got validate the user, and we’ve got to verify the device. And we’ve also got the fact that we want to give you just the rights that you should have for your job. And it’s not just end users either, it’s about end users and privileged users and really anybody that needs to access anything.
Now the fourth thing about this is that we want to use analytics to improve the user’s experience and machine learning to make everything more secure. So what we mean by that. The first piece of verifying the user – nowadays it’s very important that we use multifactor authentication and that we consolidate our identities. If you consolidate your identity down to one, all your eggs are in one basket. So, there’s a danger that if your password get stolen, you’re in trouble, hence multifactor authentication everywhere.
Security is perceived in a ways of getting in the way of users and their experience. And it doesn’t matter if they’re end users or privileged users, it’s the same “Damn, something getting in my way, I’m going to go around it.”
So, what the analytics layer does, coming back to that, is checking what’s happening, is this normal for this person to be doing this, at this time, from this device. Is it 3:00 in the morning from some strange country that we’ve never seen the person before on a Windows machine, when they normally use a Mac? So, what analytics does, it decides the riskiness of the access, and based on the riskiness it will either give you access with no need for re-authentication, or no MFA needed. If it sees that the access is slightly risky, but different, you know maybe I’m logging in from the U.S., where I normally login from the UK, then we might have said that we want to do multifactor authentication on that sort of access, because it’s slightly risky. But then if I am coming from somewhere that just really is unexpected – strange time of day, or device as I mentioned earlier, then quite possibly the access will just be blocked altogether.
So, that’s really what Zero Trust Security is through Next Gen Access of Centrify. Just to summarize again, it’s verifying the user, validating the device, making sure we have least privilege. And also, at the end of that, it’s that analytics layer to make the user experience better as well.
In terms of if you like the traditional spaces of IT security, there is a convergence going on between where if you look, take us an example mobile device management over the years. It started off as a MDM, then it became MIM as well and container management, and eventually everything all sort of converged into enterprise mobility management. What we’re seeing extending that out even further is that we have privileged access management or PAM, which people are quite familiar with, and there’s really two flavors of that. One is a password vault solution where basically the vault looks after passwords to privileged accounts. On the other side is a pure least privileged solution where you log onto a Windows machine and we don’t want to make you an administrator, but you need to add at printer driver or something like that.
So, that’s the least privilege side of things, it now extends to Windows, Unix, and Linux, but that gives us privileged access management, mobility management. Also we’ve got Identity as a Service which has been big over the last few years, accessing cloud apps or traveling around outside and needing access to your secure remote access to your apps that are back at base, as it were.
So, we got those different things the IDaaS, the privileged access management, enterprise mobility management, and they’re all converging and Centrify has them, that is our Next Gen Access effectively, within our platform we offer all of those things. Because we’ve built everything ourselves from the ground up, I think customers can see the, you know, it’s a coherent and cohesive approach that all the products are our own at the end of the day.
Thanks very much for listening to the podcast, it’s been great to be here. If you’d like to look at the Web site its www.centrify.com. It’s all about Zero Trust Security, so thanks very much.