Can zero trust kill our need to talk about locations?
As security professionals, we have acknowledged for over a decade that our data resides outside our network. Yet, we still talk about strategies for protecting the enterprise vs cloud infrastructure, or access management for branch offices vs remote workers. We need to stop talking about places and start focusing on a goal like location-agnostic access.
Cybercriminals are focused on achieving access via compromised accounts. The 2020 Data Breach Investigations Report (DBIR) showed that over 80% of hacking-related breaches involved the use of lost or stolen credentials. Additionally, Akamai’s State of the Internet report showed credential stuffing attacks continue to be a growing issue, with 75% of API traffic in the financial sector being attributed to these attacks.
To build out a location-agnostic access plan, we need to start by focusing on what we are providing access to, and then determine how we can provide it without ever thinking about where the person is. If the office is treated as just another wireless hotspot rather than a trusted network, we force the experience to be the same for the main office, branches, road warriors, remote workers, partners, and customers. Performance and security should be uniform, so the risk profile is standardized. This also allows us to respond rapidly to new business needs.
Many of us have gone through the process of requesting a new VPN, and then calling in a favor to get it done in under five business days. Much like waterfall development, these expectations of timelines are no longer acceptable. Today, we need to be able to have application owners provision someone in real-time and grant that access the same day.
Use cases are a great way to determine how to test and validate both the security and operational benefits of moving to new solutions. For access, some examples are office vs remote workers, business partners, sub-contractors, mergers and acquisitions (M&A), and external auditors. Some of these require protections like clients/agents or checking patch level; for others, you can’t mandate specific protections. For someone like an external auditor or business partner, it is typically easier to achieve security by limiting access to just the specific information they need rather than the entire network.
I want to be clear: application owners provisioning access is a two-edged sword. We have all had an audit finding for someone who left a team and was never deprovisioned, and now we are expecting the application owner to handle this. We will need strong processes with audit functions to ensure deprovisioning happens.
I am a strong believer in strategies that leverage frameworks to build our processes that implement security controls. While that sentence feels overly complicated, it is the key to building a strong program that is compliant. Some industries are dealing with regulations like HIPAA or FFIEC. Others have industry standards like PCI or NERC CIP. These generally map back to NIST, but they don’t help with best practices. For those, I like to leverage resources like MITRE ATT&CK or Gartner SASE framework.
Let’s look at NIST SP 800-207, which defines zero trust architecture for the most common approaches as “enhanced identity governance–driven”, “logical micro-segmentation”, and “network-based segmentation”. Segmentation is generally built around VPNs. The challenge is that VPNs have been around so long that there are several security concerns to contend with: supply chain issues with vendors, IoT devices and network infrastructure, compatibility issues with third-party providers, and a steady stream of security agencies and research organizations publishing new vulnerabilities that are being exploited in the wild.
The more modern approach is “governance-driven,” which is implemented at the application network layer (i.e., Layer 7), with the most common deployment model being the agent / gateway. This provides more security: role-based access is the norm, and lateral movement is much more difficult if criminals gain access, because each decision grants a single application rather than a network.
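As an added illustration of the governance-driven model (example code written for this page, not from the article, NIST SP 800-207, or any product), the policy decision point below evaluates each request against identity, role entitlement, and device posture, while the source address is recorded only for audit and never consulted. It also covers the use cases from earlier in the piece: an external auditor or partner reaches only their own application and is not subject to an agent/posture check, and every grant carries an expiry set by the application owner so that deprovisioning becomes a reviewable event rather than a forgotten one. All role names, applications, users, IP addresses, and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed role -> application entitlements (assumption for this example).
ROLE_ENTITLEMENTS = {
    "engineer": {"git", "ci", "wiki"},
    "finance": {"erp", "wiki"},
    "external-auditor": {"audit-portal"},   # only the data they need, not the network
    "partner": {"partner-portal"},
}

# Internal apps where we can mandate an agent and a current patch level.
POSTURE_REQUIRED = {"git", "ci", "erp"}
MAX_PATCH_AGE_DAYS = 30


@dataclass
class Grant:
    """Access provisioned by an application owner, with a forced expiry."""
    user: str
    role: str
    granted_by: str   # application owner who provisioned it (audit trail)
    expires: date     # drives the deprovisioning review


@dataclass
class AccessRequest:
    user: str
    app: str
    mfa_verified: bool
    source_ip: str                           # logged, never used in the decision
    managed_device: bool = False
    patch_age_days: Optional[int] = None


def evaluate(req: AccessRequest, grants: Dict[str, Grant], today: date) -> Tuple[bool, str]:
    """Location-agnostic decision: office and hotspot are treated identically."""
    grant = grants.get(req.user)
    # 1. A user with no active (unexpired) grant is deprovisioned by default.
    if grant is None or grant.expires < today:
        return False, "no active grant"
    # 2. Identity first: MFA is mandatory regardless of where the request came from.
    if not req.mfa_verified:
        return False, "mfa required"
    # 3. Role-based entitlement scoped to one application, so there is no
    #    surrounding network to move laterally across.
    if req.app not in ROLE_ENTITLEMENTS.get(grant.role, set()):
        return False, f"role {grant.role} not entitled to {req.app}"
    # 4. Device posture only where an agent can be mandated; auditors and
    #    partners reach their dedicated app without a posture check.
    if req.app in POSTURE_REQUIRED:
        if not req.managed_device:
            return False, "managed device required"
        if req.patch_age_days is None or req.patch_age_days > MAX_PATCH_AGE_DAYS:
            return False, "device patch level out of date"
    return True, "allow"


def grants_due_for_review(grants: Dict[str, Grant], today: date, within_days: int = 14) -> List[str]:
    """Audit function: grants that are expired or expire within the window."""
    return sorted(u for u, g in grants.items() if (g.expires - today).days <= within_days)


# Constructed sample grants, as an application owner would provision them.
SAMPLE_GRANTS = {
    "alice": Grant("alice", "engineer", "owner-git", date(2024, 12, 31)),
    "bob": Grant("bob", "finance", "owner-erp", date(2024, 6, 30)),
    "carol": Grant("carol", "external-auditor", "owner-audit", date(2024, 7, 10)),
    "dave": Grant("dave", "partner", "owner-partner", date(2024, 9, 1)),
}
TODAY = date(2024, 7, 1)

if __name__ == "__main__":
    # Same user, same app: the "office" address earns no trust by itself.
    print(evaluate(AccessRequest("alice", "git", False, "10.0.0.5", True, 3), SAMPLE_GRANTS, TODAY))
    print(evaluate(AccessRequest("alice", "git", True, "203.0.113.7", True, 3), SAMPLE_GRANTS, TODAY))
    print(grants_due_for_review(SAMPLE_GRANTS, TODAY))
```

The first two calls in the usage section make the location-agnostic point directly: the request from the 10.0.0.0/8 "office" address is denied for lack of MFA, while the same user from a public address is allowed once MFA and device posture check out. The review function is what backs the audit process the article calls for: it surfaces bob, whose grant lapsed yesterday, and carol, whose auditor access ends within the window.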
While I am a fan of leveraging frameworks, I would caution you to not include them in your strategy or policy documentation. You don’t want to be called out for not following everything in the framework, so it is better to call them analytical tools used to help you build your plan.
When adopting a location-agnostic architecture like zero trust, you need to augment it with other edge protections like web application firewalls and multi-factor authentication. Frameworks like SASE and ZTX are great reference tools here. Furthermore, I would recommend you use the cyber kill chain to determine where you have multiple points of failure to interrupt the attackers.
I want to close with some steps you can take to move toward location-agnostic access. Determine your program’s current maturity and coverage, then categorize your compliance requirements and identify the standards or frameworks you want to leverage. Use those criteria to develop an architecture in partnership with the IT team so that everyone understands the infrastructure that will be deployed.
This is where moving away from structured networks to treating everything like a hotspot can be agreed on. Use this coordinated plan to get buy-in from both stakeholders and senior leadership. Finally, build out the budget and develop phases to implement (i.e., start with use cases).