Large-scale, sophisticated attacks like the SolarWinds cyber intrusion and the Microsoft Exchange Server hack are disturbing, to say the least. These are more than just bad headlines; they reflect fundamental, systemic problems with the security postures in most enterprises. One underreported issue is the continued adherence of organizations to principles that maintain strong perimeter controls to prevent things outside from coming in. Meanwhile, they are comparatively lax about security within their interiors, yet, depending on the industry, upwards of 50% of attacks today originate from the inside.
Microperimeters Are Still Perimeters
The notion that defending the perimeter is sufficient to achieve robust security is outdated in today’s threat environment. Nearly two decades ago, the Jericho Forum proposed deperimeterization — the idea that the walls between an organization and the digital world at large needed to come down. They surmised that while it might be possible to erect and confidently maintain fences around a handful of systems, assurance would erode once hundreds of assets, unmanaged devices and software as a service became pervasive and necessary parts of operations. This is the exact scenario we face today.
The idea that organizations should trust nothing and secure everything, often referred to as the zero-trust security model, is a good theory, but it’s less clear how to get started. Microsegmentation is often put forward as the way to get to zero trust, and it has some merits. Its goal is to take a usually flat network and compartmentalize disparate systems that have little or no reason to talk to each other. A Linux server over here and an Active Directory server over there are each stuffed into discrete, secure boxes. That has some practical appeal, but in part that is because of its familiarity. Microsegmentation is still a perimeter-based strategy.
Identify, Observe, Then Contain
Hitachi ID proposes an altogether different approach: a security fabric that uses the techniques of identity and access management, privileged access management, adaptive multifactor authentication, and continuous diagnostics and monitoring (CDM) to secure resources and users actively. The goal is to provide users with a single sign-on, using federation standards like SAML whenever possible. Whether users are on premises or in the cloud, there is a steady stream of feedback about who they are, what they are doing, and the posture of their endpoint so security can be continuously re-evaluated. Constant risk analysis of resources and users makes it possible to create and enforce security policies.
Why do this? The first step to being successful in your organization’s zero-trust journey is to change perspective. In a cloud and software-as-a-service (SaaS) driven world, there is no meaningful inside and outside. Watching individual users is more important than containing them. Instead of pouring resources into building and endlessly maintaining whitelists and microsegmentation capabilities, it is more effective and sustainable to let users undertake activities, watch what they do, and have security systems that decide how they are governed, moment by moment, based on what they do. If an organization drives toward that, it will become able to do some clever and productive things within its privileged access space.
To get there, a properly implemented zero-trust approach leverages identity to make contextually driven decisions about who can access what and under what conditions. Context asks questions about the user’s environment, their job title, their job code, and how many entitlements they hold. Such context then makes it possible to ask further questions. For example, if a user already has extensive entitlements, is it risky to let them amass more?
An identity-based approach relies instead on readily available metadata about the user, device, connectivity and even behaviors. The nice thing is that organizations already have the data needed to profile their users effectively. Extensive attribute data already lives in directories and systems of record such as LDAP, PeopleSoft, Workday and more. All of that data can be harnessed to build robust profiles that differentiate between users. Those factors can then be used to implement a security policy. So the user at the coffee shop on an unsecured open network might have to navigate triple-layer authentication to prove who they are, while the employee at their desk undertaking the same tasks they’ve done every day for years has a more direct route.
Applying the principle of least privilege, it is desirable to scale and flex access dynamically and on a truly individual basis. When an employee or contractor is first hired, birthright access can be set, based on particular attributes, to give the individual narrow, specific access. A salesperson, for example, might get a Microsoft Office 365 E3 account (because they don’t need an E5 account), as well as Salesforce. Meanwhile, a contractor might only be given a Microsoft Exchange Online plan because policy does not allow them to access sales data.
They can always request more, but now it is possible to make intelligent decisions and approvals based on context. So, when a high-risk user, perhaps a contractor, attempts to access a high-value asset to do their work, the system could prompt a manager or somebody from IT for authorization. On the other hand, an employee who uses that same data every day might automatically bypass some extra authentication steps. However, the behavior is monitored and tracked in case of anomalies.
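The birthright mapping and the context-driven decision described in the preceding paragraphs, as an added example that is not Hitachi ID’s code: the role-to-entitlement table, the risk weights and the thresholds are assumptions chosen to illustrate the policy, not values from the article.

```python
from dataclasses import dataclass

# Birthright access: the narrow starting set each role gets on day one.
# Roles and products follow the article; the mapping itself is assumed.
BIRTHRIGHT = {
    "salesperson": {"Office 365 E3", "Salesforce"},
    "contractor": {"Exchange Online"},
}

def birthright_access(job_code):
    """Return the initial entitlements for a job code, empty if unknown."""
    return set(BIRTHRIGHT.get(job_code, set()))

@dataclass
class AccessContext:
    user_type: str          # "employee" or "contractor"
    network: str            # "corporate", "vpn" or "public"
    device_managed: bool    # endpoint posture reported by CDM
    entitlement_count: int  # entitlements the user already holds
    asset_value: str        # "low", "medium" or "high"
    routine: bool           # user performs this task regularly

def risk_score(ctx):
    """Additive risk score; the weights are assumed for illustration."""
    score = {"corporate": 0, "vpn": 1, "public": 3}[ctx.network]
    score += 2 if ctx.user_type == "contractor" else 0
    score += 0 if ctx.device_managed else 2
    # Already-extensive entitlements raise the risk of amassing more.
    score += 2 if ctx.entitlement_count > 20 else 1 if ctx.entitlement_count > 10 else 0
    score += {"low": 0, "medium": 1, "high": 2}[ctx.asset_value]
    score += 0 if ctx.routine else 1
    return score

def decide(ctx):
    """Map a context to allow, step-up MFA or manager/IT approval."""
    # A high-risk user on a high-value asset always goes to a human approver.
    if ctx.user_type == "contractor" and ctx.asset_value == "high":
        return "require_approval"
    score = risk_score(ctx)
    if score >= 6:
        return "require_approval"
    if score >= 3:
        return "step_up_mfa"
    return "allow"

if __name__ == "__main__":
    desk = AccessContext("employee", "corporate", True, 8, "medium", True)
    cafe = AccessContext("employee", "public", True, 8, "medium", True)
    print(decide(desk), decide(cafe))  # allow step_up_mfa
```

The same employee doing the same task is waved through at their desk but gets step-up authentication from the coffee shop, while a contractor reaching for sales data is routed to an approver regardless of score.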
All of this would be difficult, if not impossible, in a perimeter-based approach where the primary focus is on network access. In that scenario, security is a blunt tool that makes sweeping yes/no decisions about admission and has no control after saying “yes.” A zero-trust approach built on identity and access management offers substantially greater flexibility while ensuring that no one ever has access to more than they need at a time. The result is a dramatic reduction in the organization’s total vulnerability, and it helps avoid becoming the next headline.
Bryan Christ is a Sales Engineer at Hitachi ID Systems, Inc.