In a Zero Trust security model, every connection must be authenticated, whether it originates inside our network or outside it. Indeed, the distinction between internal and external trust is becoming messy even in today's networks. We have systems that interact with the cloud (see my previous blog), and the number of different combinations of interactions keeps growing.
In theory, the same authentication process would seem to work across the board: users simply access the corporate network with their domain credentials. That would be the easy way, right? In reality it is never that simple. As the Target breach showed, where attackers got in using credentials stolen from a third-party HVAC vendor, we need to be especially careful when granting trust to partners who access information inside our networks.
“Companies don’t have corporate data centers serving a contained network of systems but instead today typically have some applications on-premises and some in the cloud with users—employees, partners, customers—accessing applications from a range of devices from multiple locations and even potentially from around the globe,” notes CSO.
Authorizing external partners adds a layer of complexity
Authorizing access is already challenging enough when an organization deals only with its own employees, its own systems and its own machines. I wrote about how machine identities contribute to that effort in a previous blog. When you add the external partners you need to interact with, you add new layers of complexity, and the trust model becomes even harder to control.
You need different levels of permission for your internal consumers and for your external partners, who should be able to reach only the segmented information in your environment that they actually need.
As Cloudflare observes, “Zero Trust security means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network.”
To be effective, the scope of machine identity intelligence has to extend beyond the machines under your organization’s direct control. If you are going to rely on the integrity of machine identities controlled by your customers and partners, you need to be able to monitor every machine identity that connects to your network.
So you have to be able to authenticate your third-party providers as well as your own users. In other words, you need complete visibility into every machine identity that is used to access your network, whether internal or external.
But first you have to decide how that process looks from an internal perspective and from an external perspective. You will probably want tighter control over the keys and certificates that authenticate your on-premises infrastructure, which you trust more, than you can have over those issued by a partner.
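The two points above, separate permission levels for internal consumers and external partners, and visibility into every machine identity that connects, can be made concrete with mutual TLS client certificates. The Go program below is an added example, not code from this post or from any product. It builds a constructed PKI entirely in process (an internal CA, a partner CA and an unknown CA are hypothetical fixtures, as is the `newCert` helper), then authorizes a presented client certificate by which trusted root it chains to, records the identity it admitted, and confines partner-scoped identities to a segmented path. The names `Authorizer`, `Scenario`, `CanAccess` and the `/partner-share/` prefix are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Two trust domains with different permissions: clients chaining to our own CA get
// "internal"; clients chaining to a partner's CA get "partner" and see only the segmented share.
const ScopeInternal, ScopePartner = "internal", "partner"

// must panics on error; acceptable for building the constructed fixture below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert is a hypothetical fixture helper: with parent == nil it returns a
// self-signed CA, otherwise a client-auth leaf signed by parent/parentKey.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// Authorizer keeps one root pool per scope, so a partner-issued cert can never chain
// to the internal root, and records every machine identity it admits (visibility).
type Authorizer struct {
	roots map[string]*x509.CertPool // scope -> roots trusted for that scope only
	Seen  map[string]string         // client CN -> scope granted
}

// Authorize returns the scope for a presented client certificate. A cert that
// chains to no trusted root is rejected: Zero Trust is default deny.
func (a *Authorizer) Authorize(client *x509.Certificate) (string, error) {
	for scope, pool := range a.roots {
		opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		if _, err := client.Verify(opts); err == nil {
			a.Seen[client.Subject.CommonName] = scope
			return scope, nil
		}
	}
	return "", errors.New("untrusted machine identity: " + client.Subject.CommonName)
}

// CanAccess applies minimal access: internal reaches anything, partner only /partner-share/.
func CanAccess(scope, resource string) bool {
	return scope == ScopeInternal || (scope == ScopePartner && strings.HasPrefix(resource, "/partner-share/"))
}

// Scenario builds the constructed PKI (our CA, a partner CA, an unknown CA), one
// client under each, and an authorizer that trusts only the first two.
func Scenario() (*Authorizer, map[string]*x509.Certificate) {
	auth := &Authorizer{roots: map[string]*x509.CertPool{}, Seen: map[string]string{}}
	clients := map[string]*x509.Certificate{}
	for _, name := range []string{ScopeInternal, ScopePartner, "unknown"} {
		ca, key := newCert(name+"-ca", nil, nil)
		clients[name], _ = newCert(name+"-client", ca, key)
		if name != "unknown" {
			auth.roots[name] = x509.NewCertPool()
			auth.roots[name].AddCert(ca)
		}
	}
	return auth, clients
}

func main() {
	auth, clients := Scenario()
	for _, name := range []string{ScopeInternal, ScopePartner, "unknown"} {
		scope, err := auth.Authorize(clients[name])
		fmt.Printf("%-8s scope=%q err=%v partner-share=%v finance=%v\n", name, scope, err,
			CanAccess(scope, "/partner-share/orders"), CanAccess(scope, "/finance/ledger"))
	}
}
```

Run it with `go run`: the internal client reaches every resource, the partner client only `/partner-share/`, and the client issued by the unknown CA is rejected outright and never appears in the `Seen` inventory. Two details matter in practice. Keep one root pool per trust domain rather than a single pool holding every CA you accept; with one shared pool a successful verification tells you nothing about which domain issued the identity, so a partner CA could mint a certificate that is treated as internal. And never leave `x509.VerifyOptions.Roots` nil, because Go then falls back to the system root store and any public CA becomes an acceptable issuer for your partner-facing endpoint.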
How can you build trust in third-party environments?
If you host some of your critical applications in a third-party environment, your expectations may differ. How do you build trust there? How do you authenticate between the network you control (your comfort zone) and something running in a third party's environment, where they have their own assumptions about trust?
Zero Trust assumes there is no built-in trust to lean on, so you need a way to manage all of these different credentials. For example, how will you protect all of these keys across different environments?
At the end of the day, the best security is minimal-access security, and by that I mean least privilege, especially for privileged access. Taking your security strategy down to the foundational level of machine identities is a good place to start. A machine identity management platform gives you the visibility, intelligence and automation you need to manage machine identities across your environment, whether internal or external.
Are you concerned about third-party partners authenticating on your machines?
Get a 30 Day Free Trial of TLS Protect Cloud, Automated Certificate Management.