Digital transformation, the proliferation of disruptive technologies and modern business models, have all blurred the digital boundaries of corporations. Simply put, not much remains of the security perimeter that organizations used to rely on to protect their digital assets. With these boundaries diminishing, traditional perimeter security solutions have become inadequate to respond to increasing demands for access from literally everywhere.
These developments coupled with the alarming increase in data breaches, have rendered the concept of intrinsic trust as a vulnerability. Zero Trust security is based on the tenet “Never Trust, Always Verify” and requires strict, and continuous verification of user and machine identities to minimize implicit trust zones.
What is identity-based Zero Trust?
In a business environment where applications are delivered from the cloud to the cloud, users are located everywhere and use multiple machines to accomplish routine tasks. That means that all interactions—even those originating from employees—are inherently risky and necessitate a different approach to security.
Zero Trust is a strategic initiative and principle that helps organizations prevent data breaches and protect their assets by assuming no entity is trusted. The National Institute of Standards and Technology (NIST) defines Zero Trust as “a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”
Zero Trust is a security approach that focuses on individual transactions, and thus on the identities of the people and machines that are involved in them. Because the model requires strict verification of all identities, human and machine, Zero Trust moves the decision to authenticate and authorize closer to the endpoint. Zero Trust also minimizes implicit trust zones while promoting access rules that are as granular as possible to enforce least privileges required to perform the requested action.
Figure 1: Identity-centric Zero Trust. Source: NIST SP 800-207
The identity-centric approach of Zero Trust architecture places human and machine identities at the heart of security policy creation. In this architecture, enterprise access controls and policies are based on identity and assigned attributes. The primary requirement to access corporate data and resources is based on the access privileges granted to the requesting user or machine. To step up authentication and implement a risk-based approach to security, access policies may consider other factors as well, such as device used, asset status and environmental factors.
Why do we need to validate machine identities?
The proliferation of IoT devices, the adoption of multi-cloud platforms and the widespread use of containers all require the creation and management of numerous identities to authenticate them. Businesses have become increasingly reliant on human and machine identities. As a result, identity and access management (IAM) functions have become a top security priority for all organizations. However, these identities are also attractive targets for cyber criminals. According to the Verizon 2021 Data Breach Investigations Report (DBIR), compromised credentials and identity theft are the main causes of security incidents and data breaches.
In addition to the expanding attack surface driving the need for Zero Trust, regulations such as GDPR, CCPA, PCI DSS and HIPAA enforce the principle of accountability, by requiring the strong authentication and authorization of every access request to corporate data. Finally, as the global business environment is changing and as remote working becomes the norm, it will accelerate the adoption of multiple cloud platforms. The new technology and security landscape increases the need to effectively authenticate and grant access to corporate resources based on contextual, adaptive, and dynamic decisions. All of these contribute to your Zero Trust strategy and architecture.
Don’t forget about machine identity management
When businesses start their journey towards Zero Trust, they usually start with network segmentation, implementing privilege access management and adopting multi-factor authentication. However, an area that is often forgotten is the effective management of machine identities. This includes the protection of associated certificates and cryptographic keys.
This overlooked area creates many gaps. Cybercriminals are prone to leveraging compromised machine identities and stolen keys to either infiltrate undetected corporate networks or masquerade their actions, by using encrypted channels. The risks associated with mismanaged machine identities are huge and can become really serious really quickly in the event of a breach.
As the number of machines, cloud workloads, containers and IoT devices that access corporate resources is increasing at a rapid pace, errors related to machine identity management—such as expired certificates, outdated cipher suites and compromised certificates and keys—are causing significant risks for businesses across all sectors.
The benefits of identity-based Zero Trust
Identity-based Zero Trust provides several advantages that facilitate the implementation of robust access controls, increase security and reduce risk. Because Zero Trust is technology agnostic, there is no need to rebuild and replace anything in your system’s infrastructure.
Once deployed, identity-based Zero Trust provides greater visibility into risk, by performing risk analysis at every access request of every entry point, rather than at the network level. Most importantly, by bringing the decision to the level of entity requesting access to resources, Zero Trust enhances the detection of anomalies and threats, improving the organization’s security posture.
To provide effective protection, a Zero Trust architecture needs to span all resources both on-premises and in the cloud, as well as all access requests by machine and human accounts. Applying Zero Trust to human and machines identities makes this possible. For Zero Trust to be effective and for businesses to reap the benefits of Zero Trust, the management of all identities—human and machine—must be robust.