I have witnessed the zero-trust transformation closely down in the trenches of Google, Mobileiron and other companies I worked at prior to SGNL. I have in fact helped develop some of the standards such as SAML and CAEP that facilitated it, and the Google BeyondCorp API. BeyondCorp of course, is the pioneering architecture that realized zero-trust in a commercial environment for the first time.
But What is Zero-Trust Anyway?
I like to think of zero-trust as really ephemeral trust. Any decision to trust an access request is only good for a really short period of time, and localized to the resource being requested in that particular request.
This leads to a lot of flexibility in how your secure digital assets may be organized. They need not always be inside a well fortified infrastructure that provides persistent trusted access once a user is permitted inside, such as your enterprise network. As a result, enterprise assets in zero-trust architectures (ZTA) end up being located in cloud platforms and SaaS services. Users can access these assets from anywhere in the world.
Zero-trust is, however, a highly overused term. A frustrated customer once told me: “I just had my zero-trust coffee, are people selling zero-trust donuts now?” The sentiment is understandable. In this article, I’d like to focus on what you can do to secure your organization’s data in the brave new zero-trust world.
Floating Over the FENCE
For enterprises, which typically like to take deliberate, steady steps to adopt any new technology, the advent of zero-trust architecture appears too far-reaching and ridiculously sudden. Not only has the familiar moat and castle model of the “FENCE” architecture (Firewalled Enterprise Network Computing Environment) evaporated as more and more services and data moved to the cloud and SaaS platforms, the pandemic driven work transformation has democratized access and put an expiration date on the dwindling assets that still remain in the data center.
If the FENCE architecture resembles a moat and castle, the zero-trust architecture resembles a global armada. Every SaaS platform, every VPC (virtual private cloud) and every endpoint need to be protected independently, but still needs to be centrally commanded and managed. Obviously, the strategies to defend your organization’s assets are going to be radically different in such an environment.
It’s All About Data
Digital Assets of an organization boil down to stored data. Whether it’s an approval for a customer refund, financial details of business performance, or an onboarding of a new employee – it always translates to access to an organization’s stored data. In short, protecting an organization’s digital assets is the same as protecting the organization’s stored data.
In the FENCE model, organizations had direct administrative control from the ground up over their infrastructure. In cloud platforms, large tech companies own and manage the infrastructure. SaaS providers, while they may be in-turn dependent on the cloud providers, manage the infrastructure security of their own services.
Since the infrastructure and SaaS services are now shared across all tenants, their tech savvy hosts invest heavily in their defense. While there are notable and exceptional compromises of such infrastructure, the more alluring way for attackers to get unauthorized access to your data is by compromising individual organizations’ access to the services hosted in these platforms.
Identities are the New Targets
Organizations hosting their tenants in cloud platforms get extensive administrative tools provided by the platforms to manage them. Similarly, SaaS services provide administrative access to their services. These administrative capabilities are accessed by privileged users, who perform administrative duties to support the business and manage this infrastructure.
The next category of users are the normal business users, who access internal applications that your organization provides them, either hosted on these cloud platforms, or the SaaS services. Business users may be employees or vendors, contractors and temporary workers.
Finally, if your organization offers digital services to your customers and / or partners, then there are the customer / partner users, who access your organization’s publicly available digital services.
So to summarize, there are three classes of users that an organization manages:
- Privileged users, who are IT users with administrative privileges over your infrastructure
- Business users, includes employees, vendors, contractors and temporary workers.
- External, i.e. Customer users and Partner users
We should also note that Privileged users may also be Business users for any function they perform for which they are not using their administrative access. E.g. say, requesting PTO.
Protecting External User Access
An organization can suffer serious, even fatal reputational damage if external user access is compromised repeatedly and at a large scale. However, the ease-of-use bar for these users is extremely high. As a result, one may offer a graded level of access. In this model, a user may be required to provide multi-factor authentication (MFA) only if they are accessing critical data, such as performing financial transactions. A popular method for MFA for external users is to use one-time passcodes sent as a text (SMS) message to the user’s registered phone number. Motivated attackers can phish such passcodes, or perform SIM swapping attacks to receive the passcodes. So such techniques are useful only when the protection required is relatively low value. A number of products from vendors in the category of “Customer Identity and Access Management” (CIAM) are used to manage such external user access.
Protecting Business User Access
Business users, including employees, vendors, contractors and temporary workers represent perhaps the most critical attack surface in a zero-trust environment. This is because their ordinary job functions may require them to use internal applications to perform high-value transactions. Malicious insiders or attackers posing as business users can wreak havoc in an organization and inflict enormous financial and reputational damage. The whole area of Identity Threat Detection and Response (ITDR) has arisen because attackers target user identities and misuse their credentials.
There are two concerns here – authentication and authorization. If you haven’t done so already, you must require all business users to perform multi-factor authentication to access all your applications. This simple step can curtail attacks to a large extent.
Enterprise authorization is the area that ensures users have the right permissions once they are authenticated. This area conventionally uses role-based access control (RBAC) or attribute-based access control (ABAC) to ensure that insiders have the right access permissions. These techniques unfortunately have been found to have significant shortcomings. Newer techniques such as Just-in-time Access Management provide dynamic permissions to users based on their currently sanctioned tasks. Our company, SGNL provides one such solution.
Protecting Privileged User Access
Because privileged users are high value targets for attackers, an organization needs to protect them using a different strategy. These users may be willing to have a much higher bar for authentication. For example, it is not uncommon for organizations to distribute physical security tokens to all privileged users. There are a number of vendors offering Cloud Infrastructure Entitlement Management (CIEM, pronounced like “Kim”) solutions to address this user constituency.