2021 Playbook: Enforcing Zero Trust for All Identities
Wed 9 Jun 2021 | Kamel Heus
Adopting a Zero Trust mindset ensures organisations stay ahead of the security curve and promotes a ‘never trust, always verify’ security stance.
Last year, COVID-19 spurred organisations everywhere to rapidly accelerate the digitalisation of their customer and supply chain interactions and internal operations. In response to the demands of national lockdowns and stay-at-home orders, they had to scramble to digitally enable the workforce and digitise their product and service portfolios at a breakneck pace.
According to research by McKinsey, companies acted up to 25 times faster than expected, and in the case of remote working some moved up to 40 times more quickly than previously thought possible. Indeed, business leaders estimated it would have taken more than a year to implement the level of remote work that took place during the pandemic crisis. In reality, it took just an average of 11 days to implement a workable solution.
Fast forward 12 months and it is clear that the events of last year have propelled organisations to embrace a raft of technology-related changes. As economies reopen, organisations are putting their remote working and customer interactions models onto a more permanent footing and investing in further digital technologies for competitive advantage.
As a result, cloud usage is continuing to escalate. However, the build-out of all these new cloud, hybrid cloud and multi-cloud infrastructures is putting the traditional identity and access management (IAM) practices of many organisations under significant pressure.
Minimising the growing cyber exposure risk
With IT administrators, security teams, and regular enterprise users now dispersed and heavily reliant on remote access to corporate systems, DevOps environments, and applications, threat actors are benefiting from a vastly expanded threat surface that puts many more attack vectors at their disposal. Often that means exploiting phishing and other social engineering campaigns designed to take advantage of human shortcomings so they can hijack credentials that provide access to IT infrastructure and data.
When it comes to engineering cyber breaches, identity has emerged as the weapon of choice for hackers looking to log into systems using stolen, purchased, weak, default or otherwise compromised credentials. According to the 2020 Verizon Data Breach Investigations Report, 80% of breaches happen due to compromised credentials. If privileged users routinely use shared privileged accounts for access, especially through a VPN, then any attacker that is able to compromise these credentials effectively has the keys to the enterprise’s crown jewels.
Unfortunately, it’s not just privileged users that are in the cross-hairs of external threat actors. Many cyber-attackers target regular employee accounts to gain an initial foothold, using these to bunker down, fan out and profile the network, and acquire elevated privileges to complete their objectives.
Locking the doors to the kingdom
Enterprises need to re-evaluate their security stance in light of the highly distributed IT infrastructures that are now being utilised by remote workers and contractors and find ways to protect the massively expanded attack surface that has been created. Addressing all these new dynamics will require the implementation of Zero Trust security strategies and modern Privileged Access Management technologies that are designed to help organisations stay ahead of the security curve where privileged access abuse is concerned.
This approach should not just be limited to identities for human user access. Non-human identities and service accounts for machines, applications and other workloads increasingly represent the majority of ‘users’ in today’s organisations. This is especially true in cloud and DevOps environments where developer tools, containerised applications, microservices, and elastic workloads all have identities that need to talk to each other.
Getting to grips with the Zero Trust PAM model
As users and IT assets become more distributed, the traditional network perimeter is dissolving. This means that it is no longer appropriate to base access decisions on simplistic concepts such as ‘trusted users are on the inside’ and ‘untrusted users are on the outside’ and then use IP addresses to make that distinction.
Instead, organisations must assume that threat actors are already inside their systems. By adopting a Zero Trust mindset, organisations are able to ditch the outdated ‘trust but verify’ approach and instead embrace a ‘never trust, always verify’ security stance.
This ensures that legitimate administrators no longer have carte blanche access to privileged accounts. Rather than using shared privileged accounts such as root and local administrator at will, they can only use their HR-vetted enterprise account, which has their rights and entitlements built into their identity. This prevents high-impact mistakes and limits the fallout should an attacker compromise that account.
PAM security controls can then selectively grant elevated privileges when the situation requires, based on centralised role policies. Adopting this ‘least privilege’ approach to access reduces risk while ensuring legitimate admins are able to do their job by enabling them to request just enough privilege, just-in-time, and for a limited timeframe only. Most importantly, the privileged access session can then be closed upon completion, leaving zero standing privileges to be exploited.
By implementing a Zero Trust approach to PAM via least privilege access controls, organisations will be able to minimise their attack surface, improve audit and compliance visibility, and reduce risk, complexity, and costs. But to be truly effective, organisations will need to apply this consistently across all IT assets including their data centre, DMZ, virtual private cloud, and multi-cloud environments.
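The just-in-time, least-privilege flow described above, as an added illustration that is not code from the original article or from any PAM product: a minimal privilege broker in which elevation is granted only against a role policy and a passed MFA check, every use is re-verified against a live grant, and closing the session leaves zero standing privileges. The role policy, privilege names and user names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role policy: which roles may request which elevated privilege,
# and the maximum session lifetime in seconds that policy allows.
ROLE_POLICY = {
    "dba":       {"sudo:postgres": 1800},
    "linux-ops": {"sudo:root": 900, "sudo:postgres": 900},
}


@dataclass
class Grant:
    user: str
    privilege: str
    expires_at: float


@dataclass
class PrivilegeBroker:
    user_roles: dict                       # enterprise identity -> set of roles
    _grants: list = field(default_factory=list)

    def request(self, user, privilege, duration, mfa_ok, now):
        """Grant a time-boxed privilege only if MFA passed, a role policy
        permits it, and the requested duration is within the policy maximum."""
        if not mfa_ok:
            raise PermissionError("MFA required for elevation")
        allowed = max((ROLE_POLICY.get(r, {}).get(privilege, 0)
                       for r in self.user_roles.get(user, ())), default=0)
        if allowed == 0:
            raise PermissionError(f"{user} has no role permitting {privilege}")
        if duration > allowed:
            raise PermissionError(f"{duration}s exceeds policy max of {allowed}s")
        grant = Grant(user, privilege, now + duration)
        self._grants.append(grant)
        return grant

    def is_authorised(self, user, privilege, now):
        """'Always verify': every use is checked against an unexpired grant."""
        self._grants = [g for g in self._grants if g.expires_at > now]
        return any(g.user == user and g.privilege == privilege for g in self._grants)

    def close_session(self, grant):
        """Revoke on completion so nothing is left standing for an attacker."""
        self._grants = [g for g in self._grants if g is not grant]

    def standing_privileges(self, now):
        """Privileges currently held; an empty list is the Zero Trust goal."""
        return [(g.user, g.privilege) for g in self._grants if g.expires_at > now]
```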
The journey to Zero Trust maturity
Achieving PAM Zero Trust maturity begins with tackling some of the basics first, before moving to implement more advanced features.
For example, continual education in good password hygiene should be mandatory for all users, not just admins. High entropy passwords that are hard to crack are essential, while frequent password rotations – especially for non-human accounts – will reduce the window of opportunity for hackers. Use PAM to bring these accounts under central management and apply a frequent rotation policy, using a modern PAM solution to ensure passwords are synchronised across all dependent systems and so mitigate the risk of application failure.
Implementing multi-factor authentication (MFA) consistently at multiple access points for extra identity assurance for all administrators represents another key step that will stop a bot or malware attack in its tracks.
Finally, identities with standing privileges carry significant risk, and Linux systems in particular are a huge source of local privileged accounts, so it’s best practice to eradicate as many as possible. For those that can’t be eliminated, utilise a secure password vault and limit access to emergencies only.
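The two basics above (rotating passwords, especially for non-human accounts, and finding standing local privilege on Linux hosts) as an added defender-side audit that is not code from the original article: it reads the passwd, group and shadow formats, lists every local account with standing privilege (UID 0 or membership of an admin group) and flags those whose password age exceeds a rotation policy. The file contents, account names and the reference day are constructed for the example.

```python
# Constructed sample of /etc/passwd, /etc/group and /etc/shadow content.
PASSWD = """root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/bash
svc_backup:x:1001:1001:backup service account:/var/backup:/bin/sh
alice:x:1002:1002::/home/alice:/bin/bash
nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin
"""
GROUP = """root:x:0:
sudo:x:27:alice,svc_backup
wheel:x:10:
"""
# shadow fields: name:hash:lastchange(days since epoch):min:max:warn:inactive:expire:
SHADOW = """root:$6$abc:18700:0:99999:7:::
toor:$6$def:18000:0:99999:7:::
svc_backup:$6$ghi:18200:0:99999:7:::
alice:$6$jkl:18780:0:90:7:::
nobody:*:18000:0:99999:7:::
"""


def parse_colon_file(text):
    """Split a colon-separated account file into field lists, skipping comments."""
    return [line.split(":") for line in text.splitlines()
            if line and not line.startswith("#")]


def privileged_accounts(passwd, group, admin_groups=("root", "sudo", "wheel")):
    """Return {user: [reasons]} for every local account holding standing privilege."""
    found = {}
    for name, _pw, uid, _gid, *_rest in parse_colon_file(passwd):
        if uid == "0":                      # any UID 0 account is root-equivalent
            found.setdefault(name, []).append("uid 0")
    for gname, _pw, _gid, members in parse_colon_file(group):
        if gname in admin_groups:
            for member in filter(None, members.split(",")):
                found.setdefault(member, []).append(f"member of {gname}")
    return found


def stale_passwords(shadow, today, max_age_days=90):
    """Return {user: age_days} where the password is older than policy and usable
    (locked or disabled hashes starting with '*' or '!' cannot be rotated)."""
    stale = {}
    for name, pw_hash, lastchange, *_rest in parse_colon_file(shadow):
        if pw_hash.startswith(("*", "!")) or not lastchange:
            continue
        age = today - int(lastchange)
        if age > max_age_days:
            stale[name] = age
    return stale


def audit(passwd, group, shadow, today, max_age_days=90):
    """Highest-risk set: standing privilege plus a password past rotation policy."""
    priv = privileged_accounts(passwd, group)
    stale = stale_passwords(shadow, today, max_age_days)
    return sorted(user for user in priv if user in stale)
```

Run against the constructed data with day 18790 as "today", the service account in the sudo group and the second UID 0 account are the ones that need vaulting or removal first.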
Today’s perimeter-less enterprises need to rethink security with Zero Trust in mind, adopting a PAM mandate that follows three rules: never trust, always verify, and enforce the least privilege. By implementing basic password hygiene, password vaulting and MFA, organisations can build in layers of security that will help preserve the enterprise from the risk of breach due to compromised credentials.