Identity-based threats have become a dominant source of attacks and data breaches. Organizations aware of these threats realize the need for improved identity detection and threat response strategies. According to security experts, this is best achieved by implementing an identity-based zero trust approach. But before we dive into the identity aspects of zero trust, we must first establish what zero trust is and what it isn’t. Keep reading to learn how it works and how to implement zero-trust security effectively.
What is Zero Trust?
The zero trust model is a security approach centered around the idea that you, as an organization, shouldn’t automatically trust anyone inside or outside the perimeters. Instead, you need to verify any entity or user trying to access the system.
This model, also called zero trust architecture, was coined in 2010 by the principal analyst at Forrester Research, John Kindervag, as a more effective security framework than the traditional castle-and-moat approach.
As a security framework, zero trust supersedes the idea of a network edge. It focuses on securing the network infrastructure, whether local, cloud-based, or hybrid. The framework requires all users and entities trying to access the network to be authenticated and authorized before accessing any resources, data, or applications.
The security doesn’t end when entering the network. Users’ sessions need to be regularly monitored, and their identities routinely validated, to maintain access. This approach addresses challenges such as securing workspaces with remote and hybrid workers.
As the number of vendors offering zero trust solutions increases, the need for a standard definition arises.
How Zero Trust Authentication Works
Implementing a zero trust authentication framework within an organization requires combining different technologies, including identity protection, endpoint security, risk-based identity management, data encryption, and multi-factor authentication. Besides the combination of technologies, the framework needs to be implemented on a robust cloud infrastructure to enable continuous verification.
Continuous monitoring and authentication are the core requirements of a zero trust architecture. To achieve this, you need to enforce policies that consider the user’s and device’s level of risk, as well as compliance requirements. This means continuously authenticating both users and devices, taking their privileges and attributes into account throughout the session rather than only at login.
To build a zero trust architecture, you need to first identify the network’s critical assets, users, services, and data. By doing this, you can prioritize and create security policies.
After discovering the critical assets you need to protect, the next step is to understand which users are using which resources. Implementing a zero-trust authentication architecture requires mapping all privileged accounts and controlling what and where they connect, relying on real-time visibility.
For that reason, validating identity only at the start of a session is not enough, because the user’s risk level may change during the session. Continuous validation of all access requests is therefore a must within this framework. To achieve continuous authentication, zero trust policies evaluate user and application identity attributes such as:
- Credential privileges
- Behavioral patterns
- User identity
- Risk levels in authentication protocols
A comprehensive zero trust architecture covers users, applications, and infrastructures.
- Users: the framework needs to authenticate the user’s identity and the integrity of the user’s device, while enforcing the principle of least privilege across all systems.
- Applications: by applying zero trust to applications, you assume applications cannot be trusted, and you need to validate their behavior continuously.
- Infrastructure: everything in the infrastructure, from routers to IoT devices, should be under the zero trust approach.
Zero Trust Use Cases
The zero trust authentication approach has become a best practice as an effective response to the different security risks and challenges over the past decade. Many organizations, however, have come to understand the benefits of implementing zero trust only through the latest waves of security threats and successful ransomware attacks.
Which organizations can benefit most from a zero trust approach?
If your infrastructure model includes:
- A multi-cloud, hybrid, or multi-identity infrastructure
- BYOD or unmanaged devices
- SaaS applications
- Legacy software
If your organization has the following challenges:
- Lack of skilled SOC expertise
- Compliance requirements
- Lack of threat visibility
Your organization is at a high risk of these attack vectors:
- Insider threats
- Supply chain attacks
Your organization has any of the following:
- Third parties working inside the corporate network
- Remote workers who access public cloud resources
- IoT devices, such as sensors, in use in your industry
Organizations with varied use cases can successfully implement zero trust, adjusting it to meet their specific needs, digital transformation challenges, and security strategy.
Zero Trust Use Case: Capital One Breach
The Capital One breach in 2019 is an excellent example of unauthorized access. A former Amazon employee infiltrated the database by using access credentials from her former employer. The hacker stole more than 100 million consumer applications, resulting in a fine of $80 million for the financial corporation.
Could Zero Trust have prevented this attack?
This case shows the importance of implementing zero-trust and access management tools for hybrid and cloud environments. By implementing a zero-trust approach, a cloud or hybrid environment gains a more robust security posture against unauthorized access. A zero-trust solution would have detected the hacking attempt as coming from a suspicious location at a suspicious time, and prevented it.
Zero Trust Use Case: The Colonial Pipeline Ransomware Attack
On May 13, 2021, the Colonial Pipeline Company became the victim of a ransomware attack. The attack resulted in disrupted operations across more than 5,500 miles of pipelines, with a cost in downtime of billions of dollars. According to an FBI report, the DarkSide hacking group was responsible.
DarkSide infiltrated the organization’s network environment using ransomware, compromising Colonial Pipeline’s IT systems. It forced the company to stop normal operations to contain the attack and prevent it from spreading to operating systems.
Could Zero Trust have prevented this attack?
Zero-trust granular control and security policies ensure all access attempts are checked and verified. Because of this, the checks continue even after an attacker gains a foothold in the network, immediately blocking malicious behavior and preventing further disruption. This attack is an example of how implementing zero trust can prevent further damage.
If, somehow, the attackers were already inside the system, zero trust would have prevented the attackers from reaching the customers’ PII.
What are the Core Principles of the Zero Trust Model?
According to the NIST 800-207 standard, the Zero Trust approach follows three core principles:
- Verify continuously: verifying access requests at all times, from all users and all resources.
- Minimize the impact: if a data breach occurs, limit its spread as much as possible.
- Leverage automation: gather accurate data from the entire IT stack, incorporating behavioral data.
The Zero Trust motto is “Never trust, always verify”. This means there are no trusted applications, devices, or credentials in a zero trust approach. Every asset and user trying to access a system or a resource must be verified. Achieving this task requires having a couple of elements in place.
First, you need to implement a risk-based access control system that preserves a consistent user experience. The system should intervene in a session only when the risk level is concerning. Second, your policy model needs to be dynamic and scalable. In any organization, workflows, users, and data change regularly, so your security policy should adapt to include compliance and other specific requirements.
Minimizing the Impact
If a breach happens, it is critical to minimize the impact as soon as possible. If you have implemented a zero trust approach to security, it will help limit the attacker’s range of actions, giving your security team time to respond to the attack.
Other organizations define the core principle as “default deny” access to corporate assets. This means applying zero trust to networks, workloads, data, people, and devices:
- Networks: A network based on the zero trust framework is secured differently than with traditional perimeter security. In the zero trust approach, the perimeters exist around the company’s assets, micro-segmenting the network.
- People: Zero trust enables advanced protection against compromised credentials by providing identity zero trust and robust authentication processes.
- Workloads: The zero trust model recommends implementing granular security monitoring and access management to protect cloud assets and virtual machines.
- Data: One of the main goals of a zero trust approach is to enhance data security. Zero trust identifies critical data, maps the data flow, and defines policies across the IT ecosystem.
- Devices: The zero trust security framework considers all devices connected to the network as potential threats, verifying their status constantly, and isolating those that are compromised.
Finally, a strong zero trust security strategy requires two other essential capabilities:
Complete visibility and analytics: A zero trust security policy should be based on real-time data, which in turn requires complete visibility into the behavior of the network, users, and devices. A solution that has deployed zero trust should constantly monitor, collect, log, and analyze data from the IT ecosystem.
Integration and orchestration: Automation is key for effective identity threat detection and response. To be effective, a zero trust architecture must integrate with the existing corporate security infrastructure. This enables automated and scalable incident response and threat hunting capabilities.
Implementing Identity-Based Zero Trust
Today’s enterprise environment spans many kinds of resources: physical servers, SaaS apps, cloud workloads, file shares, on-prem applications, and more. Identity-based Zero Trust authentication ensures the following criteria are met:
- No user is trusted by default until they are properly authenticated.
- Once authenticated, user accounts are only authorized for the specific resource they requested.
- Authentication and authorization are continuous. The account’s risk is constantly assessed in the background and its risk score or profile is adjusted accordingly.
For example, let’s assume that a remote user has connected by authenticating to the enterprise VPN. Once inside the internal environment, the user attempts to access a file server. Identity-centric zero trust evaluates this new access request on its own merits and decides whether it is allowed; it never assumes the account is trusted based solely on its VPN access.
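The VPN-then-file-server scenario above, and the risk-based access control described under the core principles, as an added example that is not Silverfort’s code: a minimal policy decision point that recomputes risk on every request, steps up to MFA only when the resource warrants it, and denies outright once the score crosses a threshold. The signal weights, tiers, thresholds and resource names are all constructed for illustration.

```python
"""Added example, not Silverfort's code: a minimal identity-centric policy
decision point that re-evaluates every access request instead of trusting a
session because it passed the VPN. All weights and names are constructed."""
from dataclasses import dataclass, field

# Constructed risk signals: each observed signal adds to the request's score.
RISK_WEIGHTS = {"new_location": 40, "off_hours": 20, "new_device": 30,
                "failed_logins": 25}
# Constructed sensitivity tiers: 1 = low (VPN), 2 = MFA required, 3 = critical.
RESOURCE_SENSITIVITY = {"vpn": 1, "file-server": 2, "hr-database": 3}
DENY_AT = 60       # risk score at which a request is refused outright
REVERIFY_AT = 30   # score at which critical resources demand a fresh MFA


@dataclass
class Session:
    user: str
    mfa_verified: bool = False   # set after a successful MFA challenge
    risk: int = 0                # recomputed on every request, not once at login
    history: list = field(default_factory=list)


def risk_score(signals: set[str]) -> int:
    """Sum the constructed weights of the observed signals, capped at 100."""
    return min(100, sum(RISK_WEIGHTS.get(s, 0) for s in signals))


def decide(session: Session, resource: str, signals: set[str]) -> str:
    """Return 'allow', 'step-up' (fresh MFA) or 'deny' for one request.

    Earlier access (e.g. to the VPN) never short-circuits the decision: the
    score is rebuilt from this request's signals and compared against the
    requested resource's tier, so a VPN-authenticated user is still judged
    when they turn to the file server.
    """
    session.risk = risk_score(signals)
    tier = RESOURCE_SENSITIVITY.get(resource, 3)  # unknown resource: critical
    if session.risk >= DENY_AT:
        verdict = "deny"
    elif tier >= 2 and not session.mfa_verified:
        verdict = "step-up"          # MFA only when the resource warrants it
    elif tier >= 3 and session.risk >= REVERIFY_AT:
        verdict = "step-up"          # risk rose mid-session: re-verify
        session.mfa_verified = False
    else:
        verdict = "allow"
    session.history.append((resource, session.risk, verdict))
    return verdict
```

A successful VPN login yields `allow` for the VPN and `step-up` for the file server, and a later request from a new location outside working hours is denied even though the session was MFA-verified earlier.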
How you implement zero trust depends on your organization’s needs and requirements. Here at Silverfort, we like to recommend the following stages to achieve a mature Zero Trust model:
Mapping and Visualization
In this stage, you map and understand all resources, how they can be accessed, and what risk they may present. You should see all entities and understand the vulnerabilities they may introduce. This lets you see potential attack paths.
Keep in mind:
- Ensure complete identity-side visibility.
- Look for identity gaps, mainly when you use several identity providers.
- Identify all entities, including service accounts. Because service accounts are used for machine-to-machine access, they tend to be overlooked and cannot be verified with MFA, resulting in additional security risk.
After the discovery stage is complete, the next stage is detecting security threats and responding to them. If an attacker is already inside, this is where you mitigate the damage.
Keep in mind:
- Incorporate behavioral analytics so you can detect insider threats and compromised credentials.
- Remember to segment and implement the least privileged principles to stop lateral movement.
- Reduce false positives by enriching the context with threat intelligence.
Once you deploy your policies, it is time to extend the protection to the entire IT infrastructure. It is essential to keep a seamless user experience.
Keep in mind:
- Implement conditional access to prevent MFA fatigue.
- Remember to expand the protection to legacy systems.
Why Silverfort for Identity Zero Trust?
Implementing the right solution can simplify your transition to a zero trust architecture.
Silverfort has pioneered the first Identity Threat Protection platform purpose-built for real-time prevention, detection, and response to attacks that use compromised credentials to access targeted resources. Using innovative agentless and proxyless technology, Silverfort seamlessly integrates with all existing IAM solutions (such as AD, ADFS, RADIUS, Azure AD, Okta, Ping Identity, AWS IAM, etc.), extending their coverage to assets that could not be protected until today, such as homegrown/legacy applications, IT infrastructure, file systems, command-line tools, machine-to-machine access and more. Silverfort effectively prevents identity-based attacks across dynamic and complex cloud and hybrid environments, giving organizations the capabilities to prevent identity-based attacks and achieve compliance.
Learn how Silverfort can help your organization achieve zero trust. Contact us.