Barely a couple of decades ago, companies operated out of their own buildings, on their own physical servers, over their own networks. Anyone outside the company network had no route to the inside, and anything already inside was implicitly trusted. This security model is known as the "castle-and-moat" architecture: the castle was the network, and the moat was the network perimeter.
With the move to cloud infrastructure and the proliferation of components needed to do business, such as mobile devices, internet-of-things (IoT) hardware, web application firewalls (WAF) and application programming interface (API) management software, the "connect to everything" approach that ties these components together dissolved the perimeter and exposed enterprises to frequent cyber-attacks and data breaches.
Enter Zero Trust Security (ZTS), a relatively new blueprint for a security architecture originally popularized by Forrester, an information technology (IT) research and advisory firm.
ZTS's catch phrase is "never trust, always verify." Every request for a company resource is treated as untrusted until it has been verified, no matter where on the network it originates. Trust is now derived from the requester's identity (whether it's a user, a web service, or a device) and the context of the request, rather than from the proverbial "moat" around the company's network.
ZTS’s guiding principles are as follows:
- Don’t trust any user, device, or network by default.
- Assume your internal network is as hostile as the public Internet.
- Treat identities (users, devices, applications, services) as the new "perimeter": access decisions are made per identity and per request, not per network location.
Following are the recommended steps for implementing ZTS:
- Comprehensively audit all your devices, endpoints, and process / data flows. Seeing how your users, devices, and applications are connected is a critical first step to understanding what components should be communicating and what components shouldn’t.
- Define your environment leveraging a software-defined infrastructure (SDI):
- Software-defined network (SDN): Create a centralized and programmable logical network, particularly when applications need to access multiple servers and databases.
- Software-defined compute (SDC): Abstract compute functions from the hardware they run on, based on the SDN environment.
- Software-defined storage (SDS): Uncouple storage resources from the underlying hardware platform to make storage resources programmable.
- Software-defined perimeter (SDP): Define secure remote access to your enterprise applications. Unlike a conventional VPN, which places the remote user on the network and then relies on the network to limit what they can reach, SDP grants access per application, which makes it a much more secure alternative. SDP relies on standards-based components such as data encryption, digital certificates and federated single sign-on (SSO). It combines micro-segmentation with identity-based access control, producing a security model that dynamically creates one-to-one network connections between the user and only the resources they are entitled to access; everything else stays unreachable.
- Enforce policies at runtime, decoupled from the network, so that ZTS controls apply wherever your endpoints and workloads live (a workload is anything with an IP address: a physical or virtual server, a container, a storage appliance, or an IoT device).
As previously mentioned, the linchpin of ZTS is the resource requester's identity, not the network perimeter. Deploying an industry-standards-based cloud identity and access management (IAM) solution is therefore essential. The key IAM features in support of ZTS are as follows:
- Authentication and user session management.
- Step-up authentication (MFA) with multiple factor options.
- Role-based access control (authorization based on entitlements assigned to users and user groups).
- Behavior detection (risk signals such as an unusual location, device or access pattern), used to drive adaptive MFA: extra verification is demanded only when the risk warrants it.
- Device trust (is the device managed and compliant?).
- Network zone detection (used as a risk signal, never as a grant of trust on its own).
Ideally, IAM should be leveraged in conjunction with a software-defined infrastructure (SDI) platform as described above.
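To make the two halves concrete, here is an added example, not code from BeyondID, Okta or Illumio: a minimal policy decision point in Python that applies the IAM checks listed above (identity, entitlements, behavior risk, device trust, MFA strength, network zone as a signal only) and a default-deny workload allow-list in the spirit of micro-segmentation. The resource names, roles, risk thresholds and workload flows are constructed for the illustration; a real deployment would pull them from the IAM and SDI platforms.

```python
# Added example (not BeyondID, Okta or Illumio code): a minimal Zero Trust policy
# decision point. Every request is denied unless identity, entitlement, device,
# authentication strength and behaviour checks all pass; the network zone is only
# a risk signal. Resources, roles, thresholds and workload flows are constructed.
from dataclasses import dataclass, replace
from enum import Enum
from typing import FrozenSet, Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # re-authenticate with a stronger factor, then retry
    DENY = "deny"


@dataclass(frozen=True)
class Request:
    subject: Optional[str]   # verified identity of the caller; None if unauthenticated
    roles: FrozenSet[str]    # entitlements assigned to the user or their groups
    mfa_level: int           # 0 = none, 1 = single factor, 2 = MFA completed
    device_trusted: bool     # managed and compliant device
    network_zone: str        # "corp", "vpn" or "internet"; never grants access by itself
    risk_score: int          # 0..100 from behaviour analytics
    resource: str


# Constructed resource policy: who may use each resource and under what conditions.
RESOURCE_POLICY = {
    "payroll-db": {"roles": {"finance"}, "min_mfa": 2, "trusted_device": True},
    "wiki": {"roles": {"employee", "contractor"}, "min_mfa": 1, "trusted_device": False},
    "prod-ssh": {"roles": {"sre"}, "min_mfa": 2, "trusted_device": True},
}

# Constructed micro-segmentation allow-list of (source workload, destination, port).
# Any flow not listed is dropped: the network itself is not trusted.
FLOW_ALLOWLIST = {
    ("web-frontend", "orders-api", 8443),
    ("orders-api", "orders-db", 5432),
}

RISK_STEP_UP = 50  # at or above this, require MFA even where the policy does not
RISK_DENY = 80     # at or above this, deny even a fully authenticated user


def decide_access(req: Request) -> Decision:
    """Evaluate one request against the policy. The default outcome is DENY."""
    # 1. Identity first: no verified subject, no access, whatever the network zone.
    if not req.subject:
        return Decision.DENY
    # 2. An unknown resource has no entitlements defined, so nobody is entitled to it.
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return Decision.DENY
    # 3. Role-based access control.
    if not (req.roles & policy["roles"]):
        return Decision.DENY
    # 4. Behaviour detection: clearly anomalous sessions are cut off outright.
    if req.risk_score >= RISK_DENY:
        return Decision.DENY
    # 5. Device trust.
    if policy["trusted_device"] and not req.device_trusted:
        return Decision.DENY
    # 6. Authentication strength. Elevated risk or an Internet-facing zone can only
    #    raise the bar; a "friendly" corporate zone never lowers it.
    required_mfa = policy["min_mfa"]
    if req.risk_score >= RISK_STEP_UP or req.network_zone == "internet":
        required_mfa = 2
    if req.mfa_level < required_mfa:
        return Decision.STEP_UP
    return Decision.ALLOW


def flow_allowed(src: str, dst: str, port: int) -> bool:
    """Workload-to-workload check: permitted only if explicitly listed."""
    return (src, dst, port) in FLOW_ALLOWLIST


if __name__ == "__main__":
    alice = Request("alice", frozenset({"finance", "employee"}), 2, True, "corp", 10, "payroll-db")
    print(decide_access(alice).value)                              # allow
    print(decide_access(replace(alice, mfa_level=1)).value)        # step_up
    print(decide_access(replace(alice, network_zone="internet", mfa_level=1)).value)  # step_up
    print(decide_access(replace(alice, device_trusted=False)).value)  # deny
    print(flow_allowed("web-frontend", "orders-db", 5432))          # False
```

The ordering of the checks is deliberate: a request that fails identity, entitlement, risk or device checks is denied rather than offered step-up, so that prompting for MFA never becomes a way to probe which resources exist. The same request from the corporate zone and from the Internet reaches the same decision logic; the zone only changes how much verification is demanded.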
BeyondID has partnered with market-leading vendors for IAM (Okta) and SDI (Illumio). Contact BeyondID for details on how we can help you (1) assess your current environment and (2) deploy and integrate IAM and SDI in a ZTS environment.