Trust dimensions in zero trust security
The increasing sophistication of cyberattacks and subsequent costs associated with containment and remediation has brought about an evolution in the security industry. Enterprises are now beginning to realize that trust is a precious commodity and one of the best ways to preserve it is by taking a zero trust approach.
To many, zero trust security implies certain types of solutions like micro-segmentation, whitelisting, or perimeter-less access. However, these are merely technical building blocks. The core of zero trust lies in understanding the various trust dimensions that come into play when implementing security and creating a layered security architecture that can provide access based on the trust level.
Security and trust
A security solution provides access to protected entities based on trust establishment. A user swipes their badge and gains admittance to the company premises. Likewise, a user logs in and is provided access to data. If a device is present within the company’s premises, it is provided access to connect to other servers. In each of these examples, the trust is “static” – once established, access is provided.
However, the security industry is now realizing that trust is not a static factor. Nor is trust a unidimensional factor. Trust needs to be based on ‘who wants to access what (resource/data) from where using what device and at what time’. This approach brings multiple factors into play and the riskiness associated with each of the factors must be addressed. For zero trust to be successful, the industry needs to provide for a framework in which trust decisions becomes multi-dimensional, fine-grained, and dynamic.
The protected entity
The raison d’être of a security solution is to protect. The entity being protected could be a ‘resource’ or ‘data’. The resource could be company premises, networks, laptops, servers, or other critical infrastructure. The ‘data’ could be intellectual property, legal or financial data, or personal data. The security of data and resources depends on who is accessing them and whether they have the requisite authorization. In other words, can the access be trusted?
User trust
The most common trust that we see is user trust. This is also the trust that is quite well developed and continues to be so. User trust has two parts: identity establishment and user authorization.
A company trusts its employees and this trust is commonly established by a login mechanism, which is essentially a shared secret. Alternatives to login have been biometrics (what the user is), or what the user possesses (badge/token/phone). However, to prevent identity thefts, companies have begun to adopt multi-factor authentication.
Once the identity has been established, access is provided based on authorization. For example, a finance employee won’t have the authorization to access research reports or source code. Authorization typically flows based on the role and department the employee works in and this can change over time.
However, in the absence of fine-grained and dynamic controls, restrictions are usually based on additional identity authentication to access various applications and data. The result is individual login requirement for each application, introducing complexity in managing trust and access. While single sign-on improves the end user experience, it comes with a cost as access by individual users to various applications and data needs to be managed effectively.
However, the primary challenge with user trust relates to identity theft and insider threats. In the case of an identity theft, the user is usually unaware of the situation. And insider threats have always been a pain point for any security system. These threats are usually tackled using mechanisms like need-to-know access or limited time access.
Location trust
Location trust is about determining the risk of providing access based on the location from which a user is trying to access a resource. For example, depending on whether a user is accessing a resource from within company premises or via a corporate network or from a public place such as an airport or hotel lobby, the risk of providing access varies significantly. Providing access to sensitive information to which a user normally has access may be risky on a public network.
Though the term “location” usually refers to GPS data, the location information to base trust could vary widely. While GPS is an example of fine-grained data, it could be coarse as well. Location parameters may include:
- Network profiles (Office/Home/Public WiFi)
- Site / building differentiation (HQ/Building1/New York Branch/US-Arizona/EU-London)
- Country, State, or City
- GPS data
Location is likely to be a composite parameter incorporation one or more of the above. Location can also imply a time zone, thus tying location information to time based trust.
Device trust
Today, users demand access from a variety of devices. These could be corporate laptops managed by the enterprises’ IT dept, mobiles, tablet computers, or personal laptops. The threat perception of a device can vary based on factors like the type of operating system, security solutions installed on the device, and whether it has the latest security patches.
Also, device trust is not static. If a device, say a laptop, remains unpatched because the user had gone on a holiday, its trust would need to be deemed lower. This brings the ‘time’ dimension also into play for device trust.
Time trust
If an employee who works from 9am to 5pm is found accessing a company resource around 11PM, would that be OK? What if an employee is accessing an application while they are on vacation? Is it really that employee? Or has the employee’s identity been stolen?
Time trust deals with identifying risk based on when the resource access is being made. The time information used as a trust factor could be the time zone or the clock time. In most cases, the time information needs to be co-related with other trust factors, such as location. For example, an employee could be traveling to a different site in a different time zone. In this case, an employee accessing a resource at 11pm (of their home time zone) may be fine.
Leveraging trust dimensions
A combination of trust factors can help realize a fine-grained and dynamic trust framework to provide effective control over resources and data. However, the key challenge is in leveraging these effectively to establish a security solution for the organization. This in turn requires deeper thought into what needs to be protected and the parameters based on which access needs to be granted to each of the protected entities. This will cause some degree of loss of freedom of access to employees who are used to getting access anywhere and anytime. However, a key principle of zero trust is that trust is not just about the user, but also about establishing trust in many other factors that concern the access.
For solution providers, the challenge is to ensure that the security solution provides an intuitive way to define the required trust rules for fine-grained and dynamic access. When new sites are established or new device accesses are provided, would the user need to completely redo the configuration or, does the solution support a simple way to extend the trusted access policies? This requires a well-thought policy framework which can combine with behavior analytics to determine whether an access request is “normal” or “anomalous” before granting or denying access.
Most solutions available today are point products that do not address all the trust dimensions. Some solutions are focused purely on data-centers and some purely on end-user access. The need of the hour is for a unified solution that can tie in both and bring an end-to-end view which can be leveraged to implement zero trust security across the organization.