Identity management and zero trust: Where to get started
The past year has taught us all a few things, from how much we value our health to what we take for granted regarding IT.
The impact of the last year should be obvious, but the Verizon 2021 Data Breach Investigations Report laid it out clearly. During the past year, privilege abuse was the biggest cause of data breaches by far, and phishing, ransomware and use of stolen credentials all went up.
David Smith and Bernard Wilson, the US Secret Service agents quoted in the report appendix also pointed to lack of identity management as an ingredient for data breaches in more companies: “Organizations that neglected to implement multi-factor authentication, along with virtual private networks (VPN), represented a significant percentage of victims targeted during the pandemic. The zero-trust model for access quickly became a fundamental security requirement rather than a future ideal.”
So, after a tough year where security teams moved heaven and earth to keep their companies both productive and secure, it’s time to take stock. While some new identity management program implementations will be effective for the longer term, others will find gaps and assumptions that could lead to unnecessary risk. Reviewing your approach now should help you spot any areas where you can continue to improve and move toward a zero-trust security model.
Core identity and authentication
Zero trust starts with who you are authenticating and what they should have access to – otherwise called identity trust. Based on the directory which is your single source of truth and core identity provider, or IdP, this is what stores and authenticates the identities your users use to log in to their devices, applications, files servers, and more (depending on your configuration).
Traditionally, many organizations use a directory as their single source of truth, such as Microsoft Active Directory (AD) or an implementation of OpenLDAP. However, these approaches tend to be aimed towards larger organizations and require on-premises servers, networks, and hardware.
Today, the move to remote working has put more emphasis on cloud directory services that can support both cloud applications and the range of devices that users might have access to. Supporting access remotely requires a layered security approach which goes beyond a single factor for authentication, and moves to multi-factor authentication (MFA). MFA adds additional factors like one-time password (OTP), mobile push authentication or security keys. For many smaller companies, MFA is something that can be easy to overlook, as it can require additional expense and licenses to implement. Modern cloud directories provide MFA as part of their offering.
The challenge around MFA is how to provide a low-friction, easy-to-use MFA experience that can be used across the organization’s applications and endpoints. Different challenges for each application or device can put people off adopting MFA, even though it is one of the best ways to reduce your attack surface. Instead, unifying your MFA approach will make it easier to roll out single sign-on (SSO) to applications, log in to devices, and authenticate into services based on stronger credentials.
Thinking about when to provide access
This is the basic set-up for access control and authentication for identity trust, so now it is time to look at how to improve your overall approach so that you support smarter working as well as better security. One good route to this is to think about conditional access policies.
Conditional access involves looking at other types of trust to make an access and authentication decision. In a zero-trust model you “trust nothing, verify everything.” Along with identity trust, you can use device trust, network/location trust, geofencing, and even conditional policies for individual applications to limit access. A good starting point is to look at the devices that your users will have, as these will have to be authenticated as well under a zero-touch approach (just because a user’s credentials are correct does not automatically mean that the device is one that should be allowed access).
For example, you may have allowed your users to take their endpoints home during the pandemic. These devices should have your company applications implemented and your existing security solutions installed. They should be up to date and secure, and therefore trusted. To provide proof that each of these devices is what they say they are, you can implement security certificates to each device. Whenever someone logs in, your access control policy can check that the user is on their device with the right security certificate. If they are, then they can be allowed access. If a user opts for their personal device without this certificate in place, then a different kind of MFA challenge can be used instead.
Alongside this, you can use network and IP data to decide on whether someone should be allowed access. With this information, you can decide on whether to allow access or to take another step. With so many people working from home now, it might not be practical to whitelist every single home office IP address; however, you may limit access based on the user connecting to the organization’s VPN.
There are some approaches that you can take to improve security based on the geolocation where you expect users to work. For example, if your employees will only work in the UK or the United States, then you can create a geofence by looking at geolocation data before allowing or denying access.
If a request comes in that has the right credentials but is connecting from a country that the user is not expected to be in, then it can be blocked. Alternatively, if you know that someone travels for work to a wide range of places, then a request coming in can lead to an additional authentication request using MFA to verify that they are allowed access.
This can be extended to specific applications and services too. For example, if your organization has software developers that manage your continuous integration and continuous deployment processes or use cloud services to manage code repositories, you can enforce stricter rules on when those users can get access. Other applications – standard productivity apps, say, or individual SaaS applications – may not need those additional levels of security.
However, with so much emphasis today on software supply chains and tracing all contributions through, enforcing more security at the application level can help. With this SSO approach in place, you can manage access and keep control over who can access these kinds of applications, as well as which devices and locations can be used.
Getting back to normal means better systems management
One of the biggest challenges after the pandemic will be getting back to normal. For some companies, remote work has already become the default; for others, employees will now be able to work remotely for several days of the week and spend the rest in the office.
Remote working has offered some benefits for both enterprises and employees, and those we should hang on to. However, there are some processes that should be put back in place. Using a zero-trust model and following best practices for using a conditional access approach will help keep the security on track.
This also underpins an effective zero-trust approach based on checking the identity, then authorizing activity at every step of the way. A good identity management approach should make it easier for employees to get their work done, while still allowing security to adopt the right risk management approach over time.