The cybersecurity landscape is rapidly becoming more challenging as the pace of attacks on organizations increases and new threats emerge. An increasing reliance on remote work necessitated by the COVID-19 pandemic has only added to these challenges.
In this new normal, there’s a greater need for a security model that’s well-suited to a cloud-first organization that has employees operating across the globe. Newer approaches, like Zero Trust Security, have emerged to address the security challenges that come with remote work. Because Zero Trust is built on the premise of never trusting without first verifying, technologies that engage end users to verify their identity throughout the access transaction are critical to this model.
Defense-in-Depth No Longer Cuts It
Traditionally, organizations approached security with layers in a “defense-in-depth” architecture. This approach placed valuable data and information at the center and layered a series of defensive mechanisms on top.
The idea was to increase the system’s overall security with intentional redundancies to protect against different attack vectors. If one layer of security failed, there would be one right behind it to prevent an attack.
An attacker would thus have to breach all of these different layers to access the critical digital assets. On the other hand, authorized users would simply bypass all layers of security if they logged in with a trusted machine from inside the network perimeter.
This model can work for on-premise networks (though major flaws do exist). However, with organizations increasingly shifting to the cloud, and employees working from anywhere but the office, an on-prem network with layered security architecture just doesn’t cut it. This is why Zero Trust is the recommended security approach in the new world.
How Zero Trust Solves Modern Cybersecurity Challenges
Modern cybersecurity challenges stem from the increasing number of endpoints that organizations now have within their network, whether through cloud-based machines and apps, Software-as-a-Service (SaaS) tools or allowing employees to use their personal devices for work.
The Zero Trust model addresses this challenge by never trusting without first verifying. It operates under the assumption that valid credentials are not enough to prove that the “right” person is accessing an IT resource, as potential attackers exist both within the network and outside it, so every request to access the system requires multiple checks to be completed before authorization is granted. Thus, the traditional network perimeter is eliminated, and a perimeter (of sorts) is instead wrapped around each individual user, minimizing threat vectors that could emerge through compromised identities, devices and networks.
What are the Components of a Zero Trust Architecture?
Identity Trust
In a Zero Trust model, identity verification is one of the prerequisites for access. The user must be identified based on the attributes, role and group that they’ve been assigned. However, identity trust alone is not enough to grant access. This is due to the weakness of the traditional password: shared, reused and easily guessable passwords help make stolen credentials the cause of the majority of cybersecurity breaches.
Device Trust
Even if the right credentials are used, the Zero Trust model wouldn’t allow access unless the request originates from a device that’s known to the organization and deemed to be secure through device-installed agents and certificates linked to specific users. Device trust is key to maintaining the full understanding of its posture.
For example, organizations can implement device trust by not allowing all or certain employees to access the network through their personal devices. In addition, specific users could be allowed access to “non-critical” or “low-risk” resources (no matter where they reside) from personal devices but only with MFA enabled.
Network Trust
With the right tools, organizations can maintain granular control over which IP addresses to allow and deny. This ensures that access requests originating from whitelisted IPs are processed while others are denied. Employees can thus only access resources from networks that are known to the company and verified to be secure.
For some organizations, however, whitelisting may be too burdensome or time consuming. Blacklisting certain IP addresses or ranges can also help ensure network trust. Many attacks around the world originate from specific set countries, which when blocked can reduce the attack surface and minimize the impact of automated, “low hanging fruit” attacks.
To enforce network trust, organizations can prevent employees from accessing sensitive data from their home IP addresses and require them to pass multi-factor authentication and use a company VPN instead.
Method for Establishing Trust
Identifying the components of trust is only half the battle: you’ll also need to specify how to establish this trust. This is where multi-factor authentication (MFA) comes in.
Passwords can no longer be trusted on their own to demonstrate that a user is who they say they are. Similarly, because devices aren’t hooked up to physical networks and employees work remotely from various networks rather than one central one, it can be hard to distinguish valid remote access attempts from malicious ones. And since more and more resources are hosted externally through SaaS models, IT admins may be completely blind to malicious access attempts against critical resources.
MFA is the critical ingredient to combat this by challenging the user with more than one simultaneous proof point, making it incredibly difficult to fake (or use maliciously) a trusted identity, device, or network.
Why MFA is Critical Component to Zero Trust
MFA adds an extra layer of security through which the identity of a user first has to be proven before access can be granted. It requires a combination of something the user knows, which would be the password, and something that they have or are.
This could either be an app-based passcode generator, a registered device for push-notification authentication, or a hardware key. MFA can also rely on biometrics such as fingerprint or facial recognition.
The MFA challenge is presented once the user attempts to log in with the correct credentials. Before they’re provided access, they need to pass the MFA challenge either by providing a code, approving the login through a push notification or by using a biometric sensor on their device.
It’s a critical part of the Zero Trust model because even if an attacker is able to compromise a particular component, the MFA challenge would still prevent them from gaining access. Persistence and lateral movement attacks can also be mitigated through MFA as a successful verification is generally not valid for longer than a single session.
In short, MFA makes it much more difficult (and thus more costly) for an attacker to gain access to an organization’s resources through legitimate credentials, which has been the primary method of malicious access for many years. If an organization makes it too difficult to compromise their resources, attackers will move on to a target that is easier to attack.
Contact Our Technology Services Experts
For more information on implementing a zero-trust model, multi-factor authentication or for help ensuring your network is secure, contact Jim Dougherty or Chad Graves of our Technology Services practice by emailing bennett-thrasher@btcpa.net.
