API Academy

The Industry Authority for APIs and Microservices

CCTV cameras

The Push for Zero Trust

Bill Oakes, CISSP

with Rob Marti

Why the Enterprises are adopting this model to bolster their cybersecurity posture

The Zero Trust model is founded on the belief that organizations should not automatically trust anything inside or outside its perimeters and must verify everything trying to connect to its resources before granting access—based on identity, trustworthiness, and context.  These concepts are not new; they have been around and used for years, so what is driving the buzz and making Zero Trust adoption more important than ever? 

The Primary Challenges Facing the Business 

As referenced in the Executive Order, the Federal Government, like most commercial entities, is seeking to modernize their IT environments, and three developments are driving increased risk to the business: 

  • Cloud Migration: The spread of cloud technologies has changed every facet of modern IT, reshaping the way organizations develop and use applications.  Those embracing the cloud are realizing a range of benefits, but cloud adoption also brings new challenges. Traditional security tools were not designed to adapt to the dynamic nature of these cloud environments.  
  • Secure DevOps: At its most fundamental level, DevOps seeks to increase the speed and quality at which innovation can be introduced into applications.  One of the key tenets of DevOps is automation; however, traditional security processes and tools are still heavily dependent on human configuration and effort to implement. As a result, security best practices are often ignored because they impacts delivery timeframes.
  • Remote Workforce: The modern enterprise was already facing an issue with “Bring Your Own Device” movements within the workforce, but this issue was compounded by the COVID-19 shutdown.  Traditional perimeter defenses, such as firewalls and VPNs, were never designed to handle the large number of employees suddenly forced to work remotely, many of whom may have been forced to access corporate resources with personal devices.  

Although each of these challenges may look unique and different, and they may not seem related, the reality is that a Zero Trust Architecture (ZTA) addresses them all. Let’s examine how.

Depending on the source, Zero Trust can be divided into different pillars or tenets that break down the various technologies that encompass a ZTA, but almost everyone agrees that Zero Trust has three core principles: 

  1. Verify every user or device requesting access.
  2. Ensure least privileged access
  3. Assume breach. 

Halt!  Who goes there? 

The first principle addresses two primary actors and threat vectors:  the users and devices attempting to access your applications and data.  How do we ensure that they are whom they claim to be?  

This principle begins with authentication—positively identifying legitimate users from fraudulent ones is a critical and foundational step as you cannot effectively enforce access controls if you do not really know who is requesting the access.  Enterprises can address this challenge by providing multifactor credentials and contextual risk analysis so that stronger authentication can be applied where it is needed.  And once authentications, a user’s session must be managed and monitored to ensure that it has not been compromised after they have been authenticated. Additionally, do we need to further verify these users as they elevate their access?  Did the credential used at initial login provide the level of trustworthiness needed to access more sensitive resources?  A comprehensive Identity & Access Management (IAM) solution will address all of these issues, but it is just one cog in your overall ZTA. 

The first principle also addresses devices, which are also a primary target for cyber attackers.  Today’s global threats are so adept at entering at the endpoint that it can take less than seven minutes for an attacker to compromise an entire enterprise.  A comprehensive and integrated endpoint security approach that addresses threats across the entire attack chain is required to protect traditional and mobile endpoints and provide interlocking defenses at the device, app, and network levels.  Additionally, another point of attack is the communications between devices and apps and resources, which are predominantly done using APIs.  This threat vector can be mitigated with a hardened API Management solution that includes integrated security and management controls designed to help enterprises safely and reliably expose internal assets to developers and remote apps as mobile APIs.  An API management solution solves critical, mobile-specific challenges around identity, security, adaptation, optimization, and integration.

Are you on the list?

After we know who you are, the second principle of Zero Trust asks the question, are you authorized to gain access?  The concept of least privileged could be defined as granting only access entitlements that are necessary; no more, no less.  A least privileged posture access is achieved through two primary capabilities: Enforcement and Governance.

Enforcement acts to restrict access at the time it is requested.  Across the enterprise, various types of policy engines are leveraged to evaluate access requests, and then grant or deny these requests based on contextual data, such as roles, profile attributes, or group memberships.  These policy engines could be embedded within an app or externalized as a centralized shared service that supports many apps, and they could be granting access to the apps, data, network, or infrastructure. 

Whereas enforcement determines whether or not to grant access, governance asks the question, should you even have this access?  Users are assigned access rights and entitlements during initial onboarding and throughout their time at the enterprise.  Identity Management tools can often automate the provisioning and de-provisioning of some of these entitlements to adjust them based on changes in role or department, but undoubtedly there will be many entitlements that were manually assigned that just get missed, or provisioning rules that never were updated due to organizational changes.  An Identity Governance solution addresses this challenge by streamlining and automating the processes associated with reviewing and certifying user access—and this ensures that users are only granted the level of access that they absolutely need.

The fox is in the henhouse? 

The third principle of Zero Trust is to assume breach.  Say what?  I thought the whole purpose of security was to prevent breaches.  It is.  As security professionals, our jobs are to implement strategies and technologies that work towards minimizing the risk of a breach.  Zero Trust simply tells us that this is not enough, or more importantly, we must expand our minds to envision the impossible—that we will be breached, and when it happens, how can we minimize the impact. 

To understand what can and should be done, we must put ourselves in the shoes of the hacker.  Have they come to steal or cause damage?  If they have come to steal, what would they steal first?  How would they steal it?  If they have come to cause damage, which systems will they target?  How can the damage them?  And finally, how can you stop these attacks once they have access? 

One of the first lines of defense that addresses the third principle of Zero Trust are User and Entity Behavior Analytics (UEBA) tools, which enable you to continuously monitor user activities and model normal behavior patterns.  When an external hacker compromises an internal account, or worse, an internal user turns malicious, their usage patterns with that account will be different.  UEBA tools analyze current activities and compare them against historic data to detect unusual or out-of-pattern behavior in real-time.  In many cases, these tools can even initiate automatic mitigation actions, such as forcing a re-authentication, adjusting the privileges assigned to the account, or terminating the session—all of which can help minimize the damages of the breach. 

Another critical security capability to implement is a Privileged Access Management solution.  Privileged accounts are often an organization’s most valuable asset—and the most likely to be exploited by external hackers or insider threats.  But these accounts are rarely the first to be compromised.  Hackers will usually find another weak point to compromise, and then once they have a beachhead will seek to elevate their privileges in order to carry out their attack.  And once they compromise a privileged account, they can cause irreparable damage to your infrastructure, intellectual property and brand.  Privileged Access Management technologies are designed to prevent unauthorized access to sensitive administrative credentials and accounts, to control what activities users/devices can perform once they are granted access to these accounts, and finally, monitoring and recording all activities performed by these accounts (and which user/device performed them). 

Finally, against all odds, we must consider that every layer of defense has failed and a hacker has reached the data they are seeking.  Encryption and Data Loss Prevention technologies can then be used to provide visibility and control of data flowing in, out, and across your extended perimeter.  Additionally, Data Loss Prevention tools can integrate with various technologies and systems to help discover where sensitive data is stored; you can’t protect data if you don’t even know where it is!  But data needs to be used and your staff relies on mobility and anywhere-access to stay productive, and to achieve these ends, your sensitive data may be unknowingly synchronized across your hybrid environment and put into places that are less secure than others.  Encrypting all files, no matter when they are stored, protects sensitive information and ensures regulatory compliance for maximum security. 

Summary

Achieving Zero Trust is a journey and requires the integration of many types of security tools that have traditionally operated in their own silos.  With a Zero Trust architecture, you can support modern applications and hybrid environments; adapt security automatically and dynamically for development pipelines; and be flexible and scalable to support the remote workforce, enabling secure access to any corporate app, data, or system to any user, regardless of where they are located or what device they are using. 

Although Zero Trust represents a fundamental shift in security approach, it does not mean a radical shift in technologies.  Many of the tools needed for Zero Trust already exist within your enterprise; all delivering value but some likely with the potential to deliver even more.  Some traditional technologies, such as perimeter defense tools, may not be capable of dealing with modern SaaS, IaaS, and PaaS environments, but even these can be augmented by new cloud-based software-defined perimeter technologies.  Similarly, as we have discussed, Identity & Access Management capabilities are more critical than ever, which means that your existing platforms need to be integrated with these newer perimeter tools and similarly augmented, where needed, to adapt to modern apps and environments.  Symantec combines the best of both worlds—market-leading IAM with modern API Management and cloud security to provide a comprehensive Zero Trust solution

If you are seeking a partner to weave all of these disparate systems together and also help fill in the gaps where they exist, you do not need to look any farther than Symantec, a division of Broadcom.  For more information on how we can help you, please visit our Zero Trust landing page.