Treat all users like roaming users: why your organization badly needs a Zero Trust policy
It doesn’t really matter if you and your colleagues work in the office, at home, on the go, or all combined: as long as you can do whatever you need to be productive and happy, each way is as good as any. With just one caveat: your IT manager or chief security officer needs to be happy, too.
Imagine this: you walk into the office lobby, and the security guard waves you through the gate. After all, he knows your face, as you come in here every day. No reason for him to check your ID, or – God forbid – do a full body check. You were trustworthy every day of the last six months, and you were trustworthy yesterday, so why would today be any different?
In too many modern-day companies, the digital security architecture is still organized the way this short scene describes. Often, that is fine, at least for the people who work in the office all the time. It is less fine for those who work from home and connect to company resources through a VPN gateway. When those users join the network again, they are automatically trusted – sort of like: just come on in, we recognize your face from last time, and it was okay then, so it’s fine now! And that’s risky, because the system has no way of knowing whether the user’s device was infected at home.
In 2010, analyst John Kindervag of Forrester Research touched this sore spot and, at the same time, introduced what he called ‘the Zero Trust Model’. In his view, companies should implement stricter cybersecurity programs and regulate access control. In short: you cannot trust users just because you recognize their IP addresses, as their computers and devices are – potentially – as unsafe as any unknown user’s. So, to keep their network and resources safe, companies should adopt the old tagline from ‘The X-Files’ when setting up their security architecture – ‘Trust no one’ – and hence treat all users as if they were roaming users.
The Zero Trust model consists of three pillars:
Each time a user or device (computers and laptops, but also printers or cameras) wants to access your company resources, you should verify its identity strongly: not with a single password alone, but at least by combining a fixed password with a one-time code.
Just because your user or device was safe yesterday and the day before does not mean it is safe today. Judging a user safe on the basis of, for instance, geolocation alone is definitely a bad idea. This posture check should be done in real time, continuously.
Give users the access they need, and nothing more. There’s no need to let people digitally wander into any room they like; it’s better to admit them only to the places they need to do their tasks properly. This is obviously the most difficult rule to implement, as the layout of your network is probably quite complex – it might even resemble a labyrinth. But still.
Sometimes, a fourth pillar is added:
Even with many security measures in place, you cannot be one hundred percent sure that your resources are safe. Therefore, you must assume that at some point they will get infected. To limit the damage, restrict the lateral movements of your users (i.e. from one user’s device to another) and only allow the vertical ones (from a user to an application service). Typically, malware spreads through the network by infecting the devices in the neighborhood of the initially infected system, because that device-to-device traffic is not filtered by security devices. If lateral movements are confined and systems are kept in their own bubble, threats can be contained far more easily.
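To make the four pillars concrete, here is a small policy engine that judges each access request the way the article prescribes: password plus one-time code every time, device posture re-evaluated on every request rather than remembered from a previous session or inferred from the source IP, a role-to-application map for least privilege, and an outright deny for device-to-device (lateral) traffic. This is an added example written for this page, not code from the article, Forrester or any ZTNA product; every user, role, device and request in it is constructed, and the posture rules (disk encryption, a healthy endpoint agent, patches no older than 14 days) are assumptions chosen for illustration.

```python
"""Illustrative Zero Trust policy engine (added example; all data constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    disk_encrypted: bool
    edr_healthy: bool      # endpoint protection agent reporting in and healthy
    patch_age_days: int    # days since the last OS patch was applied


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    password_ok: bool      # result of the fixed-password check
    otp_ok: bool           # result of the one-time-code check
    device: Device
    source_ip: str         # deliberately ignored by the policy (see evaluate)
    target: str            # application name, or "device:<id>" for device-to-device traffic


# Pillar 3, least privilege: role -> applications that role may reach (constructed map)
ROLE_ACCESS = {
    "finance": frozenset({"erp", "mail"}),
    "engineer": frozenset({"git", "ci", "mail"}),
}
MAX_PATCH_AGE_DAYS = 14   # assumed posture threshold


def posture_ok(device):
    """Pillar 2: judge the device on what it reports *now*, not on its history."""
    if not device.disk_encrypted:
        return False, "disk not encrypted"
    if not device.edr_healthy:
        return False, "endpoint protection not healthy"
    if device.patch_age_days > MAX_PATCH_AGE_DAYS:
        return False, f"patches older than {MAX_PATCH_AGE_DAYS} days"
    return True, "device posture acceptable"


def evaluate(req):
    """Return ("allow" | "deny", reason) for one request.

    Note what is never consulted: req.source_ip and any cache of earlier
    decisions. An office address or a successful login an hour ago buys nothing.
    """
    # Pillar 4, assume breach: lateral (device-to-device) traffic is always denied.
    if req.target.startswith("device:"):
        return "deny", "lateral movement (device-to-device) is never allowed"
    # Pillar 1, strong identity: fixed password AND one-time code, every time.
    if not (req.password_ok and req.otp_ok):
        return "deny", "identity: both password and one-time code are required"
    # Pillar 2, continuous posture check.
    ok, why = posture_ok(req.device)
    if not ok:
        return "deny", f"posture: {why}"
    # Pillar 3, least privilege.
    if req.target not in ROLE_ACCESS.get(req.role, frozenset()):
        return "deny", f"least privilege: role {req.role!r} may not reach {req.target!r}"
    return "allow", "identity, posture and privilege checks passed"


def sample_decisions():
    """Constructed requests covering one allow and one failure per pillar."""
    office_ip = "10.0.0.23"  # would be 'trusted' in a perimeter model; irrelevant here
    laptop_ok = Device("lt-0042", disk_encrypted=True, edr_healthy=True, patch_age_days=3)
    laptop_bad = Device("lt-0042", disk_encrypted=True, edr_healthy=False, patch_age_days=3)
    requests = {
        "finance user, healthy laptop, ERP":
            Request("alice", "finance", True, True, laptop_ok, office_ip, "erp"),
        "same user, password only":
            Request("alice", "finance", True, False, laptop_ok, office_ip, "erp"),
        "same laptop an hour later, EDR agent stopped":
            Request("alice", "finance", True, True, laptop_bad, office_ip, "erp"),
        "finance user reaching the CI server":
            Request("alice", "finance", True, True, laptop_ok, office_ip, "ci"),
        "engineer reaching a colleague's laptop":
            Request("bob", "engineer", True, True, laptop_ok, office_ip, "device:lt-0077"),
    }
    return {label: evaluate(r) for label, r in requests.items()}


if __name__ == "__main__":
    for label, (decision, reason) in sample_decisions().items():
        print(f"{decision:5} {label}: {reason}")
```

The third sample request is the one that separates this model from the lobby-guard scene: same user, same laptop, same office address as the request that was just allowed, yet the decision flips to deny the moment the device's posture changes.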
A zero-trust policy can be implemented for different kinds of resources: your network itself, your applications, or the data within those applications. The latter is the toughest nut to crack. After all, making a full inventory of the contents of every application is a giant’s labor, and once users are inside, it’s complex to restrict which data they can and cannot get their hands on. But still, you should aim for a good combination of ZTNA and ZTDP tools – the former standing for Zero Trust Network Access, the latter for Zero Trust Data Protection. ZTNA tools limit users’ access to your resources, and ZTDP tools do the same for your data.
But where do you start? First, no single product type implements all the zero-trust pillars – there are many. Some enforce the policy at the LAN access level, others at the data center access level, and so on. Building a comprehensive zero-trust architecture therefore requires combining different products, such as NAC technology, an SD-WAN platform, an SSE product, or a SASE solution (a mix of both SD-WAN and SSE).
It probably all depends on the balance your company strikes between safety and usability. Still, it’s recommended to start with ZTNA, as it is much easier to implement: you don’t need to locate and classify the different kinds of data or draw up a complex user/privilege map. Moreover, only mature organizations will be able to implement a ZTDP tool.
If you are, say, in the defense industry, you’re probably used to spending a large budget on implementing a complex set of security measures and sophisticated products. You’ll have to work on a wall-to-wall jigsaw puzzle of tools, both great and small, and deal with frustrated users who complain about not getting the proper access – the latter is just the small price you pay for sleeping soundly. But if you’re a small B2B company with no real secrets, you can probably do with the bare minimum, like tightening access to your network infrastructure and installing two-factor authentication for users. And that shouldn’t cost you an arm and a leg either.