Best Practices for Identity and Access To Enable Zero Trust

  • May 12, 2022

Zero Trust is a security architecture that addresses the challenges of the modern workforce. The last few years have shown that the traditional model is no longer effective. Zero trust network architecture (ZTNA) prevents the unrestricted lateral movement of conventional architecture and demands that trust is verified at each stage before granting any access. And identity is the foundation of this verification process.

This has become even more important in recent years, particularly since the pandemic. Zero Trust is the way forward for a modern enterprise, and a robust identity management program is key to the success of a ZTNA migration. But there are serious obstacles to overcome.

Zero Trust hurdles

Enterprises have to give flexibility to their employees to work from anywhere, and they’re using applications that are no longer confined to their own data centers. More and more enterprises are using SaaS apps on a day-to-day basis, and the trend is going up. Most of these are not even under the control of the IT department, and business units are buying and deploying apps on their own and using them.

Employees work from anywhere, using their own devices — personal phones, tablets, laptops and computers. On those personal devices, they have individual apps along with business apps. How do you ensure that business data is protected on a device outside the control of your security and IT teams?

In addition, enterprises collaborate heavily with contractors and partners to accomplish their clients’ objectives. How do you grant third parties selective access to those systems and assets they need — but no more? And how do you prevent the proliferation of zombie accounts (accounts created but rarely used)? Such accounts, especially those with high privileges, pose serious security risks and cost the enterprise money in the form of license fees.

Another hurdle might be digital transformation. Organizations are accelerating cloud adoption. This significant shift in work culture and technology adoption brings enormous security risks for enterprises. Attack surfaces are constantly increasing, and threats are continually evolving: ransomware attacks have been rising in recent years. The majority of the ransomware attacks start with compromised credentials — the malware installation comes later. The only solution to these growing challenges is a solid identity-based Zero Trust security architecture that addresses the root cause of the problem.

So, how do we build a good identity infrastructure to support Zero Trust? There are a few things any enterprise needs to do to give themselves a strong identity foundation on which to build their ZTNA.

Create a single source of truth and use federated identities / SSO

We often see identities scattered all over most enterprises. Active Directory, HR Systems, individual applications: these are just a few places you’ll find identities. The situation worsens when there are M&A activities and multiple organizations come together, each with its own AD infrastructure, HR system, and apps catalog.

These multiple identities for the same entity create operational issues and significant security risks. You need to bring these identities together and create a master identity based on an authoritative source. Profile sourcing, schema mapping, data cleanup, and an ultimate decision on the authoritative source are some of the activities needed to create a single source of truth. This is both a technological and an organizational hurdle, as there will often be stakeholders with competing interests.

Users have to remember different credentials for different applications. Most of the time, they reuse the same user IDs and passwords everywhere, or choose weak passwords so they can remember the many credentials they need throughout their workflows.

This is not only inconvenient for users and a drag on their productivity; it poses a very high security risk. To address this issue, you need federated identity and SSO (single sign-on). Federated identity enables employees, partners, and contractors to work across enterprises without any need to create new identities in each enterprise.

SSO (single sign-on) enables users to access different applications within an enterprise using a single identity. Users log on once to an identity provider portal or their company portal and seamlessly connect to other authorized applications. Federated identity and SSO functions use technologies such as SAML (Security Assertion Markup Language), OIDC (OpenID Connect), Auth0, etc.

Implementing these technologies will require significant organizational effort and alignment, and they’ll need buy-in from across the enterprise. However, we find this effort to be more than worth it. The end result creates a frictionless work environment, increases user productivity, and drastically improves security.

Use strong password, MFA, or conditional access . . . or even go passwordless

Multi-factor authentication adds an additional layer to identity verification. Just using an ID and password is simply not enough anymore. Attackers can access user accounts using a range of techniques: brute-force attacks, password spraying, or even social engineering.

The use of multi-factor authentication (MFA) drastically reduces the chance of account compromise. A good MFA process combines factors from three categories — something you know (password), something you have (phone) and something you are (biometrics). Obviously, modern enterprises need a strong password policy, but it’s a good idea to further strengthen it with features like blocking commonly used passwords or blocking passwords that have been stolen and are available on the dark web.

As an additional factor, you can use SMS, email, voice call, phone apps (Google Authenticator, Microsoft Authenticator, Okta Verify etc.), or hardware keys / FIDO keys (YubiKeys, Duo). Studies show that SMS is the least secure among these second factors, whereas FIDO keys are the most. Google implemented FIDO keys three years ago and has not reported a single instance of cyberattack.

The strongest factor is something you are. Biometrics (fingerprint scan, voice recognition, facial recognition, retina scan) lead toward passwordless solutions. An MFA implementation also helps in achieving self-service password reset (SSPR).

MFA also opens the door to conditional access policies. You may want to restrict access to critical applications such as sales or finance to only a select group of people. This restriction could deny access completely or allow limited access (read-only). You may want specific applications to be accessible only from certain locations.

You may want to restrict app access based on device state, such as whether the device is personal or corporate-owned, whether the OS has the most recent patches applied, etc. There could be a case of impossible travel (e.g., at 09:00 am, I am logged on from New York, and at 10:00 am, someone is trying to log on using my ID from China). You may want to verify the user based on user behavior (e.g., I am using my home network most of the time to connect to the office, and suddenly I try to log in from Starbucks).

Signals from many different sources are analyzed using ML / AI tools under the supervision of experienced data scientists. In all such scenarios, these can either deny access entirely or restrict access based on conditional access policy and MFA.
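The device-state and impossible-travel checks described above, as an added example that is not from the original post: a small conditional-access evaluator over constructed sign-in events. The 900 km/h plausibility threshold, the coordinates and the decision labels are assumptions for illustration.

```python
# Added example, not from the original post: evaluates constructed sign-ins
# against a device-state rule and an impossible-travel rule.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed threshold, about airliner speed

@dataclass
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    device_managed: bool  # corporate-owned and enrolled in management
    os_patched: bool      # latest OS patches applied

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(prev, cur):
    """True if moving between two sign-ins would need an implausible speed."""
    hours = (cur.when - prev.when).total_seconds() / 3600
    if hours <= 0:
        return True  # same instant or out of order: treat as suspicious
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours > MAX_PLAUSIBLE_SPEED_KMH

def evaluate(events):
    """Apply the policy in time order; returns (user, time, decision) tuples."""
    decisions, last_allowed = [], {}
    for e in sorted(events, key=lambda x: (x.user, x.when)):
        if not (e.device_managed and e.os_patched):
            verdict = "deny:device-state"
        elif e.user in last_allowed and impossible_travel(last_allowed[e.user], e):
            verdict = "step-up-mfa:impossible-travel"
        else:
            verdict = "allow"
            last_allowed[e.user] = e  # only trusted sign-ins move the baseline
        decisions.append((e.user, e.when.isoformat(), verdict))
    return decisions

# Constructed sample: New York at 09:00, then Beijing at 10:00 with the same ID.
SAMPLE = [
    SignIn("alice", datetime(2022, 5, 12, 9, 0), 40.71, -74.01, True, True),
    SignIn("alice", datetime(2022, 5, 12, 10, 0), 39.91, 116.40, True, True),
    SignIn("bob", datetime(2022, 5, 12, 9, 30), 40.71, -74.01, False, True),
]
```

Denied sign-ins deliberately do not update the user's location baseline, so a blocked attempt cannot be used to "move" the user and make a later attacker sign-in look plausible.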

Implement a good identity governance process

A good Identity Governance and Administration (IGA) process enables organizations to grant the right access to the right entity at the right time — and for the right reasons. An entity can be human or non-human (machine identities, service accounts, IoT devices, APIs, etc.). At a minimum, an IGA process includes access requests, approval workflows, approval/denial/provisioning, access certification campaigns and a separation of duties (SoD) process.

Modern IGA tools include features like recommendation engines and access modeling, which use AI / ML-based predictive analytics on enterprise data to make Netflix-like recommendations. This makes requesters’ and approvers’ lives much easier during the request/approval/certification process and drastically reduces errors. Access certification makes sure that inactive accounts are removed from the system. Granting least privilege is at the core of IGA and one of the guiding principles of Zero Trust.

Implement a good PAM solution

Privileged accounts (e.g., super admins, service accounts) have too much power. Their elevated privileges can bypass the usual security measures to grant access to other users, add or delete data and files, perform system maintenance, run applications or batch jobs, access critical enterprise data, etc. Adversaries try to get into the network, but ultimately, through lateral movement, they are trying to reach privileged accounts. Once they hold one of these accounts, they hold the keys to the kingdom and become incredibly dangerous to the enterprise.

You need a tool to scan your environment and find such privileged accounts. As a best practice, this should run automatically on a regular basis, and immediate action should be taken to remove accounts that are not in use. Once that practice is in place, the next step is to figure out how to protect the accounts that remain. The first step is a strong MFA policy such as hardware keys / FIDO tokens, as discussed above. But there are several other things you can do.

Implement a just-in-time access process for these accounts so that access is granted only for the time period needed. Applying a strong IGA process to these accounts ensures that you do not have inactive privileged accounts. All activity in a privileged session is recorded for the entire duration of the session, for compliance reasons. Modern PAM tools also include credential vaulting: super admins do not need to know their passwords. Service accounts connect directly to the PAM tool to authenticate before running any application or batch job.

As we know, Zero Trust is a journey. Implementing these identity-related best practices will undoubtedly put you on the right path. According to Forrester research, IAM implementation during a Zero Trust journey can be a complex multiyear program in which you implement identity-related controls around people, workloads, devices, networks, and data according to your maturity level. An experienced partner is always recommended.

Ramesh Gupta

Ramesh currently leads the IAM portfolio, which is part of Security Services within the Chief Digital and Strategy Office. He has 20+ years of experience in the IT industry and has worked extensively across industry segments such as Financial, Manufacturing, and Healthcare Services, and across service lines such as apps, infrastructure and cloud services for service delivery.
