The concept of zero trust security is increasingly understood within Australian businesses, yet many remain unsure about exactly how it can be implemented.
Treating everything within (or connecting to) a corporate IT infrastructure as potentially hostile has required a shift in thinking for IT teams. Rather than relying on perimeter defences to keep unauthorised parties out, zero trust instead requires users, devices, and applications to continually confirm their identity and authorisation to connect.
While it’s a relatively simple concept, actually putting a zero-trust strategy in place can be a challenge. No single tool can tell an IT team that the target state has been reached and that it is OK to relax. Instead, it’s a process that requires ongoing management and oversight.
The importance of identity
One of the first things newcomers to zero trust must grasp is the importance of identity. This doesn’t just relate to the users on a network but also to the devices connecting to it and the workloads and data moving across it.
This is where implementation can seem complex. Every one of these entities needs a verifiable identity that can be checked, on every request, against what it claims to be.
Typically, a digital user identity is built from a handful of traits: an assigned username, a password and a set of access permissions. Other variables may include the devices used to access resources and the location from which the user typically works.
This is a very small set of attributes on which to base risk decisions about who can access a company’s most sensitive data and systems. Multiply it across ‘X’ users, ‘Y’ devices and ‘Z’ locations and there is suddenly a mountain of identities to manage.
By contrast, identities for hardware, software and services can be built from larger collections of attributes. For example, the SHA-256 hash of a binary, its PE header values, process identifiers (useful only within a session, since they are reassigned on every launch), the UUID of the BIOS and the operating system version can be combined to form a system or resource identity.
Because this type of identity is built on a larger collection of attributes than a typical user ID, individual elements can change, for example the binary hash after a software patch, without “breaking” the identity, provided the matching policy distinguishes attributes that are expected to drift from those that must never change.
Identities therefore become upgrade-tolerant and adaptable, and an administrator does not have to create or change a compensating rule for every change. Moreover, because this type of system identity incorporates cryptographic properties (the hash) and immutable elements (the BIOS UUID), an attacker cannot masquerade as a legitimate piece of software or process simply by reusing its name or path; the probability of a breach decreases.
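To make the upgrade-tolerant matching described above concrete, here is an added example (not code from the original article or from any product it mentions) that splits a system identity into immutable anchors and mutable attributes, accepts a patched binary on the same machine, rejects the same attributes replayed from a different BIOS UUID, and rolls the baseline forward after an accepted check. The attribute names, the threshold MIN_STABLE and the sample records are assumptions constructed for illustration; in production the attributes would be collected and signed by a trusted agent rather than taken as given.

```python
"""Attribute-based system identity with tolerated drift (added example)."""
import hashlib
import json

# Stable across software updates: any change here means a different system.
IMMUTABLE = ("bios_uuid", "os_family", "product_name", "signer")
# Expected to change with patches; compared, but drift is tolerated.
MUTABLE = ("sha256", "pe_timestamp", "pe_image_size", "version", "os_build")
# Policy knob (assumed): how many mutable attributes must still match.
# Process IDs are deliberately absent: they change on every launch.
MIN_STABLE = 2


def fingerprint(attrs):
    """Identity key derived only from immutable attributes, so it survives patches."""
    canon = json.dumps({k: attrs[k] for k in IMMUTABLE}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def verify(enrolled, observed):
    """Return (accepted, reason, drifted_mutable_attributes)."""
    for k in IMMUTABLE:
        if enrolled.get(k) != observed.get(k):
            return False, f"immutable attribute {k!r} changed", []
    drifted = [k for k in MUTABLE if enrolled.get(k) != observed.get(k)]
    stable = len(MUTABLE) - len(drifted)
    if stable < MIN_STABLE:
        return False, f"only {stable} mutable attributes match; re-enrol manually", drifted
    return True, "accepted", drifted


def reenrol(enrolled, observed):
    """After an accepted check, roll the baseline forward so drift does not accumulate."""
    ok, _, drifted = verify(enrolled, observed)
    if not ok:
        raise ValueError("cannot re-enrol a rejected identity")
    return {**enrolled, **{k: observed[k] for k in drifted}}


def _h(tag):
    return hashlib.sha256(tag).hexdigest()


# Constructed sample records (not real systems).
ENROLLED = {
    "bios_uuid": "4c4c4544-0034-5a10-8053-c4c04f4e4e31",
    "os_family": "Windows", "product_name": "ExampleAgent",
    "signer": "CN=Example Pty Ltd",
    "sha256": _h(b"agent-1.4.2"), "pe_timestamp": 1700000000,
    "pe_image_size": 2351104, "version": "1.4.2", "os_build": "22621.3007",
}
# Same machine after a patch: hash, PE timestamp and version change.
PATCHED = {**ENROLLED, "sha256": _h(b"agent-1.4.3"),
           "pe_timestamp": 1702000000, "version": "1.4.3"}
# The agent's attributes replayed from a different machine.
IMPERSONATOR = {**ENROLLED, "bios_uuid": "00000000-0000-0000-0000-000000000000"}
# Every mutable attribute changed at once relative to the original enrolment.
WHOLESALE = {**PATCHED, "pe_image_size": 2400000, "os_build": "26100.1"}

if __name__ == "__main__":
    for name, obs in (("patched", PATCHED), ("impersonator", IMPERSONATOR),
                      ("wholesale", WHOLESALE)):
        print(name, verify(ENROLLED, obs))
    print("after re-enrolment:", verify(reenrol(ENROLLED, PATCHED), WHOLESALE))
```

The last line shows why the baseline is rolled forward: the wholesale change is rejected against the original enrolment, but once the patched state has been accepted and recorded, the second staged change (image size and OS build) falls within the threshold again, so normal patch cycles never require an administrator to touch a rule.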
Overcoming the challenges
Having a zero trust strategy underpinned by secure identity will be increasingly important in the months and years ahead. Analyst firm Gartner has predicted that, over the next three years, 99% of cloud security failures will be the customer’s fault, and that 75% of those failures will result from inadequate management of identities, access and privileges.
There is a range of challenges associated with identity and access management that need to be overcome by organisations that are undertaking a zero-trust strategy. They include:
- The dynamic nature of the cloud:
Cloud resources are inherently dynamic: applications and services are instantiated on demand, and containers are continuously spun up and spun down. This makes assigning entitlements and tracking access privileges even more challenging, because an identity may exist for only minutes.
- Lack of consistency and standards:
Each cloud provider has its own approach to identity and access management, with distinct roles, permission models, tools and terminology, even where the building blocks, such as multi-factor authentication (MFA), single sign-on (SSO) and role-based access control (RBAC), are the same. As a result, managing identities and entitlements across providers becomes a resource-intensive, time-consuming and error-prone function.
- Misconfigured identities:
As multi-cloud environments become more complex, the scope for human error grows, and misconfigurations, such as stale accounts that are never disabled, become more prevalent.
- Excessive privileges:
Organisations often grant privileges that are never used, creating additional risk and exposure. Over-permissioned users and service accounts increase the attack surface and make it easier for an adversary who compromises one account to move laterally across the environment.
A better approach to secure identity
Achieving consistent and secure identity for every element of an IT infrastructure is not easy; however, several promising approaches are emerging. Two of the most widely adopted are cloud security posture management (CSPM) and cloud infrastructure entitlement management (CIEM).
These solutions help address the most urgent challenges: detecting and mitigating identity- and access-related risk, and governing identities at scale. Deploying CIEM alongside CSPM delivers a range of additional security benefits.
These include deep visibility into multi-cloud assets and their access relationships, and the prioritisation and remediation of privilege and configuration risk. As a result, policies become easier to enforce and violations easier to spot.
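The “excessive privileges” challenge above and the CIEM-style prioritisation and remediation just described come down to the same check: compare what a policy grants with what the identity actually uses. The following added example (not code from the original article or from any CSPM/CIEM product) reviews a constructed IAM-style policy document for wildcard actions, high-risk actions allowed on every resource, and granted-but-unused actions, then emits a right-sized policy listing only the actions that were used. The action universe, the HIGH_RISK set, the policy document and the 90-day usage set are all assumptions built for illustration; a real tool would take them from the provider’s action catalogue and access logs.

```python
"""Entitlement review over an IAM-style policy document (added example)."""
import copy
import fnmatch

# Small, constructed action universe; real tooling uses the provider's full list.
ACTION_UNIVERSE = frozenset({
    "s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteBucket",
    "ec2:DescribeInstances", "ec2:TerminateInstances",
    "iam:PassRole", "iam:CreateAccessKey", "iam:ListUsers",
    "kms:Decrypt", "kms:Encrypt", "sts:AssumeRole", "logs:PutLogEvents",
})
# Assumed set of actions that enable escalation, data access or destruction.
HIGH_RISK = frozenset({
    "iam:PassRole", "iam:CreateAccessKey", "sts:AssumeRole",
    "kms:Decrypt", "ec2:TerminateInstances", "s3:DeleteBucket",
})


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def expand(patterns):
    """Expand '*' and 'svc:*' patterns to concrete actions from the universe."""
    out = set()
    for pat in _as_list(patterns):
        out.update(a for a in ACTION_UNIVERSE if fnmatch.fnmatchcase(a, pat))
    return out


def review(policy, used_actions):
    """Return (severity, statement id, message) findings for Allow statements."""
    findings, granted = [], set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect", "Allow") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt.get("Resource", "*"))
        for pat in actions:
            if pat == "*" or pat.endswith(":*"):
                findings.append(("HIGH", sid, f"wildcard action {pat!r}"))
        allowed = expand(actions)
        granted |= allowed
        if "*" in resources:
            for a in sorted(allowed & HIGH_RISK):
                findings.append(("HIGH", sid, f"{a} allowed on every resource"))
    # Effective grant minus observed use: candidates for removal.
    for a in sorted(granted - set(used_actions)):
        findings.append(("MEDIUM", "<effective>", f"{a} granted but unused"))
    return findings


def right_size(policy, used_actions):
    """Rewrite each Allow statement to list only the concrete actions actually used."""
    new = copy.deepcopy(policy)
    kept = []
    for stmt in new["Statement"]:
        if stmt.get("Effect", "Allow") != "Allow":
            kept.append(stmt)
            continue
        needed = sorted(expand(stmt["Action"]) & set(used_actions))
        if needed:
            stmt["Action"] = needed  # explicit list, no wildcards
            kept.append(stmt)
    new["Statement"] = kept
    return new


# Constructed policy for a hypothetical application role.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppData", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-uploads/*"},
        {"Sid": "Ops", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Sid": "Keys", "Effect": "Allow",
         "Action": ["kms:Decrypt", "iam:PassRole"], "Resource": "*"},
    ],
}
# Constructed 90-day usage, as a CIEM tool would derive from access logs.
USED_ACTIONS = {"s3:GetObject", "s3:PutObject", "ec2:DescribeInstances", "kms:Decrypt"}

if __name__ == "__main__":
    for f in review(ROLE_POLICY, USED_ACTIONS):
        print(*f)
    print(right_size(ROLE_POLICY, USED_ACTIONS))
```

Two caveats a practitioner would apply before acting on the output: usage data only covers the window observed, so rarely used break-glass actions need an explicit allow-list rather than automatic removal, and the right-sized policy should be deployed in a staged way so that a missed action surfaces as an access-denied log entry rather than an outage.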
Taking the time to get identities right will ensure a zero-trust strategy delivers the security required in today’s interconnected world.