Security professionals today invoke zero-trust as almost a cure-all for the many issues that keep them up at night. The number of organizations deploying zero-trust has more than tripled, from 16% three years ago to 60% today. But zero-trust security can become a headache for the staff in charge of network infrastructure, and it can even create vulnerabilities as users try to finesse their own ways around those pain points in their workday.
A better option for security would apply the same concept of zero-trust (never assume users are who they say they are) to user identity as opposed to system resources.
The zero-trust model
Most organizations implement zero-trust security at the network level to prevent a hacker from using a compromised account to move laterally within the environment or spread malware. It works by breaking down the network into smaller segments and authenticating users by checking their identity and access privileges before they enter each one.
The security benefits of this network approach are clear. However, it requires a lot of work on the network infrastructure to control access to every segment. Upon initial implementation, security teams have to rebuild the entire network infrastructure for this segmentation. Since most enterprises have complex information infrastructures, including on-premises and cloud-based resources, there is a lot of work involved in deploying zero-trust network security.
Since network-based zero-trust has been built on the premise of keeping attackers from entering a network segment, if attackers manage to bypass a particular segment's security controls they are free to move laterally and access any resource within it. An approach that secures each individual resource, rather than just the segment's gateway, aligns better with the concept of defense-in-depth and is a much better choice.
Identity-based zero-trust
Enter identity-based zero-trust security, which focuses on the identity layer instead of the network layer. This architecture applies authentication to the identity of the user itself, rather than to the user's connection as in network-based zero-trust. In its Zero Trust Architecture publication, NIST agrees that identity-based zero-trust is a good approach for enterprises that use cloud-based apps and services which don't allow customers to bring their own security tools.
For example, in network-based zero-trust, authenticated VPN users are trusted and intrinsically allowed to access resources such as file servers or databases in the environment. In an identity-based approach, authenticated VPN users are not automatically “trusted” and must authenticate every time they try to access a resource. It’s like the bartender checking someone’s ID every time they order a drink, after they already showed ID to get into the club.
Identity-based zero-trust continuously monitors all access requests made by all users to any resource in the system, whether on-premises or in the cloud, and builds a thorough audit trail for compliance and policy enforcement. Every time an individual user, human or machine, tries to access a resource, a risk analysis is performed based on the user's behavior during the session and other contextual parameters.
Based on this assessment, an identity-based zero-trust architecture enforces the organization’s access policy in real time, either requiring some form of additional multi-factor authentication before allowing access, or simply denying user access. For example, if a user attempts to access a SaaS app, they are normally vetted by the cloud provider’s identity and access management system, and allowed access to all the company’s SaaS apps. Identity-based zero-trust validates users every time they attempt to access a new app on that cloud, continuing the audit trail.
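As an added illustration of the per-access decision described above (example code, not from the article or from Silverfort), the following Python sketch scores each resource access request on constructed contextual signals and returns allow, step-up MFA, or deny, writing every attempt to an audit trail. The signals, thresholds, resource names and the `IdentityPolicyEngine` class are assumptions made for the example; a real deployment would tune its own.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_MFA = "step-up-mfa"
    DENY = "deny"

@dataclass(frozen=True)
class AccessRequest:
    user: str
    is_machine: bool             # service account rather than a human
    resource: str
    device_known: bool           # device previously seen for this identity
    authenticated_via: str       # how the session was established, e.g. "vpn" or "sso"
    resources_this_session: int  # behaviour signal: distinct resources already touched

# Constructed policy parameters for this example; a real deployment tunes its own.
SENSITIVE = {"hr-database", "finance-share"}
MFA_THRESHOLD = 30
DENY_THRESHOLD = 60

def risk_score(req: AccessRequest) -> int:
    # Contextual risk for ONE access attempt, recomputed on every request.
    score = 0
    if not req.device_known:
        score += 25   # unfamiliar device
    if req.resource in SENSITIVE:
        score += 20   # high-value resource
    if req.resources_this_session >= 5:
        score += 30   # fan-out across resources that resembles lateral movement
    if req.is_machine and req.authenticated_via == "vpn":
        score += 40   # service account arriving over an interactive path
    return score

class IdentityPolicyEngine:
    """Policy decision point: evaluates each resource access and records it."""
    def __init__(self) -> None:
        self.audit_trail = []   # (user, resource, score, decision) per attempt

    def evaluate(self, req: AccessRequest) -> Decision:
        score = risk_score(req)
        if score >= DENY_THRESHOLD:
            decision = Decision.DENY
        elif score >= MFA_THRESHOLD:
            decision = Decision.STEP_UP_MFA
        else:
            decision = Decision.ALLOW
        # Every attempt, allowed or not, is written to the audit trail.
        self.audit_trail.append((req.user, req.resource, score, decision.value))
        return decision
```

Note that the same VPN-authenticated user is re-evaluated on each resource: a routine access can be allowed while a later request for a sensitive resource from an unfamiliar device triggers step-up MFA.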
Identity-based zero-trust offers several advantages that ease implementation and management and increase security. There is no need to rebuild or replace anything in the system's infrastructure, which means no downtime and lower costs. Once deployed, identity-based zero-trust delivers greater visibility into risk by performing risk analysis at every resource access attempt rather than at the network segment level. Most important, by carrying out security checks at every resource access, it improves the detection of anomalies and threats, strengthening the organization's security posture.
Don’t think of partial zero-trust as zero-trust. To deliver effective protection, a zero-trust architecture needs to span all resources both on-premises and in the cloud, as well as all access requests by machine and human accounts. Applying zero-trust to identities makes this possible.
Ron Rasin, vice president, product management, Silverfort