Why Conditional Access Is Essential to Zero Trust Security

June 19, 2019
|
co-authored by Michael Covington
|
4 min read

You’ve probably heard of zero trust security — it’s by no means a new concept. That said, many companies have reached a critical point in their digital transformation strategies. With more devices outside the corporate perimeter and more apps in use from the public cloud than ever before, organizations essentially have no choice but to explore new conditional access models to achieve security. The traditional approach simply cannot scale any longer.

Why Adopt a Zero Trust Model?

Despite radical changes in IT architecture and modern working practices, the on-premises approach to security has persisted. Given the slew of security breaches in recent years, it has become clear that on-premises security is no longer fit for purpose. When all employees, resources and systems sat on-site, protected by the corporate firewall, the on-prem approach seemed sensible. Today, the mobile workforce has become the norm and companies are transitioning to cloud apps and mobile-first strategies.

In Deloitte’s “Global Outsourcing Survey 2018,” 93 percent of participants said their organizations were in the process of or considering cloud adoption. Migration to the cloud seems inevitable, whether partially or fully, but traditional approaches to enterprise security were not designed to accommodate the protection of data that is maintained by third parties.

Register for the July 11 webinar

Mobile Further Complicates Access Management

Mobile adds another reason to adopt a zero trust model. The anytime, anywhere mentality is a reality: Employees expect to be able to work from any device. With an increased number of devices accessing corporate resources — managed and unmanaged, inside and outside the perimeter — how can IT teams be sure that access is only being granted to employees? Access to cloud apps becomes far more complex when mobility is involved, especially if the only layer of protection an app has is a username and password.

Additionally, one of the inherent problems of perimeter-based security is that it grants access based on implicit assumptions. If something is requesting access from a trusted location (inside the network), it’s given the green light. Unfortunately, due to the rapidly evolving threat landscape, this approach fails to account for threats that are already within the corporate perimeter.

Zero trust is far less assuming, adopting a healthy amount of skepticism to access management and basing decisions on more robust authentication mechanisms. Companies need to adopt the mantra, “Never trust, always verify.” Moving away from implicit trust assumptions such as location means security teams have had to rethink how to authenticate users.

Identity Is an Essential Building Block of Zero Trust

Ultimately, every security mechanism attempts to accurately determine the identity of the individual making a request. If it can’t, access shouldn’t be granted. That’s pretty black-and-white.

Each employee has a unique identity, but this isn’t necessarily reflected by traditional password-based authentication. Employees invariably find themselves having to manage different user credentials for dozens of different applications, with best practices dictating that the same password shouldn’t be used twice. Unfortunately, convenience often usurps privacy — 59 percent of people use the same password for everything, according to LastPass.

What’s more, a username and password combination doesn’t equate to identity; it just means someone has the right combination of login credentials. So, with companies building more decentralized architectures, password-based authentication can’t be the only line of defense.

Identity and access management (IAM) has helped organizations better manage access to sanctioned cloud applications, enabling them to enforce multifactor authentication (MFA) to more accurately determine the identity of end users. Unified endpoint management (UEM) has helped make it possible to manage and enable smartphones, tablets, laptops, wearables and the internet of things (IoT) through one platform. But even though IAM and UEM tools enable an admin to precisely verify an individual’s identity, does that mean Simon from accounts should be granted access? Not necessarily.

Zero Trust and Conditional Access

Zero trust is a no-nonsense approach to security. Think of it as the manager of a Ferrari dealership. Ferris Bueller walks in and asks to test drive the most expensive model. Despite having a license to drive, the manager is still going to require Ferris to prove he can afford it before he puts the key in the ignition.

There is a number of contextual factors to consider; identity alone does not suffice. Just because Simon has been verified, it doesn’t mean the device or network he is using is secure. This is particularly pertinent when it comes to mobile, where there are myriad misconceptions around how threats behave, as well as a general lack of protection. Zero trust is about taking a holistic view of the access request and provisioning access accordingly.

Develop an Unconditional Love for Conditional Access

Conditional access uses policies to govern based on contextual signals, such as geolocation, device type, operating system (OS), network context and more. It’s about understanding the risk at the endpoint, conducting a real-time risk assessment of a device’s identity and combining these signals with threat intelligence.

For instance, consider an employee requesting access to the company’s customer relationship management (CRM) system via a device that has both an outdated operating system and detected malware. While the company is able to tolerate this particular version of the OS, it is not acceptable for the malware-infected device to be accessing sensitive resources per the organization’s mobile threat defense (MTD) policy. As a result, access would be denied and a notification sent to the end user to remediate. These measures enable productivity within reasonable security-driven parameters while instilling cyber hygiene.

Each access request needs to be dynamically determined. It’s no good to evaluate a device at specific intervals, storing this information so it’s ready for the next access request. Too much can change. Even within a session, a user may download a suspicious application, increasing its risk posture. Timeliness is key when it comes to risk assessment.

As important as identity is to the authentication process, it needs to be combined with risk assessments that include the user, endpoint and network over which the access request originates. A zero trust model moves security away from implied assumptions: Just because an employee has been verified does not mean their device is devoid of threats.

Modern IT and security leaders need to assess more than just the device, the user and their policy compliance when determining whether they should or should not grant corporate app and resource access. With MTD in the mix, IAM and UEM offer a pathway to a zero trust model for the enterprise in delivering access.

Register for the July 11 webinar to learn more

Alex Cherian
Program Director, MaaS360 Offering Management, IBM

Alex has over 18 years of software development and product management experience in IBM and currently handles product management and strategy for IBM MaaS360...
read more