You’ve probably heard of zero trust security — it’s by no means a new concept. That said, many companies have reached a critical point in their digital transformation strategies. With more devices outside the corporate perimeter and more apps in use from the public cloud than ever before, organizations essentially have no choice but to explore new conditional access models to achieve security. The traditional approach simply cannot scale any longer.

Why Adopt a Zero Trust Model?

Despite radical changes in IT architecture and modern working practices, the on-premises approach to security has persisted. Given the slew of security breaches in recent years, it has become clear that on-premises security is no longer fit for purpose. When all employees, resources and systems sat on-site, protected by the corporate firewall, the on-prem approach seemed sensible. Today, the mobile workforce has become the norm and companies are transitioning to cloud apps and mobile-first strategies.

In Deloitte’s “Global Outsourcing Survey 2018,” 93 percent of participants said their organizations were in the process of or considering cloud adoption. Migration to the cloud seems inevitable, whether partially or fully, but traditional approaches to enterprise security were not designed to accommodate the protection of data that is maintained by third parties.


Mobile Further Complicates Access Management

Mobile adds another reason to adopt a zero trust model. The anytime, anywhere mentality is a reality: Employees expect to be able to work from any device. With an increased number of devices accessing corporate resources — managed and unmanaged, inside and outside the perimeter — how can IT teams be sure that access is only being granted to employees? Access to cloud apps becomes far more complex when mobility is involved, especially if the only layer of protection an app has is a username and password.

Additionally, one of the inherent problems of perimeter-based security is that it grants access based on implicit assumptions. If something is requesting access from a trusted location (inside the network), it’s given the green light. Unfortunately, due to the rapidly evolving threat landscape, this approach fails to account for threats that are already within the corporate perimeter.

Zero trust makes far fewer assumptions, applying a healthy skepticism to access management and basing decisions on more robust authentication mechanisms. Companies need to adopt the mantra, “Never trust, always verify.” Moving away from implicit trust signals such as location means security teams have had to rethink how they authenticate users.

Identity Is an Essential Building Block of Zero Trust

Ultimately, every security mechanism attempts to accurately determine the identity of the individual making a request. If it can’t, access shouldn’t be granted. That’s pretty black-and-white.

Each employee has a unique identity, but this isn’t necessarily reflected by traditional password-based authentication. Employees invariably find themselves managing different credentials for dozens of applications, with best practices dictating that the same password shouldn’t be used twice. Unfortunately, convenience often wins out — 59 percent of people use the same password for everything, according to LastPass.

What’s more, a username and password combination doesn’t equate to identity; it just means someone has the right combination of login credentials. So, with companies building more decentralized architectures, password-based authentication can’t be the only line of defense.

Identity and access management (IAM) has helped organizations better manage access to sanctioned cloud applications, enabling them to enforce multifactor authentication (MFA) to more accurately determine the identity of end users. Unified endpoint management (UEM) has helped make it possible to manage and enable smartphones, tablets, laptops, wearables and the internet of things (IoT) through one platform. But even though IAM and UEM tools enable an admin to precisely verify an individual’s identity, does that mean Simon from accounts should be granted access? Not necessarily.

Zero Trust and Conditional Access

Zero trust is a no-nonsense approach to security. Think of it as the manager of a Ferrari dealership. Ferris Bueller walks in and asks to test drive the most expensive model. Despite having a license to drive, the manager is still going to require Ferris to prove he can afford it before he puts the key in the ignition.

There are a number of contextual factors to consider; identity alone does not suffice. Just because Simon has been verified, it doesn’t mean the device or network he is using is secure. This is particularly pertinent when it comes to mobile, where there are myriad misconceptions about how threats behave, as well as a general lack of protection. Zero trust is about taking a holistic view of the access request and provisioning access accordingly.

Develop an Unconditional Love for Conditional Access

Conditional access uses policies that grant or deny access based on contextual signals, such as geolocation, device type, operating system (OS), network context and more. It’s about understanding the risk at the endpoint, conducting a real-time risk assessment of the device’s identity and combining these signals with threat intelligence.

For instance, consider an employee requesting access to the company’s customer relationship management (CRM) system via a device that has both an outdated operating system and detected malware. While the company is able to tolerate this particular version of the OS, it is not acceptable for the malware-infected device to be accessing sensitive resources per the organization’s mobile threat defense (MTD) policy. As a result, access would be denied and a notification sent to the end user to remediate. These measures enable productivity within reasonable security-driven parameters while instilling cyber hygiene.

Each access request needs to be evaluated dynamically. It’s no good to assess a device at fixed intervals and store the result for the next access request. Too much can change. Even within a session, a user may download a suspicious application, raising the device’s risk level. Timeliness is key when it comes to risk assessment.
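The CRM scenario above (an OS version the organization tolerates, combined with malware flagged by MTD) and the point about re-evaluating every request can be made concrete with a small policy evaluator. This is an added example, not code from the original article or from any IAM, UEM or MTD product; the signal names, the `Policy` thresholds and the sample requests are constructed for illustration.

```python
"""Conditional access policy evaluator (illustrative; hypothetical field names)."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "require_step_up_mfa"
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    """Signals gathered at request time from IAM, UEM and MTD (constructed names)."""
    user: str
    mfa_verified: bool        # identity signal from the IAM provider
    managed: bool             # device enrolled in UEM
    os_version: str           # e.g. "16.1"
    malware_detected: bool    # verdict from the mobile threat defense agent
    network: str              # "corporate", "home" or "public"


@dataclass(frozen=True)
class Policy:
    """Thresholds an admin would configure; the defaults here are constructed."""
    min_os_version: Tuple[int, ...] = (15, 0)
    untrusted_networks: Tuple[str, ...] = ("public",)


def parse_version(text: str) -> Tuple[int, ...]:
    """'16.1.2' -> (16, 1, 2); stops at the first non-numeric component."""
    parts: List[int] = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def evaluate(req: AccessRequest, policy: Policy) -> Tuple[Decision, List[str]]:
    """Evaluate one request from scratch; nothing is cached between calls."""
    reasons: List[str] = []

    # Blocking conditions first: these deny regardless of how strongly
    # the user's identity was verified.
    if req.malware_detected:
        reasons.append("MTD reports malware on the device; remediate before retrying")
    if parse_version(req.os_version) < policy.min_os_version:
        reasons.append(f"OS {req.os_version} is below the supported floor")
    if reasons:
        return Decision.DENY, reasons

    # Identity plus context: a verified user on weak context gets a step-up,
    # not an outright allow.
    if not req.mfa_verified:
        reasons.append("MFA not completed for this session")
    if not req.managed:
        reasons.append("device is not enrolled in UEM")
    if req.network in policy.untrusted_networks:
        reasons.append(f"request originates from an untrusted network ({req.network})")
    if reasons:
        return Decision.STEP_UP, reasons

    return Decision.ALLOW, ["verified user on a compliant, managed device"]


def evaluate_session(snapshots: Iterable[AccessRequest], policy: Policy) -> List[Decision]:
    """Re-evaluate on every request in a session instead of trusting an earlier result."""
    return [evaluate(snapshot, policy)[0] for snapshot in snapshots]


if __name__ == "__main__":
    policy = Policy()
    # Constructed: tolerated (slightly old) OS, but MTD has flagged malware.
    simon = AccessRequest("simon", True, True, "15.2", True, "corporate")
    print(evaluate(simon, policy))
    # Constructed session: clean at first, malware appears mid-session.
    before = AccessRequest("simon", True, True, "15.2", False, "corporate")
    print(evaluate_session([before, simon], policy))
```

Ordering matters: blocking conditions are checked before identity strength, so a fully authenticated user on an infected device is still denied, which is the "never trust, always verify" stance applied to the device rather than the person. Because `evaluate` is stateless, the second snapshot in the session flips the decision from allow to deny the moment the MTD verdict changes.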

As important as identity is to the authentication process, it needs to be combined with risk assessments that include the user, endpoint and network over which the access request originates. A zero trust model moves security away from implied assumptions: Just because an employee has been verified does not mean their device is devoid of threats.

Modern IT and security leaders need to assess more than just the device, the user and their policy compliance when determining whether they should or should not grant corporate app and resource access. With MTD in the mix, IAM and UEM offer a pathway to a zero trust model for the enterprise in delivering access.
