The COVID-19 pandemic has resulted in changes for organizations in India, and correspondingly, their IT infrastructure and cybersecurity needs. The concept of the traditional perimeter has blurred due to the rapid move to a “work from anywhere” environment and today, identity is the new perimeter. In addition, more businesses are going online, with their users accessing business applications from multiple environments.
This new landscape has created many issues related to security. A major proportion of breaches happen due to the compromise of identities and abuse of privileged credentials. For example, in a multi-cloud environment, any identity – be it a remote IT administrator, a remote worker or a third-party vendor – can become privileged and have access rights to a company’s most valuable assets. The classic case of the SolarWinds software supply chain attack, which saw the compromise of identity and manipulation of privileged access, is a stark reminder of the dangers of unmonitored privileged access.
With identity being the new perimeter, a holistic identity security strategy – one that includes authenticating every identity accurately, authorizing each identity with the proper permissions and providing access for that identity to privileged assets in a structured manner – is critical for creating the foundation of trust.
Understanding the Zero Trust model
In this new world, Zero Trust has been accepted as a viable and effective security model for reducing risks significantly. Zero Trust assumes by default that nothing – be it a device or an application or a human being – can be trusted. In this framework, every possible action by every entity must be authenticated and proved for every session. The foundation for a zero-trust model must begin with security, as the only controls available to organizations across on-premises infrastructure or the cloud, and across different networks, devices and applications, are identity-based.
Let us look at the fundamentals of a Zero Trust Security model, which is based on three core aspects: verify every user, validate every device and transaction, and limit privileged access. As one can see, in a zero-trust model, every identity is authenticated and authorized before access is granted.
The core principle is “never trust, always verify.” This approach ensures that every user’s identity is verified, their devices are validated, and their access is limited to just what they need and is taken away when they do not need it. To do this, identity security remains fundamental and core if an enterprise is to implement a zero-trust model.
Why identity security is key
It is important to note that Zero Trust is not a solution or technology but rather an approach to security based on the principle of “never trust, always verify.” This approach ensures that every user’s identity is verified, their devices are validated, and their access is intelligently limited to just what they need – and taken away when they don’t.
As the embodiment of this model, identity security offers a set of technologies that is foundational to achieving Zero Trust. Identity security helps enterprises secure individual identities including authenticating the identity, authorizing it with the required permissions, and ensuring access for it to privileged assets. Identity security is at the core of a zero-trust strategy, as it can help enterprises empower workers and customers with secure access to apps and resources from any device they use.
An average large enterprise can have hundreds or thousands of human and non-human identities, most of which have privileged accounts that need to be protected and managed. A significant number of organizations do not have a centralized approach to managing privileged accounts for these identities, which results in them playing catch up every time there is a new user or identity. The swifter an organization can get a handle on protecting these assets, the sooner they mitigate the risk against today’s advanced threats.
Applying the least privilege principle
One of the fundamental aspects of the zero-trust approach is the concept of least privileged access, and identity-based controls can help limit privileged access. For example, identity security can help provide access to on-premises apps through a remote access gateway while considering factors such as who the user is, the security posture of the device, the current risk of the user’s activity, and the system or app that requires access. This is a significantly superior approach to mitigating risks than giving broad access to the network through VPN connections.
The least privilege principle is also extremely useful in multi-cloud environments. For example, in many data breaches, we can see that by stealing a credential to access a cloud-based resource, an attacker can access critical workloads undetected or escalate their privileges to steal cloud-hosted data, disrupt high-value applications or even take entire cloud deployments offline.
To address this, enterprises must consider implementing least privilege principles, in which all identities have only the minimum necessary entitlements to perform their responsibilities. Establishing least privilege principles also limits the number of entities that can grant or configure new permissions, making it extremely difficult for hackers to escalate their attempts.
A privileged access management (PAM) solution can help discover and manage privileged accounts and credentials as well as isolate and remediate risky activities across environments. Default credentials left unchanged or an escalation in privileges are some of the main reasons for data breaches in multi-cloud environments. PAM eliminates excess cloud entitlements, while improving the visibility of hidden, misconfigured, and unused permissions across cloud environments.
A Zero Trust approach has proven to be an effective way for organizations to mitigate some of the emerging security risks. As most of the elements of a zero-trust strategy have their roots in identity-based security solutions (multi-factor authentication, privileged access management), fortifying identity-based access controls must be one of the key focus areas for enterprises to have better command and visibility of their corporate assets.
Views expressed above are the author’s own.