Organizations continually grapple with the best ways to secure their assets, especially as more of them migrate to the cloud and attackers get smarter and more sophisticated. One option that is often touted is a zero trust model through which access to critical resources is scaled back and granted only under specific conditions. But organizations planning to implement zero trust need to ensure that the process is done correctly to get the most bang for the buck.
SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)
In a report released Thursday, security provider CyberArk outlines five tips on how to effectively set up a zero trust model. Sponsored by CyberArk, “The CISO View 2021 Survey: Zero Trust and Privileged Access report” collected the advice based on interviews with 12 top security executives from Global 1000 companies.
1. Identify targets subject to cyberattack
Attackers are increasingly pursuing end users and other types of targets who have valuable or powerful access. To counteract this tactic, identify the users with high-value access as well as the systems and data most likely to be targeted. Where are these systems and data and what types of users need to interact with them?
You also need to look at service accounts with high-value access. Such accounts are typically created over time by developers and not managed centrally. One way to find them is to use analytics to sift through logs for highly sensitive databases and applications so you can determine the source of their logins.
Next, keep tabs on administrative accounts. Maintaining an inventory of all administrative accounts can be challenging, especially for cloud, SaaS and RPA applications as the admins for these apps may not be part of a technical team. Consider working with the procurement team to ensure that all new security controls, infrastructure components and applications are identified and brought into the security program.
2. Ensure that your MFA implementation is effective
Organizations often kick off their zero trust process by focusing on multifactor authentication. But you want to make sure you get it right so attackers can’t sneak around it.
One strategy is to use a standards-based single sign-on. MFA combined with SSO improves the user’s experience by reducing logons and replacing passwords with such methods as device certificates, biometrics and push notifications. Where possible, use SSO tools that support standard protocols such as SAML or OpenID Connect.
Find ways to lock down the MFA registration process. To achieve this goal, use an out-of-band process such as a phone call to check if a registration request was made by the legitimate user. Also consider not allowing registration on more than one device. Further, make sure the user registers with a valid ID such as a passport.
User acceptance of your MFA implementation is key. Make the authentication experience consistent across all types of applications and platforms (e.g., web vs. mobile). Use easier methods such as biometrics or push notifications where possible. Align the method to the sensitivity of the system. For example, highly sensitive systems might require a one-time password while less sensitive systems may require just a push notification.
You also need to guard against MFA fatigue in which users respond to MFA prompts without thinking, a process that can be exploited by attackers. Ensure that reauthentication requests make sense to the user. For example, if someone working from home changes to a different ISP but stays in the same location, a reauthentication request may not make sense to them. Further, make sure that MFA requests are out-of-the-ordinary so users will pay attention and thoughtfully respond to them.
3. Protect higher risk credentials in a PAM system
In a zero trust model, most user access to applications is protected with such controls as MFA and adaptive authentication. However, consider using a Privileged Access Management system when certain security benefits are required. PAM systems should be used to protect all high-level, administrative access for individuals and accounts, such as an IT admin or a process with administrative access to infrastructure.
PAM tools can provide a wider range of controls for both applications and infrastructure, including the following: 1) Storage of credentials in a centralized, enterprise-grade vault; 2) strong authentication for retrieval of credentials by authorized users; 3) automatic rotation of credentials; 4) revocation of access in the case of anomalous behavior; and 5) time-of-day restrictions.
4. Allow just enough access
Providing just enough access for just enough time to just enough resources minimizes the impact of any intrusion by giving the attacker a smaller footprint in which to move. For all valuable resources, minimize the number of accounts, users with access to accounts (both human and machine), and their privileges. Less access is easier to protect, restrict and review.
Make it a priority to know who has access to what. Establish processes to regularly remove unnecessary privileges and accounts. Set up third party access to automatically be revoked after the contract expires. Aim to implement analytics to review and tighten access.
You also want to minimize local admin access and restrict software installation. If an attacker compromises a user’s device, their ability to install damaging malware and move laterally is greater if the attacker obtains local admin privileges. Consider not allowing local admin access or allow it only for certain roles. Endpoint protection technology can also restrict installations to whitelisted or greylisted applications. Additionally, just-in-time access can temporarily give users elevated privileges to install software such as a printer driver.
5. Drive a cultural change
Zero trust is not just a set of controls. It’s also a mindset that requires a cultural shift. To be successful, you’ll need the support and engagement of stakeholders throughout your organization.
First, start with the name. The term “zero trust” can be misinterpreted as implying that the organization does not trust its employees. Some organizations avoid the term altogether, replacing it with terms such as “earned trust” or “
Make sure employees realize they are responsible for the access they’ve been granted and that having less privilege is in their own interests. Be clear that privilege reduction is happening across the organization and not just to specific employees. Start awareness campaigns well in advance of the implementation. For example, announce that local admin access will be broadly revoked in six weeks. This gives employees time to think of new ways of working.
Finally, focus your user training and education. Prioritize users who are likely targets of spear phishing. Use marketing techniques such as social media campaigns to develop more compelling content about security risks. Tailor messages to specific departments. Give remote workers specific guidance on securing their home working environment, such as changing the default password on their home router.