The new reality for IT and DevOps engineers is defined by the cloud, mobility, and increasing demands for agility. In this new landscape, the traditional “perimeter-based” security model is not aging well and binary access tools like VPNs, firewalls, and jump servers are proving to be cumbersome and unscalable.
Working environments are no longer governed by fixed perimeters. Users work off their own devices and sensitive company data is stored in third-party cloud services. Companies can no longer rely on binary security models that focus on letting good guys in and keeping bad guys out. For modern enterprises, the challenge is how to give users the access they need while reducing set-up and maintenance costs and without compromising security.
Zero trust security is not a product, it’s a process. Below are six best practices that organizations should observe on the path to zero trust security.
Verify all users with multi-factor authentication (MFA)
It is often said that zero trust is rooted in the principle of “never trust, always verify.” But, properly implemented, is it more accurate to say that zero trust is rooted in the principle of “never trust, always verify and verify again.”
Gone are the days where a username and password would be enough to validate a user’s identity. Today, these credentials must be fortified using multi-factor authentication (MFA). Additional authenticating factors may consist of one or more of the following:
When implementing zero trust architecture, the identity of every user accessing your network (privileged user, end-user, customers, partners…) should be verified using multiple factors. And these factors can be adjusted depending on the sensitivity of the data/ resources being accessed.
Verifying your users is necessary but not sufficient. The principles of zero trust also extend to endpoint devices. Device verification includes ensuring that any device used to access your internal resources meets your company’s security requirements. Look for a solution that allows you to track and enforce the status of all devices with easy user onboarding and offboarding.
The principle of least privilege (PoLP) determines what you can access in a zero-trust environment. It is based on the idea that a particular user should only be granted just enough privileges to allow them to complete a particular task.
For example, an engineer who only deals with updating lines of legacy code does not need to access financial records. PoLP helps contain the potential damage in the event of a security compromise.
Least privilege access can also be expanded to include “just in time” privileged access. This type of access restricts privileges to only the specific times when they are needed. This includes expiring privileges and one-time-use credentials.
Apart from authenticating and assigning privileges, you should also monitor and review all user activity across the network. This will help identify any suspicious activity in real time. Visibility is especially important for users who have administrative rights due to the sheer scope of their access permissions and the sensitivity of the data they can reach.
Use attribute-based controls to authorize access to resources across your security stack – from cloud and on-prem applications, to APIs, to data, and infrastructure. These will let the administrator easily adjust and enforce access policies in order to block suspicious events in real-time.
Don’t let the perfect be the enemy of the good. Implementing the perfect zero trust strategy that your end-users hate to use is not a very good strategy. You end-users just want to work. Consider a strategy and products that create the most frictionless and SaaS-like experience for your team.