User frustration and productivity loss should be a wake-up call as we accelerate the long-evolving trend toward the borderless enterprise.
Is the current COVID-19 pandemic, and the resulting shelter-in-place response, really changing the way you think about securing your organization and its sensitive digital assets? If it is, you really haven’t been paying attention. Zero Trust was rapidly becoming the hot topic of enterprise security even prior to the pandemic, yet the concept was evolving as far back as the early 2000s and the term was coined in 2010. The idea that our enterprises are losing their borders became a major topic in security circles no later than 2012 when Eric Lundquist of InformationWeek started a dialog on that subject leading into RSAC that year. And somewhere in the middle of all that, Google doubled down on the concept in response to a 2009 breach by developing and implementing an elegant implementation of the zero trust concept they called BeyondCorp. Now that we have moved from about 40% of corporate workers operating remotely at least once a week to 90% or more working remotely every day, many organizations are seeing their VPN infrastructures increasingly overwhelmed, hacked and maligned. It’s clearly time to move past the academic discussions and take action – but not everyone agrees on what that action should be.
Let’s review the basic objective of every IT organization in every business in the world – a worker needs access to a resource to do their job. In the modern world, this is an employee, contractor, or partner using a computing device to traverse an unpredictable network path to access the required app, system, or service. The principle of zero trust says that we cannot take for granted anything about that transaction and shouldn’t grant access unless we can verify the user is who they say they are, they are using a low-risk device, and the communication is encrypted. Since we cannot make assumptions about the user’s location and there is no such thing as a trusted network, the controls must be as close to the resource as possible, ideally owned and managed by the organization themselves. Now we just need a platform that can establish the security and validity of each request prior to granting access to that resource. It really should be that simple! A good platform will have the ability to collect a broad range of security telemetry from a variety of pre-existing security products (yes, you should keep and leverage your current investments) in order to develop a contextual model for every access and measure that against a set of well-crafted policies – specifically Principle of Least Privilege policies.
The Principle of Least Privilege (PoLP) has been around far longer than the other concepts we’ve discussed, dating back to at least 1970, when the Information Security Office of Fairfax County in Virginia described “providing only the access necessary to perform assigned duties … to ensure the confidentiality, integrity, and availability of … information systems and data.” Note that although the referenced document has been updated many times since, it retains that exact wording today. Unfortunately, role-based access controls (RBAC) have been adopted broadly by organizations as a way to simplify the assigning of privileges. With the dynamic nature of users and environments, the exponential growth of privileges assigned to users, and the high likelihood that one of those credentials has already compromised, it would be prudent to limit access to only what is needed in the full context of the request.
Amazingly, many organizations today still grant these incredibly broad access privileges to workers based on only a single factor. A worker sitting in a corporate office behind the corporate firewall (albeit a rarity today) is trusted, while the worker outside that perimeter is not. Are you using a corporate-issued device? That alone may grant you many privileges that a BYO device would not. How about corporate credentials? Simply appearing to be the person who owns those credentials will allow you to access anything that person would, even if the login comes from an unexpected location or demonstrates an unusual pattern of behavior. Perhaps the worst offender of all is the dreaded VPN. Obtaining access through a VPN is like winning an all-access pass to your favorite theme park. It doesn’t matter who you really are, and you can stay as long as you like, wreaking as much havoc on the poor victim organization as you like. Enjoy! Unfortunately, this VPN problem has gotten even worse since the pandemic stay-at-home order, and not just for the usual scalability and usability reasons. Hackers are taking advantage of the increased dependence on VPNs by finding many new vulnerabilities in these systems. Microsoft is warning hospitals of this increased threat, InfoSecurity Magazine identified a list of new VPN concerns, and the Chinese government is now being attacked through their VPNs. These are just a few indications of a collapsing remote access strategy.
Fortunately, many are coming around to the common sense of a simpler and more robust approach to security that can deliver during pandemics and beyond. But there is much confusion about what it all means and how to go about it. Part of the problem is that zero trust is a concept, not a product, and many, many security vendors have added it to their marketing material. Surprisingly some of the loudest voices are network vendors, which is peculiar since Google’s elegant BeyondCorp approach to the zero trust strategy specifically identifies the network as irrelevant. Mostly, this means that their solution adheres to or supports the concept, which is great because this means that security admins have great options to solve their various security problems going forward. But the essence of a true zero trust solution is a platform that delivers three specific capabilities:
- Establishes access control points to individual resources as close as possible to each resource, ideally without interfering with the most direct and efficient path from worker to resource
- Gathers security telemetry from a broad set of third-party security solutions to develop a trust profile for each access request, based on multiple risk factors and behavioral context
- Uses granular policy control to dynamically grant or deny access to each resource in real time, based on continuous contextual analysis and PoLP.
As you continue to explore this topic, keep watching this space for additional insights. Additionally, I recommend this piece by Garrett Bekker of 451 Research and anything by Chase Cunningham. Gartner has also written extensively on this movement, including many reports that discuss Zero Trust Network Access (ZTNA) such as How to Make Cloud More Secure Than Your Own Data Center and The Future of Network Security Is in the Cloud (which also has a timely Chinese Summary Translation).
Once we get past the current limitations of COVID-19, do I think things will return to the way they were before? I highly doubt it. Work-from-home rates have already doubled over the last decade, and this experience has surely pushed that curve even steeper. While this experience undoubtedly hurt productivity for some, many companies and individuals have discovered the benefits of more flexible work hours and completely eliminating their commute. For many, this could become the new normal. All the more reason for IT organizations to get secure remote access right as soon as possible.