The Lockdown

Thycotic’s Cyber Security Blog

Can PAM Coexist with the Zero Trust Security Model?

Written by Joseph Carson

September 26th, 2019

What is the Zero Trust security model and why was it introduced?

The concept of Zero Trust security isn’t new; the term was coined by Forrester back in 2010 and was initially synonymous with a network security approach known as micro-segmentation. Micro-segmentation is a way to create secure zones in data centers and cloud deployments that allow you to isolate workloads and protect them individually.

This approach became attractive because the traditional security perimeter was no longer proving an effective cyber security control. Fast-growing technologies such as cloud, mobile and virtualization blurred the boundaries of the organization. For years organizations protected their valuable and sensitive data by building a fence around those assets; all data flowed in and out either through a single internet access point or on physical devices. A traditional perimeter was an effective measure because the boundaries were known and controlled: as long as internet access was managed, it was possible to protect, monitor, and control the data that flowed through it.


Organizations protected internet access with firewalls, VPNs, access controls, IDS, IPS, SIEMs, email gateways, and so forth, building multiple layers of security at the so-called perimeter. On physical devices, systems management and antivirus protected those systems and kept them updated with the latest security patches. This traditional “defense in depth” security approach has been used for almost 30 years, but in today’s world it’s no longer enough. After all, if your users are accessing more IT services outside the perimeter than inside, how protective can the perimeter really be?

Trust, in the past, was something we relied upon heavily. Once an employee had a corporate laptop and had authenticated, they were expected to do their job and not abuse the trust placed in them. Cyber-criminals took advantage of exactly this flaw in the security model, abusing trusted user identities and compromising their credentials to reach company systems and sensitive information under the guise of authorized employees.

Today, attackers abuse that trust by targeting unsuspecting employees’ personal accounts to gain an initial foothold, then elevating to privileged accounts, moving around the corporate network undetected and persisting for months or even longer. Once attackers are on the internal network they typically have access to the entire network, because everything inside it is implicitly trusted. This is why the Zero Trust security model was introduced, to establish a new stance on trust: never trust, always verify.

How has Zero Trust evolved since 2010?

Security product vendors have been steadily jumping on the Zero Trust bandwagon over the past nine years, to the point that Zero Trust has ballooned to include almost every type of cyber security technology under the sun. Forrester finally took an important step toward reining in the definition by publishing its inaugural Zero Trust Wave report, “The Forrester Wave: Zero Trust eXtended (ZTX) Ecosystem Providers, Q4 2018.” Forrester’s framework is based on technology controls and defines seven controls as the basic tenets of ZTX: network security, device security, identity security, application security, data security, security analytics, and security automation.

Gartner jumped into the Zero Trust conversation with their Continuous Adaptive Risk and Trust Assessment (CARTA) approach, and its “7 principles,” proposing that Zero Trust is only the first step in the process. CARTA is based on the balance between risk and trust; high-value assets represent business risk and, therefore, require a higher degree of trust from anyone trying to gain access.


The challenge with these approaches is that they’re so broad and comprehensive it’s difficult to know where to start. Where is your biggest risk? What do attackers see as the low hanging fruit? What can you do to eliminate the most risk as quickly and affordably as possible? To add to the challenge, organizations that implement the Zero Trust security model quickly find that it’s the opposite of how they have traditionally approached network security. Switching from trusting everything to trusting nothing—and always verifying—has increased friction for employees and had a negative impact on productivity.

Although Zero Trust is firmly associated with security, in reality it breaks the balance between security and productivity. And it does so at a time when we need security to help the business be productive and free of friction, enabling employees to do their jobs effectively and efficiently.

Our take on Zero Trust Security

Thycotic’s approach to privileged access security aligns well with the concept of Zero Trust and incorporates elements of both Forrester’s and Gartner’s approaches. The overarching Zero Trust concept of “never trust, always verify” is essentially about controlling access. And privileged access is the riskiest type of access. It’s why Forrester estimates that 80% of security breaches involve misuse of privileged credentials.

And Gartner ranks privileged access management as the #1 security project for 2019, for the second year in a row, because there are very straightforward and effective steps you can take to reduce your privileged access risk. If you can effectively control and monitor privileged access, then you’ll mitigate the most cyber risk in the shortest possible time.

How the Zero Trust security model works

Zero Trust assumes that any user or system accessing the network, services, applications, data, or systems starts with no trust. To gain authorized access, trust must be earned through verification. For example, verification can require two-factor authentication: the user provides a password and then must complete a second step with an authenticator application. When new devices are introduced on the network, and before they obtain access to any resources, they must identify and verify themselves against defined security controls. The more sensitive the resource to be accessed, the more security controls they must satisfy.

  • Untrusted networks, devices, and BYOD devices should always be Zero Trust with continuous identity verification
  • Trusted networks, devices, and users should start with Zero Trust, allow them to build trust, and revalidate when the security posture changes or the risks increase

However, Zero Trust should not be the final goal. It is an initial step to a dynamic or adaptive security model, such as the Gartner CARTA approach. In this model, when the threat is high, the security fence increases, and when the threat is low, the security fence automatically decreases. Managing this dynamic requires the efficient use of threat detection and intelligence to track activity.

By combining digital identity, multi-factor authentication, biometrics, behavioral analytics, and privileged access, you can build a dynamic security fence: a trust score or risk framework for digital identities that alerts on, or challenges, access when behavior changes or becomes suspicious. Internal trust definitions or external threat intelligence then determine when the security controls should become more sensitive.

For example, when a new variant of malware or ransomware emerges in the wild and exploits known vulnerabilities which have not yet been patched, the dynamic security measures can increase the security sensitivity. That way when a human or system detects a privileged access request from an unknown source, it can prevent access until additional security controls are satisfied, such as peer review or alternative approval workflows.

Thus, privileged identity management and adaptive security can continuously check trust levels, and when a user or system makes too many unusual or anomalous changes, the privileged identity management solution will automatically challenge for additional identification of the human or system.

“Zero Trust has an important role in improving security and reducing business risk but it’s only an initial step in this process.”

In this short video filmed at InfoSecurity Europe, I discuss cyber security and vendor relationships, and Zero Trust is introduced at minute 3:02:

Implementing PAM to achieve the principles of Zero Trust

Like Gartner, we recommend taking a risk-based approach to implementing Zero Trust security and privileged access management. And Forrester’s ZTX technology controls provide a good road map for key areas to address. The lowest hanging fruit in the PAM world, and a great way to remove lots of risk quickly and easily, is by changing default IDs and passwords for built-in privileged accounts. This maps to the ZTX identity security control.

Another quick win that maps to the ZTX device security control is implementing least privilege controls on endpoint devices like laptops and workstations. Local admin accounts on these devices should be locked down, and any application or task that requires elevated permissions should only be granted access via workflow approval.

The next big area of risk to address is controlling privileged access to your most business-critical systems, applications, and data. This maps to the ZTX identity, application, and data security controls. Determine which privileged accounts have access to these systems, who has access to those accounts, plus when and from where they typically use their access. For these high-risk accounts, keep the credentials in an encrypted vault so they can’t be shared or reused, use at least two-factor authentication to access the vault, rotate credentials frequently (if not after every use), and restrict the time and locations from which access is allowed.

Because attackers often try to create new privileged accounts in order to move laterally and avoid detection, you need to strictly control the process that governs how and why new privileged accounts are created. This maps to the ZTX security automation control.


All privileged account activity for critical systems should be monitored and recorded. This maps to the ZTX security analytics control. Users are encouraged to follow the rules when they know their behavior is being monitored, and recorded session data is invaluable when investigating the cause of a breach.
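As an added example (not code from the original post or from a Thycotic product), the following Python detector implements the check that the "new privileged accounts" and "monitor everything" steps above call for. It runs over constructed Windows Security events in JSON-lines form, roughly as a SIEM forwarder would export them, and flags two things: an account added to a privileged group by anyone outside the approved provisioning path, and an account that was created and then made privileged in the same batch, the pattern attackers use to move laterally under a fresh identity. The Event IDs are the standard Windows ones (4720 user account created; 4728, 4732 and 4756 member added to a security-enabled global, local or universal group); the group names, the sample events and the approved provisioning service account are assumptions for this example.

```python
"""Detect new or unapproved privileged accounts from Windows Security events.

Added example, not code from the original post. The event lines below are
constructed; the field names follow the Windows Security event schema
(SubjectUserName = who acted, TargetUserName = account created (4720) or
group modified (4728/4732/4756), MemberName = DN of the member added).
"""
import json
from typing import Dict, List

# Assumed for this environment: groups whose membership confers privilege.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Assumed: the only identity allowed to create privileged accounts, i.e. the
# service account behind the approved, workflow-gated provisioning process.
APPROVED_PROVISIONERS = {"svc-pam-provision"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Constructed sample: an approved provisioning run, an operator (jdoe) creating
# a new account and making it a local admin, a helpdesk user adding an existing
# user to Domain Admins, and a plain account creation that never gains privilege.
SAMPLE_EVENTS = """
{"EventID": 4720, "SubjectUserName": "svc-pam-provision", "TargetUserName": "adm-jsmith"}
{"EventID": 4728, "SubjectUserName": "svc-pam-provision", "MemberName": "CN=adm-jsmith,OU=Admins,DC=corp,DC=local", "TargetUserName": "Domain Admins"}
{"EventID": 4720, "SubjectUserName": "jdoe", "TargetUserName": "backup-svc2"}
{"EventID": 4732, "SubjectUserName": "jdoe", "MemberName": "CN=backup-svc2,CN=Users,DC=corp,DC=local", "TargetUserName": "Administrators"}
{"EventID": 4728, "SubjectUserName": "helpdesk1", "MemberName": "CN=mlee,OU=Staff,DC=corp,DC=local", "TargetUserName": "Domain Admins"}
{"EventID": 4720, "SubjectUserName": "jdoe", "TargetUserName": "tmp-user"}
"""


def member_sam(member_dn: str) -> str:
    """Reduce a MemberName DN such as 'CN=adm-jsmith,OU=...' to the account name."""
    first = member_dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def detect_privileged_account_creation(lines: str) -> List[Dict[str, str]]:
    """Return one alert dict per finding, in event order."""
    created_by: Dict[str, str] = {}  # account -> creator, from 4720 events in this batch
    alerts: List[Dict[str, str]] = []
    for raw in lines.strip().splitlines():
        ev = json.loads(raw)
        eid, actor = ev["EventID"], ev["SubjectUserName"]
        if eid == 4720:
            created_by[ev["TargetUserName"]] = actor
            continue
        if eid not in GROUP_ADD_EVENTS or ev["TargetUserName"] not in PRIVILEGED_GROUPS:
            continue
        group, member = ev["TargetUserName"], member_sam(ev["MemberName"])
        # Rule 1: privilege granted outside the approved provisioning path.
        if actor not in APPROVED_PROVISIONERS:
            alerts.append({"rule": "unapproved-privileged-group-add",
                           "actor": actor, "account": member, "group": group})
        # Rule 2: a brand-new account, created outside the approved path,
        # became privileged in the same batch (create-then-elevate pattern).
        creator = created_by.get(member)
        if creator is not None and creator not in APPROVED_PROVISIONERS:
            alerts.append({"rule": "new-account-made-privileged", "actor": actor,
                           "account": member, "group": group, "created_by": creator})
    return alerts


if __name__ == "__main__":
    for alert in detect_privileged_account_creation(SAMPLE_EVENTS):
        print(alert)
```

In production the batch window would be a time window (for example, 4720 and group-add events for the same account within a few hours) rather than a single file, and the approved-provisioner set would come from the PAM workflow configuration rather than a constant.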

Classifying trust dynamically and making it adaptive to business risks

Cyber security classifications of trust and accepted risk should be adaptive. This means you need to create policies or rules across the enterprise for identities, services, applications, data, and systems. For example, you can have an “always verify” and “always monitor” policy for third-party vendors or contractor identities. Internal employee classifications would be adaptive based on the sensitivity of the data being accessed. An “always verify” policy would require credentials and multi-factor authentication, while an “always monitor” policy would audit and record all activity.
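As an added example (not code from the original post or from Thycotic), the following Python sketch implements the adaptive policy described in this section and in the trust-score discussion above: third-party identities are always verified and always monitored, employees are scored from device, location, MFA state and recent anomalous changes, target sensitivity raises the bar, and a global threat level (raised, for example, when unpatched malware is active in the wild) tightens the fence for everyone. Too many anomalous changes push a request into a step-up challenge, as the post describes. The signal names, weights and thresholds are assumptions chosen for the illustration, not values from the post.

```python
"""Adaptive, risk-based decision for a privileged access request.

Added illustration, not Thycotic code. Signal names, weights and thresholds
are assumptions chosen for the example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # challenge: MFA, peer review or an approval workflow
    DENY = "deny"


@dataclass
class AccessRequest:
    identity_class: str         # "employee", "contractor" or "vendor"
    sensitivity: int            # 1 (low) .. 4 (business-critical) for the target
    mfa_satisfied: bool
    known_device: bool
    known_location: bool
    anomalous_changes_24h: int  # unusual privileged actions by this identity recently


# Assumed weights: every signal adds risk; no single signal is decisive.
RISK_WEIGHTS = {"unknown_device": 25, "unknown_location": 20, "no_mfa": 30, "per_anomaly": 10}
ANOMALY_CAP = 40          # cap so one noisy identity cannot dominate the score
THIRD_PARTY = {"contractor", "vendor"}


def risk_score(req: AccessRequest, threat_level: int = 0) -> int:
    """Return a risk score (0 is lowest). threat_level (0..3) is the global
    setting raised when, for example, unpatched malware is active in the wild."""
    score = 0
    if not req.known_device:
        score += RISK_WEIGHTS["unknown_device"]
    if not req.known_location:
        score += RISK_WEIGHTS["unknown_location"]
    if not req.mfa_satisfied:
        score += RISK_WEIGHTS["no_mfa"]
    score += min(req.anomalous_changes_24h * RISK_WEIGHTS["per_anomaly"], ANOMALY_CAP)
    # More sensitive targets and a higher global threat level both tighten the fence.
    score += (req.sensitivity - 1) * 10
    score += threat_level * 15
    return score


def decide(req: AccessRequest, threat_level: int = 0) -> Tuple[Decision, List[str]]:
    """Third parties: always verify, always monitor. Employees: adaptive on
    target sensitivity and risk score. Returns the decision and the controls."""
    controls: List[str] = []
    if req.identity_class in THIRD_PARTY:
        controls += ["always-verify", "always-monitor"]
        if not req.mfa_satisfied:
            return Decision.STEP_UP, controls   # verify before anything else
    if req.sensitivity >= 3 and "always-monitor" not in controls:
        controls.append("always-monitor")       # record sessions on critical assets
    score = risk_score(req, threat_level)
    if score >= 70:
        return Decision.DENY, controls
    if score >= 35 or (req.sensitivity >= 3 and not req.mfa_satisfied):
        controls.append("mfa-or-peer-approval")
        return Decision.STEP_UP, controls
    return Decision.ALLOW, controls


if __name__ == "__main__":
    normal = AccessRequest("employee", 1, True, True, True, 0)
    critical = AccessRequest("employee", 4, True, True, True, 0)
    print(decide(normal))                    # allowed, no extra controls
    print(decide(critical))                  # allowed, but session is recorded
    print(decide(critical, threat_level=2))  # same request during an outbreak: step-up
```

The point of the structure is that the same request gets a different answer as the environment changes: raising `threat_level` during an outbreak moves requests that were previously allowed into the challenge band without rewriting any per-identity policy, and the anomaly count lets the score react to behavior rather than only to static attributes.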

Moving beyond Zero Trust to adaptive risk-based security

Zero Trust is about ensuring only appropriate access is granted to critical assets. Organizations typically start their journey to Zero Trust security by prioritizing high risk areas, such as supply chain, contractors, temporary employees, sensitive networks, and privileged accounts, and reducing the risk of attackers abusing accounts that may have less security or visibility.

Zero Trust is the baseline from which organizations can build trust scores they can use to determine how much security is required for appropriate access to internal networks and systems. This concept can be applied and enforced very broadly, for the entire network and all of its assets, or very specifically, creating different levels of trust and verification at the micro-segment or individual asset level, depending on the level of security and control needed.


Joseph Carson

Joseph Carson has over 25 years' experience in enterprise security, is the author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies", and is a cyber security professional and ethical hacker. Joseph is a cyber security advisor to several governments, critical infrastructure, financial and transportation industries, speaking at conferences globally. Joseph serves as the Chief Security Scientist at Thycotic.