Introducing Zero Implicit Trust security
Mobile and cloud have rendered the ‘castle and moat’ security model obsolete. Rather than trusting everything that happens on the inside of the perimeter, we should now adopt a policy of ‘never trust, always verify’. And as the author of this long read, Carlo Schupp, argues, ‘Zero Implicit Trust’ would be a better name. Implementing Zero Trust is no walk in the park and requires a certain level of digital maturity of an organization. In fact, the different steps in the zero trust journey can be closely linked to the Digital Maturity Model that TrustBuilder developed.
Read on to learn:
- How the ‘Castle and Moat’ model has to be replaced by Zero Trust
- Why Zero Implicit Trust would be a better name for Zero Trust
- How the journey towards Zero Trust is linked to an organization’s digital maturity
Zero Trust replaces ‘Castle and Moat’ model
Historically, enterprises depended on a ‘castle and moat’ security model, with the enterprise network and datacenter on the inside, and firewalls guarding the perimeter. Anything located on the outside was considered untrusted. Conversely, anything on the inside was considered trusted. However, trust based on network location breaks down when users are mobile, when using cloud and when external partners require access. It creates excessive implicit trust. It is this implicit trust that attackers abuse: once the perimeter is breached, they have access to everything on the privileged intranet. For example, if VPNs are used to extend the enterprise network to remote workers, an attacker only need steal the user’s credentials to gain access to the enterprise network.
The adoption of mobile and cloud means that we can no longer have a network perimeter-centric view of security; instead, we need to securely enable access for the various users (employees, partners, contractors, etc.) regardless of their location, device or network. A Zero Implicit Trust security model responds to this trend and removes the split between a ‘trusted’ internal network and an ‘untrusted’ external network. Identity and access management (IAM) is core technology for achieving Zero Implicit Trust security.
Zero Implicit Trust would be a better term than Zero Trust
Even though the term Zero Trust is widely used and abused in security marketing, it may be confusing: it is not trust that is removed, it is ‘implicit trust’ in all computing infrastructure that is no longer depended upon. A better name for this model would be Zero Implicit Trust, meaning that actual trust levels are made explicit and are continually adapted to enable just-in-time, just-enough access to enterprise resources. The original Zero Trust model was developed by Forrester Research analyst Jon Kindervag in 2009, who argued that we should consider all network traffic untrusted. Since 2009, the rise of cloud and mobile has served as a catalyst for Gartner to echo Kindervag’s Zero Trust framework in their 2017 ‘Continuous Adaptive Risk and Trust Assessment’ (CARTA) framework. CARTA added focus on not just authenticating and authorizing access at the front gate, but on doing this continually throughout the user’s experience through an adaptive, risk-based assessment to identify potential threats. Forrester further developed their Zero Trust eXtended Ecosystem model, led by analyst Chase Cunningham, to replace ‘Next Generation Firewalls’ by ‘Next Generation Access.’ This model elevates the people aspect and makes command and control over who has access to the network and data critical. Put simply, the core principle of Zero Implicit Trust has become to ‘never just trust, always verify first.’ This ensures the right people have the right level of access, to the right resources, in the right context, and that access is assessed continually in a frictionless manner.
The journey towards Zero Trust is linked to an organization’s digital maturity
Implementing the Zero Implicit Trust security model is not a trivial exercise. As customers implemented Zero Implicit Trust architectures, we’ve seen several stages of maturity emerge, alongside our Digital Maturity model. Our maturity model classifies organizations as either Digital Developers, Experience Experts, Connected Companies, Ecosystem Extenders or Monetizing Masters.
Fragmented Identity, typical for the Digital Developer
Many organizations begin their Zero Implicit Trust journey with on-premise directories like Active Directory and with cloud applications that are not integrated with on-premise applications. As a result, IT is forced to manage disparate identities across a number of systems as well as the many applications and services used outside IT’s control. For the user, this also means numerous passwords and other credentials. Without visibility and ownership over these fragmented identities, IT and security teams are left with potentially large windows for attackers to exploit access into individual systems.
Unified identity, typical for the Experience Expert
The first step to resolving the security gaps left open by many fragmented identities is consolidating under one IAM system, across on-premises and cloud. This consolidation, via single sign-on (SSO), is critical to managing access and shouldn’t be limited to solely employees. It should also apply to any user that needs access to a service, including the full extended enterprise of contractors and partners. Layering a second factor of authentication to that centralized identity access point further helps to mitigate attacks targeting credentials. Additionally, unifying identities across servers is key to bringing access policies together into one secure, manageable place for IT.
Many enterprises already use TrustBuilder to unify their user identities. TrustBuilder ID Hub and TrustBuilder.io can serve as a single source of truth for IT organizations. They also serve as an integration point to multiple directory services. TrustBuilder.io makes managing and securing the extended enterprise simpler for IT departments and eliminate the password proliferation that currently plagues users.
Adaptive Access for the Connected Company
Once IT has unified IAM, the next stage in Zero Implicit Trust security is layering, in context-based access policies. This means gathering rich signals about the user’s context (i.e. Who are they? Are they in a risky user group?), application context (i.e. which application the user is trying to access), device context, location and network, and applying access policies based on that information.
For example, a policy could be set to allow seamless access to managed devices from the corporate network, but an unmanaged BYOD logging in from a new location would be prompted for multi-factor authentication (MFA). Or privileged access to critical systems would require authentication using hard tokens and a cryptographic handshake. Furthermore, if users leave or change roles within an organization, automated provisioning can ensure that they have access only to the tools they are authorized for.
Many organizations today are already using TrustBuilder’s Adaptive Authentication. By processing a variety of contextual insights about a user, device, location, network and the application or browser a resource is accessed from, the TrustBuilder policy engine serves up a contextual response. This response is based on an organization’s risk tolerance, which acts as the first line of defense in keeping an organization secure.
The Connected Company of Stage 3 also opens up its applications to customers and third parties via APIs. TrustBuilder Adaptive Authentication enables secure access to APIs whereby a user’s identity may come from a partner’s identity system or a public source.
Ecosystem Access for the Ecosystem Extender
This stage refers to Forrester’s Zero Trust eXtended Ecosystem model. It extends an enterprise’s focus on authenticating and authorizing access to its ecosystem of partners and third-party platforms. This means that authentication and authorization occur not just at the front gate of the ecosystem (the first party in the journey) but occurs continually throughout the user’s journey within the ecosystem.
A party in the ecosystem can now set risk tolerance and allow the risk scoring based on contextual signals to determine the riskiness of a particular access attempt. Trust is no longer absolute: Adaptive Authentication and Dynamic Authorization are constantly re-evaluated. Any change in one of the risk signals may lead to different authorization decisions and may prompt re-authentication of the end-user.
Conversely, when a user has an account with Verified Assertions, the risk level is low, and they can automatically be granted access to APIs of a partner in the ecosystem without bothering them with re-authentication or reregistration.
TrustBuilder allows administrators to use policies to transform the authentication experience, and to completely remove passwords from the authentication flow. Replacing passwords with an alternate parameter as the primary factor for authentication enhances the user experience. So, while security is increased with smart, risk-based access control, the experience for the end-user is ultimately simplified. The experience is frictionless and, in cases where IT has set a policy to allow for it, passwordless.
The stages of digital ecosystem maturity in combination with implementing Zero Implicit Trust security using TrustBuilder can be depicted as follows:
Organizations that embark on this Zero Trust journey, will benefit from undertaking the journey step by step, while evaluating their strategy and the related security risks at every step. This is not a journey that you should necessarily walk alone. Why not benefit from the experience of a trusted guide. Before setting out, we would also recommend you make an assessment of where you stand, for instance by taking a Maturity Assessment.
Are you ready to implement Zero Trust? Contact us to ensure you make this journey safely.