In a guest article, Martin Kulendik, Regional Sales Director DACH at Silverfort, shows best practices for a new identity-based Zero Trust approach.
Trust no one, device, identity, or network resource. Zero trust has now become one of the most crucial security models. The concept is simple and intuitive: implicit trust is a vulnerability that attackers can exploit for lateral movement and access to sensitive data. The Zero Trust approach attempts to mitigate this risk by eliminating implicit trust from the corporate environment.
Zero Trust always assumes that a security breach has already occurred. For example, an attacker bypassed some of the defenses in place and gained a foothold in the enterprise environment. In the next phase of the attack, the hacker moves sideways through the network, accessing additional resources until they find valuable data or assets. The Zero Trust model significantly limits the damage when a hacker is in the corporate environment.
To date, Zero Trust has primarily been implemented at the network layer by rebuilding the network infrastructure and dividing it into multiple micro-perimeters with segmentation gateways. Recently, however, another zero-trust approach that focuses on the identity layer rather than the network aspect is gaining traction.
Network-Based vs. Identity-Based Zero Trust
Zero Trust is designed to prevent malicious access to resources within the corporate environment. While a device performs such access on the network connection, it also requires user authentication to access the resource. If this user account is compromised in an implicit trust environment, a hacker can freely access any resource or move laterally in the network. Both network segmentation rules and risk-based authentication policies are helpful tools to block malicious access attempts.
How identity-based Zero Trust works in detail
Identity-based Zero Trust relies on assessing risk and enforcing secure access controls whenever a user attempts to access a corporate resource. In addition, the risk associated with the access request is continuously analyzed, and adaptive, risk-based policies are enforced throughout the network, both on-premises and in hybrid environments. Access to the resource is granted only after a detailed risk analysis of the user’s authentication activity and is valid for a specific access request. This risk analysis should be carried out for each access attempt.
Today’s enterprise environment encompasses multiple types of resources: physical servers, SaaS applications, cloud workloads, file shares, on-premises applications, and many others. Identity-based zero trust means that the following criteria are met:
- Each user account is considered compromised, i.e., untrustworthy, until proven otherwise.
- A user account is trusted after it has been validated and only for single resource access.
- If the user tries to access another resource after a validated access request, they must be validated again. For example, a remote user connected to the corporate VPN using authentication. Once in the internal environment, this user now tries to access a file server. Identity-based zero trust would never assume that this user account is trustworthy based on a mere successful VPN authentication, but always check this access and user for trustworthiness.
The identity-based Zero Trust evaluation process includes:
all access requests made by all user accounts to any local or cloud resource and create a comprehensive audit trail.
For each access attempt, the probability that the user is compromised is evaluated. This risk determination is based on user behavior, the audit trail, and various contextual parameters.
Real-time access policy enforcement:
Authentication is tightened with multi-factor authentication (MFA).
The benefits of identity-based Zero Trust
An identity-based Zero Trust approach has effective implementation, management, and security advantages:
Simple and easy to implement:
Unlike network-based Zero Trust, no infrastructure changes and associated downtime are required. There is no need to remove and replace anything in the area.
Focusing on the user. Not the network segment ensures that risk analysis is performed on each resource access, in contrast to a network-based approach that can only enforce this check at the segment gateway and no insight into the essential resources within the segment itself.
Improved ability to detect anomalies and threats:
An attacker’s movement within the corporate environment is uncommon compared to legitimate users. Performing security checks on each resource access increases the likelihood of discovering hidden malicious activity.
Security officers must monitor, analyze and enforce an access policy on every access attempt in real-time: for every user, every resource, and every access interface. Security is an essential requirement, without which organizations are only partially protected, and the value of the Zero Trust model is nullified. For this reason, organizations should consider implementing a unified identity protection platform.
Unified Identity Protection: Identity-Based Zero Trust in Practice
Suitable Identity Protection is specifically designed to protect against identity-based attacks that use compromised user credentials to access corporate resources.
Unified Identity Protection consolidates security controls across enterprise networks and cloud environments to mitigate identity-based attacks. These include homegrown and legacy applications, IT infrastructure, file systems, command-line tools, machine-to-machine access, and more. The solution continuously monitors all user and service account access in both cloud and on-premises environments,
With the flood of sophisticated attacks, traditional security approaches alone are no longer sufficient to ensure corporate security. It can be assumed that attackers are already in the network unnoticed. An entire Zero Trust approach that includes the identity layer can significantly strengthen the defenses to protect valuable data and assets.