A Brief History of Zero Trust Security
The Forrester Zero Trust model, which has been around since 2009, argues that organisations should regard all network traffic as untrusted, regardless of where it’s coming from. The idea of a trusted internal perimeter leaves the organisation at risk if that perimeter is compromised or an insider turns malicious.
Of course, the situation has evolved significantly since 2009. Thanks to an increasingly mobile workforce and the widespread adoption of cloud services, it’s no longer safe to assume that your data is secure simply because a credential checks out. With most data breaches involving stolen credentials, authorised and unauthorised access can look identical. The traditional perimeter has moved beyond the network to wherever the user is attempting to access the data.
As the way we work has evolved, so has the discussion around Zero Trust. In early 2018, Forrester proposed the Zero Trust eXtended Ecosystem (ZTX), with data being a key component of the model.
Actors accessing or processing the data are also all seen as untrusted by default, and Forrester specifically highlights a second critical component of the ZTX: people. Securing this component involves securing the identity and access around the user. In today’s modern workforce, this is often where the perimeter extends. While next-generation firewalls (NGFWs) and micro-segmentation technology is critical to controlling the network fabric, what is called Next-Generation Access (NGA) provides security at this new people-centric perimeter.
With this in mind, other key components of Forrester’s ZTX include the workloads, networks, and devices associated with users. Greater emphasis is placed on monitoring and automating services within the environment, since accurately assigning privileges—and closely monitoring what is done with those privileges—is crucial to ensuring security. With people acting as the new perimeter, it’s important to pay attention both to where they are gaining access from and what they do with that access.
In 2014, Google published BeyondCorp as a practical application of the Zero Trust framework. BeyondCorp suggests three key ideas: connecting from a particular network should not determine the services you can access; access should be granted based on what’s known about the user and the device; and finally, all access to services must be authenticated, authorised and encrypted.
Under BeyondCorp, securing the user’s access plays a central role in how the model was implemented across their employees, with strong authentication required. In fact, Google recently reported that they hadn’t been successfully phished since 2017 by implementing strong MFA policies. By also looking at device context, better access control decisions can be made that balance security and usability, such as only prompting for a second factor on risky device states.
Implementing an identity-centric Zero Trust model
While the original network-centric Zero Trust model was appropriate for that era, CISOs today need to contend with making access decisions across devices and users not controlled by the organisation. Devices may not be managed, and users may be contractors or partners, so how do we start to think about trust in this world? With identity being the foundation of access management, it’s clear that a Zero Trust security model must start with identity.
It’s also important to look at context when making access decisions, including:
- Who is this user?
- Which app or service are they trying to access?
- Is the device known, or managed?
- Are they logging in from a known location for that user?
- Are they logging in from a known network, such as the corporate network?
Context like this can provide risk signals to determine when to allow access, deny access, or prompt for a second factor. This enables the organisation to implement strong access controls while enabling the user to work without disrupting productivity. Making these access decisions at scale across your employees, partners, contractors, and even customers requires a centralised identity and access management solution.
The need to integrate identity across the ZTX is key to this people-centric security approach. For example, due to the complexity involved in managing a modern distributed environment, ZTX encourages the use of automation and orchestration to scale the command and control of components. Another ZTX component, visibility and analytics, can give organisations the ability to respond to security threats proactively. Centralised and integrated identity and access management solution can help organisations meet this ZTX best practice by providing a consolidated reporting solution that classifies and feeds access and authentication data to these automation and analytics systems, reducing threat dwell time.
How Okta can help you implement Zero Trust
With Okta Single Sign-On, organisations can centralise identity and access control to secure access to apps and services, whether cloud-based on on-premises. Under the Zero Trust model, organisations should never assume a user is who they say they are by default. Okta’s Adaptive Multi-Factor Authentication (MFA) allows for policies based on login context. So should a user request access from a new location, device, or network, additional factors of authentication can be implemented.
Further helping control access is Okta’s Lifecycle Management, which reduces the attack surface through automated provisioning and deprovisioning of apps and services, reducing orphan accounts that leave data exposed. Modern app development often involves the use of APIs, which can expose a huge amount of your data to the web and representing an emerging threat vector. Access to APIs also must not be trusted by default, so Okta’s API Access Management allows you to control security across multiple app development teams, gateway vendors, or instances. Finally, Okta’s centralised reporting provides a sophisticated search of real-time system logs with pre-built application access reports, and integration with SIEMs.
As mentioned, a key feature of this modern people-centric security paradigm is the need to integrate identity across the ZTX. With this in mind, the Okta Integration Network has more than 5,500 integrations out of the box, enabling you to quickly and securely integrate across the Zero Trust eXtended Ecosystem.
The Zero Trust model can serve as a valuable framework, but each organisation may implement it differently. Regardless of your approach, putting modern identity-driven security at the core of your Zero Trust strategy will set you up for success.
For more information on Zero Trust and securing data in a mobile environment, download our whitepaper, Zero Trust with Okta: A Modern Approach to Secure Access