While the internet lights up with terrifying costume ideas every October, what we find truly scary are the security breaches that have hit major companies in recent months. Luckily, we have National Cybersecurity Awareness month to provide focus and resources toward a safe and secure internet. To celebrate and observe the month, our diverse team of security thought leaders will present ideas, opinions and best practices around security.
Week two brings you Group Product Marketing Manager Ivan Dwyer, who would like to step you through the zero trust journey .
As the cloud transformed IT departments over the past decade, Zero Trust is transforming Security departments in many of the same ways. Teams that may have been at odds in the past, IT pushing for automation, Security pushing for protection, are now coming together with the common goal to enable the business via streamlined workflows for every job. This seismic shift from a cost center to a business enabler elevates the role of the CSO/CISO, and makes influencers and champions out of everyday IT and Security practitioners.
At Okta, we’ve witnessed first-hand the benefits of Zero Trust with many of our customers. While Zero Trust is fundamentally a philosophy that impacts your people, processes, and technology, it starts with your people first and foremost. Your workforce is dynamic, working remotely in the cloud, using a wide range of mobile devices. It’s widely accepted that the traditional network perimeter breaks down in this new world, so the only way to protect your sensitive company resources and data is to make people your new perimeter, with the end goal of a fully adaptive workforce.
Identity is Dead. Long Live Identity.
Getting identity right for your security architecture is the logical first step to take of any Zero Trust journey, unifying all your people – employees, contractors, partners, and customers – in a single, federated environment where all the policies and controls originate.
But identity isn’t just a static record in a database anymore. We need to line up our notion of “Identity” with the dynamic nature of the modern workforce. “Modern Identity” becomes who you are, what device you’re using, where you are, and any other surrounding conditions that may impact your security posture. Alice from the Engineering team, working from her company-issued MacBook in a Starbucks, is an Identity. Bob from HR, working from an unknown Windows machine located in China, is an Identity.
In order to be an effective relying party of modern identity, an Identity Provider must inherently understand these dynamics, and put forth the appropriate authentication workflows that can adapt to the context of each individual request. Alice’s identity logging into a monitoring dashboard may not raise any red flags, but Bob’s logging into the corporate wiki might, so it would reason to introduce an additional factor in the authentication workflow. If a request from Alice were to appear from an unknown device, to a service she’s never touched before, it would be logical to block the request, and alert the Security team.
Only with a dynamic identity profile, that can adapt to changing environments, can we incorporate contextual access controls — the next hill to climb towards the Zero Trust summit.
When Identity is King, Access is the Throne
With the evolution of modern identity, Access Management must be in lock step to effectively adhere to your security policies. Why spend all this effort to build a dynamic identity profile to authenticate and authorize in real-time, only to hand someone a shared password for some generic, privileged user account? That would be a wasted effort, yet so many common methods of access control fall under this legacy thinking.
Much of this is due to the deep history behind the underlying transport protocols, and the compliance standards companies are subject to. Secure transport protocols are traditionally backed by a specific credential mechanism. Linux server access, for example, is done via SSH keys, where our prior heroes Alice and Bob were first made famous. A strong cryptographic element does not make a secure access mechanism, as these credentials can easily be lost, stolen, or misused.
An entire product category exists for this problem set: Privileged Access Management. What these products typically do is wrap a management layer around credentials, allowing users to check them out in order to assume a privileged account to do what they need to do, such as logging into a Linux server using a vaulted SSH key. While certainly a step up from self-management, these products are still rooted in legacy thinking that is not aligned with modern identity and Zero Trust. The credentials are static and they hold privileges in themselves.
When making a contextual access decision at a point-in-time, we need a credential mechanism to match. Again, it would be a wasted effort otherwise. The burning question is this:how can we evolve the access controls when the underlying architecture has no mechanism beyond the credential to further validate a request? The answer lies in time and scope (and the clever technology that the team at ScaleFT brings to Okta).
The way it should work is that every request has a clearly defined authorization scope that aligns with the dynamic identity profile —a user on a device from a location accessing an individual resource at a specific point-in-time. Only once that request is fully authenticated and authorized is a credential issued. What’s important here is that each login represents a new authorization scope which, in turn, is minted a fresh credential, limited in time and scope. Driving the value of the credential itself to zero (no pun intended) mitigates its inherent risk exponentially more than trying to prevent its theft, and will be the only way we’ll ever stop repeating the same breach headline over and over again. To me, that’s Zero Trust in action.
Insight, Foresight, More Sight.
There’s something missing from all this, however, and in the spirit of Cybersecurity Awareness Month, I’m going to look ahead a bit. Contextual access shouldn’t be a binary decision point. Once a request has been fully authenticated and authorized, and a secure connection brokered between endpoints, that doesn’t necessarily mean we should stop there. Things can change. A device can be lost, a vulnerability can be disclosed, a contractor can go rogue, so on and so forth. Designing a Zero Trust system correctly, with what exists today, will enable you to quickly react and respond to these changing environments, but what if we could be proactive in our security controls?
This isn’t as far fetched as it may appear on the surface. We see the beginnings of proactive security with things like Okta ThreatInsight, which can put forth a passwordless experience when a specific request meets certain behavioral conditions. As with anything related to behavioral analysis, it’s a matter of machine learning over time.
I often point to the famous Waymo / Uber case in this regard. From a security standpoint, Google reacted as best one can — they had all the evidence to show malicious behavior, down to the machine-level forensics. But shouldn’t they have noticed something fishy about an employee attempting to download 17,000 sensitive documents, despite having all the privilege to do so? Wouldn’t it make sense for an anomaly like this to, at minimum, raise a managerial approval workflow?
I relish any chance I can get to reference rap lyrics in an Okta Security blog post (Tweet @fortyfivan if you get this one), so gaining the insight into behavioral patterns gives systems the foresight to make even smarter trust decisions.
Okta as the Foundation for Your Zero Trust Architecture
At the risk of sounding like a cliché, Zero Trust is a journey. What’s clear from my learnings, speaking with customers over the past few years, is that making a bet on a modern security architecture today will quickly pay off in spades, just as investing in cloud computing a decade ago has already for so many organizations.
The task ahead may seem overwhelming, but you don’t need to climb the summit on day zero (yet again, no pun intended). Start with the foundation that enables you to build, which is identity. With a modern identity platform such as the Okta Identity Cloud at the core, you can incorporate contextual access controls across your entire corporate network—users, devices, and resources. With the right architecture in place, you’ll end up with a seamless and secure end user experience for your people.
But Melody Hildebrandt, Global CISO of 21st Century Fox said it best, “Okta was key to accelerating our evolution to a zero trust model. This was the identity plane where we could introduce so much of the control that we needed to have in order to assess who a person is. So it was actually a way to accelerate, our thinking around zero trust.”