
Gal Helemski at PlainID argues that a new approach to zero trust is needed, one where continuous evaluation and validation is implemented across all tech stack interactions to mitigate data breach impacts
Zero trust is no longer a ‘nice to have’ for cyber-security leaders. Shifting workforce dynamics, evolving digital business models and an increasingly complex technical landscape featuring hybrid legacy and cloud infrastructures built on microservices, have combined to create a multiplicity of potential attack surfaces.
As a consequence, the volume of cyber-attacks and data breaches involving unauthorised access to networks, applications and systems is surging. Indeed, according to a recent study, offering employees remote work options resulted in data breaches for 62% of organisations.
In response, cyber-security leaders are striving to implement zero trust controls in a bid to reduce the risk of data breaches, ransomware and insider threats. However, the success of these efforts is being undermined by a variety of factors.
Historically, zero trust frameworks have focused on solving authentication challenges associated with endpoint and network access security. However, the exponential increase in identity-related breaches means that today’s organisations now need to implement a comprehensive authorisation framework. This must make it possible to authenticate users and devices on an ongoing basis and must continuously monitor users post-authentication.
Yet the findings of our recent CISO Zero Trust survey show that many UK and US organisations have not implemented this foundational capability. Only 50% said authorisation features in their zero trust programme, an omission that potentially exposes their infrastructure to threat actors.
The survey also found that fewer than a third (31%) of organisations had sufficient visibility and control over the authorisation policies intended to enforce appropriate data access. A further 45% said that a lack of technical resources was proving a challenge when it comes to gaining true visibility and control of their network or optimising enterprise authorisation and access controls. Worryingly, 41% of organisations also said they are using unmanaged and ungoverned OPA-based solutions to authorise identities.
Indications are that while many organisations may well be implementing a form of zero trust, they often lack the complete toolset or capabilities required to extend zero trust from authentication through to the final access point and target data set. On top of this, they lack true visibility or control of their network and are relying on legacy home-grown solutions that were never designed with today’s fast-evolving threat landscape in mind.
Technologies dedicated to addressing aspects of zero trust in relation to network access control and advanced authentication abound. However, the protection features provided by solutions such as gateway integration and segregation, secure SD-WAN and secure access service edge (SASE) are primarily network-centric.
Today’s increasingly complex operational realities mean that, in addition to network access, zero trust also needs to be applied to application access and access to intra-application assets. In other words, achieving genuine zero trust protection means organisations will now need visibility of all resources, applications and networks. Indeed, protecting hybrid working environments depends on it.
Unfortunately, implementing limited access controls can create a false sense of confidence and significantly increase an organisation’s exposure to risk.
Relying on authentication alone, which verifies a user’s identity before granting them access to data, a network, a system or a device, is no longer enough. Organisations must also implement authorisation that follows every digital interaction that happens post-authentication, granting or revoking user permissions to resources in real time.
Unfortunately, authorisation can prove a broad and complex challenge for organisations unless they utilise a comprehensive authorisation solution. Such a solution makes it possible to initiate identity-aware security at every layer of the enterprise’s computing infrastructure while maintaining central policy visibility, manageability and policy governance.
In response to the rising demand for risk-based authorisation and identity-aware security, today’s next-generation dynamic authorisation solutions now provide a way forward for enterprises that need to grant fine-grained access to application resources, data assets and any other asset in real time and at the point of access.
Providing a more technically advanced approach to zero trust, dynamic authorisation drives two processes that are essential to zero trust: runtime authorisation enforcement, and high levels of granularity.
For example, when a user attempts to access a network, application or assets within an application, this will trigger the evaluation and approval process of a number of key attributes. These include: user level (their current certification, level, role and responsibilities); whether users can access confidential and personally identifiable information (PII); and other asset attributes such as data classification, location assignments and any relevant metadata.
Other factors that are assessed include the location the user is authenticating from (internal or external system), the time and date of authentication, and technical aspects such as the risk level of the system.
Considering all these and any other relevant attributes, the policy engine makes its decision at the point of access during runtime, making a fresh decision in real time every time access is attempted. It utilises risk-based intelligence to add context to each access decision rather than relying solely on static attributes that have been predefined by the application.
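As an added illustration (not PlainID’s product and not code from this article), the following Python policy decision point evaluates the subject, asset and environmental attributes described above at the moment of each access attempt, deny-by-default, and returns the reason for every refusal. The rule set, the region names, the certification name and the 08:00-18:00 window are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime

@dataclass(frozen=True)
class AccessContext:
    role: str                 # subject attributes, from the identity provider
    certifications: frozenset
    pii_cleared: bool
    classification: str       # asset attributes: "public" | "internal" | "confidential"
    contains_pii: bool
    asset_region: str
    user_region: str          # environment, observed at the moment of the attempt
    origin: str               # "internal" | "external"
    when: datetime
    system_risk: str          # "low" | "medium" | "high"

# Deny rules as (reason, predicate); deny-by-default, and the reason feeds the audit trail.
RULES = [
    ("asset contains PII but subject lacks PII clearance",
     lambda c: c.contains_pii and not c.pii_cleared),
    ("confidential asset requires the analyst or manager role",
     lambda c: c.classification == "confidential" and c.role not in ("analyst", "manager")),
    ("asset region does not match the subject's location assignment",
     lambda c: c.asset_region != c.user_region),
    ("external access to non-public assets is limited to 08:00-18:00",
     lambda c: c.origin == "external" and c.classification != "public"
     and not 8 <= c.when.hour < 18),
    ("high-risk system requires the privileged-access certification",
     lambda c: c.system_risk == "high" and "privileged-access" not in c.certifications),
]

def decide(ctx: AccessContext) -> tuple[bool, str]:
    """Evaluate every rule against the live context; the first matching deny wins."""
    for reason, denies in RULES:
        if denies(ctx):
            return False, reason
    return True, "all attribute checks passed"

# Constructed sample: an EU analyst opening a confidential, PII-bearing EU record
# from inside the network during office hours on a high-risk system.
OFFICE_HOURS, AFTER_HOURS = datetime(2024, 3, 4, 10, 30), datetime(2024, 3, 4, 22, 15)
SAMPLE = AccessContext(role="analyst", certifications=frozenset({"privileged-access"}),
                       pii_cleared=True, classification="confidential", contains_pii=True,
                       asset_region="EU", user_region="EU", origin="internal",
                       when=OFFICE_HOURS, system_risk="high")

def decide_with(**observed) -> tuple[bool, str]:
    """Re-run the decision with the attributes observed at this particular attempt."""
    return decide(replace(SAMPLE, **observed))
```

The same subject and asset yield different outcomes depending on origin and time, which is the point of deciding afresh at each access attempt rather than once at login.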
By implementing dynamic authorisation, organisations can manage hundreds or thousands of policies centrally, through a single pane of glass. This makes it easy for security professionals to add, update and quickly deploy new policies and it enables the fine-grained access control that ensures users gain smooth access to the correct data.
Today’s next generation authorisation solutions enable organisations to implement an end-to-end zero trust architecture that hardens protection against every possible threat vector.
Providing rigorous identity-aware security at every layer of the enterprise makes genuine zero trust protection a reality by delivering continuous evaluation and validation across all tech stack interactions to mitigate the risk of data breach.
A comprehensive risk-based authorisation and identity-aware security framework enables organisations to address zero trust security gaps and elevate their overall security posture.
Gal Helemski is cofounder and CTO at PlainID