Kamel Heus at ThycoticCentrify explains why Zero Trust needs a focus on machines as well as people.
The Zero Trust approach to identity management and access control has grown significantly in popularity over the past few years, with many businesses now choosing it as the foundation of their defences. The reason is simple: Zero Trust’s central tenet of ‘never trust, always verify’ delivers much more robust protection than the ‘trust, but verify’ approaches of the past, keeping sensitive data safe and making it easier to demonstrate regulatory compliance.
Despite this, far too many businesses continue to struggle with their key identity-related security controls. According to recent research by the Identity Defined Security Alliance (IDSA), credential-based data breaches remain prevalent throughout the business world, with over 90% of respondents having experienced an identity-related attack, and yet 99% of those attacks are judged to have been preventable.
Compromised credentials let attackers walk past the rest of the security stack, and in many successful breaches they are the root cause. Weak, default or stolen usernames and passwords all give attackers easy access to networks and the sensitive information held within them. Events of the past 12-18 months have heightened that risk further. The COVID-19 pandemic forced a rapid shift to remote working, significantly expanding the attack surface and stress-testing existing identity and access management (IAM) practices as businesses tried to balance productivity and security in a hurry, often with mixed results.
However, in modern IT environments, people are far from the only identities to consider. In many organisations they make up only a small proportion of the total. The majority of identities are non-person, or machine, identities: microservices, applications, workloads and service accounts, amongst other things. Yet despite this, organisations continue to dedicate the majority of their time, effort and resources to access controls for human users alone.
While there may be only a handful of privileged human users within an organisation, the number of machine identities associated with them can be far higher, and the attack surface grows accordingly. This is especially true in DevOps and cloud environments, where privileged task automation plays a key role in day-to-day activity.
A new approach to IAM is needed
Delivering effective IAM in the face of these competing challenges requires multiple, often interdependent changes. To succeed, those responsible for IAM within their organisations must manage those changes through a well-governed, well-executed security programme.
Ultimately, these new kinds of machine identity and modern cloud-native application architectures are forcing organisations to rethink their approach. Otherwise they risk vulnerabilities and blind spots that cyber criminals won’t hesitate to exploit.
A recent Gartner report confirms that, “uneasy feelings of not being in control and the lack of accountability are often well-founded.” The report, titled “Managing Machine Identities, Secrets, Keys, and Certificates” lists the existence of shadow IAM deployments; the occurrence of ghost Secure Shell (SSH) keys across different devices and workloads; and the absence of guidance around the use of machine identities as just a few examples of how companies are struggling to deal with machine identities.
So what’s the solution? Gartner recommends returning to the drawing board, where an effective, enterprise-wide identity management strategy can be developed. Such strategies should include steps like defining a common nomenclature for a machine identity, distinguishing between how machine identities are stored in central and local identity repositories and the credentials the machines use, assessing the different technologies that can assist in managing machine credentials, and establishing ownership of the machine and credentials.
Zero Trust authentication for human and machine users
Once those foundations are in place, organisations should move from static passwords to a more dynamic form of authentication that addresses the key security issues without hurting usability. With ephemeral certificate-based authentication, target systems are accessed without any permanent credential existing for them. This establishes a “zero standing privilege” posture based on Zero Trust principles: every access to a service must be authenticated, authorised and encrypted, and the credential that grants it is valid only for a short window.
For each individual session (machine or human), a short-lived certificate is issued by the certificate authority (CA), which acts as the trusted third party, in a standard format such as X.509. The certificate encodes the user’s identity and has a limited lifespan, so a stolen or intercepted credential is of little value once the window closes; access to the target system is controlled according to the user’s roles, and no privileged session or credential is left standing where it can be exploited.
Established security policies and access requirements are then translated into rules for specific roles. The CA obtains these rules from the existing enterprise directory (e.g., Microsoft Active Directory group membership) and uses them to decide what each certificate authorises. This removes the need to set up access for every individual machine or user, and lets updates be applied to whole groups of machines or users in one place.
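The flow described above, issuance from a CA driven by directory group membership, a short validity window and a role check at the target, as an added worked example in Go using only the standard library. This is example code written for this page, not ThycoticCentrify’s product code. The directory contents, the role policy, the target names and the choice of the certificate’s OU field to carry group names are constructed assumptions for the demonstration, and the in-process self-signed CA stands in for a properly protected enterprise CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in for the enterprise directory (identity -> groups); a real
// deployment would read group membership from Active Directory or equivalent.
var directoryGroups = map[string][]string{
	"alice":        {"db-admins"},
	"ci-runner-07": {"deployers"},
}

// Constructed role policy: which directory group may reach which target system.
var rolePolicy = map[string]map[string]bool{
	"db-admins": {"prod-db": true},
	"deployers": {"prod-web": true},
}

// CA is the trusted third party that signs the short-lived certificates.
type CA struct {
	Cert *x509.Certificate
	key  ed25519.PrivateKey
}

// NewCA builds a self-signed CA valid for one day from now (demo only).
func NewCA(now time.Time) (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ephemeral-ca"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, key: priv}, nil
}

// Issue mints a certificate for identity valid only in [now, now+ttl]. The identity's
// directory groups ride along in the OU field (an assumption made for this example)
// so the target can decide on role alone; identities missing from the directory are refused.
func (ca *CA) Issue(identity string, sessionPub ed25519.PublicKey, now time.Time, ttl time.Duration) (*x509.Certificate, error) {
	groups, ok := directoryGroups[identity]
	if !ok {
		return nil, fmt.Errorf("identity %q not found in directory", identity)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), // demo only; use a random serial in production
		Subject:      pkix.Name{CommonName: identity, OrganizationalUnit: groups},
		NotBefore:    now,
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, sessionPub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Authorize is the per-session check a target system runs: verify the chain and the
// validity window at time now, then require a group the policy maps to target.
// An expired certificate is rejected before the policy is even consulted.
func Authorize(ca *CA, cert *x509.Certificate, target string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	for _, group := range cert.Subject.OrganizationalUnit {
		if rolePolicy[group][target] {
			return nil
		}
	}
	return fmt.Errorf("no role on certificate grants access to %s", target)
}

func main() {
	now := time.Now()
	ca, _ := NewCA(now)
	pub, _, _ := ed25519.GenerateKey(rand.Reader) // the session's own key pair
	cert, _ := ca.Issue("alice", pub, now, 10*time.Minute)
	fmt.Println("t+1m  prod-db :", Authorize(ca, cert, "prod-db", now.Add(time.Minute)))
	fmt.Println("t+1m  prod-web:", Authorize(ca, cert, "prod-web", now.Add(time.Minute)))
	fmt.Println("t+11m prod-db :", Authorize(ca, cert, "prod-db", now.Add(11*time.Minute)))
}
```

Running it shows the three outcomes that matter for zero standing privilege: within the ten-minute window the db-admins group reaches prod-db and is denied prod-web by policy, and one minute after expiry the same certificate is rejected by the chain check regardless of role. Nothing persistent is written anywhere; revoking access is a matter of not issuing the next certificate.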
According to the IDSA, over 50% of businesses have yet to implement any form of identity-related access control across their networks. Doing so is one of the best defences currently available against the multitude of cyber threats out there. As part of this, recognising that an identity-centric approach to security based on Zero Trust principles must apply to both human and machine users is critical to keeping sensitive data protected in the modern business landscape.
Kamel Heus is Vice President, EMEA at ThycoticCentrify
Main image courtesy of iStockPhoto.com