Nowadays most employees are provided with the ability to work remotely and access their work data and services from virtually any location, on any device, and at any time. While this may be an improvement in terms of offering employees more of a work-life balance, employees still have one *little* thing to worry about: SECURITY. Easier access to more services from more devices and locations translates into an exponentially increased surface of attack, so a comprehensive security strategy must be defined and executed carefully.
Such a strategy should consider aspects like the devices employees are using to access corporate resources (including the security policy that governs Corporate Owned, Business Only (COBO), Corporate Owned, Personally Enabled (COPE), or Bring Your Own Device (BYOD) ownership model), as well as how and where they can access them from. It’s also important to consider where corporate data and services are located (locally and/or in the cloud) and how corporate data is protected in all its states (at-rest, in-transit, and in-use). This ensures employees can only access corporate resources from a known, trusted, secured device, while providing them with a consistent end-user experience across all their different devices, to ensure business is not interrupted.
What is Zero Trust Architecture?
Zero Trust Architecture (ZTA) is a cybersecurity strategy that requires strict and continuous authentication of both people and devices when trying to access resources on a private network, either locally (on-premises) or in the cloud. We previously published a blog post on Zero Trust, highlighting its guiding principle, “never trust, always verify.”
This means that each user and their device are not trusted per se but must be verified first before they are granted access to any corporate resource or service. Additionally, only the minimum required access to said resource is usually granted; also, validation is not a one-off but happens continuously, as the user and device’s security posture and risk can change over time.
There is no one standard definition of what a Zero Trust Architecture is or should be, ISEC7 uses a 7-pillars approach to categorize all the different layers, modules, and functionalities that Zero Trust Architecture can possibly include.
1. User Identity
The first pillar is about the user identity. Usually, a user authenticates and then gets access to several resources, including data and services, with a specific level of access depending on his role and privileges (or permissions). However, their security posture and associated risk can change over time. Therefore, a one-off authentication is not good enough, but rather user activity and access requests must be monitored with a continuous authentication process, to protect and secure all interactions between said user and the corporate infrastructure. Should their security posture change, then the access request will be reevaluated and eventually either denied or elevated using complimentary authentication, based on pre-defined Conditional Access rules.
A framework like Identity and Access Management (IdAM), including various well-known security processes, policies, and technologies, can be used to help manage digital identities and control access to corporate resources. That security effort mainly focuses on authentication and authorization.
In the first layer, authentication, the user will need to be properly and undoubtedly identified, ensuring said person is who they claim to be, using a combination of well-proven security technologies, including Single Sign On (SSO), Multi Factor Authentication (MFA), Certificates (e.g., smartcard) or Biometrics (e.g., fingerprint, face recognition), or a combination of these. In large environments spread over different countries or regions and in hybrid deployments where corporate resources are located and accessed both on-premises and in the cloud, Identity Federation can also be used, allowing the use of credentials from different domains or organizations (e.g., partners, customers).
In the second layer, authorization, the user will then be provided access to the right resources with the right permissions. Role-Based Access (RBA) and corporate policies are typically used to determine which access a given user needs to be granted for a specific resource or service. For example, for a CRM used to process Sales orders, one salesperson could be granted the right to generate new orders while another like a manager would be able to review/validate them.
Also, for organizations to be able to manage identities and permissions (also referred to as access privileges) in a multi-cloud deployment, from a single pane of glass, a Cloud Infrastructure Entitlement Management (CIEM) solution is recommended, as it will help with monitoring and detecting permissions that might represent a potential risk for said environment and take mitigation actions.
The second pillar is about the device or endpoint through which the user accesses corporate resources. Not only is the user required to properly identify when accessing a resource, but also its device – be it a desktop computer, laptop, or mobile device – and make sure said device is and remains compliant.
For that, it is mandatory to have an up-to-date view of the device’s security posture, including its status and
global health, to make real-time decisions like whether to grant access, as well as proactively suspend access to said resources.
Trusted, Managed and Compliant Device
For that, a Unified Endpoint Management (UEM) solution would typically be used. Also referred to as Mobile Device Management (MDM) or more recently Enterprise Mobile Management (EMM), UEM is the latest evolution in terms of mobile device management and provides a global view and control over all the endpoints interacting with an infrastructure.
The device would first need to enroll with the UEM solution either manually, requiring user interaction (for example, for personal devices), or automatically (for corporate-owned devices), a phase during which it will be authenticated and registered in the system so it can later be managed. Then the device can be provisioned with specific services (e.g., corporate Wi-Fi, VPN access) and applications, but also have enforced security on it (using policies), defining what can be done on it, and eventually taking mitigations in case it gets lost or stolen. This also provides a reporting capability, useful to determine which devices are active and which services are used, optimizing license usage and costs. Also, the device posture and status will continuously be monitored, for example to confirm it is not jailbroken (iOS) or rooted (Android), and running the latest Operating System (OS) version, and enforced in case it no longer is (e.g., block access to corporate resources), following established company policies.
However, it is crucial to ensure that the device always remains secure, and for that, it must be monitored constantly to detect any
threat or suspicious behavior that might indicate an incoming cybersecurity risk or attack. In order to deliver a proper protection against
malware, detect any suspicious activity, and respond to cyberattacks in general, we need to deploy behavior-based threat defense
software which, instead of relying on a list of known malicious files like traditional antivirus software does, would watch what happens on the system all the time to detect any change of
behavioral pattern that could indicate a potential threat. Such solutions are commonly referred to as Mobile Threat Defense (MTD) solutions for mobile
devices, and Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) for desktop computers and back-end
Mobile Threat Defense (MTD): Block malware infections, check application integrity, detect unsecure network connections, prevent phishing attacks (e.g., suspicious URLs sent via email or SMS) and notify back to UEM solution to enforce compliance actions.
Endpoint Protection Platform (EPP): Prevent file-based threats like viruses, malwares, and trojans alike from executing on an endpoint by identifying them using behavior-based security.
Endpoint Detection and Response (EDR):
Detect more sophisticated attacks, for example, involving scripts or memory access, before they can unfold, and this by continuously monitoring all activities and collecting specifics on
endpoints, including network requests, registry, memory dumps, and system calls.
Extended Detection and Response (XDR): Expands on EDR (which is focused on the security of endpoints only) by identifying and addressing cybersecurity threats across the whole organization, for all its components, including network environment, applications and workloads, cloud-based data storage, etc. This provides the Security Operations Team (SOC) with a comprehensive, holistic view of the cybersecurity posture of the whole organization.
3. Applications & Workloads
The third pillar contains all the applications, systems, and services running in an infrastructure, either locally on-premises, externally in the cloud, or both in the case of hybrid environments. All these components must be secured, including software containers, virtual machines, and the hypervisors they are running on top of.
This begins with maintaining an inventory or repository of all applications running in your environment including internally developed and COTS applications. For these applications, it is critical to build out a Software Bill of Materials (SBOM) to ensure that you have a comprehensive knowledge of open source and 3rd party software running in your infrastructure. The importance of this has been highlighted recently with the breach of a well-known cybersecurity company and has become a requirement for federal agencies with the Executive Order on Improving the Nations Cybersecurity. Many organizations will implement a software factory or center of excellence where development work can be centralized following SecDevOps practices. Application code should be continually updated and maintained with approved pre-vetted application code/binaries. There are many tools on the market designed to help develop teams with maintaining security as part of their CI/CD process, ensuring security testing, vulnerability scanning, and best practices are followed throughout.
The fourth pillar is about protecting the corporate information being accessed, transmitted, used and/or stored by the employees on their devices.
Data must be protected from any unauthorized access, whether it resides locally or in the cloud. Then, it is crucial to protect that data while at rest that is stored locally on a computer hard disk, an internal back-end storage server or at a provider in the cloud; this is achieved using strong encryption like Advanced Encryption Standard (AES) algorithm with a 256-bit key, which is currently considered the strongest level of encryption for data-at-rest for commercial use, and the only algorithm approved by the U.S. government for storing classified information.
For cloud storage, though, where some data privacy concerns may arise as the data is technically under the hands of a third-party, Zero-Knowledge Encryption can be used, offering superior privacy and data protection as the encryption key used to encrypt and decrypt the data are never shared with the storage provider but only reside on the endpoint; even if that data would be stolen during a cyberattack resulting in a data breach, no useful information would be usable as it is all encrypted.
Also, ZTA provides the minimum access required to the data or resources, following the principle of least-privileged access, defined by the granular policies.
Third, it is important to detect and prevent any loss or unauthorized exfiltration of data in any form, which is achieved implementing Data Loss Protection (DLP) solution. There are different ways to implement it depending on the type of devices (e.g., desktop vs. mobile), ownership model (e.g., corporate-owned vs. personal), and usage (e.g., business only).
The solution will first categorize discovered documents that match the company-defined policies, such as documents that contain corporate information (e.g., company name, address, VAT number) or regulated information (e.g., social security number, healthcare information). This is the first step to determine which documents are sensitive and need to be watched closely.
On desktop computers, it will typically consist of an agent, that will first perform an inventory, to categorize containing sensitive and/or regulated data according to company-defined policies. Then it will detect and prevent data exfiltration, for example uploading a document to an external and/or non-authorized website, sending an email that contains sensitive information in the body or as an attachment, or copying files to a removable media (e.g., USB drive).
On mobile devices, data is handled differently, so detection and prevention are typically done at application level instead, ensuring sensitive corporate data cannot be shared nor sent outside of the defined boundaries.
Also in some cases, with extreme requirements in term of data protection and security, like the military, police forces, or federal agencies, it is mandatory that no corporate data is ever present on the device locally (data-at-rest) nor sent over unsecured networks like the Internet (data-in-transit), and in case of BYOD deployments, achieve 100% separation between personal and corporate data for BYOD devices. For that purpose, the next step is to use a virtualization solution, where a secure workspace or container app is present on the device, and only graphics are sent in an encrypted pixel stream, so no actual data is neither transmitted over unsecured networks, nor stored on the device. Such solutions are called Virtual Device Infrastructure (VDI), and more specifically Virtual Mobile Infrastructure (VMI) in the case of mobile devices.
Finally, when employees need to share corporate documents, not only internally but specifically external, for example with customers and partner companies, a Enterprise File Sync and Share (EFSS) Solution should be used to enforce data protection policy and not lose visibility nor control over these data. Such solutions usually use Digital Rights Management (DRM) technology to protect the documents, so they can only be opened by certain people, during a certain time, and with a limited permissions (ex: read, edit, print…); they can also contain watermark (to prevent data leak) and the location of the device from which the document is opened from can be reported. On top of that, it is recommended to use Conditional Access, and additional factors like device, location, application, or real-time risk level to determine whether a user will be allowed to access a service, be blocked, or be allowed, but only after validating additional checks.
5. Network Environment
The fifth pillar is about protecting the corporate network and environment by controlling, isolating, and segmenting all its different components, both from a physical (hardware) and logical (software), using specific policies and applying advanced access controls.
This is achieved using network segmentation, a security technique that divides a network into smaller, separate pieces called sub-networks, allowing IT personnel to compartmentalize them and provide separate security controls and services to each of them independently.
Protect Resources in the Cloud
More and more customers are moving from on-premises infrastructures to cloud-based deployments, but how to protect communications today between employees’ devices and cloud-based services or SaaS applications, reachable directly over the Internet? In such a scenario, Cloud Access Security Brokers (CASB) software can be used to act as an intermediary between the endpoints (e.g., a mobile app/device) and SaaS applications (e.g., Office 365, Salesforce.com, etc.), can monitor traffic, and allow organizations to enforce data protection and access control policies. Combined with a secure web gateway, it allows one to control traffic from the Internet onto the cloud SaaS applications.
Protect Resources in Hybrid Environments
For customers with both on-premises and cloud-based environments (called “hybrid environment”) usually interconnected in some way, Zero Trust Network Access (ZTNA) is recommended. That security component only allows traffic from authenticated users, devices, and applications. Also, all traffic is continuously inspected and analyzed using Machine Learning (ML), providing real-time threat protection to both prevent endpoints from connecting to unsafe Internet destinations and also determine whether user actions are expected or anomalous behaviors, if combined with User Entity and Behavior Analytics (UEBA).
6. Automation, Orchestration & Response
The sixth pillar is about providing an automated security response to technical issues and security threats. For that, it is recommended to implement a Security Orchestration, Automation, and Response (SOAR) solution that will collect inputs monitored by the Security Operations Team (SOC), for example security threats, and respond to them proactively when needed. This is achieved with little to no human assistance, using defined processes and security policies, usually powered by Artificial Intelligence (AI) technologies like Machine Learning (ML). This will greatly improve the overall level of the organization’s security, while drastically reducing average incidence response times.
7. Visibility & Analytics
Finally, the seventh and last pillar of our ZTA architecture model is about the analysis of the different events and activities as well as user and device behaviors, using the power of Artificial Intelligence (AI) and Machine Learning (ML). They detect any unusual pattern that would indicate a potential technical issue and/or security threat, and if so, take remedy actions accordingly, in real-time.
For that, it is recommended to implement a User Entity and Behavior Analytics (UEBA) solution that, using a combination of algorithms and Artificial intelligence (AI) technology like Machine Learning (ML), will help detect suspicious behaviors of both users and devices. This ultimately delivers optimal security by bringing automated intelligence to analyze behavioral patterns inside the network/environment and detect any unusual and/or suspicious activity. It would provide continuous validation and real-time Machine Learning (ML) analysis of user identity, device security posture, and risks, before granting access to the network and environment, which would also be protected using ML-based threat protection – just to mention a few improvements.
It is critical to educate your employees on the basics of security and best practices, especially in today’s remote and hybrid work environments; employees should know why these measures are put in place and how they relate to their remote and hybrid environments. Knowing the pillars of Zero Trust architecture, as well as understanding how and where their personal work information is stored, and the impact associated with any possible security risks. When reviewing your security posture, please don’t hesitate to reach out to the team at ISEC7; we can complete a security assessment and help you navigate the best options available to you to help strengthen and protect your infrastructure. ISEC7 has worked extensively with organizations large and small in both the private and public sector to enhance their security posture and fortify their ecosystems through the industry best practices, a curated product suite, and most importantly training.
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group