The digital transformation has significantly increased risk exposure for enterprises. With users operating a variety of devices from a variety of locations, there is a greater attack surface with less IT oversight and control.
In fact, two-thirds of workers use their own devices at work. But a disturbing 80 percent of bring-your-own devices (BYOD) are unmanaged, and fewer than 10 percent of organizations have complete awareness of the devices accessing their networks.
Surprising? It’s not for today’s increasingly sophisticated attackers. They are all too aware that the easiest way to steal information isn’t to fight through traditional perimeter controls; it’s to compromise a user account and walk in through the front door.
“Trust, but verify” made sense for US-Russian arms control agreements, but it no longer makes sense for enterprise security.
If your organization hasn’t already, it’s time to implement a zero trust model that puts identity and access management at the core of your security program.
Don’t Get Stuck in the Stone Age With a Castle-and-Moat Mentality
We are all familiar with the classic network perimeter strategy, where trust is based on location and network. This is the medieval castle-and-moat mentality. You focus on defending the network perimeter and assume that everyone and everything already inside the network is friendly.
Users inside the network have private IP addresses and are “trusted,” while remote users employ virtual private networks to access a private IP address on the network.
The problem is that this model was created when employees used corporate computers on corporate networks within company walls.
Many companies have come to realize this is no longer the case, but they try to solve the problem with a partial solution: applying additional layers of protection to only certain critical systems. However, this only serves to create a false sense of security because hackers can and will exploit security gaps and weaknesses in the other, less protected systems.
In today’s corporate environment, the lines between internal and external are blurred— employees can work from anywhere, often using their own devices. At the same time, vendors and other third parties require more access to your corporate network.
Enterprises are increasingly moving data and applications to the cloud: 96 percent of organizations are using the cloud in some capacity, with 26 percent spending over $6 million annually on public cloud infrastructure.
And finally, there are more business systems that contain highly sensitive and valuable information, such as protected health information, credit card numbers, and social security numbers.
Simply put, there are many avenues of access to these systems, and they are being accessed by more users—both internal and external.
Adopting a Zero Trust Model
Because the security perimeter is porous, your organization must adopt a zero trust mindset.
The term “zero trust” was originally coined by Forrester to describe a security model in which no one is assumed to be trusted. “Times have changed. You can't think about trusted and untrusted users," explained John Kindervag, who was a Forrester analyst at the time the model was developed.
Instead of “Trust, but verify,” the new approach says, “Verify everything trust nothing.”
The reality is that many breaches start from within—whether intentionally or unintentionally. As many as two-thirds of breaches are the result of employee negligence or malicious acts, according to the global brokerage firm Willis Towers Watson.
Unlike the castle-and-moat mentality, the zero trust model doesn’t distinguish between internal and external users or devices. It treats everything as external.
Your organization must adopt a zero trust mindset, operating under the assumption that all users, endpoints, and resources are untrusted and always need to be verified.
The key to this approach is to only deliver applications and data to authenticated and authorized users and devices.
How IAM Can Help
The zero trust model begins with identity-driven security that puts a modern identity and access management (IAM) system at the core of your organization’s security program. Key components of an effective IAM system include automated lifecycle management for both internal and external users, comprehensive identity governance, privileged access management, and integrated multi-factor authentication (MFA) capabilities.
With modern IAM in place, your organization can effectively enforce least privilege access that restricts access to only what is absolutely required for an employee or contractor to perform his or her job. This starts with implementing role-based and attribute-based access controls (RBAC and ABAC) to help ensure that users have access only to appropriate permissions.
If more access is needed, it can easily be requested and granted, but with time-based or location-based constraints that further minimize this attack surface by taking contextual factors into account.
Additionally, some modern IAM solutions enable just-in-time (JIT) access, where access can be granted for predetermined periods of time and only on an as-needed basis. This allows for granular, short-term access if a user doesn’t have access to an application or system via their “birthright” access from existing RBAC and ABAC access control policies.
The other part of this equation is preventing unauthorized access in the first place. With today’s threats, single-factor authentication simply isn’t enough, especially given the known weaknesses of traditional username/password authentication. Implementing MFA, especially on all privileged accounts and business-critical systems, is a must.
Of course, not every situation requires the same level of authentication. That’s why it’s important to have an MFA solution that allows for flexible authentication policies that both enhance security for your organization and ease of use for your users.
A crucial part of this is taking contextual factors into account and adapting the level of authentication required based on the risks involved. Risk-based authentication is a form of strong authentication that calculates a risk score for any given access attempt in real time, based on a predefined set of rules. If a login attempt exceeds the risk threshold, then more stringent authentication is required.
It’s Time for Zero Trust
Digital transformation opens up vast opportunities for both enterprises and attackers. To ensure that your enterprise takes advantages of those opportunities for growth while limiting the opportunities for attackers to access your valuable assets, you need to adopt a zero trust model that puts a robust IAM solution with integrated multi-factor authentication capabilities at the core of your security program.