14 steps to enforce a Zero Trust security model
Many organizations have understood that they need a new approach to digital workplace security – and that this should be a top priority. “Most security experts agree that the way to go is to enforce a so-called Zero Trust security model, which means that you always verify identities before trusting them. One of the steps to enforcing Zero Trust is to partner up with a vendor such as Nexus,” says Magnus Malmström, CEO of identity company Nexus Group.
With the conventional security model, you implement perimeter protection, and then blindly trust anyone and anything inside that perimeter. You might also use anti-virus software and password-based credentials as extra layers of protection.
“But cybercrime has become a huge threat to democracy and to the infrastructure of our societies, and industrial espionage is one of the biggest threats to your organization. This means that the conventional security model is no longer reliable,” says Malmström.
Don’t trust anyone or anything
Most security experts agree that you need a dynamic and active security architecture to protect your organization against evolving and ever more sophisticated cybersecurity threats.
“They also agree that it’s imperative you don’t trust anyone or anything before verifying their identity. You should always authenticate and authorize every user, device, and network flow before you grant them access to any digital resources. Passwords are no longer sufficient; every user or device needs a digital identity that can be trusted,” says Malmström.
This new, alternative security approach is known as the Zero Trust model, Zero Trust network or Zero Trust architecture. The name Zero Trust was coined in 2010 by John Kindervag, who at the time was a principal analyst at Forrester Research Inc.
“So, how do you create and enforce a Zero Trust architecture? You take these 14 steps,” says Malmström.
1. Analyze the current state of your organization’s identity management
Enterprises are typically built up through many acquisitions, which means that they have a lot of legacy systems. They also usually have many locations and rely on outsourcing to various degrees.
“This means that enterprises often have several identity and access management (IAM) systems and mobile device management (MDM) systems,” says Malmström.
To find the gaps in your current IAM environment, evaluate its maturity, and incorporate these findings into your security strategy, you can use the Forrester Identity Management Maturity Model. The model defines five maturity levels, ranging from non-existent identity management (level 1) to optimized identity management (level 5).
“Our experience at Nexus is that many enterprises are on level 2, which means that the identity management process is intuitive and undocumented. On level 2, the process usually looks like this: when a new employee joins the organization, they meet with an IT admin who sets up their email and other applications. The IT admin knows exactly what needs to be done, without following any formalized process,” says Malmström.
When an employee resigns, the IT admin in a level 2 organization manually deprovisions them from all the applications.
“Level 2 enterprises often have over 30 identity stores used by multiple applications – and the same user is duplicated in each identity store, with no connection between the duplicated identities,” says Malmström.
2. Have the IT and HR departments team up
The IT department shouldn’t manage the Zero Trust transformation alone – the HR department has the potential to play a key role.
“Onboarding and offboarding of employees, as well as organizational changes, are key events in an organization’s identity management process. For instance, the onboarding process is a terrific opportunity to achieve a strong level of identity assurance for employees. A similar approach should be adopted when it comes to introducing new endpoint devices – such as smartphones, laptops, desktop computers, tablets, thin clients, and printers – to the network,” says Malmström.
3. Allocate budget for the transformation to a Zero Trust model
With the increasing cybercrime threat, most enterprises are willing to increase their IT security budget.
“Be the person who takes responsibility and makes sure that budget is allocated for your organization’s Zero Trust transformation,” says Malmström.
4. Partner with an identity company such as Nexus
The basis of the Zero Trust model is to create a trusted digital identity for each person and thing your organization interacts with.
“Partnering with an identity company such as Nexus lets you do this. It also lets you create a self-service driven and audit-friendly process that protects all your resources with multi-factor authentication,” says Malmström.
5. Decide which area to start with
If you have a complex IT environment with legacy systems, the move to Zero Trust will be a multiphase, multiyear project.
“Decide which area to start with, and if possible, go for a greenfield environment: this is the perfect place to start your Zero Trust journey,” says Malmström.
6. Use security keys as the root of trust and allow controlled identity derivations
Each person or thing should have a so-called security key as their main credential to verify their identity. This security key can come in different forms: for connected devices, it is embedded in the device itself. For people, it can be embedded on a smart card or on a YubiKey, for example.
“Connected devices have it easier than people: they always have their security key with them wherever they are, and they can use their security key for all the applications they need. Meanwhile, people are tied to their desktops by smart cards and YubiKeys,” says Malmström.
To increase user convenience and mobility, you can derive strong digital identities from the security keys via a seamless self-service process. This allows secure access from smartphones, tablets, and laptops, and can also be combined with security features such as biometrics or geo-fencing.
7. Let your HR system be both the start and end point of your IAM process
The HR department is the first to say hello and the last to say goodbye to employees and contractors.
“This means that your HR system is the natural start and end point of your IAM process for people. A single click in the HR system can grant the right access at the right time to the right person – and one click can take away all access rights to all your digital and physical resources. One click in, and one click out,” says Malmström.
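The "one click in, one click out" process described here, together with the duplicated identities across many stores from step 1, can be checked mechanically by reconciling the HR roster against every identity store. The following is an added example, not Nexus code: the HR records, store names and accounts are constructed sample data, and the store names are hypothetical.

```python
"""Reconcile an HR roster (the authoritative source) against several identity
stores: who must be provisioned (joiner), who must be deprovisioned (leaver),
which accounts have no HR record at all, and which users are duplicated.
Added example with constructed data; store names are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    employee_id: str
    email: str
    active: bool


# Constructed HR roster: HR is the start and end point, so it decides who is active.
HR_ROSTER = [
    Employee("E001", "alice@example.test", active=True),
    Employee("E002", "bob@example.test", active=False),   # resigned, still has accounts
    Employee("E003", "carol@example.test", active=True),  # new joiner, no accounts yet
]

# Constructed identity stores: store name -> set of account e-mails.
IDENTITY_STORES = {
    "mail": {"alice@example.test", "bob@example.test"},
    "vpn": {"alice@example.test", "bob@example.test", "dave@example.test"},
    "crm": {"alice@example.test"},
}


def reconcile(roster, stores):
    """Return, per store, the provision / deprovision / orphan lists.

    provision   - active employees with no account in that store (the "click in")
    deprovision - accounts whose HR record is inactive (the "click out")
    orphan      - accounts with no HR record at all; nobody owns the identity
    """
    active = {e.email for e in roster if e.active}
    inactive = {e.email for e in roster if not e.active}
    actions = {}
    for name, accounts in stores.items():
        actions[name] = {
            "provision": sorted(active - accounts),
            "deprovision": sorted(accounts & inactive),
            "orphan": sorted(accounts - active - inactive),
        }
    return actions


def duplicate_identities(stores):
    """Map each e-mail to the number of stores it appears in, for those in more than one.
    Each extra copy is an unlinked duplicate that offboarding has to reach."""
    counts = {}
    for accounts in stores.values():
        for email in accounts:
            counts[email] = counts.get(email, 0) + 1
    return {email: n for email, n in counts.items() if n > 1}


def offboard(email, stores):
    """The single "click out": remove the account from every store that has it
    and return the names of the stores that were touched."""
    touched = sorted(name for name, accounts in stores.items() if email in accounts)
    for name in touched:
        stores[name].discard(email)
    return touched


if __name__ == "__main__":
    for store, acts in reconcile(HR_ROSTER, IDENTITY_STORES).items():
        print(store, acts)
    print("duplicated across stores:", duplicate_identities(IDENTITY_STORES))
    print("offboarded bob from:", offboard("bob@example.test", IDENTITY_STORES))
```

Running the reconciliation on a schedule, rather than only at onboarding and offboarding events, is what turns the HR system into the real start and end point: the orphan list ("dave" above) is exactly the kind of account that a level 2 organization never finds.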
8. Implement federation-based access
If you use federation-based access that is based on both SAML (Security Assertion Markup Language) and OpenID Connect, you can support access to all kinds of resources and enable single sign-on.
9. Use a hardware security module (HSM)
An HSM is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing.
“You can use an on-premises HSM or a cloud-based version,” says Malmström.
10. Consider using Azure Active Directory (Azure AD)
Azure AD is Microsoft’s cloud-based identity and access management service.
“This is a great service, especially for organizations that have a Microsoft environment,” says Malmström.
11. Play with Windows Autopilot
Windows Autopilot is Microsoft’s technology for setting up and pre-configuring new devices. You can also use Windows Autopilot to reset, repurpose, and recover devices.
“This means that Windows Autopilot can play an important role in managing the security profiles of your endpoint devices,” says Malmström.
12. Explore the Automatic Certificate Management Environment (ACME) protocol
If you use ACME as the communication protocol for automating certificate management for web servers, you can deploy public key infrastructure at a low cost.
13. Include physical access control in the scope
If you include physical access control in the authorization processes, you ensure full control.
14. Use trusted third-party identities where available
If you have customer portals in countries with trusted third-party identities, use those identities.
“Your customers shouldn’t only be using passwords to access your customer portal. Preferably, they shouldn’t use their social media profiles either – these kinds of profiles are easy to spoof,” says Malmström.
Published 10/5 2019