How to achieve a Zero Trust security model

Many organizations have understood that they need a new approach to digital workplace security, and that it is a matter of top priority. Cybercrime is the largest threat to our democracy and to society-critical infrastructure, but also to your own assets, which face industrial espionage. 2020 will mean larger budgets to enhance security, and it is time to embrace the “never trust, always verify” concept. The result will be both a strategic and a cultural transformation. “Vendors like Nexus are your best technology partner choice for a smooth start into the Zero Trust journey”, writes Magnus Malmström, CEO of identity company Nexus Group.

In the conventional security model, you implement perimeter protection and then blindly trust anyone and anything inside that perimeter. Anti-virus software, firewalls and password-based credentials are added as extra layers of protection.

Don’t trust anyone or anything

The Zero Trust network model, also called Zero Trust architecture, was created in 2010 by John Kindervag, at the time a principal analyst at Forrester Research Inc. Most security experts today agree that a dynamic and active security architecture is required to protect against constantly evolving, sophisticated cybersecurity threats. All access must be cut off by default, and nothing but the authentication factors is trusted until it is proven that you are who you claim to be.

In a Zero Trust architecture, you trust no one and nothing before verifying who they are and what access rights they have. This cannot be accomplished until every device, user and network flow is authenticated and authorized. Passwords have played out their role, and many organizations are looking for a corporate key: a security key that can be embedded into automation, used in all scenarios, and still offers real user convenience.
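Stated as code, the rule that every user, device and flow is verified on each request, with network location never counting as trust. This is an added example, not code from the article or from Nexus; the assurance levels, resource names and policy thresholds are constructed for illustration.

```python
# Zero Trust access decision: every request re-verifies user, device and flow.
# Added example, not from the original article or Nexus. The assurance levels,
# device attributes and per-resource thresholds are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    assurance: int          # authenticator strength: 1 password, 2 OTP/derived credential, 3 smart card/hardware key
    device_managed: bool    # enrolled in endpoint management
    device_compliant: bool  # passed its health/compliance check
    network: str            # "corp" or "internet": recorded for audit, never a source of trust
    resource: str


# Minimum assurance level required per resource (constructed policy table).
REQUIRED_ASSURANCE = {"wiki": 1, "hr-portal": 2, "finance-ledger": 3}


def decide(req: AccessRequest) -> tuple[str, str]:
    """Return (decision, reason) where decision is 'allow', 'step_up' or 'deny'.

    The network field is deliberately never consulted: a request from the
    corporate LAN goes through exactly the same checks as one from the internet.
    """
    if req.resource not in REQUIRED_ASSURANCE:
        return "deny", "unknown resource, default deny"
    if not req.device_managed:
        return "deny", "unmanaged device"
    if not req.device_compliant:
        return "deny", "device failed compliance check"
    required = REQUIRED_ASSURANCE[req.resource]
    if req.assurance >= required:
        return "allow", f"assurance {req.assurance} meets required {required}"
    # Known identity, authenticator too weak: demand a stronger factor (e.g. the
    # smart card) rather than denying, so the user can re-verify and continue.
    return "step_up", f"assurance {req.assurance} below required {required}"


def audit_line(req: AccessRequest) -> str:
    """One audit-friendly line with the decision and every input that produced it."""
    decision, reason = decide(req)
    return (f"user={req.user} resource={req.resource} network={req.network} "
            f"managed={req.device_managed} compliant={req.device_compliant} "
            f"assurance={req.assurance} decision={decision} reason=\"{reason}\"")
```

A password-only session on the corporate LAN is stepped up rather than trusted, while a smart card login from the internet on a compliant device is allowed.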

From a conceptual point of view it is straightforward: every user or device needs a trusted identity. For the digital workplace, the HR department has the potential to play a key role. Onboarding, organizational change and offboarding are all key events in a person's life cycle at a corporation, and onboarding in particular is a great opportunity to establish a strong level of identity assurance. It is not only about people, however: a similar approach is needed as new endpoints are introduced into the network. DevOps and continuous development flows have recently made environments very dynamic, and endpoints such as conference room equipment need to be protected as well.

Reality complicates theory

In recent years there has been a lot of buzz about identity and access management and a passwordless society.

However, reality complicates theory. Enterprises are typically built up through many acquisitions, which means they have a lot of legacy systems. They usually also have many locations and rely on outsourcing to varying degrees. There are often different identity and access management systems and enterprise device management systems for different systems and locations, which makes a security architecture built on one trusted identity for things and people a true challenge for any organization, and for large organizations in particular.

Forrester Identity Management Maturity Model

To address these challenges and provide a model to work against, Forrester developed the Forrester Identity Management Maturity Model. With this model, one can identify the gaps in the current Identity and Access Management (IAM) environment, evaluate its maturity, and incorporate those findings into the security strategy.

The Maturity Model ranges from Nonexistence (level 0) to Optimized (level 5). Based on Nexus’ experience, many organizations are at level 2, where the process is intuitive, not documented and carried out only when necessary. An employee on their first day must meet an IT person to get email and other applications set up; the IT admin knows exactly what needs to be done. Whenever an employee resigns, the IT admin must manually deprovision the user from all the applications. At this level it is not unusual to find more than 30 identity stores used by multiple applications, with the same user duplicated in each identity store and no correlation handling between them.

Digital identity is growing as user experience evolves

A digital identity is a collection of electronically captured and stored identity attributes that uniquely describes a person within a given context and is used for electronic transactions. Identity management means the systems and processes that manage the life cycle of individual digital identities. Security-sensitive organizations tend to trust smart cards and a multi-factor authentication infrastructure, whether the digital identity is placed on a Yubico security key or on a true smart card. For those organizations, it is easier to start addressing the one-identity concept and to always verify the identity. There is, however, a strong trend to build on the mobility of derived identities. This is a big deal for smart card users, since it opens up the whole world of mobile devices through a seamless self-service process. Employees are no longer tied to their desktops for secure access. For highly secure enterprises, this marks the beginning of a more mobile, secure and digital workforce, and it can be combined with mobile security features like biometrics or geo-fencing.

Having read this far, you have laid the foundation for Zero Trust. Through modern technology and open standards it is possible to verify the identity against all available resources.

The technologies behind Zero Trust and how to start the Zero Trust journey

  • You partner with an Identity and Access Management (IAM) solution provider. This lets you create one trusted identity for multi-factor authentication, with a self-service driven and audit-friendly business process to protect all your machines, applications and physical resources.
  • You use the smart card as the root of trust but allow controlled derivation to a strong digital identity that offers greater user convenience and supports smartphones, tablets and laptops. At this point you have laid the foundation for always verifying the digital identity against all resources.
  • You let your HR system be both the start and end point of the process, since the HR department is the first to say hello and the last to say goodbye to employees and contractors. This means that a single click in the HR system grants the right access at the right time to the right person, and that one click takes away all access to all your digital and physical resources. One click in, and one click out.
  • You decide on federation-based access based on both SAML and OpenID Connect, which allows the identity to be used in single sign-on scenarios and supports access management for all kinds of resources.
  • You include physical access control in the authorization business processes to ensure full control.
  • Seek a greenfield environment. Play and learn. That is the perfect place to start your Zero Trust journey. If you have a complex IT environment and legacy systems, a move to Zero Trust is most likely to be a multiphase, multiyear project.
  • Explore the Automatic Certificate Management Environment (ACME) protocol as the communications protocol for automating certificate management for web server endpoints, allowing automated deployment of public key infrastructure at very low cost. There are several open source ACME clients available, such as acme.sh, WinCertes, dehydrated and Certbot.
  • The majority of Nexus’ customers have a Microsoft environment. They in particular should look into using Microsoft Azure AD and its conditional access to enable Zero Trust, empowering the IAM solution and making identity the new control plane. Look also into Microsoft Autopilot, as it will play an important role in managing the security profiles of the endpoints.
  • If you offer customer portal access in a region where trusted third-party identities such as eIDAS-approved ones exist, make sure to use them and terminate your use of usernames and passwords. Moreover, question where you use social media log-in, as those accounts are easy to fabricate.
  • Use a Hardware Security Module (HSM) on-premises, or a cloud HSM, for cryptographic processing, digital signatures and authentication. It can encrypt, decrypt, create, store and manage the digital keys used in IAM solutions.
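The "one click in, one click out" HR-driven process from the list above, and the orphaned accounts it is meant to eliminate across the many uncorrelated identity stores described at maturity level 2, as an added example that is not the article's or Nexus' code. The store names, employee ids and logins are constructed; the HR employee id serves as the correlation key.

```python
# HR-driven joiner/leaver provisioning across several identity stores.
# Added example, not the article's or Nexus' code. Store names, employee ids and
# logins are constructed; the stores stand in for the uncorrelated identity
# stores the article describes at maturity level 2.
from dataclasses import dataclass, field


@dataclass
class IdentityStore:
    name: str
    # Keyed by HR employee id: the correlation handle tying one person's accounts together.
    accounts: dict = field(default_factory=dict)


class HrDrivenLifecycle:
    def __init__(self, stores: list[IdentityStore]):
        self.stores = stores
        self.active_employees: dict[str, str] = {}  # employee_id -> name; HR is the source of truth

    def onboard(self, employee_id: str, name: str, login: str) -> None:
        """One HR 'hello' event provisions one correlated account in every store."""
        self.active_employees[employee_id] = name
        for store in self.stores:
            store.accounts[employee_id] = {"login": login, "enabled": True}

    def offboard(self, employee_id: str) -> int:
        """One HR 'goodbye' event disables every correlated account; returns the count."""
        self.active_employees.pop(employee_id, None)
        disabled = 0
        for store in self.stores:
            account = store.accounts.get(employee_id)
            if account and account["enabled"]:
                account["enabled"] = False
                disabled += 1
        return disabled

    def orphans(self) -> list[tuple[str, str]]:
        """Enabled accounts with no active HR record: the gap manual deprovisioning leaves."""
        return sorted((store.name, eid) for store in self.stores
                      for eid, acct in store.accounts.items()
                      if acct["enabled"] and eid not in self.active_employees)


def demo() -> tuple[int, list[tuple[str, str]]]:
    stores = [IdentityStore("azure-ad"), IdentityStore("legacy-erp"), IdentityStore("door-access")]
    # Constructed legacy account created by hand and never linked to an HR record.
    stores[1].accounts["E9999"] = {"login": "contractor.old", "enabled": True}
    lifecycle = HrDrivenLifecycle(stores)
    lifecycle.onboard("E1001", "Alice Example", "alice")
    disabled = lifecycle.offboard("E1001")  # one click out: all 3 accounts disabled
    return disabled, lifecycle.orphans()    # only the hand-made legacy account is left
```

Running `orphans()` on a schedule is the detection control for this gap: any enabled account without a matching HR record shows up regardless of which of the stores it lives in.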

Team up to make it happen

More good news: if you start in one area, it will only take a few months to implement, not years.

So, who will take the lead in your organization? Who makes sure the budget increases in 2020?

If you are head of IT or HR, team up, and you make it happen.

Magnus Malmström, CEO of Nexus Group