One of the central paradoxes of cybersecurity is that we all say there is never enough budget, staff, and resources to manage what we have, let alone keep pace with developments in technology and threats. Yet many security teams continue to try to weave an array of products from multiple vendors into tightly integrated platforms that span remote sites, corporate facilities, and multi-cloud deployments. This traditional approach has been difficult from the outset, but it is now hopelessly ill-suited to today's highly distributed networks. Recent high-profile disruptions and breaches illustrate the challenges of trying to operate multiple products and vendors as an integrated solution. Organizations of every size are struggling: small and medium-sized businesses, global enterprises, and public sector agencies from the local to the national level are all contending with the complexity and lack of visibility this creates.
At a time when leading cybersecurity organizations and governments are saying it is time to adopt the zero-trust security model, the question is how. What do you need to do to get from the current state of dysfunction to a place where you can ensure least-privilege access?
The principle of least privilege is a foundational tenet of cybersecurity designed to limit user access to the minimum levels of access needed to perform a function. Users are given no more authorizations than necessary, so legitimate users get access only to the resources they need to perform their duties, but nothing else.
Least privilege is one of the key tenets of the zero trust security model, which assumes that nothing and no one should be trusted until proven otherwise, and then continuously assessed for risk. Based on continuous identification and authentication of users and their devices, as well as risk assessment, zero trust requires consistent visibility and control across LAN, WAN, data center, and cloud edges. However, when an organization uses non-integrated point products from multiple vendors, each with its own dashboard and difficult integrations, the architecture can easily become so complex that it creates more risk than it mitigates.
In my experience, embarking on a least privilege strategy and the adoption of zero trust tactics requires a platform approach with products that are integrated by design. In practice, traditional multi-vendor strategies are simply too complex and incapable of addressing the volume, variety, and velocity of data and threats found in today’s networks. Organizations need a broad, integrated, and automated platform that can identify and mitigate threats at speed and scale.
Zero Trust Network Access (ZTNA) solutions need to be tightly integrated. You can then implement least privilege strategies by identifying and classifying all the users and devices that seek network and application access, assessing their state of compliance with internal security policies, automatically assigning them to zones of control, and continuously monitoring them, both on and off the network.
The zero trust model implements least-privilege access by restricting user access to only the resources that are necessary for a given role. It also supports the identification, monitoring, and control of networked devices. Solutions used for zero trust security include network access control, remote access and endpoint telemetry, identity management, and two-factor authentication. Here are some tips to consider.
Maintaining continuous visibility and access control of devices on the network has historically been difficult. Organizations should look for a network access control solution that supports agentless data collection to provide extensive visibility into everything on the network. The solution should be able to accurately discover and identify every device on or seeking access to the network, scan it to ensure that it is not already compromised, and classify it by role and function. By integrating network access control with next-generation firewalls, you can enable intent-based segmentation, which bases segmentation on business objectives, such as compliance with data privacy laws.
To extend Zero Trust access control and user and device access to applications both on and off the network, organizations need an endpoint client. Organizations should look for a client that ensures endpoint visibility and compliance and that can share endpoint telemetry for unified awareness. This data can include device operating system and applications, known vulnerabilities, patches, and security status. For ZTNA, the client agent provides the device posture check and the user identification as part of the verification process as well as creating the encrypted tunnel from the device to the proxy point.
Organizations also need identity management, which serves as the hub of authentication, authorization, and accounting (AAA) with access management, single sign-on, and guest management services. The solution should establish user identity through logins, certificates, and multi-factor inputs and then share these inputs with role-based access control services to match an authenticated user to specific access rights and services.
Multi-factor Authentication (MFA) can be provided in a number of ways, including tokens, one-time passwords, biometrics, or a variety of other form factors encompassing something you know, something you are, or something you have.
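To show how the pieces above (device posture from the endpoint client, zone assignment, identity with MFA, and role-based access control) combine into a single least-privilege decision, here is an added example policy evaluator. It is illustrative code written for this article, not any vendor's product; the roles, resources, factor names and posture thresholds are constructed assumptions, and access is denied by default and re-evaluated on every request so that a change in device posture revokes access mid-session.

```python
from dataclasses import dataclass

# Assumed RBAC policy: which resources each role may reach (sample values).
ROLE_RESOURCES = {
    "finance": {"erp", "payroll"},
    "engineer": {"git", "ci"},
    "contractor": {"ticketing"},
}
SENSITIVE = {"payroll"}  # resources that require a fully trusted device

# Map each authentication factor to its category: know / have / are.
FACTOR_CATEGORY = {"password": "know", "token": "have",
                   "otp": "have", "fingerprint": "are"}


@dataclass
class Device:
    device_id: str
    os_patched: bool   # telemetry reported by the endpoint client
    known_vulns: int   # unpatched known vulnerabilities on the device
    edr_running: bool  # endpoint security agent healthy


@dataclass
class Session:
    user: str
    role: str
    factors: list      # factors presented at login, e.g. ["password", "otp"]
    device: Device


def device_zone(dev):
    """Classify device posture into a zone of control."""
    if not dev.edr_running or dev.known_vulns > 0:
        return "quarantine"
    if not dev.os_patched:
        return "restricted"
    return "trusted"


def mfa_satisfied(factors):
    """MFA means at least two distinct categories, not two of the same kind."""
    categories = {FACTOR_CATEGORY.get(f) for f in factors} - {None}
    return len(categories) >= 2


def decide(session, resource):
    """Return (allow, reason); every check must pass, otherwise deny."""
    if not mfa_satisfied(session.factors):
        return False, "mfa_not_satisfied"
    zone = device_zone(session.device)
    if zone == "quarantine":
        return False, "device_quarantined"
    if resource not in ROLE_RESOURCES.get(session.role, set()):
        return False, "not_in_role"
    if zone == "restricted" and resource in SENSITIVE:
        return False, "unpatched_device_sensitive_resource"
    return True, f"allowed:{zone}"
```

Calling `decide()` again after the device's telemetry changes is what makes the control continuous rather than a one-time gate at login.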
By taking a cybersecurity mesh platform approach, organizations can move forward with least privilege strategies that work no matter what stage of implementation they are at and no matter where their users, devices, or resources are located. This model of network security reduces the attack surface while providing secure access to applications and dynamic access control. CISOs should consider charting a realistic path for their transition, focused on the tips above.