Implementing A Zero-Trust Architecture? Be Sure To Include Behavioral Analytics To Bolster Security


Saryu Nayyar | Forbes.com

The traditional method of securing an organization’s computing environment is to put security measures at the perimeter of the network. The intent is to keep out all that’s bad and keep in all that’s good. However, cloud computing, distributed assets, the Internet of Things and mobile and remote users blew up the traditional perimeter. This is causing a serious rethink of the way that organizations protect their critical data and applications.

Traditional security takes the approach that the trust of a user and their device is established when logging into a network, resource or application. Once trust is established, and access is gained, there’s little to no continued challenge to that person’s right to access the asset—or perhaps even other assets on the same network. This approach overlooks the threats of stolen credentials, man-in-the-middle attacks and malicious insiders. Even multifactor authentication (MFA) when logging in can’t eliminate the risks.

The simple notion of “trusted insiders” and “untrusted outsiders” is doomed to fail. This has given rise to the concept of zero trust, which assumes that no person or entity is inherently trusted. Instead, a strict process of authentication plus authorization plus device status check is the first step to gaining access to an asset. Then, continued status verification is required to maintain access. In addition, the target assets are totally hidden from everyone and everything except for the users who are specifically white-listed for approved access.

These principles are the heart of a zero-trust architecture (ZTA), the next generation of enterprise security. As cyber threats continue to rise, private sector businesses are adopting ZTA or developing a strategy to do so. What’s more, the U.S. Department of Defense (DoD) and all Federal Civilian Executive Branch (FCEB) agencies are mandated by executive order to implement a ZTA strategy. They’re required to achieve specific zero-trust security goals by the end of September 2024.

What’s a zero-trust architecture?

The National Institute of Standards and Technology (NIST) provides the following definitions: “Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies.”

The National Cybersecurity Center of Excellence is developing a how-to guide for implementing ZTA for common use cases. The working group calls out four key functions of ZTA, drawn from NIST’s cybersecurity framework.

Identify: This step involves taking inventory of and categorizing an organization’s assets and resources. This will help prioritize those critical assets that should be hidden behind the veil of zero trust.

Protect: Many functions are incorporated here, including verifying the identity of people and nonperson entities, ascertaining their authorization status for accessing an asset and performing integrity checks of access devices and user risk profiles. Once the various checks are done, and all looks good, the person or entity may gain session-limited access to an asset.

Detect: Now, the system will conduct continuous monitoring to look for anomalous behaviors, actions and conditions that vary from accepted baselines and could be potential threats.

Respond: If threats are detected, they must be contained and mitigated to prevent harm. A response could be as simple as dropping a user’s connection to the target asset.

Behavioral analytics is a key detection mechanism.

Behavioral analytics is an important element of the “detect” stage of ZTA. In cybersecurity, behavioral analytics is the process of collecting activity data on people and nonperson entities, analyzing it and comparing the results to accepted baselines and peer activities. The activity data is fed into a machine learning system that uses customized models to search for patterns in the data, correlations among datasets and anomalies in the behavior. As an example, an anomaly might be someone doing something that’s against company policy, such as attaching a file containing sensitive data to an email.

When anomalies are found, the “respond” stage of ZTA is activated. Most likely, an alert would be sent to a security operations center (SOC) and may trigger an automated response, such as suspending the suspicious activity or isolating the user account. In addition, the anomalous activity factors into a risk score attached to that user’s or entity’s profile, which in turn ties back to the criteria evaluated for authorization status for access to the asset.

This is best explained with an example. An engineer working for a U.S. defense contractor needs access to mechanical drawings for a weapons system. He works on a team with many other engineers. One day, the engineer brings up the specifications for a new weapons guidance system under development. He attempts to save the file to a thumb drive on his local computer. The behavioral analytics system detects that this is a prohibited action for someone of his position. What’s more, the system compares this action to what all other engineers on that team typically do, and the activity really stands out as anomalous. This automatically triggers an alert to the SOC and disconnects the engineer from the network. His supervisor is notified of the abnormal action. The high-risk nature of this incident factors into the engineer’s online profile. The next time he attempts to log in to this system, the authorization process requires his supervisor to approve or deny his access.
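The scenario above, reduced to a small working model as an added illustration (this is not code from the article or from any vendor product; the activity log, policy table, point values and thresholds are all constructed assumptions). It shows the three pieces the example relies on: a role policy check, a comparison against what the user's teammates do, and a per-request authorization decision that consumes the accumulated risk score.

```python
from collections import defaultdict

# Constructed sample activity log (not real data): (user, team, role, action).
# dave's "usb_write" is the save-to-thumb-drive action from the article.
EVENTS = [
    ("alice", "guidance", "engineer", "open_drawing"),
    ("bob", "guidance", "engineer", "open_drawing"),
    ("bob", "guidance", "engineer", "edit_drawing"),
    ("carol", "guidance", "engineer", "open_drawing"),
    ("carol", "guidance", "engineer", "edit_drawing"),
    ("dave", "guidance", "engineer", "usb_write"),
]
# Policy and thresholds are illustrative assumptions, not values from the article.
PROHIBITED = {"engineer": {"usb_write"}}  # actions this role may never take
PEER_RARE = 0.3             # anomalous if fewer than 30% of peers ever do it
RISK_POLICY_VIOLATION = 60
RISK_PEER_ANOMALY = 30
STEP_UP_THRESHOLD = 50      # accumulated risk at/above this forces step-up

def peer_baseline(events, user, team, action):
    """Fraction of the user's teammates (user excluded) who have done `action`."""
    peers = {e[0] for e in events if e[1] == team and e[0] != user}
    actors = {e[0] for e in events if e[0] in peers and e[3] == action}
    return len(actors) / len(peers) if peers else 0.0

def score_event(events, user, team, role, action):
    """Detect stage: (risk_points, reasons) for one observed action."""
    points, reasons = 0, []
    if action in PROHIBITED.get(role, set()):          # against policy for the role
        points, reasons = points + RISK_POLICY_VIOLATION, reasons + ["policy_violation"]
    if peer_baseline(events, user, team, action) < PEER_RARE:  # unlike the team
        points, reasons = points + RISK_PEER_ANOMALY, reasons + ["peer_anomaly"]
    return points, reasons

def run_detection(events):
    """Score each event, accumulate per-user risk, record the response taken."""
    profile, responses = defaultdict(int), []
    for user, team, role, action in events:
        points, reasons = score_event(events, user, team, role, action)
        if points:
            profile[user] += points
            responses.append((user, action, "alert_soc+disconnect", reasons))
    return profile, responses

def authorize(profile, user):
    """Per-request decision that consumes the risk score built up by detection."""
    if profile.get(user, 0) >= STEP_UP_THRESHOLD:
        return "require_supervisor_approval"
    return "allow"
```

Only dave's event trips both checks, so only his profile crosses the step-up threshold and his next access request is routed for supervisor approval, while his teammates' identical drawing activity stays at "allow".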

In sum, a zero-trust architecture is an ecosystem of processes built around specific assets. Using behavioral analytics to evaluate risk is a critical piece of this security architecture.

About the Author
Saryu Nayyar, CEO, Gurucul

Saryu Nayyar is CEO of Gurucul, a provider of behavioral security analytics technology and a recognized expert in cyber risk management.
