Saryu Nayyar | forbes.com
Perimeter-based security, built on the principle of “trust but verify,” has been rendered obsolete now that IT infrastructures are borderless. Bring your own device (BYOD) practices, cloud services, mobile everything and digital transformation have created a vast attack surface that cannot be walled off.
In response, organizations are moving from “trust but verify” to zero trust architectures. A zero trust information security framework grants no implicit trust to any entity, inside or outside the IT infrastructure, at any time: every request is verified before access is granted.
As cited in a Cyber Security Hub article, zero trust architectures are based around the idea of “never trust; always verify” and are “designed to address lateral threat movement within the network by leveraging microsegmentation and granular perimeter enforcement, based on user, data and location.”
Verifying every request in this way requires the ability to process vast amounts of telemetry data. Behavior analytics makes it possible to understand and act on activity in real time. For example, combining analytics with zero trust can take passwords, one of the largest problems that plagues cybersecurity, out of low-risk interactions entirely.
It all begins with context. By collecting context from disparate sources, including structured data, unstructured data and identity information, it’s possible to know who the people are, what the machines are, what access entitlements they hold, and what they are doing in terms of activities and transactions.
All of this context can be linked together and compared with each user’s or entity’s baseline behavior patterns, and even those of their peer groups, to generate a continuously updated risk score that rises when anomalies occur. This risk score can be used to raise alerts, drive orchestration playbooks and provide intelligence to downstream systems such as access policy engines.
Zero Trust Use Cases
Let’s consider some zero trust use cases and how they can be achieved with analytics.
Device and user inventory and fidelity, or understanding who or what is on the network, is a top concern for organizations we work with. User fidelity includes knowing who is on the network, whether they are who they claim to be and what they can access. For example, if a user is accessing an IT resource, do they need that access, and if they do, should they be given it under every circumstance?
One large healthcare company we work with wanted to improve their user experience and eliminate friction on a customer-facing mobile application by making it passwordless in low-risk scenarios. Their customer portal services about 13 million users.
They wanted to collect behavior and profile information from the application to establish and return risk context to make real-time decisions about when and how to challenge users for authentication.
By applying analytics to telemetry about the user and device context, including behavior information, location and keystroke patterns, a risk score can be generated. This risk score determines whether the user is granted access or allowed to execute a transaction, or is instead challenged for some form of identity credential.
In this case, the zero trust model significantly increased usage of the application by reducing friction, and it improved the protection of customers’ personally identifiable information. So, it was a huge success for the company.
Another customer wanted to provide remote employees access to a sensitive application but had geolocation concerns. Specifically, they needed to enforce access policies that would grant or deny remote access based on the user’s location and type of device. In this case, analytics provided the context needed to determine whether to allow or deny access — or grant partial access (read-only) to the application.
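The risk-scoring loop described in the preceding sections (a user's activity compared with their own baseline and their peer group's baseline, a continuously updated score, and a policy that grants access, challenges for a credential, or limits access by device and location) as an added Python example. This is illustrative code written for this page, not Gurucul's product logic or either customer's deployment; the feature names, thresholds, decay factor, histories and events are all assumptions constructed for the demonstration.

```python
"""Behavioral risk scoring feeding a zero trust access decision (added example).

Not a vendor's or customer's code: a user's current activity is compared with
that user's own baseline and with their peer group's baseline; deviations feed
a running risk score that decays while behavior stays normal, and a policy maps
the score plus device/location context to allow, read-only, step-up or deny.
All histories, events and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

FEATURES = ("login_hour", "mb_downloaded", "failed_logins")
SIGMA_FLOOR = 0.5   # keeps a near-constant history from flagging every tiny change
Z_NORMAL = 2.0      # deviations under two sigma count as normal
Z_CAP = 8.0         # one wild feature cannot dominate the score on its own
DECAY = 0.75        # fraction of the previous score carried into the next event
WEIGHT = 10.0       # score points per unit of anomaly


@dataclass
class Baseline:
    mu: dict
    sigma: dict

    @classmethod
    def from_history(cls, rows):
        return cls(
            mu={f: mean(r[f] for r in rows) for f in FEATURES},
            sigma={f: max(pstdev([r[f] for r in rows]), SIGMA_FLOOR) for f in FEATURES},
        )


def anomaly_points(event, own, peers):
    """Anomaly of one event relative to the user's own and peer baselines.

    A feature only counts when it is unusual for the user AND for the peer
    group (the smaller of the two z-scores), so work that is new for this user
    but routine for the team does not raise risk. The excess over Z_NORMAL is
    summed, with each feature capped at Z_CAP.
    """
    points = 0.0
    for f in FEATURES:
        z_own = abs(event[f] - own.mu[f]) / own.sigma[f]
        z_peer = abs(event[f] - peers.mu[f]) / peers.sigma[f]
        points += max(0.0, min(z_own, z_peer, Z_CAP) - Z_NORMAL)
    return points


class RiskEngine:
    """Continuously updated per-user risk score in [0, 100]."""

    def __init__(self, own, peers):
        self.own, self.peers, self.score = own, peers, 0.0

    def update(self, event):
        pts = anomaly_points(event, self.own, self.peers)
        self.score = min(100.0, self.score * DECAY + WEIGHT * pts)
        return self.score


def decide(score, device_managed, location_allowed):
    """Policy: risk score plus device/location context -> access decision."""
    if not location_allowed or score >= 80:
        return "DENY"
    if score >= 50:
        return "STEP_UP"     # challenge for a credential before granting
    if not device_managed:
        return "READ_ONLY"   # unmanaged device: partial access only
    return "ALLOW"           # low risk on a managed device: no password prompt


# Constructed sample data: one user's recent sessions and her peer group's.
ALICE_HISTORY = [
    {"login_hour": 9, "mb_downloaded": 20, "failed_logins": 0},
    {"login_hour": 10, "mb_downloaded": 35, "failed_logins": 1},
    {"login_hour": 9, "mb_downloaded": 25, "failed_logins": 0},
    {"login_hour": 8, "mb_downloaded": 40, "failed_logins": 0},
    {"login_hour": 10, "mb_downloaded": 30, "failed_logins": 0},
]
PEER_HISTORY = [
    {"login_hour": 8, "mb_downloaded": 50, "failed_logins": 0},
    {"login_hour": 9, "mb_downloaded": 120, "failed_logins": 1},
    {"login_hour": 11, "mb_downloaded": 80, "failed_logins": 2},
    {"login_hour": 10, "mb_downloaded": 150, "failed_logins": 1},
]
ROUTINE = {"login_hour": 9, "mb_downloaded": 30, "failed_logins": 0}
EVENTS = [  # (features, device_managed, location_allowed)
    (ROUTINE, True, True),                                                      # routine session
    ({"login_hour": 9, "mb_downloaded": 150, "failed_logins": 0}, True, True),  # big for Alice, normal for peers
    (ROUTINE, False, True),                                                     # routine, but unmanaged device
    ({"login_hour": 22, "mb_downloaded": 30, "failed_logins": 2}, True, True),  # late night with some failures
    ({"login_hour": 3, "mb_downloaded": 400, "failed_logins": 5}, True, True),  # off-hours bulk download after failures
    (ROUTINE, True, True),                                                      # back to normal: score decays
    (ROUTINE, True, True),
    (ROUTINE, True, True),
    (ROUTINE, True, False),                                                     # disallowed location
]


def evaluate(history, peer_history, events):
    """Run events through the engine; returns (score, decision) per event."""
    engine = RiskEngine(Baseline.from_history(history), Baseline.from_history(peer_history))
    out = []
    for features, managed, loc_ok in events:
        score = engine.update(features)
        out.append((round(score, 2), decide(score, managed, loc_ok)))
    return out


if __name__ == "__main__":
    for (f, managed, loc_ok), (score, decision) in zip(EVENTS, evaluate(ALICE_HISTORY, PEER_HISTORY, EVENTS)):
        print(f"hour={f['login_hour']:>2} mb={f['mb_downloaded']:>3} failed={f['failed_logins']} "
              f"managed={managed!s:5} loc_ok={loc_ok!s:5} -> risk={score:6.2f} {decision}")
```

Two design points worth noting. Taking the smaller of the own-baseline and peer-baseline z-scores is what lets the 150 MB download pass with zero risk: it is far outside Alice's history but ordinary for her peers. And because the score decays rather than resets, the off-hours bulk download keeps the user in step-up territory for two further routine sessions before access returns to passwordless, which is the "continuously updated" behavior the text describes; the exact thresholds and decay are tuning choices, not fixed values from the page.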
The National Institute of Standards and Technology’s Computer Security Resource Center recently published a paper on zero trust (Special Publication 800-207, Zero Trust Architecture) that lists some of its most common use cases, which include enterprises with satellite facilities, multicloud enterprises, enterprises with contracted services and/or nonemployee access, collaboration across enterprise boundaries, and enterprises with public- or customer-facing services.
Getting Started With Zero Trust
There are five main steps for implementing zero trust security: identifying sensitive data, mapping the flows of sensitive data, architecting zero trust microperimeters, continuously monitoring a zero trust ecosystem with security analytics, and embracing security automation and orchestration.
Like any IT project, it’s best to limit the initial implementation of zero trust to a specific use case. This keeps any stumbling blocks, and their impact on business operations, limited in scope. Also, working with technology partners experienced in deploying enterprise zero trust architectures can help avoid common pitfalls associated with do-it-yourself deployments.
Security-savvy organizations are recognizing the benefits of a zero trust architecture for shrinking their attack surface, as well as reducing friction for low-risk users, assets and activities. Meanwhile, the vast sources of data continuously being generated by devices and applications now make it possible to establish the context needed to operate on the “never trust; always verify” security principle.
What’s required, however, is specialized analytics that can transform very large volumes of data into actionable intelligence. Put another way, to implement zero trust architectures, we need to understand how risky something or someone is in order to apply the appropriate level of control to each user, entity and request.
Saryu Nayyar is CEO of Gurucul, a provider of behavioral security analytics technology and a recognized expert in cyber risk management.
External Link: The Role Of Security Analytics In Zero Trust Architectures