What is Zero Trust?
The Zero Trust Security Model assumes that no one is to be implicitly trusted: it removes the inherent trust that has crept into our network and cloud infrastructures. Under Zero Trust, every identity, internal or external, is treated as a potential threat to the organization’s network security and must be verified and authorized before access is granted.
“Trust None, Verify All”
This is in stark contrast to the “castle and moat” approach that many organizations still use, where only external identities had to be verified. Internal users of the network, usually located within the four walls of the organization, were implicitly trusted.
The castle-and-moat approach worked reasonably well when most organizations ran on-prem networks, but as more organizations migrate to the cloud out of economic and business necessity, this implicit-trust approach needs to be abandoned in favor of the Zero Trust Security Model.
Who “invented” Zero Trust?
John Kindervag is today widely recognized as the “father” of Zero Trust. While an analyst at Forrester Research, he coined the term in a September 2010 report that laid out the concept and the architecture needed to implement the Zero Trust Security Model.
The concept took off after Google began adopting Zero Trust principles a few years later in its BeyondCorp initiative, and other organizations soon followed suit.
Why do we need Zero Trust?
The stakes are high
As your organization moves data, applications, and workloads to the cloud, misconfigurations and inadequate security controls and guardrails give internal and external threat actors openings to reach them for criminal ends.
Organizations that suffer a breach usually face financial and reputational losses. Some, especially SMBs, do not survive the aftermath.
Cyberattacks on the rise
Cyberattacks are undeniably on the rise. 2021 saw 1,862 reported data breaches, surpassing the previous record of 1,506 set in 2017, according to CNET. As more companies adopt cloud technologies to accelerate growth and support the new norm of remote work, more attacks are highly likely.
The old security approach is no longer effective
Access to applications and data used to be available only to employees inside the four walls of an office, so most organizations adopted a castle-and-moat security approach: perimeter firewalls kept untrusted external traffic out.
This approach breaks down in the cloud, because the cloud has no single perimeter to defend. One of its advantages is precisely that it is open and can be reached from anywhere, which means your controls have to travel with the identity and the resource rather than sit at a network edge.
You are responsible for the security of your data
Many people mistakenly believe that Cloud Service Providers (CSPs) are responsible for securing your assets.
That is not true. Under the Shared Responsibility Model, the CSP is responsible for security of the cloud: the hardware, software, networking, and facilities that run it. You are responsible for security in the cloud. The exact split shifts with the service model (IaaS, PaaS, SaaS), so check your provider’s published responsibility matrix for each service you use.
In general, you remain responsible for securing your information and data, application logic and code, identity and access, and platform and resource configuration.
The proliferation of personal and IoT devices
As the workforce becomes increasingly mobile, employees use their own devices, such as mobile phones and tablets, to access data and applications in the organization’s cloud.
Mandating that employees use only employer-issued devices helps in principle, but such mandates are rarely observed unless they are enforced technically, for example by checking device identity and posture at sign-in.
Privately owned devices may not be properly secured and may carry malware the user is unaware of. The device, and not just the user, therefore needs to be verified at every access, in keeping with the “trust none, verify all” approach of Zero Trust.
What Zero Trust is and what it is not
The Zero Trust Security Model is not something that can be bought off-the-shelf, installed, and implemented like many security products.
Instead, Zero Trust is a security framework based on a set of principles that removes implicit trust and enforces a “trust none, verify always” security model to safeguard your cloud infrastructure.
It’s not easy to implement and will require constant revisions and “upgrades” as your cloud infrastructure and operating environment evolves to meet new challenges and adapt to changing requirements.
How about the Principle of Least Privilege? Is it the same as Zero Trust?
The short answer is no.
Here’s the more detailed answer: the Principle of Least Privilege (PoLP) is a key component of Zero Trust, but it is not, in essence, Zero Trust.
The Zero Trust model has other components that govern, for example, how a network should be segmented, how data should be protected, endpoint detection, automation and control, and other considerations.
When organizations want to control access and permissions to applications and data in a Zero Trust environment, the Principle of Least Privilege is perhaps the best policy.
What is the Principle of Least Privilege?
The Principle of Least Privilege (PoLP) is a cybersecurity best practice to control and restrict access to high-value data and assets. The principle applies to identities, applications, systems, and connected devices.
Effective PoLP enforcement protects privileged credentials and applies flexible controls that balance security and compliance requirements against the organization’s business and operational needs.
Done well, PoLP should not impede or slow work; stakeholders keep the access they need to do their jobs efficiently and safely, and nothing more.
Why is the Principle of Least Privilege important?
82 percent of the breaches analyzed in Verizon’s 2022 Data Breach Investigations Report involved the human element, which covers social engineering, human error, and misuse of identities and permissions.
PoLP is important for organizations like yours that want to:
- Reduce attack surfaces and improve your cloud security
- Stop the spread of malware
- Limit the blast radius of a compromised account, which supports business continuity
- Streamline compliance and pass audits
How do I implement the Principle of Least Privilege?
1. Identify your data and assets and categorize them
The first step is to identify and categorize your data and assets. Once you have visibility into everything you hold in the cloud, decide which assets are the most sensitive and therefore need the tightest access controls, and which need less protection or none.
2. Who are your users?
Next, you need to decide who your users are and what data and assets they will need access to in order to do their work.
For example, someone in Human Resources won’t need access to your source code repository, and your programmers won’t need, and should not have, access to the payroll records.
At this point, you should take note of which members of the organization will need privileged access. Make a note that these identities will require additional security controls.
You can use Warden IAM, a Cloud Infrastructure Entitlement Management (CIEM) tool, to perform an identity and roles audit. Its graphical interface helps you quickly see which identities have access to which data and resources.
Warden IAM also shows which identities are unused, inactive, or overprovisioned. Use it to “trim the fat”: remove inactive and unused accounts, then check whether the overprovisioned identities actually need their current level of access to do their work. A useful test is to compare the permissions each identity holds against the ones it has actually exercised over a review window; grants that were never used are the first candidates for removal.
3. Implement Role-Based Access Control (RBAC)
Start from deny-by-default: every identity begins with zero access, and each permission must be granted explicitly.
Before assigning permissions, you may want to group your users into functional roles by job function or other variables.
For example, you may want to group everyone in Human Resources under HR and all the programmers under Engineering. This way, you can easily assign new hires to their respective roles based on the departments they belong to and easily remove permissions from a single employee if they leave the company, without affecting the access permissions for other employees.
From here, you can further finetune access permissions for members of a group. For example, while all members of Human Resources will need access to the employee list, only a select few should have access to the payroll list.
4. Additional security controls
Ensure that all identities, and especially privileged ones such as administrator accounts and those belonging to the C-suite, are further secured with Multi-Factor Authentication (MFA). Two factors is the minimum; for privileged accounts, prefer phishing-resistant methods over SMS or one-time codes.
5. Continuous monitoring
Continuously monitor accounts and access patterns to spot anomalies that could indicate a compromised account or unauthorized access to sensitive data.
One good way to do this is with Warden Threat Detection’s User and Entity Behavior Analytics (UEBA), which monitors around the clock and flags anomalous user behavior.
Warden UEBA first observes usage patterns to form a baseline. For example, if an employee, Peter, always logs in at 9 AM from home to access his work files, logs off at 6 PM, and does not touch files after that, those habits become the baseline for monitoring Peter’s account.
If Peter suddenly logs in one day at 10 PM from South Africa to access his files, the login deviates from the baseline on both time and location and can be flagged as a possible compromise and investigated.
6. Continuous reviews and audits
Staff movement within an organization can sometimes be quite fluid. Reassignments, promotions, attrition, and hiring all have an impact on the management of identities.
Use an identity management tool to easily make changes, remove or add identities and access permissions. Warden IAM’s graphical interface further simplifies such reviews and can significantly reduce the time needed for IAM reviews and audits.
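To make the six steps concrete, here is an added Python example that walks through them end to end. It is not code from this page or from Warden; the assets, tiers, roles, identities, access log and login history are constructed sample data, and the role names and the 90-day inactivity threshold are assumptions. It shows deny-by-default RBAC with per-role grants (step 3), which identities touch restricted assets and so need MFA (step 4), an audit for inactive identities and grants that were never exercised (steps 2 and 6), and a simple UEBA-style baseline that flags Peter’s late-night login from a new country (step 5).

```python
"""Least privilege in code: deny-by-default RBAC, entitlement audit, login baseline.
Added example; all data below is constructed, not pulled from a real IAM system."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 9, 1, 12, tzinfo=timezone.utc)  # fixed "now" so the audit is reproducible

# Step 1: classify assets. The tier labels are an assumption; use your own scheme.
ASSET_TIER = {"employee_directory": "internal",
              "payroll_records": "restricted",
              "source_repo": "confidential"}

# Step 3: roles carry explicit (asset, action) grants. Anything not listed here is denied.
ROLE_GRANTS = {
    "hr":          {("employee_directory", "read"), ("employee_directory", "write")},
    "hr_payroll":  {("payroll_records", "read"), ("payroll_records", "write")},
    "engineering": {("source_repo", "read"), ("source_repo", "write")},
}

# Step 2: identities start with zero access and receive roles. "dave" moved from HR to
# Engineering but kept his payroll role, and has not signed in for months.
IDENTITIES = {
    "alice": {"roles": {"hr"},                        "last_login": NOW - timedelta(days=2)},
    "bob":   {"roles": {"hr", "hr_payroll"},          "last_login": NOW - timedelta(days=1)},
    "carol": {"roles": {"engineering"},               "last_login": NOW - timedelta(days=3)},
    "dave":  {"roles": {"engineering", "hr_payroll"}, "last_login": NOW - timedelta(days=120)},
}


def effective_grants(identity):
    """Union of the grants from every role assigned to the identity (empty if unknown)."""
    grants = set()
    for role in IDENTITIES.get(identity, {}).get("roles", ()):
        grants |= ROLE_GRANTS.get(role, set())
    return grants


def is_allowed(identity, asset, action):
    """Deny by default: an unknown identity, asset or action simply matches no grant."""
    return (asset, action) in effective_grants(identity)


def requires_mfa(identity):
    """Step 4: any grant on a restricted-tier asset marks the identity as privileged."""
    return any(ASSET_TIER.get(asset) == "restricted" for asset, _ in effective_grants(identity))


def find_inactive(max_idle_days=90):
    """Steps 2 and 6: identities with no sign-in inside the idle window."""
    cutoff = NOW - timedelta(days=max_idle_days)
    return sorted(name for name, ident in IDENTITIES.items() if ident["last_login"] < cutoff)


def find_overprovisioned(access_log):
    """Grants an identity holds but never used in the log window: candidates for removal."""
    used = defaultdict(set)
    for who, asset, action in access_log:
        used[who].add((asset, action))
    report = {}
    for name in IDENTITIES:
        unused = effective_grants(name) - used[name]
        if unused:
            report[name] = sorted(unused)
    return report


# Constructed access log for the review window: (identity, asset, action)
ACCESS_LOG = [
    ("alice", "employee_directory", "read"),
    ("bob", "employee_directory", "read"),
    ("bob", "payroll_records", "read"),
    ("carol", "source_repo", "write"),
    ("dave", "source_repo", "read"),
]


def build_baseline(logins):
    """Step 5: record the hours of day and countries each identity has been seen from."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set()})
    for who, ts, country in logins:
        baseline[who]["hours"].add(ts.hour)
        baseline[who]["countries"].add(country)
    return baseline


def is_anomalous(baseline, who, ts, country, hour_slack=1):
    """Flag a login outside the identity's observed hours (with slack) or from a new country."""
    seen = baseline.get(who)
    if seen is None:
        return True  # never observed before: always worth a look
    hour_ok = any(abs(ts.hour - h) <= hour_slack for h in seen["hours"])
    return not hour_ok or country not in seen["countries"]


# Constructed history for "peter": sign-ins at 09:00 and 18:00 from Singapore over five days
PETER_HISTORY = [("peter", NOW.replace(hour=9) - timedelta(days=d), "SG") for d in range(1, 6)] + \
                [("peter", NOW.replace(hour=18) - timedelta(days=d), "SG") for d in range(1, 6)]

if __name__ == "__main__":
    print("carol may read payroll:", is_allowed("carol", "payroll_records", "read"))
    print("needs MFA:", [n for n in IDENTITIES if requires_mfa(n)])
    print("inactive:", find_inactive())
    print("overprovisioned:", find_overprovisioned(ACCESS_LOG))
    baseline = build_baseline(PETER_HISTORY)
    print("22:00 from ZA anomalous:", is_anomalous(baseline, "peter", NOW.replace(hour=22), "ZA"))
```

Two design points worth noting. The authorization check never has an "allow" branch for unknown input; it can only succeed by matching an explicit grant, which is what deny-by-default means in practice. The overprovisioning report is deliberately a list of candidates rather than an automatic revocation: a grant that went unused for one window may still be needed (quarter-end payroll runs, break-glass access), so the output feeds the human review in step 6.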
It’s easy to see how the Principle of Least Privilege is a key component of Zero Trust: it enforces a “trust none, verify always” approach to managing identities and access to applications, data, and resources in your cloud.
It is not Zero Trust per se; other pillars of Zero Trust such as endpoint security, network segmentation and so on also need to be implemented to realize a holistic Zero Trust model.
That said, implementing the Principle of Least Privilege is a great first step in your organization’s Zero Trust journey. Using a tool like Warden IAM and UEBA can make your PoLP implementation easier and help you spend less time on identity reviews and audits so you have more time for other cybersecurity issues.
Contact us today to arrange a demo and see how Warden IAM can help you secure your cloud and implement the Principle of Least Privilege and Zero Trust.