For decades, access to corporate digital resources was restricted only by perimeter protection technologies such as firewalls and intrusion detection systems, and by passwords for user authentication.
Passwords soon proved inadequate to prevent unauthorised access, and two-factor authentication (2FA), such as tokens or one-time codes sent in a text message, was introduced. 2FA greatly increased security, but still suffered from a fundamental weakness: it was typically only used to secure the perimeter. Once the accessing agent passed authentication, it was trusted and granted unlimited access to the protected resources.
Perimeter security, when access is protected by 2FA, can be adequate when the perimeter is limited and clearly defined. But today, resources are spread across in-house data centres and public and private clouds.
It is much more difficult to define and protect the perimeter in that environment. This is leading many organisations to adopt a zero trust mindset, pursue the principles of zero trust, and then implement solutions accordingly to secure their assets.
With zero trust, every attempted access is subject to strong authentication, the accessing device is checked for authority to access and, most importantly, once these tests are passed, that user (and that device) can access only resources previously specified.
RSA offers multiple tools that provide and support zero trust security.
RSA’s SecurID Suite combines multi-factor authentication with access management and identity governance; and RSA NetWitness is a security information and event management (SIEM) solution that spans all IT environments: cloud, on premises and virtual.
ZERO TRUST AND WHY IT IS NEEDED
The limits of perimeter security
In today’s world, where resources are spread across multiple locations, it would be impracticable to apply perimeter controls to each individual resource. Applying a consistent policy across environments supported by multiple vendors is even more challenging.
And in today’s virtualised data centre environment, where the majority of traffic is east-west and workloads move between different environments, the idea of a secure perimeter is becoming obsolete.
Finally, perimeter security can offer no protection against a threat that originates within the secure perimeter, such as an insider gone rogue.
Meet zero trust
The term zero trust, coined by Forrester in 2010, is based on the premise that nothing is inherently safe, and everything must be continuously verified. “Trust nothing. Verify everything.”
Zero trust leverages different access control, data protection and data governance technologies, principally:
– multi-factor authentication for robust verification of user identity;
– access device identification and verification;
– access policy enforcement;
– security information and event management (SIEM) and threat intelligence to continuously monitor the zero trust protected environment, and to identify and respond to any threats detected.
Recently, the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-207, Zero Trust Architecture, which describes in detail the principles, design, and technologies recommended for pursuing zero trust.
Zero trust in action
The key feature of zero trust that extends it beyond these component technologies is that the level of protection is determined by the nature and value of the asset being protected.
There is no one-size-fits-all approach in zero trust. It requires a new mindset, a new approach to IT security: one based on the value of assets to be protected, rather than simply striving to build an impregnable perimeter – an exercise that, in today’s world, is doomed to failure.
The growth of zero trust
Acceptance and uptake of zero trust are growing rapidly. According to Cybersecurity Insiders’ 2019 Zero Trust Adoption Report (published January 2020), 78 percent of IT security teams are looking to embrace zero trust, with more than a third having made measurable progress.
Cybersecurity Insiders also found 47 percent of enterprise IT security teams lack confidence in their ability to provide zero trust with their current security technology.
In the UK the National Cyber Security Centre is working on a set of zero trust architecture design principles, available on GitHub. Details of its beta version were announced in a blog post on 29 October.
ZERO TRUST THE RSA WAY
There is no all-encompassing zero trust security solution. Zero trust is pursued through applying combinations of technologies, sometimes differently than initially intended at the time of purchase. Two essential elements are sophisticated and robust identity and access management (IAM), and security information and event management (SIEM).
RSA SecurID Suite is an IAM solution that goes beyond identity verification to determine access based on multiple parameters including the role, history, and behaviour of the user and the business context and risks associated with the assets and resources to which they request access.
It enables organisations of all sizes to mitigate identity risk and maintain compliance without impeding user productivity. Its quick configuration options enable access policies to be implemented rapidly in response to changing business needs and regulatory requirements.
RSA NetWitness Platform extends the capabilities of security information and event management (SIEM) systems, enabling security teams to rapidly discover compromises, understand their full scope and respond before threats impact the business.
It applies advanced technology to detect, prioritise and investigate threats in a fraction of the time of other security products. It exposes the full scope of an attack by connecting incidents over time, prioritising incidents quickly, and delivering deeper insights from both automation and machine learning.
IT’S TIME FOR ZERO TRUST
Today’s complex IT environments, combined with a rapid increase in the number and sophistication of cyber attacks, have created a perfect storm of security challenges that traditional perimeter security is unable to address.
One answer, as evidenced by its growing uptake, is zero trust security. However, when developing a zero trust strategy and selecting the technologies to implement it, organisations should be mindful that not all security technologies meet the requirements necessary for pursuing zero trust.
Tightly integrated IAM is essential for robust zero trust security: to identify the person seeking access, to confirm their rights to the device being used for access, and to verify that both are authorised to access the resource requested.
RSA has solutions that enable organisations to implement and maintain robust zero trust security. Contact RSA to learn more.