Trust No One: The Philosophy of Zero Trust with MFA
I’ve been catching up on the riveting television series drama The Americans, and there’s one character I can’t help but feel sorry for. Stan Beeman is a FBI counterintelligence agent that devotes his life to keeping the United States safe against the Soviets.
With a modus operandi of “trust no one,” he loses his wife and practically everything in his life. But his devotion to his country and his mission isn’t futile, because when it comes to espionage and treason, even the people on the inside could be double agents.
While we’re free from the Cold War era, we’ve entered the Cloud era, which has its own gripping tale. Traditional constructs of on-site employees and on-premises solutions are morphing into remote workers with cloud access. So now our security and protections must evolve by questioning the trust we’ve placed on credentials, IDs, and IP addresses to prove identity.
Are You Who You Say You Are?
Companies are too often lackadaisical with security by only employing a reactive approach of perimeter security. Next-generation firewalls and secure web gateways are there to capture the bad guys (or bots) and at the very least deter them from infiltrating organizations, data, and applications.
As we shift to the cloud, access and security can’t be habitual. We must begin to question the intent and identity even if an address originates from a “trusted” virtual private cloud or network segment. And, are the policies in place able to keep pace with dynamic, scalable, and distributed multi-cloud environments?
These queries land us on “Zero Trust,” a central topic at Black Hat USA 2018 conference, one of the largest cybersecurity events in the world. As a philosophy Stan Beeman practiced back in the 1980s, today, Zero Trust is working its way into an industry standard.
Get to Know Zero Trust
Where traditional security constructs relied on trusted IDs, and IP addresses, the Zero Trust model assumes that by default the network is a hostile place of not only external threats, but internal. Now, corporate networks can’t rely on using perimeter- and endpoint-based controls, approved IP addresses, ports, and protocols to validate applications, data, and end-users. By assuming that malicious intent can stem from an internal source, passing through a perimeter “security checkpoint” isn’t sufficient to identify a threat.
The emergence of this philosophy is well timed as ubiquitous use of the cloud, proliferation of software and applications, third-party system interconnectivity, and other factors change what it means to effectively secure the network. With flashy data breaches and regulations like GDPR placing pressure on today’s security teams, we have to find a way to move protection closer to workloads inside of the network.
Stopping Lateral Attacks
With a single successful phishing attack of an authorized insider, hackers can gain a foothold to move laterally within the network. From there, the malicious actor could move ‘east-west’ into internal system or ‘north bound’ into the cloud for unfettered access to business critical data and applications. Even if the internal networks were broken into “trust zones,” the perimeter constructs would be ineffective since attackers could gain enough information to piggyback on authorized network access policies, or operating as the compromised user with the keys to the kingdom.
Although Zero Trust isn’t a specific approach yet, it comes with a recommendation for all organizations to begin using multi-factor authentication (MFA) to harden administrative access. It works as a significant roadblock at various granular levels of the perimeter by using the principle of least privilege that decides trust based on variables of each request. Even if an attacker were able to get past the MFA, it would at the very least delay lateral movement and increase the likelihood of detection.
As cloud-fronts scale dynamically and the traditional perimeter evaporates, all organizations must work towards defense-in-depth that can stop compromise and attack progression of network-borne threats. Our consultants at Edgeworx use the latest security technologies to keep customer networks safe and free from both internal and external malicious attacks. To learn more, read our blog: Two-Factor Authentication: Proving Identity with Modern Security.