
Zero Trust in the Trenches: Common Mistakes That Lead to Compromise

A decade ago, everyone used network segmentation to protect data and services. This was done by putting sensitive services on a private network (an intranet) and services for customers or other third parties onto a public network (the perimeter network). This model worked, but it meant putting your trust in your network, so that people either had to physically be in the office or use a virtual private network (VPN) to gain access. It also meant that would-be attackers had to either join the network physically (using Wi-Fi or gaining physical access) or find a weakness in the VPN.

The New Reality

Enter: SaaS solutions and remote work. IT and security teams quickly learned that internal services behind VPNs could not handle the strain of a remote global workforce. They needed a new way to grant access – one that validated and trusted devices and users instead of the network.

This is what’s commonly referred to as Zero Trust. The continued shift to cloud and a remote workforce has moved the Zero Trust model from being a novel idea to an essential approach for your security. If you’re still using traditional network segmentation as your only means to protect employees not on the network or to protect your cloud applications, you likely have a security problem.

Considerations when setting up Zero Trust

Zero Trust can be implemented in a few ways, and there are many vendors who can assist. They all have fundamental ideas in common. First, knowing what devices and users your organization has, and subsequently their roles, is a must for proper implementation. This means a good configuration management database, as well as strong identity and access management and mobile device management, are vital to your success. Authentication is key, which is why it’s important that you are using multi-factor authentication (MFA) for your users. Avoid the use of SMS and rely on FIDO (Fast IDentity Online) implementations as much as possible. Zero Trust allows for conditional access, where you can apply role-based access controls to your services. Depending on the tooling, this can include read/write access to SaaS platforms, denial to untrusted or non-compliant devices, or denial of access to administrative services from personal devices.

A common failing in Zero Trust implementations is the failure to fully commit. It is a lot of work to move from a legacy intranet to full SaaS/IaaS cloud solutions. As a result, implementations are often done in stages, which can lead to interim exposure of workloads and data. Often the solution is only half implemented, usually falling short on insufficient or nonexistent multi-factor authentication or a lack of device authentication.

How Incompletely Implemented Zero Trust Can Go Wrong

Our own Secureworks® Adversary Group performs thousands of penetration tests and Red Team engagements every year. Many of those engagements are for customers somewhere on their Zero Trust journey.

We have discovered that Zero Trust, much like other security technologies and approaches, is only as good as its implementation. Without strong device controls it can be easy to steal credentials, phish for a second factor, and log in to services from untrusted devices. Without strong mobile device management and authenticated/trusted devices, access is only a couple of clicks away.

Our testing has revealed the following gaps in Zero Trust implementations:

  • Using SaaS authentication without device authentication: Many SaaS authentication systems do provide device authentication and/or conditional access, but simply using those services without configuring and testing those features can leave you exposed.
  • Poor/weak multi-factor authentication: MFA fatigue and reliance on SMS or other weak authentication methods are common issues that can impair your security posture. Man-in-the-middle attacks are also possible with MFA that is not resistant to phishing, which can lead to a compromised account.
  • No device authentication: Without device authentication, there is no way to know what the authenticating device is doing or if it’s secure. This can lead to sensitive data on compromised or vulnerable systems.
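The conditional-access rules described in the considerations section and the gaps listed above can be expressed as a small policy evaluator. The following is an added example written for this post, not code from Secureworks or from any Zero Trust vendor; the `Device`, `AccessRequest` and `Decision` types, the resource names (`crm`, `admin-console`, `iam`) and the rule that ordinary SaaS write access requires phishing-resistant MFA are assumptions chosen to illustrate the post's points (deny unmanaged or non-compliant devices, reject SMS or absent MFA, deny administrative services from personal devices, and require FIDO2 for administrators).

```python
"""Illustrative Zero Trust conditional-access evaluator (added example).

Encodes the controls discussed in the post: device authentication and
MDM compliance, rejection of weak MFA, and role/device-based restrictions
on administrative services. All type names, resource names and the
read-only fallback for non-phishing-resistant MFA are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class MfaMethod(Enum):
    NONE = "none"
    SMS = "sms"      # weak: SIM swap / interception
    PUSH = "push"    # approve-to-login prompts, subject to MFA fatigue
    TOTP = "totp"    # phishable via real-time relay
    FIDO2 = "fido2"  # origin-bound, phishing-resistant


PHISHING_RESISTANT = {MfaMethod.FIDO2}
WEAK_METHODS = {MfaMethod.NONE, MfaMethod.SMS}

# Hypothetical resource names for the example.
ADMIN_RESOURCES = {"admin-console", "iam"}


@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled in MDM (device is known/authenticated)
    compliant: bool        # passes posture checks (disk encryption, patch level, ...)
    corporate_owned: bool  # False for personal / BYOD devices


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    mfa: MfaMethod
    device: Device
    resource: str


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    access: str = "none"  # "read" or "read-write" when allowed


def evaluate(req: AccessRequest) -> Decision:
    """Apply the policy rules in order; the first failing rule denies."""
    d = req.device

    # 1. Device authentication: only known, compliant devices get anything.
    if not d.managed:
        return Decision(False, "unmanaged device")
    if not d.compliant:
        return Decision(False, "non-compliant device")

    # 2. Weak or missing MFA is never sufficient.
    if req.mfa in WEAK_METHODS:
        return Decision(False, f"weak mfa: {req.mfa.value}")

    # 3. Administrative services: admin role, corporate device, FIDO2.
    if req.resource in ADMIN_RESOURCES:
        if "admin" not in req.roles:
            return Decision(False, "role not authorized for admin resource")
        if not d.corporate_owned:
            return Decision(False, "admin access from personal device")
        if req.mfa not in PHISHING_RESISTANT:
            return Decision(False, "admin access requires phishing-resistant mfa")
        return Decision(True, "admin policy satisfied", "read-write")

    # 4. Ordinary SaaS: phishing-resistant MFA unlocks write; otherwise read-only
    #    (assumed step-down rule, not from the post).
    access = "read-write" if req.mfa in PHISHING_RESISTANT else "read"
    return Decision(True, "saas policy satisfied", access)


def run_samples() -> dict:
    """Constructed sample requests covering each rule; returns name -> Decision."""
    corp = Device(managed=True, compliant=True, corporate_owned=True)
    byod = Device(managed=True, compliant=True, corporate_owned=False)
    unknown = Device(managed=False, compliant=False, corporate_owned=False)
    admins = frozenset({"admin"})
    sales = frozenset({"sales"})
    return {
        "admin_fido2_corp": evaluate(AccessRequest("alice", admins, MfaMethod.FIDO2, corp, "admin-console")),
        "admin_sms": evaluate(AccessRequest("alice", admins, MfaMethod.SMS, corp, "admin-console")),
        "admin_byod": evaluate(AccessRequest("alice", admins, MfaMethod.FIDO2, byod, "admin-console")),
        "admin_push": evaluate(AccessRequest("alice", admins, MfaMethod.PUSH, corp, "iam")),
        "sales_totp_crm": evaluate(AccessRequest("bob", sales, MfaMethod.TOTP, corp, "crm")),
        "sales_fido2_crm": evaluate(AccessRequest("bob", sales, MfaMethod.FIDO2, corp, "crm")),
        "sales_unmanaged": evaluate(AccessRequest("bob", sales, MfaMethod.FIDO2, unknown, "crm")),
    }


if __name__ == "__main__":
    for name, decision in run_samples().items():
        verdict = f"ALLOW ({decision.access})" if decision.allow else "DENY"
        print(f"{name:18s} {verdict:18s} {decision.reason}")
```

The ordering matters: device posture is checked before the user's factors, so a valid FIDO2 assertion from an unmanaged laptop is still refused, which is the "SaaS authentication without device authentication" gap closed. Real conditional-access products express the same rules declaratively; the point of the evaluator is that each gap in the list above corresponds to a rule that is either missing or left in its default state.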

Even with strong mobile device management, adversaries can steal a device and perform direct attacks against it. In a popular service offered by the Secureworks Adversary Group, a customer ships a pre-configured laptop to a tester, much like they would provide a laptop to a new employee or contractor, to see how secure it is. In several cases the tester has taken a powered-off, full-disk encrypted laptop and become an administrator within their cloud environments. Using a mix of direct-access hardware attacks and abusing cached credentials, it is possible to collect all the variables needed for successful authentication and access.

Benefits of Zero Trust

The beauty of a well-implemented Zero Trust solution is that it can offer your employees a flexible working environment while also giving your IT team a broader selection of software options. The particulars, of course, come down to how you safeguard both your users and their devices. Strong authentication is crucial, and granting access to resources on the principle of least privilege can empower your staff to work from virtually anywhere while also ensuring that both your workforce and most valuable data remain free from harm. Talk to one of our experts to learn more if you’re interested in testing your Zero Trust program.
