Zero Trust means strong, frictionless PAM and other controls
Article by ThycoticCentrify chief security scientist Joseph Carson.
It’s no secret that cybersecurity has a reputation for generating friction. But as we saw with working from home – and will continue to see with hybrid working – strong security controls are necessary. Threat actors are increasingly taking advantage of flexible working environments where users log in from different locations and use a mix of work and personal devices.
Organisations must continue to step up their security controls to mitigate these risks. Zero Trust strategies – implemented via a range of identity verification and privilege management solutions – offer an effective and adaptive approach, provided friction is kept low enough for everyone to stay productive. The fine balance between productivity and security is crucial.
To visualise how strong controls may or may not generate friction, imagine an organisation’s information infrastructure as something like a bank’s safe deposit box service, with security guards on the door.
The strictest control would be to have the guards check the ID of each and every customer, demanding reliable, government-sanctioned ID – passports and driver’s licenses, not library cards. This approach has the highest chance of keeping out those who are not authorised, but it causes the most friction and can be frustrating for legitimate visitors.
A frictionless version would be to have the guards assess all the visitors by sight only. Anyone who seems legitimate is nodded through; anyone who appears suspicious needs to present their ID. This creates a much better visitor experience but creates risk if the guards cannot accurately identify everyone coming in.
A third option that also presents a frictionless experience is to continuously monitor how visitors use their access once they are in the safe deposit area, with individuals being challenged if they try to visit other areas or tamper with other boxes.
Think of Zero Trust as a digital polygraph test
While these scenarios help illustrate how security controls might work, not all of them are practical in a physical setting. In a digital environment, however, any or all of these approaches can be effectively implemented with a Zero Trust strategy.
Obviously, employees don’t want to be constantly interrupted by security controls. Equally, organisations looking to minimise friction still want to accurately identify users and exclude unauthorised actors. Finding ways to move security controls into the background, but still be strong and effective, is the way to keep productivity and security balanced.
The solution to achieving this balance is a Zero Trust strategy using a risk-based approach with verification measures that vary based on factors such as the user’s device or the systems and information they access. Think of Zero Trust as a digital polygraph test that adapts to the risk potential of each interaction and – if implemented properly – authenticates users with as little friction as possible.
Key to Zero Trust is the ability to adapt security measures and verify authorisation at every point, and there are many technologies and techniques that can minimise the impact on users. Single sign-on (SSO), for example, significantly reduces friction because users only have to be verified once to gain access to different systems and information. With SSO, however, it is important that passwords are not the only security control.
PAM, EPM and MFA’s role in Zero Trust
Strong privilege controls are a vital element in reducing risk. A comprehensive Privileged Access Management (PAM) solution allows organisations to adopt the principle of least privilege so that users can only access the data and applications they need. In particular, PAM controls the privileges of admin accounts, which adversaries target to gain full access to systems. It also controls access to valuable or sensitive information by privileged users, who are themselves targets for cybercriminals.
Endpoint privilege management (EPM) is an important tool that addresses risks associated with local admin access exploited by ransomware and other threats. EPM combines application control and PAM, so only trusted applications can be run on user devices. It allows security to be adaptive and evolve to address new threats as opposed to relying on usernames and passwords and trusting users to always do the right thing.
Multi-factor authentication (MFA) is also an effective way to enforce adaptive authentication and has become very user-friendly in recent years, thanks to biometrics. When users act suspiciously, such as attempting to access assets they don’t usually need or logging in from new devices or locations, they can be challenged and have to verify themselves.
With MFA, behaviour can be continuously monitored in the background, and additional verification is required when a user exceeds their risk score limit.
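To make the risk-based, step-up model described above concrete, here is an added worked example (not code from the article or from ThycoticCentrify) of a small adaptive authentication policy. Each access request is scored against what the user normally does (known devices, usual locations, usual resources, working hours, whether the resource is sensitive); below a limit the request is allowed silently, above it an MFA challenge is required, and above a higher ceiling it is blocked and flagged for the SOC. After a successful challenge the new device and location are learned, so the same context is frictionless next time. The signal weights, thresholds, resource names and user profile are all constructed assumptions for illustration.

```python
"""Adaptive (risk-based) authentication policy: score each access request
against the user's normal behaviour and step up verification only when the
score crosses a limit. Hypothetical example; every weight, threshold and
sample value below is an illustrative assumption, not a product setting."""
from dataclasses import dataclass, field

# Assumed working hours used for the off-hours signal (local time, 0-23).
WORK_HOURS = range(7, 20)
# Constructed sample of resources treated as sensitive; in practice this
# comes from the organisation's asset inventory.
SENSITIVE_RESOURCES = {"admin-console", "hr-database"}

# Assumed risk weight per signal. Higher means the signal is a stronger
# indicator that the request is not the legitimate user.
WEIGHTS = {
    "new_device": 30,
    "new_location": 25,
    "unusual_resource": 20,
    "sensitive_resource": 25,
    "off_hours": 10,
}
STEP_UP_LIMIT = 30   # at or above this score: require an MFA challenge
BLOCK_LIMIT = 90     # at or above this score: block and alert the SOC


@dataclass
class UserProfile:
    """What the user normally does, learned over time (the 'background' baseline)."""
    known_devices: set = field(default_factory=set)
    usual_locations: set = field(default_factory=set)
    usual_resources: set = field(default_factory=set)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    location: str
    resource: str
    hour: int  # local hour of the request, 0-23


def risk_signals(req, profile):
    """Return the names of every risk signal that fires for this request."""
    signals = []
    if req.device_id not in profile.known_devices:
        signals.append("new_device")
    if req.location not in profile.usual_locations:
        signals.append("new_location")
    if req.resource not in profile.usual_resources:
        signals.append("unusual_resource")
    if req.resource in SENSITIVE_RESOURCES:
        signals.append("sensitive_resource")
    if req.hour not in WORK_HOURS:
        signals.append("off_hours")
    return signals


def risk_score(req, profile):
    """Sum the weights of all firing signals into a single risk score."""
    return sum(WEIGHTS[s] for s in risk_signals(req, profile))


def decide(req, profile):
    """Map the score to an action: allow silently, challenge with MFA, or block."""
    score = risk_score(req, profile)
    if score >= BLOCK_LIMIT:
        action = "block"
    elif score >= STEP_UP_LIMIT:
        action = "step_up_mfa"
    else:
        action = "allow"
    return {"user": req.user, "score": score, "action": action,
            "signals": risk_signals(req, profile)}


def record_verified(req, profile):
    """After a successful MFA challenge, learn the device and location so the
    same context no longer generates friction on the next login."""
    profile.known_devices.add(req.device_id)
    profile.usual_locations.add(req.location)


# Constructed sample profile and requests (not real users or devices).
PROFILES = {
    "alice": UserProfile(known_devices={"laptop-0a1"},
                         usual_locations={"London"},
                         usual_resources={"email", "wiki"}),
}
SAMPLE_REQUESTS = [
    AccessRequest("alice", "laptop-0a1", "London", "email", 10),        # routine
    AccessRequest("alice", "phone-77f", "London", "email", 10),         # new device
    AccessRequest("alice", "unknown-dev", "Lagos", "admin-console", 3),  # many signals
]


def run_samples():
    """Evaluate the constructed requests; returns one decision dict per request."""
    return [decide(r, PROFILES[r.user]) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for decision in run_samples():
        print(decision)
```

The three sample requests produce `allow` (score 0), `step_up_mfa` (score 30, new device only) and `block` (score 110, every signal fires). The design point is that only the signals list and the two limits need tuning: a practitioner can start with step-up only, watch how often legitimate users are challenged, and raise or lower the limits before enabling blocking.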
A mindset to guide organisations on a journey
Zero Trust is not a single solution but more a mindset to guide organisations on a continuous journey of stepwise improvements. Each organisation needs to determine which controls will achieve the biggest risk reduction based on a clear understanding of the value of their assets and a dynamic assessment of potential risks and impacts.
Equally, organisations need to maximise productivity at every step. Security controls need to be as frictionless as possible, particularly in a hybrid working environment. At the same time, they must present the biggest possible barriers to attackers to either prevent their exploits or increase the chance that they will be identified and stopped before achieving their goals.
About the author
Joseph Carson is the chief security scientist & advisory CISO for ThycoticCentrify, a leading provider of cloud identity security solutions formed by the merger of privileged access management (PAM) leaders Thycotic and Centrify. Carson has over 25 years’ experience in enterprise security, is the author of “Privileged Account Management for Dummies” and “Cybersecurity for Dummies”, and is a cybersecurity professional and ethical hacker. He is a cybersecurity advisor to several governments and the critical infrastructure, financial and transportation industries.