5 Principles to Achieve Zero Trust for the Workforce - Establish User Trust (Part 1)
Editor’s note: The journey to zero trust is a multi-step process that encompasses three key areas: the workforce, the workload and the workplace. Today we explore the first step in this five-part blog series—how to establish user trust in the workforce.
What Is the History of Zero Trust?
The principle of least privilege (PoLP; also known as the principle of least authority) has been an essential aspect of IT security for decades. Born out of this philosophy is the concept of “zero trust.” Zero trust is not a single product, rather it is a security framework based on the model of “trust no one.” User trust is not granted until the user can be authenticated and authorized first. The history of the zero-trust journey coincides with the mass adoption rate of mobile devices (endpoints) and devices connected to the internet (screens, IoT, APIs, application and services) that have access to the corporate network.
In 2008, Cisco reported the number of things connected to the internet exceeded the number of people on earth. Prior to the time mobile adoption hit the tipping point, security mostly revolved around keeping everything behind the firewall with workers and contractors tunneling in through their VPN at the office or their MDM. The corporate network was perimeter-based with weak points around remote workers, trusted vendors, partners and customers.
The four important aspects of external network traffic (source address, destination address, port and protocol) were guarded, however if a connection met the specific requirements — the traffic was granted access and user trust was automatic. Little attention was considered for the internal networks once the external traffic was validated. But then, the world became increasingly mobile first and users were no longer connecting from their computer at the office, rather connecting on the go, often using their own personal devices (BYOD bring your own device). With the new technology came new security breaches.
In 2009, a massive Chinese hack known as Operation Aurora targeted at least 34 global organizations. Google had intellectual property stolen in the hack. It was discovered the Chinese military was behind the attack and wanted to gain access to the email accounts of possible dissenters like U.S. government officials, Chinese political activists, military personnel, journalists and Asian officials. Shortly after, McAfee reported the hackers used a zero-day exploit in Internet Explorer that Microsoft had been aware of three months prior but did not release a patch until after the attack.
It was not until 2011 that the security conversation changed dramatically after a zero-day vulnerability in Adobe Flash resulted in the successful phishing attack of RSA tokens. The hack revealed the weakness of RSA’s token-based 2FA. The U.S. Government and its defense contractors relied on RSA tokens to protect access to documents pertaining to research, plans involving various defense technologies, and credentials for regaining access. At the time of the phishing attacks, millions of tokens had to be manufactured, provisioned, and deployed to customers who had to configure their systems and deploy them internally, which was extremely expensive and labor intensive. At the same time, the hackers access began to show. Companies began to seek solutions to zero-day attacks.
The Zero-Trust Framework
The evolution of the zero-trust philosophy was born from the need to think past the firewall and expand the perimeter to anywhere, to ensure protection from stolen or lost credentials, and to protect access to all applications, for any user and device. When 81% of breaches target identity through phishing and spear phishing of compromised credentials, establishing user trust eliminates an incident before it happens.
Duo Security was formed in 2009, when our founders wanted to make zero-trust technology easy and accessible to all companies big or small, not just banks and global corporations. They developed Duo, a cloud-based mobile multi-factor authentication security solution, based on the principle that establishing user trust would eliminate opportunities for zero-day attacks.
Forrester’s Zero Trust eXtended (ZTX)
In 2010, the U.S. House of Representatives on Oversight and Government Reform issued formal guidelines to harden their systems and guided federal agencies to the report by Forrester analyst John Kindervag. Kindervag introduced the term zero trust in his write-up of “Zero Trust Architecture.”
Today Forrester’s Zero Trust eXtended (ZTX) Ecosystem has evolved into a holistic approach to securing data, network, workforce, workloads and workforce with “monolithic perimeters” into a series of micro-perimeters or network segments to apply granular security controls around them.
- Zero Trust Workforce: Authenticate users and continuously monitor and govern their access and privileges
- Zero Trust Workloads: Enforce controls across the entire application stack, especially connections between containers or hypervisors in the public cloud
- Zero Trust Data: Secure and manage data, categorize and develop data classification schema, and encrypt data at rest and in transit
Google began to publish and share their research around their zero-trust approach to security they dubbed BeyondCorp in 2010. Their mission was “to have every Google employee work successfully from untrusted networks without the use of a VPN utilizing single sign-on (SSO), access proxy, access control engine, user inventory, device inventory, security policy and trust repository. Their steps to implement zero-trust architecture include securely identify the device, securely identify the user, remove trust from the network, externalize apps and workflow, and implement inventory-based access control.
- Perimeterless Design: Connecting from a particular network must not determine which services you can access
- Context-Aware: Access to services is granted based on what we know about you and your device
- Dynamic Access Controls: All access to services must be authenticated, authorized, and encrypted
“The first step to moving from a privileged corporate network (usually with a VPN at its core) to a zero-trust network is to know your people and know your devices.”
—Max Saltonstall, Technical Director of Google’s office of the CTO
In 2017, Garner introduced their zero-trust principals—the Gartner CARTA model (continuous adaptive risk and trust assessment).
- Shifts away from one-time binary decisions with context-aware security platforms
- Advocates for microsegmentation using granular policies and controls
- Is always checking to continuously discover, monitor, assess and prioritize digital risk and trusts—reactively and proactively
- Performs risk and trust assessments early
- Moves to a Software-Defined Perimeter (SDP)
Cisco defines the journey to zero trust as three key areas: the workforce, the workload and the workplace.
Zero trust is a modern approach for establishing user trust and securing organizations that:
- Have remote or mobile workers
- Use cloud applications
- Need to secure BYOD access
STEP 1 — ESTABLISH USER TRUST
Can you verify your users are who they say they are? Do you know how many shadow devices (personal devices that are not known) are accessing your network? At the heart and soul of the zero-trust journey is the basic concept: trust no user or device inside or outside the perimeter by default. A zero trust‐centric model is focused on authenticating and authorizing every user and device before granting access to any application. Authenticating users, knowing who they are, where they are, and what devices they are using (and requiring they prove it) and setting granular policies to control access to applications and networks makes up the bulk of security required to achieve and adopt the foundation of zero-trust security.
HOW DO I AUTHENTICATE A USER AND ESTABLISH USER TRUST?
Passwords are extremely vulnerable to hackers as a single factor by themselves. With multi-factor authentication (MFA) a user’s identity can be authenticated and user trust (authorization) established by using two or three factor combinations.
- Something you know (e.g., passwords)
- Something you have (e.g., your smartphone)
- Something you are (e.g., biometrics, like fingerprints)
DUO’S MULTI-FACTOR AUTHENTICATION
We developed Duo Beyond's multi-factor authentication (MFA) solution based on the belief that zero-trust security does not have to be complicated for users to deliver compliant and effective security; it can live securely in the cloud and be accessible; it can extend the perimeter to any application or device including personal devices (BYOD) with built-in zero-trust; and does not require a rip and replace of legacy system, yet overcomes legacy limitations. Duo helps users meet HIPAA and NIST compliance regulations and is approved by the Department of Homeland Security and FedRAMP In-Process. Duo combines multiple security solutions into one.
AUTHENTICATION VS. AUTHORIZATION
There is a difference between authentication and authorization. For example, Joe P. can go into a bank and say, “I am Joe P. and I work for Mr. X and he wants me to withdraw half of his savings.” Joe P. might be able to authenticate with some credentials, but the bank will not automatically give Joe P. half of Mr. X’s savings until they get authorization from Mr. X. Multi-factor authentication answers the following questions and has granular user policies that can be set to restrict authority and enforce zero-trust protection.
- Is the user who they say they are?
- Do they have access to the right applications?
- Is their device secure?
- Is their device trusted?
Duo’s approach to zero-trust security is different in four ways:
- Speed-to-Security: Duo delivers all the zero-trust building blocks under one solution that is extremely fast and easy to deploy to users. Some clients can be running in a matter of minutes depending on their specific use case.
- Ease of Use: Users can self-enroll as simple as downloading an app from the app store and signing in. Maintenance and policy controls are easy for admins to control and gain clear visibility.
- Broadest Coverage of Applications: Our product is designed to be agnostic and work with legacy systems so no matter what IT and security vendors you use, you can still secure access to all work applications, for all users, from anywhere.
- Lower Total Cost of Ownership (TCO): Because Duo is easy to implement and does not require replacing systems, far less resources in time and cost are required to get up and running and begin the journey to a zero-trust security model.
Multi-factor authentication is the first step to implementing a zero-trust framework. In next week’s blog we will review the second step to achieving zero trust: how to gain visibility into devices.
Zero Trust Evaluation Guide: Securing the Modern Workforce
We’ve released a new guide to help you understand the different criteria for a zero-trust security model. Secure your workforce - both users and devices, as they access your applications.Download Guide