Federal Zero Trust, Identity Assurance, and the Red Queen
With the release of NIST SP 800-207, many cybersecurity professionals are reviewing their environments and examining how Zero Trust principles and practices can strengthen their architectures. Among the many tenets of Zero Trust, incorporating dynamic policies into the authentication and authorization of accounts requesting access to resources is critical. It ensures that the authentication of an organization's workforce can adapt to changing and emerging threats and needs. In short, the key for cybersecurity professionals is to avoid the Red Queen.
The Red Queen Effect
The Red Queen effect is a concept borrowed from evolutionary biology. It describes the need for prey to keep pace with predators through adaptive responses in camouflage, speed, agility, etc.; predators, in turn, must adapt twice as quickly if they are to gain an edge in this timeless struggle.
The name comes from Lewis Carroll's "Through the Looking-Glass", where the Red Queen runs with Alice.
'Well, in our country,' said Alice, still panting a little, 'you'd generally get to somewhere else — if you ran very fast for a long time, as we've been doing.'
'A slow sort of country!' said the Queen. 'Now, here, you see, it takes all the running you can do, to keep in the same place.
If you want to get somewhere else, you must run at least twice as fast as that!'
— Lewis Carroll, "Through the Looking-Glass"
What cybersecurity professionals can learn from the Red Queen effect is the need to be dynamic and to avoid static solutions. This has been a key lesson of the last decade, in which the traditional IT practice of a strong perimeter combined with static security controls has led repeatedly to compromises and breaches.
The other lesson is the pressure that dynamic security practices and solutions place on attackers, forcing adversaries to expend significantly more effort to compromise systems protected by a Zero Trust architecture.
Dynamic Cybersecurity Solutions
So what does it mean to have dynamic solutions in a Zero Trust landscape, and how does this relate to identity assurance, one of the most targeted and vulnerable pieces of the enterprise?
Over the past decade, identity practices have been built around strong multi-factor authentication (MFA). For the US Federal Government, this has led to the development and deployment of one of the strongest enterprise-capable authenticators: the X.509 smart card. Often referred to as a PIV or CAC card, these smart cards are powerful multi-factor authenticators (the card is something you have, and the PIN that unlocks it is something you know) that strongly bind a certificate to an authorized individual. But while the smart card is an excellent authenticator, the authentication it provides is still rooted in a static workflow.
When a user authenticates with their smart card, what they assert is proof of possession of the private key embedded in their PIV or CAC: the card signs a challenge, and the relying party verifies the signature against the certificate and checks that the certificate chains to a trusted issuer and has not been revoked. Once this proof is established, a typical smart card workflow lets the user proceed. While much stronger than a username and password, this is still static authentication: nothing in the workflow asks about the state of the device, the account, or the session making the request.
Smart Policies for PIV and CAC Cards
What is needed is to enhance smart card authentication with a dynamic workflow that allows smarter policies to be applied before the user is granted access to a resource. Here, not only would the user perform a traditional certificate authentication, but the broader security posture of their workstation, their account type, and even their browser would be examined to determine the overall health of the authentication request.
Only once the overall health of the user's broader identity is validated would the user be allowed to proceed to the protected resource. By layering this smarter workflow on top of certificate authentication, PIV and CAC authenticators can be brought into a Zero Trust architecture.
Get Stronger Authentication with Zero Trust Policies
This need for dynamic authentication workflows extends beyond smart cards, and applies to authentication in general. Through the looking glass of Zero Trust, we can see the benefits of smarter authentication workflows and inline policy controls to address a number of organizational needs and requirements.
Dynamic authentication can help organizations to:
- Ensure only approved browsers are used to access resources, and quickly enforce browser updates should critical vulnerabilities be discovered
- Prevent older or outdated Operating Systems from being used
- Limit or control mobile device access to resources
- Enforce or prevent specific versions of Java and Flash
- Limit privileged account access to domain controllers or critical servers only
- Set special permissions around local administrative accounts
What makes these controls valuable is that an organization can react quickly to security incidents and adapt its authentication workflows to minimize risk on a global, per-application, or per-account basis. This keeps the authentication workflow from relying solely on static security practices and helps an organization keep pace with the Red Queen.
Examples of the Red Queen in Action
Endpoint device management is something that has been in place in many organizations for a number of years. It is easy to look at dynamic authentication and Zero Trust recommendations and question whether these solutions are necessary in an environment where workstations and mobile devices are fully managed.
While endpoint management, whether through a mobile device management (MDM), enterprise mobility management (EMM), or some other management platform, can be a valuable component of an enterprise architecture, these solutions do not necessarily provide the same level of agility and flexibility as a Zero Trust-based authentication workflow.
Mobile Device Management Policies
The perimeter is shifting. MDM policies apply only to devices enrolled in the organization's MDM profile. Partners and other third parties who still require access to protected resources typically cannot be compelled to install an MDM profile on their own mobile devices, which forces the organization to issue managed devices to them and drives up hardware costs.
There is also the challenge of ensuring that only MDM-configured mobile devices can reach protected resources. These challenges often lead to unknown or unmanaged devices gaining access with no insight into their health and hygiene, exposing the organization to greater risk.
Verifying Device Trust
With Zero Trust dynamic authentication, the security posture of a mobile device (its health and the degree of trust placed in it) can be evaluated, and devices that are out of compliance can be prevented from authenticating successfully.
Often the security posture of a mobile device, including its operating system and browser version, can be determined without installing any intrusive software on the device, which makes these controls better suited to partners and unmanaged devices. By enforcing posture policies inline as part of authentication, device health can be enforced without directly managing every endpoint that attempts to authenticate. One caveat: signals read from the request itself, such as the User-Agent header, are asserted by the client and can be altered, so they are best treated as a hygiene control that stops an unpatched but well-behaved client rather than as a barrier to a determined attacker; where a device identity is required, pair them with a device certificate or a management agent.
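As an added example, not code from the original article or from Duo, the following Python shows how the coarse posture signals mentioned above (operating system and browser version) can be read from the User-Agent header a browser sends with every request, without any software on the device. The regular expressions, the `Posture` type and the sample User-Agent strings are constructed for this illustration; anything the parser cannot recognise is left empty so that the caller can fail closed.

```python
"""Added example (not Duo's code): deriving a coarse device posture from the
User-Agent header a browser sends on every request, so an inline policy can
see OS and browser versions without installing an agent. The sample
User-Agent strings below are constructed for the example."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, ...]


@dataclass
class Posture:
    os_name: Optional[str]
    os_version: Optional[Version]
    browser: Optional[str]
    browser_version: Optional[Version]

    def is_known(self) -> bool:
        """False when any signal the policy needs is missing; callers fail closed."""
        return None not in (self.os_name, self.os_version, self.browser, self.browser_version)


def _ver(text: str) -> Version:
    """'10_15_7' or '90.0.4430.93' -> comparable tuple of ints."""
    return tuple(int(part) for part in re.split(r"[._]", text) if part.isdigit())


# Order matters: iOS User-Agents also contain "like Mac OS X", so test iOS first.
_OS_PATTERNS = [
    ("iOS", re.compile(r"(?:iPhone|iPad|CPU) OS (\d+(?:_\d+)*)")),
    ("Windows", re.compile(r"Windows NT (\d+(?:\.\d+)*)")),  # Windows 11 also reports NT 10.0
    ("macOS", re.compile(r"Mac OS X (\d+(?:[._]\d+)*)")),
    ("Android", re.compile(r"Android (\d+(?:\.\d+)*)")),
]

# Order matters: Edge carries a Chrome token, and Chrome carries a Safari token.
_BROWSER_PATTERNS = [
    ("Edge", re.compile(r"Edg[A-Za-z]*/(\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("Chrome", re.compile(r"Chrome/(\d+(?:\.\d+)*)")),
    ("Safari", re.compile(r"Version/(\d+(?:\.\d+)*).*Safari/")),
]


def parse_user_agent(ua: str) -> Posture:
    """Best-effort extraction. Unrecognised fields stay None rather than being guessed."""
    os_name = os_version = browser = browser_version = None
    for name, pattern in _OS_PATTERNS:
        match = pattern.search(ua)
        if match:
            os_name, os_version = name, _ver(match.group(1))
            break
    for name, pattern in _BROWSER_PATTERNS:
        match = pattern.search(ua)
        if match:
            browser, browser_version = name, _ver(match.group(1))
            break
    return Posture(os_name, os_version, browser, browser_version)


# Constructed sample headers, in the shape real browsers send them.
SAMPLE_USER_AGENTS = {
    "chrome-windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
    "edge-windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.46",
    "firefox-macos": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) "
                     "Gecko/20100101 Firefox/88.0",
    "safari-iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 "
                     "(KHTML, like Gecko) Version/14.0.3 Mobile/15E148 Safari/604.1",
    "unknown-client": "curl/7.68.0",
}

if __name__ == "__main__":
    for label, ua in SAMPLE_USER_AGENTS.items():
        posture = parse_user_agent(ua)
        verdict = "evaluate policy" if posture.is_known() else "deny (posture unknown)"
        print(f"{label:15} {posture} -> {verdict}")
```

Because the header is supplied by the client, this parser reports what the device claims to be running, not what it is running; it is enough to turn away an unpatched but honest browser, and no more. Browser vendors are also reducing the detail carried in the User-Agent, so anything the header no longer exposes has to come from an agent or a device certificate.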
For workstations, inline dynamic authentication workflows can be even more valuable. Most organizations have practices in place to manage the software and patches installed on workstations within their network.
While these are good practices, it takes time to bring every device up to date. The result is workstations that remain out of compliance and insecure for hours, days, weeks, or even months while still accessing critical resources, until every workstation in the organization has been updated.
Consider a large enterprise with 120,000 accounts, including privileged, partner, and contractor accounts, running several applications that are accessed from close to 400,000 endpoints, with the average worker using several mobile devices and workstations.
Should a critical vulnerability be discovered in a browser, such that every endpoint needs to be updated, how long would traditional IT practices take to ensure that every device is patched? Days at best, if the organization is very efficient, and more likely months.
With dynamic authentication, a global policy can be set so that the vulnerable browser version can no longer authenticate successfully anywhere in the organization, in a matter of minutes. That is the speed and agility of smarter Zero Trust authentication, and a way to outpace the Red Queen.
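To make concrete both the policy layer described in the smart card and Zero Trust policy sections above and the browser scenario just described, here is an added Python example; it is not code from the original article or from Duo. It assumes certificate authentication has already run and is reported as a boolean, and the rule names, scopes, account types, application names and version floors are illustrative assumptions:

```python
"""Added example (not Duo's or NIST's code): an inline policy layer that runs
after PIV/CAC certificate authentication has already succeeded. Rule names,
scopes, application names and version floors are illustrative assumptions."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Version = Tuple[int, ...]


@dataclass
class AuthContext:
    """What the policy engine knows about one authentication attempt."""
    user: str
    account_type: str        # "standard" or "privileged"
    application: str         # resource being requested
    cert_verified: bool      # outcome of the X.509 challenge/response step
    os_name: str
    os_version: Version
    browser: str
    browser_version: Version
    device_managed: bool     # enrolled in the organization's MDM/EMM


@dataclass
class Rule:
    name: str
    scope: str               # "global", "application" or "account"
    target: Optional[str]    # application name or account type; None for global
    passes: Callable[[AuthContext], bool]


class Policy:
    """Ordered rule set; any applicable rule that fails denies the request."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)

    def remove(self, name: str) -> None:
        self.rules = [r for r in self.rules if r.name != name]

    @staticmethod
    def _applies(rule: Rule, ctx: AuthContext) -> bool:
        if rule.scope == "global":
            return True
        if rule.scope == "application":
            return rule.target == ctx.application
        if rule.scope == "account":
            return rule.target == ctx.account_type
        return False

    def evaluate(self, ctx: AuthContext) -> Tuple[bool, List[str]]:
        """Return (allowed, names of failed rules). A failed certificate short-circuits."""
        if not ctx.cert_verified:
            return False, ["certificate-authentication"]
        failed = [r.name for r in self.rules
                  if self._applies(r, ctx) and not r.passes(ctx)]
        return not failed, failed


APPROVED_BROWSERS = {"Chrome", "Firefox", "Edge"}
MIN_OS = {"Windows": (10,), "macOS": (10, 15), "iOS": (14,)}   # illustrative floors
CRITICAL_APPS = {"dc-admin", "server-console"}                # illustrative names


def build_policy() -> Policy:
    p = Policy()
    p.add(Rule("approved-browser", "global", None,
               lambda c: c.browser in APPROVED_BROWSERS))
    # An OS with no floor defined is denied rather than silently allowed.
    p.add(Rule("minimum-os", "global", None,
               lambda c: c.os_name in MIN_OS and c.os_version >= MIN_OS[c.os_name]))
    # Privileged accounts may reach critical servers only, and only from managed devices.
    p.add(Rule("privileged-critical-only", "account", "privileged",
               lambda c: c.application in CRITICAL_APPS and c.device_managed))
    # Domain-controller administration requires a privileged account.
    p.add(Rule("dc-admin-requires-privileged", "application", "dc-admin",
               lambda c: c.account_type == "privileged"))
    return p


def block_browser_below(policy: Policy, browser: str, fixed: Version) -> str:
    """Incident response: one global rule that denies a vulnerable browser line
    until it reports at least the fixed version. Returns the rule name so it can
    be removed once the fleet has caught up."""
    name = f"block-{browser}-below-{'.'.join(map(str, fixed))}"
    policy.add(Rule(name, "global", None,
                    lambda c: c.browser != browser or c.browser_version >= fixed))
    return name


if __name__ == "__main__":
    policy = build_policy()
    alice = AuthContext("alice", "standard", "hr-portal", True,
                        "Windows", (10, 0), "Chrome", (85, 0, 4183), True)
    print(policy.evaluate(alice))                  # (True, [])
    rule = block_browser_below(policy, "Chrome", (86, 0))
    print(policy.evaluate(alice))                  # (False, ['block-Chrome-below-86.0'])
    policy.remove(rule)
```

`block_browser_below` is the minutes-not-months lever from the scenario above: one rule added at global scope changes the answer for every account on its next authentication, and `remove` retires it once the fleet has patched. Tagging each rule with a scope lets the same engine enforce global hygiene, per-application requirements (domain controllers only from privileged accounts) and per-account restrictions (privileged accounts only to critical servers, and only from managed devices).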
Sign up for a free trial to experience the product and see how Duo can give you deep device visibility and get started with Device Trust.