Joseph Carson, Chief Security Scientist, ThycoticCentrify, explains how a Zero Trust approach can reduce risk without increasing friction for users.
Last year we added a new phrase to our vocabulary, ‘working from home’ or WFH. This year, we added another term, ‘hybrid working’, to describe a flexible approach that combines working from home and the office, and which many organizations are embracing in response to employee requests or to minimize their physical space requirements.
But just as organizations were challenged in the rush to support WFH at the beginning of the pandemic, hybrid working comes with its own set of risks and challenges.
Employees need to be able to start work and log in at their preferred location while still being able to access the same systems and information they need. If this is difficult, involving what employees may see as unnecessary friction, productivity is reduced and the organization’s business will be impacted.
It’s no secret that cybersecurity has a reputation for generating friction. But as we saw with WFH, strong security controls are necessary as threat actors increasingly take advantage of flexible working environments where users log in from different locations and use a mix of work and personal devices.
Strong controls and/or a frictionless approach
Imagine that an organization’s information infrastructure is managed like a VIP event. A strong control would be to have security guards check everyone before they can enter. You would need reliable identification such as a pass or ticket backed up by photo ID like a driver’s license or passport.
This would be very effective at keeping out non-VIPs. But it could also be frustrating for legitimate attendees who may not take kindly to requests to show photo ID, resulting in long delays.
A more frictionless approach would be for guards to check visitors based on their appearance. Familiar guests could walk right in, but sketchy individuals would be asked to show ID. This would be better for most familiar guests, but it would create risks if guards weren’t familiar with everyone on the invitation list.
Another option aimed at cutting down on friction would be to look at the behavior and actions of guests. Security guards could monitor what people did, and if they abused their access or visited off-limits areas, for example, they could be challenged or removed.
While these scenarios are helpful to visualize how security controls work, they may not be very effective in a physical setting. In a digital environment, however, any or all of these approaches can be effectively implemented. It is all about the balance between productivity and security.
Zero Trust and risk-based verification
In hybrid working environments, employees don’t want to be constantly interrupted by security controls. Equally, organizations looking to minimize friction still want to be able to accurately identify users and exclude unauthorized actors.
The solution to achieving this balance is a Zero Trust strategy using a risk-based approach with verification measures that vary based on factors such as the user’s device or the systems and information they access. Think of Zero Trust as a digital polygraph test that adapts to the risk potential of each interaction and – if implemented properly – authenticates users with as little friction as possible.
While we’ve been hearing about Zero Trust for a few years, it would be a mistake to think of the concept as a typical security solution. Rather than a list of boxes to be ticked off, it is more a mindset guiding each organization down a unique path determined by their individual infrastructure and objectives. It is about forcing attackers into taking more risks.
Key to Zero Trust is the ability to adapt security measures and verify authorization at every point, and there are a number of technologies and techniques that can minimize the impact on users. Single sign-on (SSO), for example, significantly reduces friction because users only have to be verified once to gain access to different systems and information. However, it is important that passwords are not the only security control.
PAM and EPM provide strong controls
Strong privilege controls are a vital element in reducing risk. A comprehensive Privileged Access Management (PAM) solution allows organizations to adopt the principle of least privilege, so that users can only access the data and applications they need. In particular, PAM controls the privileges of admin accounts which adversaries target to gain full access to systems. It also controls access to valuable or sensitive information by privileged users who are targets for cybercriminals.
Endpoint privilege management (EPM) is an important tool that addresses risks associated with local admin access exploited by ransomware and other threats. EPM combines application control and PAM so only trusted, known applications can be run on user devices. It allows security to be adaptive and evolve to address new threats as opposed to relying on usernames and passwords and trusting users to always do the right thing.
Multi-factor authentication (MFA) is also an effective way to enforce adaptive authentication and has become very user-friendly in recent years thanks to biometrics. When users act suspiciously, such as attempting to access assets they don’t usually need, or logging in from new devices or locations, they can be challenged and have to verify themselves. With MFA, behavior can be continuously monitored in the background and additional verification required when a user exceeds their risk score limit.
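The risk-based verification described above (varying checks by device, location and the sensitivity of what is being accessed, stepping up to MFA only when an attempt exceeds a risk threshold) is easiest to see as a small scoring policy. The block below is an added example written for this article; it is not code from ThycoticCentrify or from any product the article mentions. The user profile, the risk weights, the two thresholds and the sensitivity scale are all assumptions chosen for illustration, and the sample attempts are constructed.

```python
"""Risk-based step-up authentication policy (illustrative, not a product's code).

Each access attempt is scored against what the user normally does. Low-risk
attempts are allowed silently (low friction), medium-risk attempts require an
extra MFA verification, and very high-risk attempts are denied outright.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Assumed weights: how much each risk signal contributes to the score.
WEIGHTS = {
    "unknown_device": 30,      # device never seen for this user before
    "new_location": 25,        # location the user does not usually log in from
    "unusual_resource": 20,    # resource the user does not normally access
    "sensitivity_per_level": 15,  # added once per sensitivity level (0-3, assumed scale)
}
STEP_UP_THRESHOLD = 40   # at or above: challenge with MFA
DENY_THRESHOLD = 90      # at or above: refuse and alert


@dataclass
class UserProfile:
    """What we have previously verified about a user (constructed baseline)."""
    user_id: str
    known_devices: Set[str] = field(default_factory=set)
    usual_locations: Set[str] = field(default_factory=set)
    usual_resources: Set[str] = field(default_factory=set)


@dataclass
class AccessAttempt:
    """One login or access request as seen by the policy engine."""
    user_id: str
    device_id: str
    location: str
    resource: str
    resource_sensitivity: int  # 0 = public ... 3 = privileged/admin (assumed scale)


def risk_score(profile: UserProfile, attempt: AccessAttempt) -> Tuple[int, List[str]]:
    """Return the numeric risk score and the list of signals that produced it.

    The reasons list is what a SOC analyst would want in the audit log: not just
    "score 65" but which deviations from the baseline drove the decision.
    """
    score = 0
    reasons: List[str] = []
    if attempt.device_id not in profile.known_devices:
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown_device")
    if attempt.location not in profile.usual_locations:
        score += WEIGHTS["new_location"]
        reasons.append("new_location")
    if attempt.resource not in profile.usual_resources:
        score += WEIGHTS["unusual_resource"]
        reasons.append("unusual_resource")
    # Sensitive targets always add risk, so privileged systems (level 3 here)
    # cross the step-up threshold on their own even from a familiar device.
    score += WEIGHTS["sensitivity_per_level"] * attempt.resource_sensitivity
    if attempt.resource_sensitivity > 0:
        reasons.append(f"sensitivity_level_{attempt.resource_sensitivity}")
    return score, reasons


def decide(profile: UserProfile, attempt: AccessAttempt) -> Tuple[str, int, List[str]]:
    """Map the score to one of three outcomes: allow, step_up_mfa, deny."""
    score, reasons = risk_score(profile, attempt)
    if score >= DENY_THRESHOLD:
        return "deny", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up_mfa", score, reasons
    return "allow", score, reasons


def record_verified(profile: UserProfile, attempt: AccessAttempt) -> None:
    """After a successful MFA step-up, remember the device and location.

    This is what keeps friction low over time: the next attempt from the same
    device and place no longer pays the unknown_device / new_location penalties.
    """
    profile.known_devices.add(attempt.device_id)
    profile.usual_locations.add(attempt.location)


# Constructed sample data for a hybrid worker who usually uses one laptop
# from home or the office and mostly touches email and the wiki.
ALICE = UserProfile(
    user_id="alice",
    known_devices={"laptop-1"},
    usual_locations={"office", "home"},
    usual_resources={"email", "wiki"},
)
ROUTINE = AccessAttempt("alice", "laptop-1", "home", "email", 1)
PAYROLL = AccessAttempt("alice", "laptop-1", "home", "hr-payroll", 2)
ADMIN_FROM_CAFE = AccessAttempt("alice", "phone-9", "cafe", "admin-console", 3)

if __name__ == "__main__":
    for attempt in (ROUTINE, PAYROLL, ADMIN_FROM_CAFE):
        print(attempt.resource, decide(ALICE, attempt))
```

Running the block shows the three outcomes the article describes: the routine login is allowed with no challenge, the payroll request from the usual laptop gets an MFA step-up, and the admin console request from an unknown phone in a new location is denied. The `record_verified` step is the part that keeps the policy from becoming a permanent source of friction: once a device and location have been verified, only the sensitivity of the target continues to add risk.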
A journey made one step at a time
Of course, no organization can ever be made 100 percent secure. Zero Trust, like security, is a journey which is best made one step at a time based on clear objectives. It requires a solid understanding of the value of an organization’s assets and a risk assessment of potential impacts. And, in a changing environment, this process should be dynamic, not just an annual audit.
Organizations then need to decide what controls will achieve the biggest risk reduction and break their Zero Trust strategy down into steps. Start with smaller use cases to get quick wins, and build on early successes to gain support and acceptance to protect the entire organization. A mature Zero Trust implementation will extend from endpoint systems and cloud environments to the supply chain and whatever the future brings.
At every step of the way, risk reduction must be achieved without increased friction for users. That is particularly important in supporting a hybrid work environment so employees can remain as productive as possible. And while users may thank you for it, Zero Trust strategies will have the opposite effect on threat actors, making it as difficult as possible for them to achieve their objectives and far more likely that they will be identified and their exploits averted.