Zero Trust policies - Not just for humans, but for machines and applications too

February 9, 2021 | Nahla Davies

This blog was written by an independent guest blogger.

Hackers are continually finding more pathways into an organization’s internal environment, and gaining access is often alarmingly simple. Rather than having to break into systems, they frequently just log in using stolen, leaked or otherwise compromised user identities and credentials. 

To counter these attacks, many organizations have adopted zero trust policies, under which every request for an organization’s resources and data is authenticated and authorized on its own merits, typically by requiring additional proof of identity rather than trusting a user because they are already on the internal network. 

Traditional, identity-centric zero trust practices that focus solely on protecting the credentials of human users ignore a substantial set of vulnerabilities, namely those in the interactions between machines, applications and workloads. “Machine identities,” which by some industry estimates now outnumber human identities 20:1, present organizations with additional security challenges. 

To address those challenges, businesses must implement effective processes for recognizing machine identities, provisioning their access to resources, and continuously authenticating identities during interactions with organizational resources.

What is Zero Trust?

Zero trust security models assume that no identity is inherently trustworthy. All identities are equally distrusted, whether customer, employee, device or process, and every request they make must be authenticated and authorized regardless of where on the network it originates. 

A well-known example of a zero trust control is multi-factor authentication to verify a human user’s identity. Authenticating machine identities is similar in principle but more complicated in practice: a workload cannot answer a push notification or type a one-time code, so its identity rests entirely on credentials such as certificates, keys and tokens, and on how well those credentials are protected and rotated. 

But, as discussed below, there are policies and processes an organization should consider when implementing zero trust programs that will effectively protect both human and machine identities.

Effective application of Zero Trust policies to machine identities 

Effective zero trust policies require frequent and continuous validation of all “users.” But to be as effective as possible, the policy must address the question “Who or what constitutes a user?”

It is natural to think only of human users when the word “identity” is used. But any number of intermediate nodes sit between a human end user and the resources they access within an organization, including devices, applications and networks, as well as the databases that hold the data itself. 

In addition to having their own identities, each of these nodes can be associated with and accessed by a number of other identities, whether they be other devices, workloads, microservices, applications or human users. And each identity involved in an interaction, from human user identities to the machine identities, is a potential target for a hacker. 

Many businesses arrive at zero trust too late, after a problem such as a breach or a failed security audit has already happened. Prudent businesses implement strong zero trust policies proactively. 

Effective policies require strong, well-protected, regularly rotated credentials, and limit access to essential processes and data without disrupting legitimate interactions and workloads. Zero trust is not a perfect solution with respect to machine identities, but it can be effective. Organizations should consider the following when building a zero trust program:

Ensure that third-party providers use effective identity authentication measures

Organizations must consider both the security of their own systems and the systems of third-party service providers. Cloud-based server and storage providers, development framework providers, and application providers should all be vetted to ensure that they use effective identity authentication processes. 

Online businesses, for example, should only use payment software from providers validated as PCI DSS compliant. The PCI DSS requirements cover, among other things, identifying and authenticating every user and process that accesses system components, maintaining firewall configurations, encrypting cardholder data transmitted across open public networks, and not using vendor-supplied default passwords and other security parameters.

Ensure effective internal identity management

Management of identities within an organization, whether human or machine, requires implementation and coordination of diverse resources, all of which work together in a robust security program. Among these resources are:

  • Systems that define user roles and permissions, e.g. identity and access management (IAM) systems.
  • Systems that manage the generation and use of credentials such as passwords, keys, certificates and digital signatures, e.g. key management systems (KMS).
  • Systems that store and protect credentials, e.g. KMS, secrets management systems and hardware security modules (HSMs).

To properly protect machine identities within an organization, the organization must first know what machine identities actually exist in its environment, and then control the generation, storage and use of the credentials for these identities, using all the tools at its disposal.  

Build from the inside out with identity-based microsegmentation

A common fault of existing identity-centric zero trust models is that they authenticate identities only at the perimeter of the organization’s network (e.g. at the firewall or VPN gateway) and ignore what happens once the perimeter has been passed. This fault often goes hand in hand with not knowing what machine identities actually exist and are operating inside the organization. 

Organizations should consider building their zero trust policies from inside their systems, using identity-based microsegmentation. With microsegmentation, organizations isolate workloads and secure the individual workloads, thereby providing more barriers to a hacker who is attempting to access large amounts of sensitive data or processes. 

Microsegmentation, however, can produce a very complex structure with a vast number of individual segments, and segments defined by IP addresses are brittle because workload addresses change constantly as instances autoscale and containers are rescheduled. Keying segmentation on a workload’s software identity rather than its IP address moves the authentication decision to the workload itself, so the rules survive address changes and the effort needed to authenticate communications is minimized. 
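
Identity-based microsegmentation as an added, runnable example (illustrative code written for this page, not code from the original post or from any product it mentions): a Go policy check that admits a workload to a destination service only on the strength of a SPIFFE ID found in the URI SAN of a certificate that chains to the trust domain’s CA. The trust domain example.org, the service names and SPIFFE IDs, the throwaway in-process CA and the one-hour certificate lifetime are all assumptions made for the example; in practice the CA would be SPIRE, cert-manager or an HSM-backed issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

const trustDomain = "example.org" // SPIFFE trust domain assumed for this example

// Policy maps a destination service to the SPIFFE IDs allowed to call it; no IP addresses.
type Policy map[string]map[string]bool

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA creates a throwaway trust-domain CA (constructed; real CAs live in SPIRE/HSMs).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: trustDomain + " workload CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueWorkloadCert issues a short-lived, SVID-style certificate whose only identity
// claim is the SPIFFE ID in its URI SAN. At one hour, rotation (not revocation) retires it.
func issueWorkloadCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, spiffeID string) *x509.Certificate {
	u, err := url.Parse(spiffeID)
	must(err)
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return leaf
}

// PeerIdentity verifies the presented leaf against the trust-domain roots and returns its
// SPIFFE ID. A chain that verifies but lacks exactly one spiffe:// SAN in our domain is rejected.
func PeerIdentity(leaf *x509.Certificate, roots *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("peer certificate rejected: %w", err)
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" || leaf.URIs[0].Host != trustDomain {
		return "", fmt.Errorf("peer certificate carries no SPIFFE ID for %s", trustDomain)
	}
	return leaf.URIs[0].String(), nil
}

// Authorize is the segmentation decision: may the workload presenting leaf call dst?
// Identity comes from the verified certificate, never from the peer's IP address.
func Authorize(p Policy, dst string, leaf *x509.Certificate, roots *x509.CertPool) (bool, error) {
	id, err := PeerIdentity(leaf, roots)
	if err != nil {
		return false, err
	}
	return p[dst][id], nil
}

func main() {
	ca, caKey := newCA()
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	policy := Policy{"orders-db": {"spiffe://example.org/ns/prod/sa/orders-api": true}}
	leaf := issueWorkloadCert(ca, caKey, "spiffe://example.org/ns/prod/sa/batch")
	fmt.Println(Authorize(policy, "orders-db", leaf, roots)) // batch is not in the policy: false <nil>
}
```

Note what is absent: no IP address or subnet appears in the policy, so a pod being rescheduled or an autoscaler adding instances changes nothing, and an attacker who lands on a host in the right subnet still needs a certificate signed by the trust-domain CA for an identity the policy names. The short lifetime also supplies the regularly rotated credentials the post calls for: a stolen SVID is useful for an hour at most.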

Use real-time monitoring

Zero trust is not effective unless it is a continuous process - real-time monitoring of machine identities and their use is necessary. But this can be a significant burden, and organizations may wish to consider third-party service providers. 

As Sydney-based cybersecurity expert and web designer Nathan Finch of Best Web Hosting Australia discusses in his analysis of the top website monitoring platforms, “You cannot sit in front of your website 24 hours a day seven days a week. This is what monitoring services are for. These services can help you identify strong points and weak points with your site with the goal of helping you improve conversion rates and improve your site.”

Use least-privilege access

The more access an identity has to an organization’s resources, the greater the possible damage from a cyber-attack. Limiting an identity’s access to the applications, processes and data necessary for its task likewise limits what a compromised identity can reach. Implementing least-privilege access controls, for both human and machine identities, is another necessary component of an effective zero trust program.
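
A machine-identity inventory audit as an added example (again illustrative Go written for this page, not code from the original post or any product), tying together the earlier points on knowing what machine identities exist and controlling their credentials, on real-time monitoring, and on least privilege. Given an inventory in which each identity records an owner, when its current credential was issued, when monitoring last saw it authenticate, and what it is allowed to do, the audit flags unowned identities, credentials past their rotation deadline, identities that are idle or have never been used, and wildcard grants. The record layout, the 90-day rotation and 30-day idle thresholds, and the sample inventory are constructed assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// MachineIdentity is one row of a machine-identity inventory (a service account,
// API key, certificate or workload SVID). The field layout is an assumption.
type MachineIdentity struct {
	ID          string    // e.g. "sa/prod/orders-api" or "apikey/ci-deployer"
	Kind        string    // "service-account", "api-key", "certificate"
	Owner       string    // accountable team; "" means nobody has claimed it
	Issued      time.Time // when the current credential was generated
	LastUsed    time.Time // last authenticated use seen by monitoring; zero = never
	Permissions []string  // granted actions, e.g. "orders:read" or "*"
}

// Thresholds assumed for the example.
const (
	maxCredentialAge = 90 * 24 * time.Hour // rotate at least quarterly
	maxIdle          = 30 * 24 * time.Hour // unused for a month: candidate for removal
)

// Finding is one policy violation for one identity.
type Finding struct {
	ID     string
	Rule   string
	Detail string
}

// Audit evaluates every identity against the ownership, rotation, usage and
// least-privilege rules and returns findings sorted by identity, then rule.
func Audit(inv []MachineIdentity, now time.Time) []Finding {
	var out []Finding
	for _, m := range inv {
		if m.Owner == "" {
			out = append(out, Finding{m.ID, "unowned", "no accountable owner recorded"})
		}
		if age := now.Sub(m.Issued); age > maxCredentialAge {
			out = append(out, Finding{m.ID, "rotation-overdue", fmt.Sprintf("credential is %d days old", int(age.Hours()/24))})
		}
		switch {
		case m.LastUsed.IsZero():
			out = append(out, Finding{m.ID, "never-used", "issued but never authenticated; remove it"})
		case now.Sub(m.LastUsed) > maxIdle:
			out = append(out, Finding{m.ID, "idle", fmt.Sprintf("last used %d days ago", int(now.Sub(m.LastUsed).Hours()/24))})
		}
		for _, p := range m.Permissions {
			if p == "*" || strings.HasSuffix(p, ":*") {
				out = append(out, Finding{m.ID, "excessive-privilege", "wildcard grant " + p})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].ID != out[j].ID {
			return out[i].ID < out[j].ID
		}
		return out[i].Rule < out[j].Rule
	})
	return out
}

// sampleInventory is constructed data for the example, not real identities.
func sampleInventory(now time.Time) []MachineIdentity {
	day := 24 * time.Hour
	return []MachineIdentity{
		{ID: "sa/prod/orders-api", Kind: "service-account", Owner: "team-orders",
			Issued: now.Add(-20 * day), LastUsed: now.Add(-time.Hour), Permissions: []string{"orders:read", "orders:write"}},
		{ID: "apikey/ci-deployer", Kind: "api-key", Owner: "platform",
			Issued: now.Add(-400 * day), LastUsed: now.Add(-2 * day), Permissions: []string{"*"}},
		{ID: "cert/legacy-batch", Kind: "certificate", Owner: "",
			Issued: now.Add(-200 * day), Permissions: []string{"reports:read"}},
		{ID: "sa/prod/metrics", Kind: "service-account", Owner: "sre",
			Issued: now.Add(-10 * day), LastUsed: now.Add(-45 * day), Permissions: []string{"metrics:*"}},
	}
}

func main() {
	now := time.Now()
	for _, f := range Audit(sampleInventory(now), now) {
		fmt.Printf("%-22s %-20s %s\n", f.ID, f.Rule, f.Detail)
	}
}
```

Run against the sample inventory, the audit is silent about the well-kept orders-api account and produces seven findings for the other three identities; the unowned, never-used certificate with a 200-day-old credential is the kind of forgotten machine identity that a perimeter-only program never sees.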

Conclusion

As the number of machine identities continues to increase, organizations must continuously adapt their cybersecurity policies to account for vulnerabilities associated with these identities. 

Effective identity management systems that include discovery and logging of all human and machine identities in an organization’s environment, along with policies that require properly limited access and regular rotation of authentication credentials, will harden these identities against unauthorized access and use. 

Supplementing effective policies with ongoing real-time monitoring ultimately ensures that the organization doesn’t have zero trust in its zero trust controls. 

About the Author: Nahla Davies

Nahla Davies is a software developer and tech writer. Before devoting her work full time to technical writing, she managed – among other intriguing things – to serve as a lead programmer at an Inc. 5,000 experiential branding organization whose clients include Samsung, Time Warner, Netflix, and Sony.
