Incorporating zero trust into endpoint security
Zero trust is a complex term, but organizations that take security seriously must know what it is and how it can support existing endpoint security platforms.
Zero-trust authentication is a security concept that has been around for over a decade, but the ways in which IT professionals and security software vendors incorporate it continue to evolve.
The zero-trust security model discards the notion of inherently trusted devices and trusted users, and security software vendors are adopting it at an increasing rate.
What is zero-trust authentication and why is it important?
Zero-trust authentication is often referred to as zero-trust security, or simply zero trust. It denotes a fundamentally different approach to authentication and access control from the traditional session-based model.
With traditional token-based authentication, a user logs into a service or application, the directory service authenticates the user's credentials and the service then issues the user an access token. From that point on, whenever the user attempts to access a network resource such as a network share, a data set or an application, the authentication technology compares the user's access token against the resource's access control list (ACL). If the identities and group memberships in the token match an entry in the ACL, the user is granted access.
This basic approach to authentication and access control has been commonplace in enterprises for decades. Although token-based authentication works, it has one major security flaw: the user's access token remains valid for the duration of their session, however long or short that session may be. In other words, the user's identity is validated once at logon, and the authentication platform then treats them as trustworthy until they log out.
There are two reasons why it is unwise to implicitly trust a user once they have logged in. First, this approach to authentication and access control predates the cloud and the widespread use of mobile devices. Users operating inside the network perimeter were generally considered trustworthy: if they were able to log in, it indicated that they were physically present in the office, and therefore a trusted employee. Now that remote work is the norm and users reach the company network from many locations, IT admins should not base any security assumption on a user's physical location.
The other reason the token-based access control model is problematic is that it does little to stop an attacker from reaching an organization's resources once they have penetrated the network perimeter. An attacker does not even need to use the organization's VPN to get there. There are plenty of examples of attackers entering a network by exploiting IoT devices, such as digital thermostats or security cameras.
Once an attacker has accessed the network, they may set out to compromise an endpoint using stolen credentials. If the endpoint is a Windows PC, for example, the attacker can copy the Security Accounts Manager (SAM) database to harvest the password hashes of local accounts, and the adjacent SECURITY hive to recover cached credentials of domain users who have logged onto that PC. With those credentials in hand, the attacker moves laterally through the network, in a strategy sometimes referred to as island hopping, harvesting credentials from other PCs. Eventually the attacker may land on a PC where an administrator's credentials are exposed. With those, the attacker takes full control of the network.
The best way to avoid this kind of unfettered access is zero-trust endpoint security. Rather than assuming that users are who they claim to be and letting them move unchecked throughout the network, zero-trust security re-evaluates the user's identity and context each time they access a resource. This does not necessarily mean that the system constantly nags users to enter their password. Instead, the software may use any number of signals to validate the user's identity.
Every zero-trust platform works differently. Zero-trust software might weigh factors such as:
- the account that the user logged in with;
- the identity of the user's device;
- the user's physical location; and
- what the user is trying to do.
If the user performs some suspicious action, such as moving laterally through the network, then the software can ask the user to enter their password again, or to provide a code via their work-associated mobile device.
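To make the per-request model concrete, the following is an added example written for this page (it is not code from any vendor platform named here). It is a toy policy engine that evaluates each request against the four factors listed above and returns "allow", "step-up" (prompt for a second factor) or "deny". The device registry, corporate address prefixes, the 10-minute window and the threshold of three distinct hosts are all assumptions chosen for illustration, and the request sequence at the bottom is constructed sample input, not real log data. Contrast this with the session-token model described earlier, which would evaluate the user once at logon and wave every later request through on the strength of the ACL alone.

```python
"""Toy per-request (zero-trust style) access policy evaluator.

Added example for illustration only; the registry, network ranges and
thresholds below are assumptions, not any product's real configuration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed inventory for the example. A real deployment would pull this
# from a device registry (e.g. MDM enrollment) and a network inventory.
REGISTERED_DEVICES: Dict[str, Set[str]] = {
    "alice": {"LAPTOP-A1"},
    "bob": {"LAPTOP-B7"},
}
CORP_PREFIXES = ("10.0.", "192.168.1.")      # assumed corporate address ranges
SENSITIVE_ACTIONS = {"admin", "write-acl"}   # always require a second factor


@dataclass
class Request:
    user: str
    device_id: str
    source_ip: str
    resource: str       # host or share the user is touching
    action: str         # "read", "write", "admin", ...
    time: datetime


@dataclass
class Decision:
    verdict: str                               # "allow", "step-up" or "deny"
    reasons: List[str] = field(default_factory=list)


class PerRequestPolicy:
    """Evaluates every request on its own merits; never trusts a prior decision."""

    def __init__(self, window: timedelta = timedelta(minutes=10), max_hosts: int = 3):
        self.window = window
        self.max_hosts = max_hosts
        # user -> recent (time, resource) pairs, used to spot island hopping
        self.history: Dict[str, List[Tuple[datetime, str]]] = {}

    def _distinct_recent_hosts(self, user: str, now: datetime) -> int:
        cutoff = now - self.window
        recent = [(t, r) for (t, r) in self.history.get(user, []) if t >= cutoff]
        self.history[user] = recent            # drop entries outside the window
        return len({r for _, r in recent})

    def evaluate(self, req: Request) -> Decision:
        reasons: List[str] = []
        # 1. Device identity: a device not registered to this user is refused outright.
        if req.device_id not in REGISTERED_DEVICES.get(req.user, set()):
            return Decision("deny", ["device not registered to user"])
        # 2. Location: access from outside the corporate network needs a second factor.
        if not req.source_ip.startswith(CORP_PREFIXES):
            reasons.append("source address outside corporate network")
        # 3. Action: sensitive operations always trigger step-up authentication.
        if req.action in SENSITIVE_ACTIONS:
            reasons.append(f"sensitive action '{req.action}'")
        # 4. Behaviour: record this access, then check for lateral movement
        #    (one account touching many distinct hosts within the window).
        self.history.setdefault(req.user, []).append((req.time, req.resource))
        hosts = self._distinct_recent_hosts(req.user, req.time)
        if hosts > self.max_hosts:
            reasons.append(f"{hosts} distinct hosts within {self.window}")
        return Decision("step-up" if reasons else "allow", reasons)


def demo() -> List[str]:
    """Run a constructed request sequence and return the verdict for each."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    policy = PerRequestPolicy()
    requests = [
        Request("alice", "LAPTOP-A1", "10.0.4.20", "fileserver01", "read", t0),
        Request("alice", "LAPTOP-A1", "10.0.4.20", "fileserver01", "write", t0 + timedelta(minutes=1)),
        Request("alice", "LAPTOP-A1", "203.0.113.9", "fileserver01", "read", t0 + timedelta(minutes=2)),
        Request("alice", "LAPTOP-A1", "10.0.4.20", "fileserver01", "admin", t0 + timedelta(minutes=3)),
        Request("mallory", "KIOSK-X", "10.0.4.21", "fileserver01", "read", t0 + timedelta(minutes=4)),
        # island hopping: alice's account fans out across workstations in minutes
        Request("alice", "LAPTOP-A1", "10.0.4.20", "ws-01", "read", t0 + timedelta(minutes=5)),
        Request("alice", "LAPTOP-A1", "10.0.4.20", "ws-02", "read", t0 + timedelta(minutes=6)),
        Request("alice", "LAPTOP-A1", "10.0.4.20", "ws-03", "read", t0 + timedelta(minutes=7)),
    ]
    return [policy.evaluate(r).verdict for r in requests]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note that the lateral-movement check fires on the fourth distinct host even though every individual request came from a registered device, a corporate address and a low-privilege action: the point of evaluating each request is that the decision can change mid-session as behaviour changes, which the one-time token check cannot do.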
How does zero-trust work alongside endpoint security?
Security in a business setting must be approached holistically. In other words, a variety of security mechanisms must work in tandem to achieve defense in depth, so that an attacker who manages to circumvent one security mechanism is confronted by another.
Zero-trust software should therefore function in conjunction with existing endpoint security features rather than replace them.
A big part of enabling zero-trust endpoint security is positively identifying both users and devices. Endpoint security vendors have different approaches for this process. For example:
- Microsoft provides guidance for registering devices and using endpoint identity as the basis of a zero-trust endpoint architecture.
- Palo Alto Networks has a security platform that decrypts TLS (SSL) traffic and applies zero-trust principles to determine whether the traffic is malicious. This capability can block the command-and-control traffic that attackers commonly use to control a compromised endpoint.
- Another platform for zero-trust access is the CloudGen Access Zero Trust model by Barracuda. It allows for remote, conditional and contextual access to network resources.
Ultimately, zero-trust security is more of a security model than any one tool, and there are many ways to implement zero-trust security with any endpoint security vendor or approach.
To start with zero trust, take advantage of existing endpoint security mechanisms. Seek out products that consider user identity and endpoint identity among the factors for an access control decision.