Building trust in a ‘zero trust’ environment: A more dynamic security model

Building trust in a ‘zero trust’ environment: A more dynamic security model
Ojas Rege is Chief Marketing and Strategy Officer at MobileIron. He coined the term “Mobile First” on TechCrunch in 2007, one week after the launch of the first iPhone, to represent a new model of personal and business computing. He is co-inventor on eight mobility patents, including the enterprise app store and BYOD privacy. Ojas has been with MobileIron for ten years as the company has grown from an idea to a mobile security platform with over 16,000 enterprise customers. Ojas is a Fellow of the Ponemon Institute for information security policy and has written extensively on the implications of the evolving architectures of Android, iOS, and Windows on enterprise security. Prior to MobileIron, Ojas was responsible for the mobile product teams at Yahoo! and AvantGo and started his career in 1988 as product line manager at Oracle. Ojas has a BS/MS in Computer Engineering from M.I.T. and an MBA from Stanford University. He is also Board Chair for Pact, a non-profit in Oakland, California that provides adoption and education services for children of color and their families.

Today’s working environments are no longer governed by the perimeters and boundaries they once were.  As a result, security threats have multiplied and the pressure on IT teams to protect data has increased rapidly. Modern work happens in a mobile-cloud environment outside traditional security controls, and from the perspective of those controls it’s a zero trust environment.

As attacks become more sophisticated, security professionals are forced to reconsider the best practices on which they’ve previously relied. The more adaptable have realised the best solutions provide a secure contextual connection — based on device, app, user, environment, network, and everything else that’s involved in accessing their data.

The term  ‘zero trust’ was coined by John Kindervag of Forrester Research in 2010. Around the same time, a similar idea was being embraced by Google as a way to connect its employees to their internal applications. The Google BeyondCorp methodology was born out of this need and led to a specific adaption of the  software-defined perimeter (SDP).

The zero trust model treats all devices or ‘hosts’ as if they’re internet-facing, and considers the entire network to be compromised and hostile.  It  assumes that all access to corporate resources should be restricted until the user has proven their identity and access permissions and until the device has passed a security profile check.

Establishing and working in a zero trust environment

In order to establish trust in a zero trust environment, an organisation must first ensure:

  • All resources are accessed in a secure manner regardless of location
  • Access control is on a “need to know” basis and is strictly enforced

Context is central to establishing trust. This context comes from the posture of the  OS, device, network, app, and location. This information can then be used to provide adaptive security flows that mitigate the risk of data loss.  This is how ‘trust’ is established.

Building the trust ladder

A ladder is a good metaphor for trust. As you climb each rung, the level of trust increases and you feel more confident in providing the user access to data. If you have a trusted user and you have established full trust on the endpoint (OS, device, app, location), then you are in a position to provide access to any confidential information as long as the transport of that information is also secure. This is the desired state. You can now provide a fantastic user experience as well, with certificate-based authentication eliminating the need for a password on the trusted endpoint.

If you start climbing down the ladder, you will need to establish additional controls, for example, biometrics to ensure user identity. If that’s not possible and you are worried about credential theft, then a second factor through software-based multi-factor authentication might become important. Many organisations will use a smartphone as that second factor.

Credential theft will very often come from device and network compromise, once again demonstrating that user trust itself is dependent on the presence of contextual controls to prevent the capture of credentials.

What is your trust ladder? By clearly defining it in advance, you can more effectively design adaptive authentication into your security workflow.

Balancing priorities

Whenever possible, the trust ladder should be invisible to the user. When a user action is required, it should be simple and clear, and ideally the system should learn from, and adapt to their behaviour – without compromising security of course.

But lock-down is not an option, because it simply opens the door for a proliferation of shadow IT, which means data will actually be accessed in a truly zero trust environment. With the increasing consumerization of IT, employees expect the same functionality and experience at work that they get from the devices and apps they use at home. An environment that continuously hinders employee productivity will create frustration and negate security.

Maintaining this constant balance between security controls and user experience, not to mention legal and compliance considerations, is familiar territory for those managing IT infrastructure projects. A system that can achieve this, while still raising red flags when there is a deviation from the normal, should be the focus for anyone tasked with developing a trust ladder architecture.

Ultimately, the aim of zero trust framework is to protect data across an increasingly fragmented information fabric. Traditional security approaches cannot do this. The modern access decision requires continuous assessment because context is constantly changing. Moving to this dynamic model vs. the static “I’m in, you’re out” model of the firewall is the path forward.  It gives users the freedom they need to get on with their work without needing to abandon company security protocols. in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *