
Absolute Zero

Dec 18, 2020

By Allan Caton, CISSP, CISM, CCSP, CISMP

Most companies are migrating from an environment of legacy, on-premises systems to the cloud, which will result in a hybrid environment. Market forces are driving the push toward usable, mobile technology and the always-on, always-available ubiquity of web-based applications. This shift will include both customers and all types of enterprise users – employees, contractors, vendors, partners, etc.

This shift to a decentralized, identity-centric operating model brings with it the absolute requirement to consider the security of the user identities, devices and data which comprise the enterprise estate. The future of identity management, authentication, data management and network access demand a fresh look at how security protects corporate assets. 

The days when a simple password was sufficient to protect access to the corporate network, and when the network itself could be trusted, are gone; that thinking is out of date.

With the advances in technology available to cyber criminals and the ‘attackers for hire’ available at your local outlet of Dark Web Trading, companies need to think seriously about how best to protect their assets. 

Two such methods are Zero Trust and Password-less authentication. 

Before reading any further make sure that you have these two essential components, or the entire concept will never get off the ground: 

  • Senior Management backing – I don’t mean a rubber stamp on a proposal; I mean actual commitment to investing in the project and a complete understanding of the risks being mitigated. Senior Management should be demanding more from technology departments and should get a sense of excitement from the clear explanations of the possibilities unlocked by a more secure environment.
  • Technology and Security Champions from your business units – Technology staff do not normally have an intricate understanding of the commercial environment they enable, the commercial drivers which affect it, or the data used to accomplish corporate objectives. For this there will need to be people from within the business who understand their data, users and requirements. The Champions, in collaboration with Technology, can create a transformation which will enable, encourage and insist on a secure, useful environment which will facilitate new capabilities without compromising security.

Password-less Authentication 

Password-less access to technology is a natural progression from current day authentication methods for the following reasons: 

The single factor password started in 1961 with the Compatible Time-Sharing System (CTSS) which allowed hundreds of users to share a computer terminal with a common mainframe.

Fernando Corbató created the computer password as an accounting tool to allow users access to their resources on a mainframe for a certain length of time. 

In 1995, AT&T was granted a patent for multi-factor authentication (MFA) (a claim subsequently also made by Kim Dotcom in 1997). Regardless of who actually introduced it, in the last two decades MFA has become the de facto standard to combat password theft.

In 2019, an anonymous hacker released 2.2 billion username and password combinations freely across attacker forums. Known simply as Collections #2-#5, it was, at that time, the largest collection of credentials ever released.

Advances in MFA technology include methods such as biometrics, facial recognition, one-time passwords and tokens. The inevitable question is, ‘If there are multiple factors of authentication and passwords are the weakest factor, why use them at all?’ 

Passwords cause multiple problems including: 

  • Users not being able to remember passwords
  • Complexity in passwords often results in passwords being written down or stored somewhere
  • Credential sharing with passwords is possible
  • Using the same password for multiple services or applications
  • Poor user experience
  • The ability to guess passwords from public information
  • Various types of attack crafted specifically for passwords
  • The cost to manage passwords outweighs the benefits 
  • Unique passwords are as mythical as unicorns
  • Passwords require frequent changes resulting in a simple increment for each change

The list goes on… 

The simple fact is that passwords offer a poor user experience, are costly in support time to maintain, are the single biggest attack vector in technology, and no longer provide the security they once did.

This realisation has led the technology industry to move toward replacing passwords altogether with more secure, simplified methods of authentication. 

“By 2022, 60% of large and global enterprises, and 90% of midsize enterprises (MSEs), will implement password-less methods in more than 50% of use cases, from fewer than 5% today.” Source: Gartner Market Guide for User Authentication 

Password-less authentication, such as FIDO2, establishes a strong assurance of a user’s identity without relying on passwords, allowing users to authenticate using biometrics, security keys, one-time passwords, tokens or a mobile app. Properly implemented, it can provide secure access for various use cases such as hybrid, cloud, on-premises and legacy apps. 

A well thought out and properly implemented password-less solution balances usability with stronger authentication giving users an easy, secure login experience, while reducing administrative burden and overall risks for the enterprise.

What is Zero Trust?

Essentially, Zero Trust is exactly what it says: no user, device or service is trusted, and the network itself is regarded as an untrusted and hostile environment. The assumption is that everything is attempting to breach the network, and nothing should be trusted until its identity is authenticated and approved and its access to corporate assets is approved according to policy.

Another facet of Zero Trust is that users, services and functions should only have the access and permissions they require (a combination of need to know and least privilege). 

In common with password-less technology, MFA is pivotal within the Zero Trust environment, regarding all access requests as an attempted breach. Using only a single factor of authentication would be similar to leaving the door ajar. 

In addition to the components above, properly implemented Zero Trust environments will incorporate micro-segmentation. Micro-segmentation is the process of creating security perimeters around small parts of the overall environment to accomplish a set task or set of tasks. The premise is that an identity can access all required resources within a given Micro-segment but will require separate authentication to access the resources in another segment. Using password-based authentication for this process would make it practically unusable so password-less technology is the ideal complement to Zero Trust. 

What are the steps to implementing Zero Trust and Password-less? 

There are steps which are required to be able to properly implement the type of security which will enable the level of assurance required by most Boards of Directors. The steps below can be implemented in a staged fashion and will each, in turn, improve your security posture. If you have Absolute Zero as the target, each step toward it will provide a better security posture. 

  1. Fully understand and document your current environment

Whilst it may sound like something all companies should already be doing and something all security practitioners should insist on, the simple fact is that most companies probably have at least some devices, user accounts, services, data or excess privileges which shouldn’t exist or have dropped off the radar. 

A thorough audit is needed of devices, user accounts, roles (if they exist), services, APIs… basically every component which accesses the network, but not the network itself, since the network should be regarded as hostile. In Zero Trust computing, it shouldn’t matter whether access is from an internal hardwired network or from your local coffee shop’s Wi-Fi: all networks should be regarded as untrusted, hostile environments which form the largest attack surface.

Users – From a business enablement perspective, Champions within the business will need to compile a list of every one of their users, what data those users should have access to, which applications they should be allowed to use and what access rights they should have to the systems and data. This is a substantial piece of work, but the output will allow the technology and security departments to: 

Define roles – Whether these are part of a bespoke corporate schema or taken from the roles incorporated within many SaaS applications, the roles should be consistent across the organisation and understood by all. The roles can be incorporated into user identities to facilitate the full range of capabilities required by each and every user. 

Ensure support for password-less technology – This is an easier process for end users than it is for devices and services, which may require a rethink of suppliers or at least a peek at their roadmaps to see if and when password-less and Zero Trust appear. Bear in mind that proper network segmentation will mean that you should be able to manage this with a phased approach. 

Authenticate to external services – Use technologies such as SAML, OpenID Connect or OAuth to further prevent intrusion attempts. In addition to authenticating to external services, you can also securely manage users in external services using the System for Cross-domain Identity Management version 2 (SCIM2).

Joiners, Movers, Leavers – Ensure that your company’s JML process has provisioning, identity management and deprovisioning at its heart, so that joiners are subject to least privilege and need to know, movers’ accumulation of rights is avoided, and leavers’ removal of access is consistent.
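
As an added example (not code from the original post), here is a minimal joiners/movers/leavers model of the kind the paragraphs on roles and JML describe. Entitlements are always derived from an identity's current roles rather than stored per user, so a move replaces access instead of adding to it, and a leaver ends with no roles and no enrolled authenticators. The role names, entitlement strings and function names are constructed for the example.

```javascript
// Added example: role-derived entitlements for the JML lifecycle (constructed schema).
const ROLE_ENTITLEMENTS = {
  "finance-analyst": ["ledger:read", "reports:read"],
  "finance-manager": ["ledger:read", "ledger:approve", "reports:read"],
  "hr-partner": ["hr-records:read", "hr-records:write"],
};

// Effective access is computed from roles every time; there is no per-user list to drift.
function entitlementsFor(roles) {
  const set = new Set();
  for (const role of roles) {
    if (!(role in ROLE_ENTITLEMENTS)) throw new Error(`unknown role: ${role}`);
    for (const entitlement of ROLE_ENTITLEMENTS[role]) set.add(entitlement);
  }
  return [...set].sort();
}

function createDirectory() {
  const identities = new Map();
  const audit = [];
  const get = (id) => {
    const identity = identities.get(id);
    if (!identity) throw new Error(`unknown identity: ${id}`);
    return identity;
  };
  const diff = (before, after) => ({
    removed: before.filter((e) => !after.includes(e)),
    added: after.filter((e) => !before.includes(e)),
  });
  return {
    // Joiner: created with exactly the roles the business Champion approved.
    join(id, roles) {
      if (identities.has(id)) throw new Error(`identity already exists: ${id}`);
      if (roles.length === 0) throw new Error("a joiner needs at least one approved role");
      identities.set(id, { roles: [...roles], enabled: true, credentials: [] });
      audit.push({ event: "join", id, ...diff([], entitlementsFor(roles)) });
    },
    // Mover: the new role set REPLACES the old one; nothing is carried over.
    move(id, roles) {
      const identity = get(id);
      const before = entitlementsFor(identity.roles);
      identity.roles = [...roles];
      audit.push({ event: "move", id, ...diff(before, entitlementsFor(identity.roles)) });
    },
    // Leaver: identity disabled, roles cleared, enrolled authenticators revoked.
    leave(id) {
      const identity = get(id);
      const before = entitlementsFor(identity.roles);
      identity.enabled = false;
      identity.roles = [];
      identity.credentials = [];
      audit.push({ event: "leave", id, ...diff(before, []) });
    },
    enrolCredential(id, credentialId) { get(id).credentials.push(credentialId); },
    credentials(id) { return [...get(id).credentials]; },
    effectiveEntitlements(id) {
      const identity = identities.get(id);
      return identity && identity.enabled ? entitlementsFor(identity.roles) : [];
    },
    auditTrail() { return audit.map((entry) => ({ ...entry })); },
  };
}

// Walk one identity through join, move and leave and report what it could access at each stage.
function runJmlDemo() {
  const dir = createDirectory();
  dir.join("alice", ["finance-analyst"]);
  dir.enrolCredential("alice", "fido2-key-1");
  const asAnalyst = dir.effectiveEntitlements("alice");
  dir.move("alice", ["hr-partner"]);
  const asHrPartner = dir.effectiveEntitlements("alice");
  dir.leave("alice");
  return {
    asAnalyst, asHrPartner,
    afterLeaving: dir.effectiveEntitlements("alice"),
    credentialsAfterLeaving: dir.credentials("alice"),
    audit: dir.auditTrail(),
  };
}

console.log(JSON.stringify(runJmlDemo(), null, 2));
```

The audit trail records, for every event, exactly which entitlements were removed and added, which is the evidence a reviewer needs to show that a mover did not keep finance access after moving to HR.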

Devices – There is a need to uniquely identify every device which connects to the network and to understand its purpose, state of health, permitted connections and acceptable baseline behaviour. Since the network itself is regarded as hostile, the more we know about the devices which connect to it, the better we will be able to define the usage policies. 

The improved asset management enabled by knowing your devices to a greater level and storing them in a single directory will also provide a cost benefit by ensuring that any new devices will need to undergo just as stringent provisioning and deprovisioning as users, preventing devices from simply being ‘spun up’. 

  2. Classify all data and implement data management

Develop and implement a corporate data classification scheme for use throughout the business. Whilst there are some who think that 3rd parties can classify your data for you, this is simply not true. What 3rd parties can do is identify a bank account, a credit card number, a passport number and numerous other attributes within raw data but they CANNOT tell you which elements of data are valuable to the business, which documents are restricted or what audience should be able to see a prospective plan. To do this, you will need to classify your data according to bespoke corporate criteria. 

The data management plan will also need to contain categorisation data. Whilst these terms are often used interchangeably, for the purposes of this document classification is used to describe the criticality and sensitivity of a data element, whilst categorisation is used to describe use (for instance: project 007, not for publication, created 2020, destroy 2027, author alcato, etc.), basically any descriptor of the data item.

There are literally hundreds of data tags that can be added to each piece of data and, as long as these are agreed corporately and applied consistently, they are all useful. 

The data management plan should also consider the data lifecycle and which security measures should be applied at what point (Create, store, use, share, archive, destroy). 

  3. Identify or create a directory to manage strong user identities

Most companies will have directory services at present, whether that is Apache Directory Server, Microsoft Active Directory, Red Hat Directory Server or Apple Open Directory. To create a Zero Trust password-less environment, it would be prudent to involve your current directory service provider in transitioning to a new service which will support all of the functions you will require. 

The central directory will need to support all of the transitional functions such as importation, synchronisation and federation, as well as ongoing management of identities (user, service and device), tokens, keys and certificates. With this being the single most pivotal function in the whole enterprise, specific expert skills should be sought and, since attackers will also know that it is pivotal, the security measures applied to it should reflect the criticality of the asset.

User identities need to contain sufficient information to make them absolutely unique, define any and all access required or permitted, have a role or roles assigned to them and be placed in groups defining permissible actions so that policies created at a later stage can be applied. 

  4. Create device identities

As mentioned in step one, each device should be uniquely identifiable and stored in a single directory. This not only enables a central point from which to manage the assets but also allows for clear visibility of the devices which access services and your data. These requirements will also make it very difficult for a rogue device to gain any access to corporate assets as they will need to undergo a similar provisioning regime to users. 

When allowing requests from devices it should be remembered that there are varying levels of confidence you can have in the device identity. The highest level of confidence will be achieved by having a device identity which is stored on secure hardware such as a TPM but this will normally only be possible on company owned systems. Identities stored within key management software can also give assurance of varying degrees. 

Identities from devices belonging to another organisation will require a trust relationship to be established between the two organisations. Having a ‘trust’ relationship in a zero-trust environment sounds counterintuitive but, in this environment, it simply means that policies governing access by devices from outside of the primary domain will need to be enforced limiting access, time allowed and other factors. As well as knowing more about your own devices, you will also need to know more about all devices accessing your environment. 

  5. Authenticate on a ‘per connection’ basis

Otherwise known as ‘authenticate everywhere,’ in Zero Trust architecture, as previously stated, the network itself is regarded as hostile so all connections will require authentication. Additional authentication will also be required when switching between data classifications or security boundaries. 

Micro-segmentation would facilitate each process, service or function operating within its own security and authentication boundary and any identity leaving the boundary to access data or services in another boundary would require re-authentication. 

Whilst this may mean that authentication happens many hundreds of times for each identity each day, using multiple factors, we must remember that the attacker will also be required to navigate this and with the advances in MFA, the additional protection afforded is not possible with a password enabled environment. 

Multi-factor authentication becomes a pre-requisite in this environment but that does not mean, however, that the user experience has to be poor or that the user even has to be aware of much of the authentication. As mentioned earlier, use of password-less technology such as FIDO2 removes the onerous (and in some cases unwanted) user intervention. 

Requests between services also need to be authenticated. This is normally achieved using API tokens, frameworks such as OAuth or Public Key Infrastructure (PKI). Use mutual authentication wherever possible. 

  6. Closely monitor devices and services

The Zero Trust, password-less environment removes a lot of tools from the attacker’s toolkit, so it is important to focus monitoring on the most vulnerable components of the new environment: devices and services, as these will be the focus of the new-world attacker. 

Your monitoring should also be aimed at policy compliance and access request failures as these can highlight attack attempts as well as misconfigurations. In addition to highlighting anomalies, monitoring aimed at this area can also demonstrate policy compliance. 

In the traditional environment, devices could be placed into VLANs, in a walled garden or on an isolated network segment but since the network in the Zero Trust environment is considered to be untrusted there is little point in monitoring it. So, the monitoring must be moved backward to the trusted elements (devices and services). 

Correctly selecting your log sources and refining your monitoring will allow trusted, identified, authenticated components to be able to interoperate in an efficient manner whilst immediately recognising illicit behaviour, untrusted devices or unauthorised data access attempts. 
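
To make the monitoring advice in this step concrete, here is an added example (not from the original post) of detection logic run over constructed access-decision log lines of the kind a policy enforcement point would emit. It flags three of the things the step calls out: repeated policy denials for one identity inside a short window (attack attempt or misconfiguration), requests from a device that is not in the directory, and attempts to read data above the identity's clearance; it also produces a per-policy allow/deny summary as a compliance view. The log format, field names and thresholds are this example's own assumptions.

```javascript
// Added example: detection rules over constructed access-decision log lines.
const SAMPLE_LOG = [
  '{"ts":"2020-12-18T09:00:01Z","identity":"alice","device":"lt-0413","deviceKnown":true,"policy":"finance-ledger","decision":"allow"}',
  '{"ts":"2020-12-18T09:00:07Z","identity":"bob","device":"lt-0221","deviceKnown":true,"policy":"hr-records","decision":"deny","reason":"classification above clearance"}',
  '{"ts":"2020-12-18T09:01:12Z","identity":"bob","device":"lt-0221","deviceKnown":true,"policy":"hr-records","decision":"deny","reason":"classification above clearance"}',
  '{"ts":"2020-12-18T09:02:30Z","identity":"bob","device":"lt-0221","deviceKnown":true,"policy":"hr-records","decision":"deny","reason":"classification above clearance"}',
  '{"ts":"2020-12-18T09:03:00Z","identity":"svc-backup","device":"unknown-7f3a","deviceKnown":false,"policy":"storage-api","decision":"deny","reason":"device not in directory"}',
  '{"ts":"2020-12-18T09:45:00Z","identity":"carol","device":"lt-0105","deviceKnown":true,"policy":"finance-ledger","decision":"deny","reason":"device compliance failed"}',
  'this line is not JSON and must be counted, not silently dropped',
  '{"ts":"2020-12-18T10:10:00Z","identity":"carol","device":"lt-0105","deviceKnown":true,"policy":"finance-ledger","decision":"allow"}',
];

function parseLog(lines) {
  const events = [];
  let malformed = 0;
  for (const line of lines) {
    try {
      const event = JSON.parse(line);
      event.time = Date.parse(event.ts);
      if (Number.isNaN(event.time)) throw new Error("bad timestamp");
      events.push(event);
    } catch {
      malformed += 1;  // a parser that drops bad lines quietly would hide tampering or a broken source
    }
  }
  return { events, malformed };
}

function analyseAccessLog(lines, { denyThreshold = 3, windowMs = 5 * 60 * 1000 } = {}) {
  const { events, malformed } = parseLog(lines);
  const findings = [];
  const seen = new Set();
  const flag = (finding) => {           // de-duplicate identical findings
    const key = JSON.stringify(finding);
    if (!seen.has(key)) { seen.add(key); findings.push(finding); }
  };

  // Rule 1: denyThreshold denials for one identity inside a sliding time window.
  const denialTimes = new Map();
  for (const e of events) {
    if (e.decision !== "deny") continue;
    if (!denialTimes.has(e.identity)) denialTimes.set(e.identity, []);
    denialTimes.get(e.identity).push(e.time);
  }
  for (const [identity, times] of denialTimes) {
    times.sort((a, b) => a - b);
    for (let i = 0; i + denyThreshold <= times.length; i++) {
      if (times[i + denyThreshold - 1] - times[i] <= windowMs) { flag({ rule: "repeated-denials", identity }); break; }
    }
  }

  // Rule 2: any request from a device that is not in the directory.
  // Rule 3: any attempt to read data classified above the identity's clearance.
  for (const e of events) {
    if (!e.deviceKnown) flag({ rule: "untrusted-device", identity: e.identity, device: e.device });
    if (e.reason === "classification above clearance") flag({ rule: "over-clearance-access", identity: e.identity, policy: e.policy });
  }

  // Compliance view: allow/deny counts per policy, useful for spotting a policy that denies everyone.
  const compliance = {};
  for (const e of events) {
    const counts = compliance[e.policy] || (compliance[e.policy] = { allow: 0, deny: 0 });
    counts[e.decision] += 1;
  }
  return { findings, compliance, malformed };
}

console.log(JSON.stringify(analyseAccessLog(SAMPLE_LOG), null, 2));
```

Carol's single denial followed by a successful login 25 minutes later never trips the repeated-denial rule, which is the kind of refinement the paragraph above asks for: the threshold and window keep ordinary friction out of the alert queue while Bob's three over-clearance attempts in under three minutes surface immediately.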

  7. Create policies to clearly define permitted use cases

The policies which govern the new environment tie together all of the other components to create a usable, secure and business enabling environment. 

Creating a policy will require consideration of identification, authorisation, role, permissions, device compliance, monitoring requirements and much more. The policy engine which checks all policies triggered by an access request is pivotal to ensuring that appropriate, authorised connections and access are permitted in an efficient manner and that all anomalies are blocked, recorded and managed according to the treatment plan controlled by another set of policies governing escalation and anomaly management. 

Where the policy enforcement sits will depend on the physical infrastructure and the architectural blueprint in use at your individual organisation. For instance, policy enforcement can take place at a reverse proxy, which can enforce policies at several layers up to the application layer, or at an SDP (Software Defined Perimeter) controller, which enforces policies at the network layer. In most environments, a mixture of methods would be applied. 
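
As an added example (not code from the original post, nor from any product), here is a small policy engine that evaluates one access request the way this step, the least-privilege point in the Zero Trust section, the device-identity confidence levels of step 4 and the micro-segment re-authentication of step 5 describe. It checks that the session was authenticated with at least two password-less factors, that the device's assurance level (TPM-backed, software key, or unknown) and compliance state are sufficient for the data classification, that the identity holds a permitted role with adequate clearance, and finally whether the request crosses a micro-segment boundary, in which case the answer is "re-authenticate" rather than "allow". All denial reasons are collected rather than stopping at the first, so the same result can feed both the monitoring of step 6 and the explanatory message back to the user. The classification levels, device assurance scale, field names and sample identities are this example's own assumptions.

```javascript
// Added example: policy engine for one access request (constructed schema and levels).
const CLASSIFICATION_LEVEL = { public: 0, internal: 1, confidential: 2, restricted: 3 };
// Device identity confidence: a TPM-backed identity is highest, a software key lower, unknown none.
const DEVICE_ASSURANCE = { unknown: 0, software: 1, tpm: 2 };
// Minimum device assurance required to touch each classification of data.
const MIN_DEVICE_FOR_CLASSIFICATION = { public: 0, internal: 1, confidential: 1, restricted: 2 };

function evaluateAccess(request, resource) {
  const { identity, device, session } = request;
  const reasons = [];

  if (!identity.enabled) reasons.push("identity is disabled");

  // Authenticate everywhere: no password-only sessions, at least two factors.
  if (session.factors.length < 2 || session.factors.includes("password")) {
    reasons.push("session must be authenticated with at least two password-less factors");
  }

  // Device identity and health must be good enough for the data being requested.
  const deviceLevel = device.trust in DEVICE_ASSURANCE ? DEVICE_ASSURANCE[device.trust] : 0;
  if (deviceLevel < MIN_DEVICE_FOR_CLASSIFICATION[resource.classification]) {
    reasons.push(`device assurance '${device.trust}' is below what '${resource.classification}' data requires`);
  }
  if (!device.compliant) reasons.push("device does not meet the compliance baseline");

  // Need to know and least privilege: a permitted role and sufficient clearance.
  if (!resource.permittedRoles.some((role) => identity.roles.includes(role))) {
    reasons.push(`no permitted role; ask your business Champion to add one of: ${resource.permittedRoles.join(", ")}`);
  }
  if (CLASSIFICATION_LEVEL[identity.clearance] < CLASSIFICATION_LEVEL[resource.classification]) {
    reasons.push(`clearance '${identity.clearance}' is below classification '${resource.classification}'`);
  }
  if (reasons.length > 0) return { decision: "deny", reasons };

  // Micro-segmentation: leaving the segment the session was authenticated in
  // requires a fresh authentication before anything in the new segment is touched.
  if (session.segment !== resource.segment) {
    return { decision: "reauthenticate", reasons: [`crossing micro-segment boundary ${session.segment} -> ${resource.segment}`] };
  }
  return { decision: "allow", reasons: [] };
}

// Constructed identities, devices and resources to exercise the engine.
function runPolicyDemo() {
  const alice = { id: "alice", enabled: true, roles: ["finance-analyst"], clearance: "confidential" };
  const ledger = { name: "ledger", segment: "finance", classification: "confidential", permittedRoles: ["finance-analyst", "finance-manager"] };
  const payroll = { name: "payroll", segment: "hr", classification: "restricted", permittedRoles: ["hr-partner"] };
  const tpmLaptop = { id: "lt-0413", trust: "tpm", compliant: true };
  const byodPhone = { id: "phone-9", trust: "software", compliant: true };
  const session = { segment: "finance", factors: ["fido2", "device-certificate"] };
  return {
    ledgerFromLaptop: evaluateAccess({ identity: alice, device: tpmLaptop, session }, ledger),
    ledgerFromPhone: evaluateAccess({ identity: alice, device: byodPhone, session }, ledger),
    payrollFromLaptop: evaluateAccess({ identity: alice, device: tpmLaptop, session }, payroll),
    ledgerInOtherSegment: evaluateAccess({ identity: alice, device: tpmLaptop, session }, { ...ledger, segment: "reporting" }),
    passwordOnlySession: evaluateAccess({ identity: alice, device: tpmLaptop, session: { segment: "finance", factors: ["password"] } }, ledger),
  };
}

console.log(JSON.stringify(runPolicyDemo(), null, 2));
```

Whether this function runs inside a reverse proxy or an SDP controller is an architecture decision; what matters is that every enforcement point asks the same engine, so the decision for a given identity, device and resource does not depend on which path the request took.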

The monitoring and reporting of access requests also needs to be thought out with security and business use in mind: not only how you are going to record invalid access attempts, but also what message you are going to relay back to the user to explain why access is denied and how to have it added to their identity if it is required. 

  8. Ensure that other security functions align

With the other steps in place, or during the implementation phase of them, ensure that all of the other security functions such as encryption, tokenisation, roles, reporting, security metrics, processes, procedures, etc, align with the Zero Trust and password-less architecture so that there is a single security fabric around the environment and the data which interoperates and offers assurance to the business that the corporate assets are secure. 

Summary 

Zero Trust and password-less technology together with rigorous data classification and encryption reduce the attack surface of the most vital corporate asset, information, to a point where true assurance can be given that the Crown Jewels are as safe as they can currently be. 

Adopting this technology will do away with password harvesting (phishing) emails, which have been the primary attack vector, thus dramatically decreasing the attack surface for bad actors and offering assurance to senior management that security is a primary consideration. 

Another benefit from this approach is that any new product or service which enters the environment will necessarily have to be considered in terms of security and technology offering. In itself, this will lead to a culture of innovation where the business feels safe to develop truly challenging requirements with the knowledge that Security and Technology can enable them.