Back in 2012 I started working with ISO on the development of standards. I have represented Ireland on matters relating to Cybersecurity and Software for a decade and more now, working on several standards and have even been the convener and lead editor on two standards. I’ve worked on the ISO 27000 family of security standards and the 19770 family of IT Asset Management standards. I’ve worked with global enterprises and several government agencies and intelligence organizations on both sides of the Atlantic to enhance their security and/or help them develop new security policies and national standards.
That’s all a preamble to give you the idea that I know whereof I speak when it comes to (at least some elements of!) security – and the core message of this blog is that the traditional thinking around Zero Trust leaves holes open that can be closed.
Zero Trust is admirable. I would say that it’s a crucial backbone and mainstay of any modern security playbook. With the hybrid workplace a reality for the majority of organizations, the perimeter is more dead that it has ever been. However, the things organizations typically go to implement first when adopting Zero Trust may not be the best, most effective ways to achieve the goals of Zero Trust. Effectively reducing risks, beyond what’s possible with Zero Trust is simple and easy to achieve.
Treat all devices and users as though they are external, and grant access only to what is needed as needed. That’s what Zero Trust says to do, is it not?
BUT… if we only need allow access to resources on an as needed basis, why then do we leave things like network protocols available even when no-one is using them? Why allow users to have privileges like admin rights or access to configure a printer until and unless they need them?
I get it – the question seems almost stupid – “Because someone may WANT to use the protocol/add a printer/install some software/whatever, at any time!” … that’s ok. I may want to get water from my tap or light from a bulb at any time – I can do that, without major effort, but I don’t leave my taps running and bulbs lit at all times, I switch them on and off on-demand.
The problem is that most people think you can’t enable or disable a protocol in the same way you can turn on a light switch – that the request will take time to be parsed by some system making connection speeds too slow. They may also think that appropriately identified offline users can’t make exceptions to security controls around privileges like Local Admin rights, or USB drive access controls. That’s because they don’t know the capabilities of the 1E platform.
I first covered this concept way back in 2017. The initial focus was protocols that allow remote access to devices – RDP and SSH. As per this 2020 blog, RDP is an attack vector and entry point in more Ransomware attacks even than email phishing. If you move those protocols to on-demand, with real-time (we’re talking milliseconds here) enablement when users want to access remote systems – you massively reduce your attack surface, with almost zero negative user experience impact.
1E is all about DEX – and security controls can be a bugbear with users. In my role with 1E, I often need to have Local Admin access to create new automations or test functionality which access various “admin only” parts of Windows, macOS or Linux operating systems. Starting as a “regular” user, even while offline I can get access to (for example) Local Admin, with MFA and it’ll work.
The first authentication factor is the fact I’m logged in to Windows. The access is granted based on the AD groups I’m a member of. The second factor is a specific PIN that can be setup so that if I walk away from my machine without locking it and someone clicks the desktop icon for self-service that allows me to elevate to admin – they also need to know this PIN. It can’t be spoofed, it isn’t my Windows password – no bad actor can take advantage of this facility, even when they have their hands on my device and it’s logged in already.
These are TRUE Zero Trust capabilities, which more fundamentally reduce attack vectors, without compromising end-user experience.
Talk to 1E today to find out how you can improve on “old-fashioned” Zero Trust concepts and truly protect your organizations users, devices and data.