Trust no one, device, identity or network resource. Zero Trust has now become one of the most important security models. The concept is simple and intuitive: implicit trust is a vulnerability in itself, which attackers can exploit for lateral movement and access to sensitive data. The Zero Trust approach attempts to mitigate this risk by eliminating implicit trust from the corporate environment.
Zero Trust always assumes that a security breach has already occurred: an attacker has managed to bypass some of the defenses in place and gain a foothold in the enterprise environment. In the next phase of the attack, the attacker moves laterally through the network, accessing additional resources until they find valuable data or assets. The Zero Trust model aims to significantly limit the damage once an attacker is inside the corporate environment.
To date, Zero Trust has primarily been implemented at the network layer by rebuilding the network infrastructure and dividing it into multiple micro-perimeters with segmentation gateways. Recently, however, another zero trust approach that focuses on the identity layer rather than the network aspect is gaining traction.
Network-Based vs. Identity-Based Zero Trust
Zero Trust is designed to prevent malicious access to resources within the corporate environment. While such access is performed by a device over a network connection, it also requires the user to authenticate to the resource. In an implicit trust environment, if this user account is compromised, an attacker can use it to freely access any resource or move laterally in the network. A Zero Trust model can therefore also be achieved if the granular verification is applied not to the network connection but to the authentication itself. Both network segmentation rules and risk-based authentication policies are useful tools to block malicious access attempts. However, the latter are easier to implement and in many cases offer higher granularity and better risk detection capabilities.
How identity-based Zero Trust works in detail
Identity-based Zero Trust relies on assessing risk and enforcing secure access controls whenever a user attempts to access a corporate resource. Each access request is monitored – regardless of where the user is located or whether the resource being accessed is on-premises or in the cloud. In addition, the risk associated with the access request is always analyzed and adaptive, risk-based policies are enforced throughout the network, both on-premises and in hybrid environments. Access to the resource is granted only after a detailed risk analysis of the user’s authentication activity and is valid for a specific access request. This risk analysis should be carried out for each individual access attempt.
Today’s enterprise environment encompasses multiple types of resources: physical servers, SaaS applications, cloud workloads, file shares, on-premises applications, and many others. Identity-based zero trust means that the following criteria are met:
• Each user account is considered compromised, i.e. untrustworthy, until proven otherwise.
• A user account is trusted only after it has been validated and only for a single resource access.
• If the user tries to access another resource after a validated access request, they must be validated again.
For example, consider a remote user who has authenticated to the corporate VPN. Once in the internal environment, this user now tries to access a file server. Identity-based Zero Trust would never assume that this user account is trustworthy based on a mere successful VPN authentication, but would always check this access and user for trustworthiness again.
The identity-based Zero Trust evaluation process includes:
1. Continuous monitoring: All access requests made by all user accounts to any type of local or cloud resource are monitored, and a comprehensive audit trail is created.
2. Risk Analysis: For each individual access attempt, the probability that the user is actually compromised is evaluated. This risk determination is based on the analysis of user behavior, the audit trail and various contextual parameters.
3. Enforcement of real-time access policies: Based on the calculated risk, access is allowed, blocked, or stepped up with multi-factor authentication (MFA).
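As an added illustration (not code from the original article or from any vendor product), the following minimal risk engine in Python follows these three steps and re-scores the VPN-then-file-server scenario above on every request rather than inheriting trust from the VPN login; the request fields, scoring weights, working hours and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str   # e.g. "vpn", "fileserver01", "saas/crm"
    source_ip: str
    hour: int       # hour of day (0-23) at which the request was made


@dataclass
class IdentityZeroTrustEngine:
    """Hypothetical engine for the three-step loop: audit, score, enforce."""
    mfa_threshold: int = 2    # score at or above this: step up to MFA
    block_threshold: int = 4  # score at or above this: deny the access
    history: dict = field(default_factory=lambda: defaultdict(list))

    def risk_score(self, req: AccessRequest) -> int:
        """Step 2: estimate how likely it is that this account is compromised."""
        past = self.history[req.user]
        score = 0
        # Context: source never seen for this account. An account with no
        # baseline at all scores the same way: untrusted until proven otherwise.
        if req.source_ip not in {p.source_ip for p in past}:
            score += 2
        # Context: access outside normal working hours (assumed 07:00-19:59).
        if req.hour < 7 or req.hour >= 20:
            score += 1
        # Behaviour: a resource this account has never touched before.
        if past and req.resource not in {p.resource for p in past}:
            score += 1
        # Lateral-movement signal: the account has fanned out across several
        # distinct resources within its last few requests.
        if len({p.resource for p in past[-5:]}) >= 3:
            score += 2
        return score

    def evaluate(self, req: AccessRequest) -> str:
        """Steps 1 and 3: record the request, then allow / mfa / block it.
        Nothing carries over from an earlier success (e.g. the VPN login):
        the next resource access is scored from scratch."""
        score = self.risk_score(req)
        self.history[req.user].append(req)  # audit trail, whatever the outcome
        if score >= self.block_threshold:
            return "block"
        if score >= self.mfa_threshold:
            return "mfa"
        return "allow"
```

Every request, including a blocked one, lands in the audit trail, and a legitimate user with an established baseline pays the MFA step-up only when their own behaviour deviates from it.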
The benefits of identity-based Zero Trust
An identity-based Zero Trust approach has significant implementation, management, and security benefits:
• Simple and easy to implement: Unlike network-based Zero Trust, no infrastructure changes and no associated downtime are required. There is nothing to rip out and replace.
• High granularity: Focusing on the user rather than the network segment ensures that risk analysis is performed for each resource access, in contrast to a network-based approach that can only enforce this check at the segment gateway and has no visibility into the individual resources within the segment itself.
• Improved ability to detect anomalies and threats: An attacker’s movement within the corporate environment is anomalous compared to legitimate users. Performing security checks on every resource access increases the likelihood of discovering hidden malicious activity.
It is critical that security officers are able to monitor, analyze and enforce an access policy on every single access attempt in real-time: for every user, every resource and every access interface. This is a basic requirement, without which organizations receive only partial protection and the value of the Zero Trust model is nullified. For this reason, organizations should consider implementing a unified identity protection platform.
Unified Identity Protection: Identity-Based Zero Trust in Practice
Unified Identity Protection is specifically designed to protect against identity-based attacks that use compromised user credentials to access corporate resources. This allows companies to fully enforce an identity-based Zero Trust architecture in modern corporate environments.
Unified Identity Protection consolidates security controls across enterprise networks and cloud environments to mitigate identity-based attacks. Using agentless and proxyless technology, a unified identity protection solution integrates with any existing IAM solution (such as AD, ADFS, RADIUS, Azure AD, Okta, Ping Identity, AWS IAM, etc.) and extends its coverage to assets that previously could not be protected: homegrown and legacy applications, IT infrastructure, file systems, command-line tools, machine-to-machine access and more. The solution continuously monitors all user and service account access in both cloud and on-premises environments, analyzes risk in real time using an AI-based engine, and enforces adaptive authentication and access policies.
With the flood of sophisticated attacks, traditional security approaches alone are no longer sufficient to ensure corporate security. It can be assumed that attackers are already in the network unnoticed. A full Zero Trust approach that includes the identity layer can significantly strengthen the defenses to protect valuable data and assets.