Assume the network is hostile and deal with it

By Kirsten Doyle
Johannesburg, 12 Nov 2020

When it comes to cyber security, over the past decade the question for most businesses has been when, and not if, something bad was going to happen. 

Security needed to be viewed from a different perspective: assume the network is already compromised, and ask the important question of what could be done differently.

This is the principle behind zero trust, said Hans-Robert Vermeulen, manager: SaaS Solution Sales Specialists team, EMEA, SailPoint, speaking during the ITWeb Cloud Webinar Series this week. 

“The term zero trust was first coined by John Kindervag at Forrester in 2010, and he used it to describe a different way of thinking about enterprise security – don't rely on the network to keep yourself safe. Instead, accept the fact that there's danger and risk and deal with it.”

Assume the network is hostile

He stressed that zero trust is an approach, not a product or protocol. “It says 'assume the network is hostile'. That does not mean giving up on network security and opening the door for the bad guys. It simply means accepting the idea that the adversary can and ultimately will see your assets. Accept that fact and focus on overlaying controls and governance over who gets access to what.”

It is critical to understand user access patterns, where people come from, and how they connect, and build context about who should have access and why. 

“Zero trust says to focus on the details, and understand and manage fine-grained access controls. Catalogue your entitlements because, ultimately, zero trust is all about understanding and managing fine-grained access risk. Make identity and access governance a serious core competency, particularly these days since COVID sent entire workforces home to work.”

Three pillars

There are three specific things that SailPoint does that become the pillars supporting a zero trust approach, he said. "Implementing least privilege, building a model-based lifecycle, and delivering predictive controls."

1. Least privilege

Firstly, Vermeulen said least privilege simply means giving people only the access they need to get the job done. When an account is compromised the footprint is smaller and there is less that can be done with that account, and for that reason it is mandated by GDPR and many other regulations. "So the question is, how do you apply this for zero trust? The answer starts with inventory and visibility, because you cannot manage what you cannot see. Least privilege for zero trust requires an entitlement catalogue and a full inventory of access."

The second element of least privilege for zero trust is least access, which means thinking differently about providing access in the first place, and also being diligent with access reviews, which are often too focused on granting the most access because it may come in handy. We should give out less access by default, which only makes sense when it is supported by self-service capabilities to manage exceptions quickly, complemented by intelligent self-service, highly automated provisioning and fast approvals, he added.

2. Model-based lifecycle

The second pillar supporting zero trust is a model-based lifecycle, which is a key differentiator between basic provisioning and what we all understand to be identity governance. A model-based lifecycle means putting well-known and well-understood entitlement models in place.

“We also need ownership and approval definitions that overlay responsibility and ownership for all the things we care about, and trigger and change control models that carry out defined actions. For example, when underlying identity data changes, such as when people move departments, allowing us to automatically change the access accordingly,” Vermeulen explained.
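One way to implement the trigger and change control model Vermeulen describes, as an added example in Python that is not SailPoint's code: it assumes a constructed department-to-entitlement model (ROLE_MODEL), a constructed map of entitlements that need an owner's sign-off (APPROVAL_REQUIRED), and a plan/apply pair that reacts to a department change by revoking the old department's access and granting what the new model calls for, holding approval-gated entitlements until the named owner approves them.

```python
"""Model-based access lifecycle (added example, not SailPoint's code).

Assumptions not taken from the article: a department-keyed entitlement
model, an ownership/approval map per entitlement, and a trigger that reacts
to an identity attribute change by computing the access delta and emitting
provisioning actions.
"""
from dataclasses import dataclass, field

# Constructed entitlement model: department -> entitlements the role grants.
ROLE_MODEL = {
    "finance": {"erp:ledger-read", "erp:payments-approve", "mail:standard"},
    "engineering": {"git:write", "ci:trigger", "mail:standard"},
    "hr": {"hris:employee-read", "mail:standard"},
}

# Constructed ownership/approval definitions: entitlements that need an
# owner's sign-off before they are granted; everything else is auto-provisioned.
APPROVAL_REQUIRED = {
    "erp:payments-approve": "finance-controller",
    "hris:employee-read": "hr-director",
}


@dataclass
class Identity:
    name: str
    department: str
    access: set = field(default_factory=set)


@dataclass(frozen=True)
class Action:
    kind: str          # "grant" | "revoke" | "request_approval"
    entitlement: str
    approver: str = ""


def desired_access(department):
    """Access the model says an identity in this department should hold."""
    return set(ROLE_MODEL.get(department, set()))


def plan_changes(identity, new_department):
    """Trigger: identity data changed. Return the ordered actions that bring
    current access in line with the model for the new department."""
    target = desired_access(new_department)
    to_revoke = identity.access - target
    to_grant = target - identity.access
    actions = []
    # Revoke first so the old department's access never lingers.
    for ent in sorted(to_revoke):
        actions.append(Action("revoke", ent))
    for ent in sorted(to_grant):
        if ent in APPROVAL_REQUIRED:
            actions.append(Action("request_approval", ent, APPROVAL_REQUIRED[ent]))
        else:
            actions.append(Action("grant", ent))
    return actions


def apply_changes(identity, new_department, approved=frozenset()):
    """Change control: apply the plan. Approval-gated grants are applied only
    when the entitlement is listed in `approved`; the rest are returned as
    pending requests for the named owner."""
    pending = []
    for action in plan_changes(identity, new_department):
        if action.kind == "revoke":
            identity.access.discard(action.entitlement)
        elif action.kind == "grant":
            identity.access.add(action.entitlement)
        elif action.entitlement in approved:
            identity.access.add(action.entitlement)
        else:
            pending.append(action)
    identity.department = new_department
    return pending


if __name__ == "__main__":
    alice = Identity("alice", "finance", desired_access("finance"))
    for a in plan_changes(alice, "hr"):
        print(a)
    print("pending approvals:", apply_changes(alice, "hr"))
    print("access now:", sorted(alice.access))
```

Running it moves a constructed finance user to HR: both finance entitlements are revoked immediately, the shared mail entitlement is untouched, and the HR entitlement waits for the HR director rather than being granted because the model happens to list it.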

3. Predictive controls

The third and final pillar of identity governance supporting a zero trust approach is predictive controls, and this is where we solicit the help of artificial intelligence because we need to simplify things for our users, said Vermeulen.

“For example, it's not uncommon to ask managers to perform an exit review with literally hundreds of decision points. Yet many of these could be simplified, we could build better roles to reduce the number of decision points. We could filter access that everyone has or access we really should not care about from a risk perspective, and just pre-approve it. We should focus on the access that really poses a risk to the company, and help people make better decisions in the first place. And this is why we need AI because AI can look at our data in ways that no human can.”

Cloud platform security

This, said Vermeulen, is a zero trust approach driven by identity governance. 

“So how do we apply this to cloud platform security, what's different? Cloud platforms such as Azure, AWS and GCP form a bit of an obstacle – they come with complexities that pose a challenge to governance. Firstly, these cloud platform environments are super rich in entitlements. If you thought SAP was complex, you were right, but it’s nothing compared to AWS, Azure and GCP.”

Next, he said, with cloud platforms, identity isn't simply a human entity anymore. “All of a sudden a piece of code, like an AWS Lambda or a virtual machine, becomes an identity that also has access to your data and needs to be controlled and governed. Thirdly, all access is granted indirectly through policies, which makes it impossible to get a simple view of these platforms as to who really has access to what – and this is the most basic thing we need to understand in our pursuit for zero trust. Looking at a membership list on a role or group isn't telling you anything.”

He said SailPoint is using AI to answer that basic question. “You have to traverse every single access path, every role that can be assumed, every policy associated with either the object identities, groups or roles, to be able to understand what access and identity result from this privilege-rich environment. Most access that is granted is heavily over-privileged because it is so difficult to understand. A simple virtual machine that is easy to instance in AWS has over 300 privileges. This is often the case because DevOps teams are measured on the speed at which they can roll out new functions. They obviously aren't keen on security in a broad sense but they do tend to grant way too much access to keep things simple.”

Ultimately, he said, over-privileged access means you are exposed to risk. “We need to be able to see what access is actually being used. Unused access exists in each cloud platform environment, and you absolutely need to mitigate that to give zero trust a chance.”
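The two points above, traversing every access path (direct policies, group membership and assumable roles, including roles that chain to other roles) to see who really has what, and then comparing that with the access actually used, as an added Python example that is not SailPoint's code. The policy, group and role tables are a constructed, simplified abstraction rather than any provider's real schema, and the usage log is constructed; the function names effective_access and unused_access are this example's own.

```python
"""Effective-access traversal and unused-access detection for a cloud
platform (added example, not SailPoint's code). The data model below is a
constructed simplification: identity -> groups -> attached policies, plus
roles a principal may assume, which may in turn assume further roles."""
from collections import defaultdict, deque

# Constructed policies: policy name -> actions it allows.
POLICIES = {
    "ReadOnlyStorage": {"storage:GetObject", "storage:ListBucket"},
    "DeployApp": {"compute:StartInstance", "compute:StopInstance"},
    "AdminKeys": {"kms:Decrypt", "kms:CreateKey", "kms:ScheduleKeyDeletion"},
    "BuildLogs": {"logs:PutEvents"},
}
# Policies attached directly to identities, groups and roles.
ATTACHED = {
    "user:dev-1": {"ReadOnlyStorage"},
    "group:developers": {"DeployApp"},
    "role:release-admin": {"AdminKeys"},
    "role:ci-runner": {"BuildLogs"},
    "svc:build-pipeline": set(),   # a non-human identity (a piece of code)
}
GROUPS = {"user:dev-1": {"group:developers"}}
# Roles each principal may assume; roles can chain to other roles.
ASSUME = {
    "group:developers": {"role:ci-runner"},
    "role:ci-runner": {"role:release-admin"},  # indirect path that hides admin access
    "svc:build-pipeline": {"role:ci-runner"},
}


def effective_access(principal):
    """Breadth-first traversal of every access path from `principal`.
    Returns {action: [path, ...]} where each path lists the hops
    (groups, assumed roles) and ends with the policy that grants the action."""
    result = defaultdict(list)
    seen = {principal}
    queue = deque([(principal, [principal])])
    while queue:
        node, path = queue.popleft()
        for policy in ATTACHED.get(node, set()):
            for action in POLICIES[policy]:
                result[action].append(path + ["policy:" + policy])
        for nxt in GROUPS.get(node, set()) | ASSUME.get(node, set()):
            if nxt not in seen:          # guards against role cycles
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return dict(result)


def unused_access(principal, usage_log):
    """Granted actions never seen in the usage log: the unused access the
    talk says must be mitigated before zero trust has a chance."""
    used = {line.split()[1] for line in usage_log if line.split()[0] == principal}
    return sorted(set(effective_access(principal)) - used)


# Constructed usage log, one "<principal> <action>" record per line.
USAGE_LOG = [
    "user:dev-1 storage:GetObject",
    "user:dev-1 compute:StartInstance",
    "svc:build-pipeline logs:PutEvents",
]

if __name__ == "__main__":
    for p in ("user:dev-1", "svc:build-pipeline"):
        print(p, "unused:", unused_access(p, USAGE_LOG))
        for action, paths in sorted(effective_access(p).items()):
            print("   ", action, "via", " -> ".join(paths[0]))
```

The group membership list for user:dev-1 shows only a deployment policy, but the traversal surfaces key-management rights reached through two chained role assumptions, and the build-pipeline identity holds the same admin rights while using only one logging action. Against real provider data the same walk would also need to evaluate deny statements, conditions and resource scoping, which this abstraction leaves out.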

* SailPoint sponsored a webinar on A zero trust approach to cloud platform security as part of an ITWeb cloud webinar series from 10-12 November 2020.