Zero Trust: The Case for Just-in-Time Access
by JD Sherry, on Dec 03, 2020
The concept behind Zero Trust is simple. When you’re designing security, as Forrester alum and concept founder John Kindervag says, “never trust, always verify.” In practice, that means giving users just what they need, when they need it, and nothing more.
That sounds great. So, why hasn’t everyone committed to Zero Trust 100%?
Confronting Zero Trust inertia
Even ten years on, Zero Trust isn’t always a quick sell to IT groups. When you bring up the idea, people say that Zero Trust:
- “takes too much time”
- “is too hard to do”
- “costs too much”
Those arguments miss a critical point. A lot of IT departments are already doing Zero Trust. They’re just not calling it that.
They might be calling it micro-segmentation, or something else. But micro-segmentation is really just a first step toward adopting Zero Trust.
Risks of ignoring Zero Trust
In the first stages of adopting Zero Trust, many organizations get stuck at “complete trust” and just-in-case administration, when they should be moving to zero trust and just-in-time administration.
The risks of ignoring Zero Trust, or botching its implementation, are too great.
Think about what any of these can do to your organization:
- Hefty fines related to GDPR
- Impact on brand reputation following a breach
It might seem like ages ago, but let’s look back at the 2017 ransomware attack launched at Merck. Merck’s employees logged into their computers and were told that they could recover their files only if they paid $300 in bitcoin—per computer. The ransomware, named NotPetya, was eventually traced to Russia’s military intelligence agency.
The fallout lasted weeks, crippling 30,000 workstations and 7,500 servers, and it hit the business too. Merck couldn’t produce enough Gardasil 9—their HPV vaccine—that year and had to borrow 1.8 million doses.
Later on, Merck’s $1.75 billion insurance claim got denied, because their policy didn’t cover acts of war. In the end, they lost $1.3 billion.
Adopting Zero Trust Architecture (ZTA) could have helped.
Zero Trust as a journey
IT groups often take that first step toward Zero Trust with micro-segmentation, but it is just that: the first step in a larger journey. Zero Trust is not a plug-and-play solution. It’s a commitment, a strategy, and a journey that becomes all-encompassing within your enterprise. It must be part of your security culture.
No one is thinking about Zero Trust for admin access control. Up until now, it has had a networking focus, and that sells the philosophy short. It can be applied to any discipline or asset you’re trying to protect, and it belongs in access control, especially the control of administrative access.
Zero Trust has evolved to protect resources, not just network segments. That’s increasingly critical as companies continue to take on more remote workers and assets become increasingly cloud-based. NIST points out that we can’t just rely on enterprise-owned network boundaries anymore. Technology, our resources, and our world have evolved beyond them.
How do you do (and not do) Zero Trust?
When they’re first starting out on Zero Trust, companies often go “too big, too fast,” said Forrester’s Chase Cunningham in my recent Cyber Wednesday podcast. He’s right. They’re big companies. They want to roll it out to thousands of users.
Then analysis paralysis hits.
They stop short before they discover Zero Trust’s real value. To get Zero Trust right, you need to start small, with 40 or 50 users or workloads, and take the time to get it right. Then, once it’s in place, you evolve the process out to larger groups.
You start with your philosophy toward security. Perimeter-based security means you’re making assumptions about trust. Zero Trust assumes that you’ve already been breached and asks, “what do we do now?”
The obvious next step is identity. In a perimeter-less world, identity is the new perimeter (and the attack surface). Not just the identity itself (e.g., username, password, authentication token, biometrics), but the access it provides. Effectively verifying the identity ensures the right person is on the network, and right-sizing their access ensures resources are not exposed or abused even if the identity is compromised.
Taking a risk-based approach, you want to start with the users you need to trust the most and who can do the most damage: your administrators, developers, and other users with elevated or privileged access. Their identities are prime targets for attackers, primarily because of the elevated access they provide and the sensitive resources they can reach.
So, zero trust also means we start with zero trust for privileged users, relying less on authentication and more on controlling the access given to them. Zero Trust has been a long time coming. Legacy Privileged Access Management (PAM) focuses on authentication, not access, and this leads to high residual risk and high friction, not better security. That’s where Zero Trust comes in.
Zero trust means you don’t give administrators 24x7 access in perpetuity. You move toward just-in-time Zero Trust access.
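To make the difference between standing and just-in-time administration concrete, here is an added example (not code from the article or from any product it mentions) that models a small JIT access broker: eligibility is separated from access, every elevation is bounded by an explicit window and a policy ceiling, access silently lapses when the window closes, an elevation can be cut short, and every decision lands in an audit trail a SOC could alert on. All names in it (JitAccessBroker, RoleGrant, the users, roles, change-ticket references and timestamps) are constructed for the illustration.

```python
"""Just-in-time (JIT) privileged access with automatic expiry.

Added example, not code from the article. Class names, users, roles,
ticket references and timestamps are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set


@dataclass(frozen=True)
class RoleGrant:
    """One time-bounded elevation: who, which role, for which window, why."""
    user: str
    role: str
    granted_at: datetime
    expires_at: datetime
    ticket: str  # change/approval reference attached to the grant


class JitAccessBroker:
    """Grants privileged roles on request, for a bounded window only.
    With standing access, has_access() would just be 'user in admin group'."""

    MAX_GRANT = timedelta(hours=4)  # policy ceiling on any single elevation

    def __init__(self, eligible: Dict[str, Set[str]]):
        self._eligible = eligible          # roles a user MAY request; eligibility is not access
        self._grants: List[RoleGrant] = []
        self.audit: List[str] = []         # every decision recorded for detection and review

    def _log(self, now: datetime, event: str) -> None:
        self.audit.append(f"{now.isoformat()} {event}")

    def request(self, user: str, role: str, duration: timedelta,
                ticket: str, now: datetime) -> RoleGrant:
        """Elevate `user` into `role` from `now` for `duration`, or refuse."""
        if role not in self._eligible.get(user, set()):
            self._log(now, f"DENY user={user} role={role} reason=not-eligible")
            raise PermissionError(f"{user} is not eligible for {role}")
        if duration <= timedelta(0) or duration > self.MAX_GRANT:
            self._log(now, f"DENY user={user} role={role} reason=bad-duration")
            raise ValueError(f"duration must be in (0, {self.MAX_GRANT}]")
        grant = RoleGrant(user, role, now, now + duration, ticket)
        self._grants.append(grant)
        self._log(now, f"GRANT user={user} role={role} "
                       f"until={grant.expires_at.isoformat()} ticket={ticket}")
        return grant

    def has_access(self, user: str, role: str, now: datetime) -> bool:
        """True only while an unexpired, unrevoked grant covers `now`."""
        return any(g.user == user and g.role == role
                   and g.granted_at <= now < g.expires_at
                   for g in self._grants)

    def revoke(self, user: str, role: str, now: datetime) -> int:
        """Cut a live elevation short (task finished, incident declared)."""
        before = len(self._grants)
        self._grants = [g for g in self._grants
                        if not (g.user == user and g.role == role and g.expires_at > now)]
        removed = before - len(self._grants)
        if removed:
            self._log(now, f"REVOKE user={user} role={role} count={removed}")
        return removed


def run_scenario() -> dict:
    """Walk elevations through their lifecycle; returns the access decisions."""
    t0 = datetime(2020, 12, 3, 9, 0, tzinfo=timezone.utc)  # constructed clock
    broker = JitAccessBroker({"alice": {"prod-db-admin"}, "bob": set()})
    role = "prod-db-admin"
    results = {}
    results["before_grant"] = broker.has_access("alice", role, t0)
    broker.request("alice", role, timedelta(hours=1), "CHG-0001", t0)
    results["during_grant"] = broker.has_access("alice", role, t0 + timedelta(minutes=30))
    results["revoked_early"] = broker.revoke("alice", role, t0 + timedelta(minutes=45))
    results["after_revoke"] = broker.has_access("alice", role, t0 + timedelta(minutes=50))
    # A second grant runs its full hour and lapses on its own: no cleanup job needed.
    broker.request("alice", role, timedelta(hours=1), "CHG-0002", t0 + timedelta(hours=2))
    results["second_grant_live"] = broker.has_access("alice", role, t0 + timedelta(hours=2, minutes=59))
    results["second_grant_lapsed"] = broker.has_access("alice", role, t0 + timedelta(hours=3))
    try:  # not eligible: the request never becomes a grant
        broker.request("bob", role, timedelta(hours=1), "CHG-0003", t0)
        results["ineligible_denied"] = False
    except PermissionError:
        results["ineligible_denied"] = True
    try:  # a 30-day window is standing access by another name; the ceiling rejects it
        broker.request("alice", role, timedelta(days=30), "CHG-0004", t0)
        results["standing_request_denied"] = False
    except ValueError:
        results["standing_request_denied"] = True
    results["audit_events"] = len(broker.audit)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the scenario is the last two refusals: an ineligible user never becomes an admin, and an eligible user cannot quietly turn a just-in-time grant back into a standing one by asking for a month. Everything the broker decides, including the denials, is in the audit list, which is what a detection team would want to watch for repeated denied requests or grants without tickets.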
Zero Trust improves the experience of users and moves past security that stops at the perimeter. As Chase Cunningham says, Zero Trust moves toward “a workload-first, data-driven, and identity-aware security model.” In the COVID era, this is more important than ever.
That’s more than defending against ransomware. That’s about creating an entirely new security philosophy and culture.
In the long run, despite the costs, it’s worth the time and effort.
Zero Trust does more than improve security. Zero Trust Architectures (ZTAs) can also reduce the risk of operational glitches. When users don’t have 24/7 admin rights, and aren’t making changes in production that bypass change control, you get better service, stability, and availability.
And you reduce the risk of minor security incidents becoming major security breaches.
Ready to learn more about how a Zero Trust Architecture for privileged users can help your organization?