
These materials are © 2019 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.


Zero Trust Security

Centrify Special Edition

by Corey Williams


Zero Trust Security For Dummies®, Centrify Special Edition

Published by John Wiley & Sons, Inc. 111 River St. Hoboken, NJ 07030-5774 www.wiley.com

Copyright © 2019 by John Wiley & Sons, Inc., Hoboken, New Jersey

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

ISBN 978-1-119-55026-6 (pbk); ISBN 978-1-119-55025-9 (ebk)

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

For general information on our other products and services, or how to create a custom For Dummies book for your business or organization, please contact our Business Development Department in the U.S. at 877-409-4177, contact [email protected], or visit www.wiley.com/go/custompub. For information about licensing the For Dummies brand for products or services, contact BrandedRights&[email protected].

Publisher’s Acknowledgments

Some of the people who helped bring this book to market include the following:

Project Editor: Elizabeth Kuball

Acquisitions Editor: Ashley Barth

Editorial Manager: Rev Mengle

Business Development Representative: Karen Hattan

Production Editor: Mohammed Zafar Ali

Table of Contents

INTRODUCTION
    About This Book
    Foolish Assumptions
    Icons Used in This Book
    Where to Go from Here

CHAPTER 1: Rethinking Your Security with a Zero Trust Approach
    Understanding Why Traditional Security Doesn’t Work
    Seeing That Identity Is the Number-One Attack Vector
    Considering Security Spend versus Risk Reality
    Defining Zero Trust Security: A New Paradigm
    Comparing Traditional Access Tools to Next-Gen Access
        Reducing or eliminating user friction
        Reducing the burden on IT

CHAPTER 2: Verifying the User
    Accepting That Passwords Suck
    Simplifying Access with Single Sign-On
    Going Beyond Passwords with Multifactor Authentication
        You can never have too many factors
        Contextual access reduces friction for users
    Balancing Security and Convenience with Next-Gen Access
        Reducing the burden on IT with behavior-based analytics
        Reducing user friction and improving the user experience

CHAPTER 3: Validating Every Device
    Protecting Your Largest Attack Surface
    Securing Access through Validated Endpoints
    Managing Devices to Minimize Endpoint Threats
        Enterprise mobility management
        Mobile application management
    Improving Access Decisions by Leveraging Device Context
    Using Endpoint Privilege Management to Increase Security
        Tightly manage access to service and admin accounts
        Lock down the local superuser account privileges

CHAPTER 4: Limiting Access and Privilege
    Provisioning and Deprovisioning Accounts Automatically
    Reducing the Usage of Virtual Private Networks
    Controlling Privileged Access to Infrastructure
        Consolidating identity silos
        Shared account password management
        Least-privilege superuser privilege management
        Break-glass scenarios
        Privileged session recording, auditing, and reporting
    Ensuring Compliance and Auditing Using Next-Gen Access Services
        Access auditing and reporting
        Continuous compliance

CHAPTER 5: Learning and Adapting
    Using Risk-Based Access Controls for Proactive Security
    Applying Behavior-Based Policies to Improve User Experience
    Using Behavior-Based Policies to Reduce the IT Burden
    Examining Behavior and Risk for Greater Visibility and Insights

CHAPTER 6: Ten Tips for Attaining Zero Trust Security


Introduction

For years, companies have designed networks around a traditional security model meant to protect local systems. This network perimeter included layers of firewalls, intrusion detection systems, and other network security devices and systems intended to keep data safe against attack. But today, attackers are focusing on a specific type of threat: compromised credentials. In fact, the leading point of attack used in data breaches is compromised credentials and the privileges that go with them.

Attackers know that, with the right credentials, they no longer have to fight through the old “perimeter” defenses. Instead, they use stolen credentials to gain access to your critical data, just like an employee. Your traditional security perimeter is no longer the strong wall that you once envisioned it to be.

We must change our cybersecurity mind-set from “trust but verify” to “never trust, always verify.” You simply cannot implicitly trust that a user is who he claims to be or is doing what he’s supposed to be doing just by virtue of having access to your network.

About This Book

This book shows you what you need to know about the Zero Trust Security model. This new threatscape means that you need to move your first line of defense to the user accounts and privileges that attackers are looking to exploit. Architecting security using a Zero Trust Security approach can allow you to create a new security perimeter to keep your identities and, thus, your organization secure.

Of course, your organization is changing in other ways, too. Cloud infrastructure, Software as a Service (SaaS) apps, mobile devices, and a mobile workforce mean that the traditional ways of securing and managing organizational assets just don’t work anymore. The same Zero Trust Security approach that enables you to redefine your security perimeter can also allow you to secure access to both on-premises and hosted apps and infrastructure — all without leaving behind your existing infrastructure and systems.


Foolish Assumptions

In writing this book, I made a few assumptions about you, the reader:

» You’re interested in and comfortable with IT security topics.

» You may be an IT executive, manager, or practitioner.

» You have basic working knowledge of security and identity topics.

» You’re interested in the hot new topic of Zero Trust Security.

Icons Used in This Book

This book uses the following icons to call your attention to information you may find particularly helpful:

The information marked by the Remember icon is important enough to file away in your long-term memory.

When you see the Tip icon, you’re sure to find extra-helpful information — something that’ll save you time, money, or both!

The Technical Stuff icon marks places where I get into the weeds on a particular topic. If you’re pressed for time, you can safely skip anything marked with this icon.

The Warning icon calls your attention to common pitfalls that you may encounter  — so you can sidestep them and move merrily along your way.

Where to Go from Here

There’s only so much I can cover in these pages. If you find yourself finishing this book thinking, “Where can I find more information on this scintillating subject?,” head to https://zerotrust.com for more!


Chapter 1

IN THIS CHAPTER

» Realizing that your current security is broken and needs to be rethought

» Identifying your real enemy: stolen or misused credentials

» Balancing spending and risk

» Rethinking your security paradigm with a Zero Trust approach

» Considering Next-Gen Access tools and platforms to attain Zero Trust

Rethinking Your Security with a Zero Trust Approach

When you work in cybersecurity, you have to think about so many topics, protect so many different types of resources, worry about so many new threats, pass so many audits, and follow so many regulations. Sometimes it feels like you’re playing a game of whack-a-mole: Just when you’ve tackled one problem, another one pops up, and another, and another. . . . It’s hard to keep up!

This chapter takes a look at what’s wrong with the current approach to security and provides a look at a new way forward.


Understanding Why Traditional Security Doesn’t Work

For a couple of decades, our collective security efforts have focused on creating safe havens that allow “good guys” in and keep “bad guys” out. Over the years, we’ve invested in many layers of technology and process to build these digital perimeters. The traditional perimeter security depends on firewalls, virtual private networks (VPNs), and web gateways to separate the trusted users from untrusted users. Then we added in layers of monitoring that would identify increasingly sophisticated patterns and alert us to potential threats.

Organizations are dealing with skill shortages, overloaded employees, and an ever-expanding number of cloud apps and mobile devices that broaden the attack surface with each passing day. And with the shift to cloud computing and the rise of Internet of Things (IoT) devices, these perimeters have not only blurred but virtually disappeared.

There are countless threats constantly trying to punch holes in our cybersecurity defenses. We spend more, devote more resources, and employ more technologies, yet well over half of our organizations have experienced a data breach in the past 12 months alone. We seem to be fighting a losing battle, and the stakes are only getting higher. Cybersecurity for most organizations is simply broken.

Seeing That Identity Is the Number-One Attack Vector

According to one of the largest studies of actual data breaches, the Verizon Data Breach Investigations Report, four out of five breaches involve weak, stolen, or default passwords. And we know from the large IT and security analyst firm Forrester that an estimated 80 percent of breaches involve compromised privileged credentials. Mobile and otherwise untethered end users rely on access to applications and infrastructure that are secured only by passwords; provisioned by a host of point solutions; and woven together by only a thread of complex policies, permissions, and processes.


It’s no wonder then that identity is the number-one attack vector you face. It’s as if you’ve been spending all your time securing your home by building taller fences and putting security bars on your windows, yet the bad guys have simply made a copy of your housekey and can walk right through your front door. There has to be a better way!

Considering Security Spend versus Risk Reality

Another factor that you must challenge is your security spending and priorities. Over the past decade, a major shift in security spending flowed from intrusion detection to intrusion prevention controls, such as unified threat management and next-gen firewalls. This shift has proven effective at reducing risk due to unpatched and even unknown vulnerabilities.

In 2018, organizations will spend over $96 billion on cybersecurity, primarily focused on plugging ever more sophisticated vulnerabilities.

The current security reality is that ten times as many breaches come from identity-theft tactics, such as stolen passwords or compromised credentials from privileged employees, as from vulnerabilities. Yet CEOs overwhelmingly believe that plugging vulnerabilities is the top security priority. Make sure your security spending priorities are in line with your actual risks. You simply can’t continue to spend your way to security.

Defining Zero Trust Security: A New Paradigm

Ronald Reagan was famous for touting the proverb “trust, but verify” while discussing United States relations with the Soviet Union. (In a gleefully ironic twist, this phrase is actually derived from a famous Russian proverb.) In many ways, we’ve all built our cybersecurity based on this very notion: that we can have a set of trusted users who, when they’re verified, can have access to corporate resources.


But we know now that as many as one-third of data breaches are committed by trusted insiders, and, to make matters worse, the bad guys are already in our network under the disguise of a valid user verified by a stolen credential. This fact alone means that we need to take a different approach, one that isn’t based on trust but instead on verification.

We must change our cybersecurity mind-set from “trust, but verify” to “never trust, always verify.” You simply can’t implicitly trust that an insider is who he claims to be or is doing what he’s supposed to be doing. You must take a Zero Trust approach and verify every user access to every important resource, every time access is requested.

Zero Trust simply assumes that untrusted actors already exist both inside and outside your network. Trust must, therefore, be entirely removed from your security equation.

Practically speaking, there are four main pillars that make up a Zero Trust Security model. (We cover each of these four pillars in the following four chapters.)

» Verify the user. Passwords alone are not enough to verify the legitimate identity of the user requesting access. By enhancing the authentication experience with additional factors of authentication (called multifactor authentication [MFA]), single sign-on (SSO), and behavioral analytics, you can greatly reduce the chances that a stolen credential can be used against your organization.

» Validate the device. If a user is requesting access from a known, managed, and registered device that she uses every day, you can have a certain level of confidence that the request is legitimate — especially if you’ve also verified the user. However, if she’s trying to access services from an unknown workstation in an Internet café that she’s never used before, trust is out the window.

» Limit access and privilege. After a user has been granted access to a resource, the user’s privileges must be tightly managed. Malicious parties frequently target personnel with administrative privilege to gain control over business systems. With Zero Trust Security, it’s important to limit lateral movement within all resources such as applications, servers, or workstations by limiting users to only the access they need to perform their jobs. It’s a good practice to ensure that users have just what they need, just when they need it, for only as long as they need it.

» Learn and adapt. Zero Trust Security must continuously improve by learning and adapting. Information about the user, endpoint, application or server, policies, and all activities related to them can be collected and fed into a data pool that fuels machine learning. The system can then automatically recognize out-of-the-ordinary behaviors — such as a user trying to access resources from an unusual location — which immediately raises a red flag that may require a second form of authentication, or block access, depending on policies.

A ZERO TRUST MANDATE

Following the highly publicized breach of the U.S. Office of Personnel Management (OPM), which exposed the personal data of tens of millions of Americans, the U.S. House of Representatives Committee on Oversight and Government Reform issued a report recommending that federal information security efforts move toward a Zero Trust model. Stating that, “The Zero Trust model centers on the concept that users inside a network are no more trustworthy than users outside a network, . . .” the 2016 report triggered a broad and ongoing discussion of Zero Trust across the public and private sectors.

Now we have a philosophy, but how do we go about piecing together a solution from products from ten different vendors, each purporting to solve one piece of the puzzle?

We spend more time defining all these technologies and going into each of the pillars in more detail in the coming chapters.


Whew! So we’ve spent a few pages now discussing the importance for your organization to achieve Zero Trust Security. Now let’s spend a couple of pages on what Zero Trust Security is in a more concrete and practical sense.

Comparing Traditional Access Tools to Next-Gen Access

Traditional access management technologies have been around for decades. Typically, they’re sold and supported by a different vendor (or several are acquired by a single vendor as part of a portfolio of identity and access management tools). They’re generally focused on either one type of user (such as customers, employees, or an IT administrator), one type of resource (servers, desktops, or applications), or one type of deployment model (on-premises or Software as a Service [SaaS]).

Next-Gen Access is simply a label for the approach that comprises a combination of related access management tools and modern access management layers working together to control access to all resources. When these tools are made to seamlessly work together, they facilitate the creation of a Zero Trust Security environment.

THE GOOGLE APPROACH TO ZERO TRUST

It turns out that one of the early corporate adopters of Zero Trust was Google. Google has put Zero Trust into action with its own internal BeyondCorp project. The Google Zero Trust approach allows every employee to work from untrusted networks without the use of a VPN.

Recognizing the need for change following some scary data breaches that rocked many large companies’ faith in then-current security practices, Google began altering its own network security policies to reflect a model of Zero Trust back in 2015, essentially handling its internal network as if it were completely exposed to the insecure Internet.

Google’s BeyondCorp model entirely removes trust from the network; securely identifies the device and the user; and applies dynamic access controls, least privilege, and context-aware policies. Although Google doesn’t have a complete solution for customers, it has provided what many security analysts feel is the most compelling reference architecture to date.

Here are some of the key tools, some of which you may already have in place for some of your users or resources, needed to attain Zero Trust Security:

» SSO: SSO is a tool that reduces the number of times a user has to enter his password, reduces the number of passwords a user has to manage, and often substitutes one-time tokens for logging a user in to a resource rather than entering or transmitting a password across the network.

» MFA: MFA ensures that the user is who he says he is. By combining something a user knows (password, secret) with something he has (push notification to his cellphone) or with something he is (fingerprint ID), you’re much more likely to ensure his identity than relying only on something he knows (like an easily stolen password).

» Enterprise mobility management (EMM): EMM is important to not only configure and control mobile devices, but also to make sure they aren’t jailbroken, are compliant with all security policies, and most important, are associated with the user that is attempting an access from the device. This assurance, combined with MFA, is important to make sure that stolen credentials can’t easily be exploited to gain access to your resources.

» Privileged access management (PAM): PAM is critical to secure privileged credentials within an encrypted vault, provide policy-based access to resources, and have users log in as themselves, elevating their privilege level only when their job duties require it.

» User behavior analytics (UBA): UBA is crucial to building a baseline model of normal behavior for every user. This model can be used at every access attempt to identify when inappropriate or abnormal behavior occurs. Behavior attributes that can be modeled should include logon time/day/endpoint, location, application use, device use, resource access, and possibly more.

A Next-Gen Access platform is a single solution that combines these Next-Gen Access capabilities/technologies into a single integrated offering. A single integrated platform is typically cheaper to implement and easier to manage but also uniquely improves both IT and end-user productivity.
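One concrete form of the “one-time token instead of a password” idea in the SSO bullet above, written as an added example rather than code from the book or from Centrify: an identity provider mints a signed, short-lived, audience-bound, single-use assertion after the user has authenticated once, and the application verifies it without ever handling the user’s password. For brevity it signs with a symmetric HMAC key shared between IdP and application; real SSO protocols (SAML, OIDC) sign with the IdP’s private key. The key, user name and application names are constructed for the example.

```python
"""Signed, short-lived, single-use SSO assertion: IdP issues, app verifies.

Added example, not code from the book or from Centrify. IDP_KEY, the user
and audience names are constructed; production SSO uses asymmetric
signatures (SAML/OIDC), not a shared HMAC key.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

IDP_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: shared IdP/app secret


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding, as used in JWT-style tokens."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(IDP_KEY, body.encode("utf-8"), hashlib.sha256).digest())


def issue(user: str, audience: str, now: int, ttl: int = 60) -> str:
    """IdP side. Called after the user has already authenticated to the IdP.

    The application never sees a password: it receives this token, which is
    bound to one audience, valid for `ttl` seconds, and carries a random
    `jti` so the application can refuse a second presentation."""
    claims = {"sub": user, "aud": audience, "iat": now, "exp": now + ttl,
              "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True).encode("utf-8"))
    return f"{body}.{_sign(body)}"


class Verifier:
    """Application side: signature, audience, validity window, replay."""

    def __init__(self, audience: str) -> None:
        self.audience = audience
        self.seen: set = set()  # consumed jti values; in production a shared store with TTL

    def verify(self, token: str, now: int) -> Optional[dict]:
        """Return the claims if the token is acceptable, else None."""
        parts = token.split(".")
        if len(parts) != 2:
            return None
        body, sig = parts
        # Check the signature before parsing anything else from the token.
        if not hmac.compare_digest(sig.encode("utf-8"), _sign(body).encode("utf-8")):
            return None  # forged or tampered
        try:
            claims = json.loads(_unb64(body))
        except (ValueError, UnicodeDecodeError):
            return None
        if claims.get("aud") != self.audience:
            return None  # minted for a different application
        if not (claims["iat"] <= now < claims["exp"]):
            return None  # expired, or issued in the future (clock skew or forgery)
        if claims["jti"] in self.seen:
            return None  # replay of a captured token
        self.seen.add(claims["jti"])
        return claims


if __name__ == "__main__":
    app = Verifier("payroll")
    token = issue("alice", "payroll", now=1_000)
    print("first use :", app.verify(token, now=1_010))            # claims dict
    print("second use:", app.verify(token, now=1_020))            # None: replay
    print("wrong app :", Verifier("hr").verify(token, now=1_010))  # None: audience
```

The four checks in the verifier are the ones to look for when reviewing any SSO integration: signature first, audience so a token minted for one application cannot be presented to another, the validity window, and the consumed-nonce set so a captured token cannot be replayed.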


Reducing or eliminating user friction

Ninety-nine percent of the time, a user is who she says she is and is accessing a resource she always accesses from the same device, in the same location, and at the same time of day. Knowing this, you may just want to automatically provide a silent sign-on to the user and not require an MFA prompt, reducing user friction dramatically.

If you were to implement MFA blindly, this user might be prompted for additional verification every time she tries to access an application, adding significant friction and ramping up user frustrations.

But this unique combination of SSO, MFA, and UBA makes a contextual decision to reduce the user friction and still allows you to have the security confidence that the access attempt is both appropriate and secure.

Reducing the burden on IT

The previous example is also one that shows how great a Next-Gen Access platform is for reducing the burden on IT. There is a comprehensive model of the user’s behavior that allows an automated decision to allow the user access based on the low risk score for that access attempt.

Normally, an IT person would have to create specific rules for each type of user ahead of time to explicitly state that a verified user, who is using a particular PC, from the corporate network, during work hours on the day shift, can get access to this application. But what about the salesperson who travels up and down the East Coast? What about the branch office in the UK? What about . . . what about . . . what about. . . .

It’s impossible for an IT person to create all the specific rules needed for every user to have both a secure and low-friction access experience. So, most of the time, IT simply requires everyone to be prompted for extra validation on every attempt. Only with a Next-Gen Access platform can you have a risk-adjusted policy that is simple to define; reduces user friction tremendously; and simplifies the IT burden for discovering, defining, and maintaining complicated rules.

Chapter 2

IN THIS CHAPTER

» Accepting that passwords alone are bad for you and your organization

» Simplifying access with single sign-on

» Moving beyond passwords with multifactor authentication

» Balancing security with convenience through behavior-based analytics

Verifying the User

The first step of rethinking your security approach using the concepts of Zero Trust Security is to always verify the user. This chapter focuses on this first pillar and the notion that a simple username and password does not prove the identity of a user. Identities are easily compromised, so access controls must be strengthened to confirm identity assurance.

This chapter also explains that only through the integrated Next-Gen Access technologies of single sign-on (SSO) and adaptive multi-factor authentication, coupled with machine learning and analytics, will you bolster access controls enough to ensure the authenticity of every user before access to a resource is granted.

Accepting That Passwords Suck

A recent report by Verizon contains a great quote: “The use of stolen, weak or default credentials in breaches is not new, is not bleeding edge, is not glamorous, but boy howdy it works.”

In fact, stolen credentials are — by far — the number-one attack vector that the bad guys use to gain unauthorized access to your resources. So, why do we keep allowing our applications, servers, databases, network devices, workstations, and other important resources to be protected by only a username and password?

In a word: convenience. Business users don’t want to be bothered by constant prompts for additional factors of authentication, and IT admins are rightly focused on accomplishing their endless list of tasks, and easy-to-remember and/or shared passwords take less effort.

Simplifying Access with Single Sign-On

When users have to remember a multitude of accounts and passwords, they often solve the problem by reusing passwords or by using weak passwords. Not only does single sign-on help solve that problem, but it also provides a single place to enforce strong authentication requirements.

When you use single sign-on (SSO), it helps reduce the likelihood that forgotten or abandoned accounts will haunt your organization, because you can manage access to accounts centrally rather than on individual servers or services.

ALPHABET SOUP: MAKING SENSE OF THE INTEGRATION STANDARDS FOR SINGLE SIGN-ON

Many applications expose integration standards to make configuring and managing SSO easier. These standards can be confusing, so here’s a quick overview:

• SAML: The Security Assertion Markup Language, an XML-based protocol for authorization and authentication. SAML is used to replace text-based passwords with single-use tokens and to provide single sign-on.

• OAuth: A widely used authorization technology, with similar benefits to SAML, but a different implementation.

• OpenID: Often used along with OAuth, where it provides the authentication layer for integrations.

• SCIM: The System for Cross-Domain Identity Management, which helps with user account management in the cloud by providing standard ways to create, update, and delete users.

As Figure 2-1 shows, Next-Gen Access SSO solutions deliver a great user experience with a self-service portal that is tied directly to the authentication for the user’s endpoint. So, after users authenticate to their endpoint, they can gain immediate access to any of their applications without having to enter a separate sign-on ID and password, as plagued the SSO solutions of the past.

By itself, SSO may actually represent a security challenge. If you lose control of your username and login, any bad guy or malicious insider could help himself to all your applications. That would be no good at all — you may as well have a separate password for every application if all you used to protect access was SSO.

But with some simple additions, you can ensure that SSO is paired with additional factors of authentication and other smarts to ensure that only trusted users are accessing the resources they need to do their job.

FIGURE 2-1: Centrify Next-Gen Access SSO user portal.

Going Beyond Passwords with Multifactor Authentication

Another great quote in that same Verizon report says: “Don’t get us wrong — passwords are great, kind of like salt. Wonderful as an addition to something else, but you wouldn’t consume it on its own.”

Even the person who is often credited as the inventor of the password, Fernando Corbato, said, in an interview with the Wall Street Journal, that the password has become “kind of a nightmare.”

Any time you have a password, you need to augment it with additional factors of authentication. Passwords are enough to keep the typical user from snooping through your data, but they provide little barrier to stopping a determined bad actor.

The best way to think about enforcing additional factors of authentication is to consider that every access attempt is secured by at least two different types of factors:

» Something you know, such as a password or a secret phrase.

» Something you have, such as a smartphone that is uniquely registered to the user and can provide push notification that must be accepted. An older-fashioned version is a key fob that generates a time-limited security code (most users hate this option).

» Something you are, such as your fingerprint, facial recognition, or iris scan.

Cyberattacks are like water running downhill. They always find the path of least resistance. Why is this important? Because if you only implement multifactor authentication (MFA) for some of your resources, the attackers are smart (or lazy, or both) and will simply move on to an easier entry point. This is why you need to implement MFA everywhere.

You can never have too many factors

When you’re implementing MFA for your users, you need to give them choice. Some users carry a smartphone everywhere, so it makes sense to leverage an app on their devices, as shown in Figure 2-2, instead of issuing something like a dedicated key fob. Maybe some of your teammates don’t always have predictable access to a smartphone. Or maybe they can’t easily access one in the moment. By giving your users choice, based on an acceptable risk level for that authentication attempt, you can gain wider adoption and adherence to MFA.

When considering an MFA solution, look for a broad choice of supported factors. Here is a partial list of the variety of choices you want to consider:

» Push notification to a registered mobile device via an installed application

» Soft one-time password (OTP) token generated by a mobile app

» Biometric factors, such as fingerprint scanners or facial recognition, either integrated into a smart device or offered as a stand-alone product

» OATH-based software or hardware tokens, based on an industry standard that allows even more choice for providing a second factor

» FIDO U2F security keys, based on another emerging standard, such as the USB dongles offered by Yubico

FIGURE 2-2: Example MFA factors on a registered smartphone or wearable.

» RADIUS standard support, which is often used to support a proprietary OTP generator such as a key fob that generates time-limited tokens

» An OTP sent via SMS/text message or email

» Interactive phone call for users who only have access to a feature phone or hardline

» Configurable security questions, which aren’t great because they’re just another secret like passwords, but can work in a pinch to add an additional layer of protection

» Smart cards, which are popular among federal and state government agencies

» Derived credentials, which provide a more user-friendly way to make smart cards work with mobile devices

Contextual access reduces friction for users

MFA is one of the most effective ways to mitigate the risk of compromised credentials, but it may also introduce unintended friction and frustration for end users. When users are constantly being interrupted to provide additional factors of authentication, they may be tempted to work around the experience or, worse yet, delay or avoid the task altogether. This is where contextual access comes to the rescue.

Adopt a solution that allows you to specify the conditions under which additional factors of authentication must be enforced. That way, when a user is accessing an application she always accesses, at the time of day she always accesses it, from a trusted device, on the corporate network, with a low risk level, she can simply be signed on without additional prompting. But when a user tries to access a system from an unknown location, using an unfamiliar device, during the middle of the night, you can block her access altogether (or at least prompt for additional factors of authentication).

Let’s face it: Ninety-nine percent of the time your users are who they say they are and doing what they’re supposed to be doing. Contextual access provides a configurable balance between securing access (ensuring a user is doing what she’s supposed to be doing) and empowering users by reducing the friction they experience when performing their duties.

Balancing Security and Convenience with Next-Gen Access

A Next-Gen Access solution integrates SSO and MFA together with a contextual policy so that the authentication mechanisms are adaptive, smart, and risk aware — incorporating geographic location, device posture, network, and user attributes to ensure authenticity of all users.

Instead of challenging a user with MFA to access every resource every single time, a Next-Gen Access solution formulates a risk score for each user and will only challenge users with MFA or block resource access when a medium- or high-risk score is calculated. This benefits IT with more advanced and robust security controls while also simplifying and improving end-user productivity.

Reducing the burden on IT with behavior-based analytics

Adaptive MFA, combined with SSO, is a great way to balance security with a better user experience. However, the burden falls to IT admins to define and create enough conditional rules to ensure that users are not being unduly subjected to continuous prompts from the MFA solution. The desire to deliver a great user experience seems to come with a steep cost levied on the productivity of the IT organization.

This is why Next-Gen Access solutions incorporate behavior-based analytics into the mix. Information about the user, endpoint, application or server, policies, and all activities related to them can be collected and fed into a data pool that fuels machine learning. In turn, a complete access profile is generated for every user based on his unique patterns of behavior over time.

A Next-Gen Access system that employs behavior-based machine learning and analytics can then automatically recognize out-of-the-ordinary behaviors — such as a user trying to access resources from an unusual location — which immediately raises a red flag that may require a second form of authentication, or block access altogether, depending on policies.

Behavior analytics are used to ascertain the risk level of individual transactions and decide in real time whether to allow them. This also provides identity services with key insights that can tell administrators when policies need to be changed.

Reducing user friction and improving the user experience

Next-Gen Access couples SSO with context-based and risk-aware MFA to bolster access security and ensure user validity. Instead of implementing MFA as “on” or “off,” and potentially forcing an MFA challenge for every user in front of every resource, Next-Gen Access solutions assess the context and behavior patterns of a user to formulate a risk score for each user.

The risk score determines if a user gets SSO access to a resource, is challenged with MFA for further identity verification, or is blocked from accessing the resources until further investigation. Also, where traditional access management solutions offer SSO and MFA capabilities to a subset of resources (applications, endpoints, or infrastructure), Next-Gen Access solutions provide adaptive and risk-aware capabilities across all enterprise resources, every time an access decision is being made.

Chapter 3

IN THIS CHAPTER

» Protecting your single largest attack surface

» Ensuring secure access through only validated endpoints

» Minimizing endpoint threats through device management

» Leveraging device context to improve access decisions

» Increasing security posture with endpoint privilege management

Validating Every Device

In this chapter, we lay out how endpoints represent the single largest attack surface in your enterprise. You see the importance of protecting access to and from these endpoints and how they’re a great source of context when making access decisions for users. This chapter also explains how to minimize endpoint threats through device management and increase security posture with endpoint privilege management.

Protecting Your Largest Attack Surface

Ninety-five percent of phishing attacks targeting your organization originate on legitimate endpoints. A typical attack starts with a phishing email that is designed to install malware or redirect the user to a fake webpage. Either way, the bad actor is trying to intercept credentials that give them a toehold onto either that endpoint or directly to corporate resources (like access to a virtual private network [VPN]).

Every single PC, Mac, smartphone, and related device that your employees, contractors, and partners use represents a potential exploit to penetrate your defenses. But endpoints are also the primary gateway to an organization’s resources, so you must protect your endpoints while at the same time empowering your mobile workforces.

Securing Access through Validated Endpoints

To achieve Zero Trust Security, identity-based preventive controls must be extended to the endpoint. As with users, devices cannot be trusted without validation. Validating a device involves the verified user enrolling his device, enforcing configuration and security policy, and proactively managing applications and data on that device.

If there is one concept of Zero Trust Security that you must remember, it’s this: You cannot trust that a user is who he says he is just because he has the correct password to access your network. But this concept of “never trust, always verify” also applies to endpoints.

For example, if a user is requesting access from a registered device he uses every day, he has a certain level of trust. If he’s trying to access services from a workstation in an Internet cafe that he has never used before, trust is out the window.

Validating devices involves ensuring that devices are only allowed access if they meet certain security requirements:

» Is the device strongly associated with the user? For example, does it have a unique certificate on the device that is associated with that user?

» Has the device been jailbroken?

» Do the device settings conform to company policies like disk encryption, virus protection, and up-to-date patches?

Only allow access to registered devices that have both a need to access enterprise resources and a secure posture. If verified users only access from validated devices, you can be reasonably sure that the access attempt is legitimate.

Managing Devices to Minimize Endpoint Threats

Even though a device is uniquely identifiable and registered to the appropriate user, that doesn’t single-handedly validate the device’s security posture. Settings can be turned off or changed after the registration process. Ongoing device and policy management is necessary to both maintain the correct settings and monitor for non-compliance.

Enterprise mobility management

The first step to ensure the proper security posture of each device is accomplished through the capabilities of enterprise mobility management (EMM). These capabilities minimize endpoint threats by helping an enterprise to centrally manage hundreds of potential configuration settings to meet security policy.

For example, every smartphone needs a policy setting that locks the screen after a configurable amount of time. The device should not be allowed access unless a pin code policy is in place and full device encryption is enforced. There can literally be hundreds of these types of settings for limiting or configuring what is or is not allowed on the device in order for it to be trusted with accessing corporate resources.

Drivers and challenges pushing the need for enterprise mobility management include the following:

» Users are increasingly using personally owned computers, tablets, and mobile devices for work.

» IT needs to support bring your own device (BYOD) initiatives, but security and user adoption depends on the separation of enterprise apps and data from personal ones.

» Asking users to identify, deploy, and configure the correct mobile client apps leads to increased help desk calls while also frustrating end users and prolonging the time it takes to get them fully productive.

An EMM solution ensures that devices are configured with secure settings, registered to a known user, and managed by an application access policy to minimize the risk of lost or stolen devices. This includes the ability for IT admins to remotely locate, lock, and wipe corporate-owned devices.

Additionally, modern EMM systems support onboarding devices with self-service enrollment to support BYOD use cases. Additional self-service capabilities include locating, locking, or wiping a lost device, as shown in Figure 3-1.

Mobile application management

Corporate applications today are increasingly in the cloud, but most of the time they’re accessed from users’ smartphones and tablets. That means native mobile applications are needed for a user to be productive. Most EMM solutions include the ability to automatically deploy and configure mobile application clients from either the commercial app stores or a centrally managed enterprise catalog.

With the ability to push, manage, and wipe mobile applications and their data across mobile devices, mobile application management (MAM) ensures that corporate data stays separate from personal data. This means managed apps can be revoked to remove corporate data and access from devices, without wiping personal content like pictures and music.

When a user enrolls her device, MAM can automatically push the right apps to her based on her roles. Single sign-on can be configured for the apps. And an EMM solution can even provide secure certificate enrollment for access to Microsoft Exchange Server without a dedicated stand-alone app, so users can access the native mail, calendar, and contacts apps they prefer.

FIGURE 3-1: Self-service user portal for devices managed by Centrify.

Some of the additional capabilities that a device management solution provides include

» Access apps with single-tap sign-in with PKI-based device enrollment and authentication.

» Use mobile devices as a multi-factor authentication token, supporting one-time passcode for user authentication to specific apps or a single sign-on portal.

» Increase security with real-time push notifications to smart devices when users attempt to access apps that require multi-factor authentication.

» Manage app policy across devices and apps, ensuring that users have the right access when they need it.

» Revoke device access to all apps with a single click to prevent data theft from lost or stolen devices.

» Ensure that only authorized applications are installed for the right users, with an inventory of apps organized by user, group, or device type.

» Prevent malicious applications from entering the environment through endpoints with an additional layer of protection of application control.

» Provide an enterprise app store to ensure that employees can only install trusted apps without giving those users administrative rights they don’t need.

» Automatically install and update the applications your users need on their endpoints.

Improving Access Decisions by Leveraging Device Context

With a Zero Trust approach to security, it’s essential that information about the user’s identity and about the endpoint come together to assign a risk score. If risk is low, friction decreases. As risk increases, the appropriate controls kick in, requiring additional factors of authentication or more restricted access.

For example, let’s assume for a second that a user

» Is who she says she is

» Is working from the corporate network

» Is on a known and registered device that she always uses

» Is accessing an application that she always uses

» Logs in at the same time of day

Doesn’t it make sense to just give this user easy access through silent sign-on to her app instead of blindly prompting her for additional verification or reprompting her for a different set of credentials?

On the other hand, what if that user is trying to access

» From an unknown device that isn’t registered to the user, or that has a bad security posture, or has been jailbroken

» From an overseas location

» An application she doesn’t regularly use

» During the middle of the night on a weekend

In this case, you’d want to block her access or at least prompt her for several stronger factors of authentication to prove her identity and validity.
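The two bullet lists above describe the same decision the earlier sections call a risk score: silent sign-on when every signal matches the user’s baseline, an MFA challenge when a few drift, a block when the device or context is clearly wrong. Here is an added example (not code from this book or from Centrify) that scores those signals; the weights, thresholds, profile fields and sample data are all assumptions chosen to illustrate the policy, and the device checks follow the list in “Securing Access through Validated Endpoints.”

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed thresholds: below ALLOW_BELOW is silent SSO, at or above BLOCK_AT is a block,
# anything in between gets an MFA challenge.
ALLOW_BELOW = 20
BLOCK_AT = 60


@dataclass(frozen=True)
class Device:
    device_id: str
    registered_to: Optional[str]  # user bound to the device certificate; None if unregistered
    jailbroken: bool = False
    disk_encrypted: bool = True
    antivirus_on: bool = True
    patched: bool = True


@dataclass(frozen=True)
class BehaviorProfile:
    """Baseline for one user; constructed here, normally learned by the analytics engine."""
    username: str
    usual_devices: frozenset
    usual_apps: frozenset
    usual_countries: frozenset
    work_hours: range  # local hours during which this user normally signs in


@dataclass(frozen=True)
class AccessRequest:
    username: str
    device: Device
    app: str
    country: str
    on_corp_network: bool
    when: datetime


def device_posture_issues(device: Device, username: str) -> list:
    """The device checks from 'Securing Access through Validated Endpoints'."""
    issues = []
    if device.registered_to != username:
        issues.append("device not registered to this user")
    if device.jailbroken:
        issues.append("device jailbroken")
    if not device.disk_encrypted:
        issues.append("disk not encrypted")
    if not device.antivirus_on:
        issues.append("antivirus off")
    if not device.patched:
        issues.append("patches out of date")
    return issues


def risk_score(req: AccessRequest, profile: BehaviorProfile) -> tuple:
    """Sum an assumed penalty for every signal that departs from the user's baseline."""
    score, reasons = 0, []
    for issue in device_posture_issues(req.device, req.username):
        # An unregistered or jailbroken device is disqualifying on its own;
        # other posture failures add up more gradually.
        score += 40 if ("registered" in issue or "jailbroken" in issue) else 15
        reasons.append(issue)
    if req.device.device_id not in profile.usual_devices:
        score, reasons = score + 20, reasons + ["unfamiliar device"]
    if not req.on_corp_network:
        score, reasons = score + 10, reasons + ["off corporate network"]
    if req.country not in profile.usual_countries:
        score, reasons = score + 30, reasons + [f"unusual location {req.country}"]
    if req.app not in profile.usual_apps:
        score, reasons = score + 15, reasons + [f"unusual application {req.app}"]
    if req.when.hour not in profile.work_hours:
        score, reasons = score + 15, reasons + ["outside usual hours"]
    if req.when.weekday() >= 5:
        score, reasons = score + 10, reasons + ["weekend"]
    return score, reasons


def decide(req: AccessRequest, profile: BehaviorProfile) -> str:
    """Map the score onto the three outcomes the text describes."""
    score, _ = risk_score(req, profile)
    if score < ALLOW_BELOW:
        return "allow"   # silent sign-on, no MFA prompt
    if score < BLOCK_AT:
        return "mfa"     # step-up: ask for an additional factor
    return "block"


# Constructed sample data: one user, her everyday laptop, and an unknown kiosk.
ALICE = BehaviorProfile("alice", frozenset({"laptop-001"}), frozenset({"crm", "mail"}),
                        frozenset({"US"}), range(8, 19))
LAPTOP = Device("laptop-001", registered_to="alice")
KIOSK = Device("kiosk-7", registered_to=None, jailbroken=True)

SCENARIOS = {
    # first bullet list: everything matches the baseline -> silent sign-on
    "usual": AccessRequest("alice", LAPTOP, "crm", "US", True, datetime(2019, 3, 12, 10, 0)),
    # the travelling salesperson: same device and app, but off-network late in the evening
    "hotel": AccessRequest("alice", LAPTOP, "crm", "US", False, datetime(2019, 3, 12, 22, 0)),
    # second bullet list: unregistered jailbroken device, overseas, odd app, 3am on a Sunday
    "suspicious": AccessRequest("alice", KIOSK, "payroll", "XX", False, datetime(2019, 3, 17, 3, 0)),
}

if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        score, reasons = risk_score(req, ALICE)
        print(f"{name:10s} score={score:3d} decision={decide(req, ALICE):5s} {reasons}")
```

The reasons list is what you would log alongside the decision, so an analyst can see which signal pushed a request from silent sign-on to a challenge.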

Using Endpoint Privilege Management to Increase Security

One last item to consider is endpoint privilege management. No matter how confident you are in the user’s identity and in your ability to limit access to only his associated devices, you still run the risk of letting a compromised endpoint access your resources.

The majority of endpoint privilege risk comes from two important vectors: any service or admin/help-desk accounts you may have installed on the endpoint, and the superuser account (root for Mac/Linux or localadmin for PCs). These two vectors need to be tightly managed to be sure your endpoints aren’t accessing corporate resources while they’re compromised.

Tightly manage access to service and admin accounts

About ten years ago, most organizations shared the same domain admin and root password across all their servers. Fast-forward a decade, and IT security auditors have flagged most of those practices and forced IT shops to implement a solution that enforces unique passwords across all systems, ensures traceability and accountability for anyone who checks out a password, and automatically changes (or “rotates”) the passwords after a period of time.

Unfortunately, even though the shared passwords among admin accounts problem is largely solved for datacenter infrastructure, one of the most common IT security deficiencies today is the usage of a single local administrator password used across all endpoints. Although this is understandable from a help-desk support point of view — because it makes it easier to provide remote help to an end user — this practice is a significant security concern because this password is highly coveted, inevitably shared, and does not promote accountability of the user logging into the endpoint with the local administrator account.

Additionally, when IT staff leave the organization, they often retain knowledge of the admin account for all endpoints. It is essential to adopt a solution for generating a strong and unique password for each endpoint, storing passwords in a secure vault, and enabling workflow for password checkout requests. Passwords are rotated upon check-in, and every user who checked out a password is logged, for complete visibility and accountability.
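The workflow just described (a unique password per endpoint, a vault, logged checkouts, rotation on check-in) is small enough to model end to end. The following is an added example, not Centrify’s product code; the class and method names are assumptions, and the in-memory dictionary stands in for the encrypted storage a real vault would use.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_password(length: int = 24) -> str:
    """Random password from the OS CSPRNG; never derived from the hostname or a shared seed."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class VaultEntry:
    password: str
    checked_out_by: Optional[str] = None   # requester currently holding the password
    rotated_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


class EndpointPasswordVault:
    """Per-endpoint local admin passwords with checkout, rotation and an audit trail."""

    def __init__(self) -> None:
        self._entries: dict = {}       # endpoint name -> VaultEntry (assumed encrypted at rest)
        self.audit_log: list = []      # (when, action, endpoint, who)

    def _log(self, action: str, endpoint: str, who: str) -> None:
        self.audit_log.append((datetime.now(timezone.utc), action, endpoint, who))

    def enroll(self, endpoint: str) -> None:
        """Give a newly managed endpoint its own unique local admin password."""
        if endpoint in self._entries:
            raise ValueError(f"{endpoint} already enrolled")
        self._entries[endpoint] = VaultEntry(generate_password())
        self._log("enroll", endpoint, "system")

    def checkout(self, endpoint: str, requester: str) -> str:
        """Hand the current password to one requester at a time and record who got it."""
        entry = self._entries[endpoint]
        if entry.checked_out_by is not None:
            raise PermissionError(f"{endpoint} already checked out by {entry.checked_out_by}")
        entry.checked_out_by = requester
        self._log("checkout", endpoint, requester)
        return entry.password

    def checkin(self, endpoint: str, requester: str) -> None:
        """Return the password and rotate it, so the value the requester saw is now useless."""
        entry = self._entries[endpoint]
        if entry.checked_out_by != requester:
            raise PermissionError("check-in must come from the current holder")
        entry.password = generate_password()
        entry.rotated_at = datetime.now(timezone.utc)
        entry.checked_out_by = None
        self._log("checkin+rotate", endpoint, requester)

    def all_unique(self) -> bool:
        """Audit check: no two endpoints share a local admin password."""
        passwords = [e.password for e in self._entries.values()]
        return len(passwords) == len(set(passwords))

    def holders(self, endpoint: str) -> list:
        """Everyone who has ever checked out this endpoint's password, in order."""
        return [who for _, action, ep, who in self.audit_log
                if ep == endpoint and action == "checkout"]


if __name__ == "__main__":
    vault = EndpointPasswordVault()
    for name in ("laptop-001", "laptop-002"):   # constructed endpoint names
        vault.enroll(name)
    first = vault.checkout("laptop-001", "helpdesk-bob")
    vault.checkin("laptop-001", "helpdesk-bob")  # rotates: 'first' no longer works
    second = vault.checkout("laptop-001", "helpdesk-carol")
    print("rotated:", first != second, "holders:", vault.holders("laptop-001"))
```

In a real deployment the endpoint agent applies the rotated value to the local account immediately; the vault alone cannot change the password on the machine.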

Lock down the local superuser account privileges

Even with service and admin accounts being properly managed, you still have the issue of every PC or Mac having a local superuser account built into the operating system. With this account, you can install anything, have access to anything, and control anything on that endpoint — obviously not something you want to manage by a simple password checkout that gives a user or IT admin complete control over a system.

Of course, an end user needs to be able to take a laptop home and join his home network, add a local printer, and so on. But it doesn’t make sense for his account to have unfettered local administrator privileges. For example, if you didn’t let users install any unapproved applications, but instead only managed applications (like through an enterprise app store that distributes pre-approved applications), you wouldn’t have to worry about malware being installed from a link in a phishing email. They simply wouldn’t have the privileges to do so.

Adopt a solution that assigns privileges dynamically so that users can use only a specific privilege for a specified period or at specific times, on just their own PCs or Macs. This type of on-demand privilege elevation is seamless and eliminates the need to re-enter passwords, check out temporary passwords, or submit help-desk requests for access. This policy will help keep the bad guys from exploiting their favorite tool — compromised privileged access to a system.

Chapter 4

IN THIS CHAPTER

» Provisioning and deprovisioning accounts automatically

» Securing remote access without a virtual private network

» Managing privileged access to infrastructure

Limiting Access and Privilege

If you only allow verified users to access your resources from validated devices, you’re off to a good start. But bad actors frequently target administrative privileges to either applications or infrastructure in order to gain control over those business resources. With Zero Trust Security, it’s not enough to know the users and their devices; you also need to limit lateral movement by limiting users to just the access and privilege level they need to perform their jobs.

This chapter discusses a key Zero Trust pillar focusing on limiting access and privilege based on job function, with just the level of privilege that is needed to perform the task, and only for as long as it’s needed to do the job. Some methods include automatically provisioning and deprovisioning user accounts and access; eliminating the majority of VPN usage; working with and within the larger security ecosystem; and specific use cases for protecting and managing privileged access to data center servers, Infrastructure as a Service (IaaS), databases, network devices, and other infrastructure.


Provisioning and Deprovisioning Accounts Automatically

Provisioning is the creation of user accounts and the roles, groups, rules, and related configuration settings or attributes that allow users to perform their work. Provisioning enables users to be productive on day one with the appropriate access, authorization, and client configuration across their devices.

The role of provisioning in the Zero Trust model is critically important because provisioning determines who has which rights on which systems and applications. You can ensure that a user only has access to what he needs to do his job, create reliable reports, and audit those rights at any given time.

IT staff knows that accounts are difficult to manage because

» Employees are often given more access than they need.

» Access frequently follows them through the course of their tenure at an organization.

» They amass more and more rights over time — even as their positions and roles change.

» Unused accounts and accounts for employees and other users who no longer need them also tend to stay around longer than they should.

Some form of automation and deprovisioning is required. Combining self-service, workflow, and provisioning automation can ensure that users only receive the access they need, help them be productive quickly, and automatically remove their access as their roles change or when they leave the company.
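As an added illustration (not Centrify’s code and not from this book), the following Python sketch reconciles an HR roster against the entitlements accounts actually hold: a joiner gets her role’s rights, a mover loses rights carried over from an old role, and leavers and accounts nobody in HR owns are disabled. The roster, the role model, and the entitlement names are all constructed.

```python
"""Role-based provisioning reconciliation (added example, not Centrify code).

Everything here is constructed for illustration: the HR roster, the
role-to-entitlement model and the entitlements found in the target systems.
"""
from dataclasses import dataclass, field

# Constructed role model: each job role maps to exactly the entitlements it needs.
ROLE_ENTITLEMENTS = {
    "sales": {"crm:user", "app-portal:user"},
    "sales-manager": {"crm:user", "crm:approver", "app-portal:user"},
    "sysadmin": {"linux-prod:login", "linux-prod:sudo-restart", "ad:helpdesk"},
}


@dataclass(frozen=True)
class Person:
    user_id: str
    role: str
    status: str  # "active" or "terminated" in the HR system


@dataclass
class Plan:
    grant: dict = field(default_factory=dict)   # user_id -> entitlements to add
    revoke: dict = field(default_factory=dict)  # user_id -> entitlements to remove
    disable: set = field(default_factory=set)   # accounts to disable entirely


def desired_entitlements(person):
    """What an account should hold right now: its role's entitlements while the
    person is active, nothing at all otherwise."""
    if person.status != "active":
        return set()
    if person.role not in ROLE_ENTITLEMENTS:
        raise ValueError(f"unknown role {person.role!r} for {person.user_id}")
    return set(ROLE_ENTITLEMENTS[person.role])


def reconcile(roster, current):
    """Compare what accounts hold (current: user_id -> set of entitlements)
    with what their current role requires and return the changes to apply.

    Joiners get their role's entitlements, movers lose rights carried over
    from a previous role, leavers and accounts unknown to HR are disabled.
    """
    plan = Plan()
    in_hr = {p.user_id for p in roster}
    for user_id in current:
        if user_id not in in_hr:
            plan.disable.add(user_id)             # remnant account, no owner in HR
    for person in roster:
        if person.status != "active":
            if person.user_id in current:
                plan.disable.add(person.user_id)  # leaver whose account is still live
            continue
        have = set(current.get(person.user_id, set()))
        want = desired_entitlements(person)
        if want - have:
            plan.grant[person.user_id] = want - have
        if have - want:
            plan.revoke[person.user_id] = have - want
    return plan


def example_plan():
    """Run the reconciliation on a constructed joiner/mover/leaver scenario."""
    roster = [
        Person("alice", "sales", "active"),         # mover: was a sysadmin last year
        Person("bob", "sales", "active"),           # joiner: no account yet
        Person("carol", "sysadmin", "terminated"),  # leaver: account still live
    ]
    current = {
        "alice": {"crm:user", "app-portal:user", "linux-prod:sudo-restart"},
        "carol": {"linux-prod:login", "linux-prod:sudo-restart", "ad:helpdesk"},
        "svc-old-backup": {"ad:helpdesk"},          # nobody in HR owns this one
    }
    return reconcile(roster, current)


if __name__ == "__main__":
    plan = example_plan()
    print("grant:", plan.grant)      # bob gets the two sales entitlements
    print("revoke:", plan.revoke)    # alice loses linux-prod:sudo-restart
    print("disable:", plan.disable)  # carol and svc-old-backup
```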

Reducing the Usage of Virtual Private Networks

Remote access is a necessity with an increasingly mobile and remote workforce, but providing secure remote access to applications can be difficult. Two of the most common solutions are virtual private networks (VPNs) and application gateways. VPNs rely on identity to authenticate users and to place them in appropriate networks based on who they are. But that approach often delivers broad access rights and implies a level of trust that is not appropriate with a Zero Trust approach.

Instead, solutions that protect applications by proxying data without this broad access to the network can use a Next-Gen Access approach to establish which applications can be accessed by particular users and under which conditions. It can also provide adaptive multifactor authentication (MFA) based on the context and risk of each user’s access attempt.

Controlling Privileged Access to Infrastructure

In many organizations, privileged users log into servers, applications, network devices, and databases using shared administrative accounts such as root or local administrator accounts. These accounts are the proverbial “keys to the kingdom,” and they account for the majority of malicious exploitation (or unintended misuse) of access to sensitive data, providing the ability to delete or damage critical systems. Verifying and protecting access to these accounts, known as privileged access security, is critical to defending against cyber threats.

You can help solve the problem of anonymous privilege usage if you invest in a Next-Gen Access solution that has the capability to associate privileged activity with an individual versus a shared account. Focus on solutions that only allow the user to elevate her privileges specifically for what she needs to do and for only as long as she needs to do it. So-called privileged access management (PAM) solutions help to ensure that users log in as themselves (instead of using a shared account), and that they only have the rights that they need. In special cases, like emergency support or for service functionality, PAM ensures that access to nonhuman accounts like service accounts and root and admin credentials are logged and passwords are automatically changed after use.


Consolidating identity silos

Many organizations have multiple stores of identity scattered throughout their infrastructure. Often, that means that individual servers or systems have their own identity stores. But differences often occur at the organizational boundaries or due to differences in systems. These identity silos represent both complexity and risk.

Productivity improves when access, privilege, and audit policies are managed from a centralized point of control. This management can be a lot easier if you use your existing Active Directory infrastructure and invest in bridging technologies to manage a much broader set of systems (Windows, Linux, Unix), end points (Windows, Mac, mobile devices), and applications (on-premises, Software as a Service [SaaS], mobile) without introducing redundant and costly new infrastructure.

Consolidating identity silos through a centralized identity management platform allows a single view of identity throughout the organization and, thus, a single place to control users, their access and account life cycle, and their eventual removal. Instead of having to account for each identity individually throughout a diverse infrastructure, centralization allows time to be spent enabling access and ensuring that it’s secure.

Shared account password management

In an ideal world, you would eliminate all privileged shared accounts and throw a major wrench into the process for attackers. However, sometimes you can’t delete or disable a privileged account, such as local administrator accounts, root accounts, legacy application administrative accounts, or network device accounts. In those cases, limiting risk by using shared account password management (SAPM) features, often referred to as a password vault, can make a big difference.

Using a Next-Gen Access solution can make SAPM a lot more powerful, because it allows you to use SAPM across both on-premises and cloud infrastructures, instead of having to maintain two different SAPM solutions for each. Make sure your solution can support anytime, anywhere remote access to on-premises and cloud-based resources, secure VPN-less resource access, outsourced IT and contractor login, and multiple identity provider (IDP) support.


Modern SAPM capabilities should be delivered as a service in the cloud to extend beyond basic password management to future-proof your identity and security strategy. In the classic “break-glass” scenario explained later in this chapter, the legacy on-premises SAPM solution is inaccessible if the network is down. An SAPM in the cloud is resilient to your network outages and accessible to every valid user, any time, from any device.

Least-privilege superuser privilege management

In addition to making sure that users log in as themselves, it’s important to implement least-privilege access (access that provides the minimum set of rights that a user needs to accomplish his job). Using least-privilege access limits the potential damage from security breaches and prevents users from improper or accidental activities.

To get the most benefit out of least-privilege access, make sure you control exactly who can access what and when. That means you’ll need to configure privileges so that users can only elevate privileges appropriate for their job function, at specific times, for a length of time, and only on appropriate servers or systems. A Next-Gen Access solution should be able to centrally manage least-privilege policies in a cross-platform manner across Windows, Linux, and Unix operating systems, as well as network devices.
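The following added example (not Centrify’s product code) shows one way to express the least-privilege policy this section and the earlier endpoint section describe: each rule grants a single right to a job function on a set of hosts, only on certain days and hours, and only for a bounded time that cannot outlive the window. The roles, rights, host patterns, windows, and the user “alice” are constructed.

```python
"""Time- and host-scoped privilege elevation policy (added example, not
Centrify's product code). Roles, rights, host patterns and windows are constructed."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from fnmatch import fnmatch
from typing import Optional

WEEKDAYS = frozenset({0, 1, 2, 3, 4})  # Monday=0 ... Friday=4


@dataclass(frozen=True)
class ElevationRule:
    role: str            # job function that may use the right
    right: str           # the single elevated action this rule grants
    hosts: str           # fnmatch pattern of systems where it applies
    weekdays: frozenset  # days of the week the right may be used
    start: time          # window start (inclusive); windows must not cross midnight
    end: time            # window end (exclusive)
    max_minutes: int     # longest a single elevation may last


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    right: str
    host: str
    at: datetime
    minutes: int


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    expires_at: Optional[datetime] = None


def evaluate(rules, req):
    """Grant via the first rule that fully matches, else deny with the reason
    from the most specific check that failed."""
    reason = "no rule grants this right to any of the user's roles"
    for rule in rules:
        if rule.role not in req.roles or rule.right != req.right:
            continue
        if not fnmatch(req.host, rule.hosts):
            reason = f"right not permitted on host {req.host}"
            continue
        if req.at.weekday() not in rule.weekdays:
            reason = "outside permitted weekdays"
            continue
        if not (rule.start <= req.at.time() < rule.end):
            reason = f"outside window {rule.start:%H:%M}-{rule.end:%H:%M}"
            continue
        # The elevation lasts the shortest of: what was asked, the rule's
        # maximum, and the rest of the window, so it cannot outlive the window.
        window_end = datetime.combine(req.at.date(), rule.end)
        asked = req.at + timedelta(minutes=min(req.minutes, rule.max_minutes))
        return Decision(True, f"granted to role {rule.role}", min(asked, window_end))
    return Decision(False, reason)


# Constructed policy: web operators may restart nginx on production web hosts
# during business hours; DBAs may act as postgres on database hosts.
RULES = [
    ElevationRule("web-ops", "sudo:systemctl restart nginx", "web-prod-*",
                  WEEKDAYS, time(8, 0), time(18, 0), 30),
    ElevationRule("dba", "sudo:-u postgres", "db-prod-*",
                  WEEKDAYS, time(7, 0), time(22, 0), 120),
]


def example_decisions():
    """Evaluate a handful of constructed requests from alice against RULES."""
    tuesday = datetime(2019, 3, 5)  # 2019-03-05 is a Tuesday
    web_ops, restart = frozenset({"web-ops"}), "sudo:systemctl restart nginx"

    def ask(roles, host, hour, minute, minutes):
        at = tuesday.replace(hour=hour, minute=minute)
        return evaluate(RULES, Request("alice", roles, restart, host, at, minutes))

    return {
        "in_window": ask(web_ops, "web-prod-03", 10, 0, 15),    # granted until 10:15
        "after_hours": ask(web_ops, "web-prod-03", 19, 0, 15),  # denied: window
        "wrong_host": ask(web_ops, "db-prod-01", 10, 0, 15),    # denied: host
        "capped": ask(web_ops, "web-prod-03", 17, 50, 30),      # granted until 18:00
        "no_role": ask(frozenset({"dba"}), "web-prod-03", 10, 0, 15),  # denied
    }
```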

Securing systems and applications can result in a complex web of rights and roles, so ensuring least privilege can be a challenge. It helps to have built-in tools designed to work with the applications and operating systems you use. Centrify Access Manager Rights Builder, shown in Figure 4-1, is an example of how pre-built rights models can speed up your deployment and keep complex rights management from being a nightmare.

Break-glass scenarios

In the last-ditch case where a system is down, no network access is available, and an administrator needs to access a root password or local administrator account, an identity platform can allow authorized IT users to check out passwords for system accounts for a limited duration and then automatically change the password after the checkout expires. This platform also ensures that you’ll have an audit trail available to review after the issue is resolved.
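The checkout flow described here and under shared account password management, as an added example rather than Centrify’s vault: an authorized user checks out a system account’s password for a limited time, every checkout and denial is written to an audit trail that never contains the password itself, and the password is rotated when the checkout expires or is returned early. The account names, users, and in-memory store are constructed.

```python
"""Break-glass password checkout with automatic rotation (added example, not
Centrify's vault). Accounts, users and the in-memory store are constructed."""
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ALPHABET = string.ascii_letters + string.digits + "!#%*-_"


def generate_password(length=24):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Checkout:
    user: str
    expires_at: datetime
    justification: str


@dataclass
class Vault:
    passwords: dict   # account -> current password (plain here; a real vault encrypts)
    authorized: dict  # account -> set of users allowed to check it out
    active: dict = field(default_factory=dict)  # account -> Checkout
    audit: list = field(default_factory=list)   # append-only; never holds a password

    def _log(self, event, at, **fields):
        self.audit.append({"event": event, "at": at, **fields})

    def checkout(self, user, account, justification, now, minutes=60):
        """Hand out the password for a limited time, or None with the denial logged."""
        reason = None
        if account not in self.passwords:
            reason = "unknown account"
        elif user not in self.authorized.get(account, set()):
            reason = "user not authorized for account"
        elif account in self.active and self.active[account].expires_at > now:
            reason = f"already checked out by {self.active[account].user}"
        elif not justification.strip():
            reason = "justification required"
        if reason:
            self._log("checkout_denied", now, user=user, account=account, reason=reason)
            return None
        if account in self.active:  # lapsed checkout nobody expired yet: rotate first
            self._rotate(account, now, "checkout expired")
        expires = now + timedelta(minutes=minutes)
        self.active[account] = Checkout(user, expires, justification)
        self._log("checkout", now, user=user, account=account,
                  expires_at=expires, justification=justification)
        return self.passwords[account]

    def checkin(self, user, account, now):
        """Early return of the account; the password is rotated immediately."""
        co = self.active.get(account)
        if co is None or co.user != user:
            return False
        self._rotate(account, now, "checked in")
        return True

    def expire(self, now):
        """Rotate every account whose checkout has lapsed; returns those accounts."""
        lapsed = [a for a, co in self.active.items() if co.expires_at <= now]
        for account in lapsed:
            self._rotate(account, now, "checkout expired")
        return lapsed

    def _rotate(self, account, now, reason):
        co = self.active.pop(account)
        self.passwords[account] = generate_password()
        self._log("password_rotated", now, account=account, user=co.user, reason=reason)


def break_glass_demo():
    """Constructed outage: the on-call admin checks out root on a down server,
    an unauthorized user is refused, and the checkout lapses 30 minutes later."""
    vault = Vault(passwords={"root@db-prod-01": generate_password()},
                  authorized={"root@db-prod-01": {"oncall-admin"}})
    t0 = datetime(2019, 3, 5, 2, 10)
    before = vault.passwords["root@db-prod-01"]
    given = vault.checkout("oncall-admin", "root@db-prod-01", "CHG-0421 db down", t0, 30)
    denied = vault.checkout("intern", "root@db-prod-01", "curious", t0 + timedelta(minutes=5))
    rotated = vault.expire(t0 + timedelta(minutes=31))
    return vault, before, given, denied, rotated
```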


Privileged session recording, auditing, and reporting

The need to monitor what privileged users such as system administrators and other power users do is obvious, but such monitoring can be a challenge. Power users frequently have sweeping rights to change systems including the logs that might capture their accounts being misused. Centralizing that capability, capturing all details in a full session recording, and using secure, auditable monitoring and reporting can make it a lot easier to ensure that privileged accounts are secure.

The other side of privileged account monitoring is tracking the rights that make an account privileged. If attackers can add rights to a normal user’s account that result in it being able to perform the same actions that an administrator can without that change being noticed, they can do major damage! A Next-Gen Access approach should allow you to monitor both how and where privileged accounts are being used, and how, when, and by whom the rights that make up those special privileges are being granted.

FIGURE 4-1: Centrify Access Manager Rights Builder.


Ensuring Compliance and Auditing Using Next-Gen Access Services

A Next-Gen Access platform may not be the first thing you think of when you consider compliance and auditing, but access to systems and data is often the first thing that you should look at. Reporting details of who had access to what, and what they have done with that access, as well as the ability to certify the technical process and procedures is important when reporting your organization’s status.

Access auditing and reporting

Auditing won’t prevent compromises, but it can help detect both attacks and attempts to exploit access. Zero Trust security relies on auditing and reporting, including the following key functions:

» Identifying privileged accounts and capturing privileged access and activity

» Providing detailed reporting on rights, groups, and correlation of roles and access

» Automated reporting for violations and potential issues

» Detecting unused or remnant accounts that should be addressed

These aren’t all the audit and reporting features that a Next-Gen Access solution can provide, but using these features can be a big part of providing greater security insight.
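Two of the audit functions listed above, run over constructed log lines as an added example (not a Centrify report): spotting grants of privileged group membership that lack a change ticket or come from an actor who is not an approved grantor (the kind of unnoticed rights change the session-recording section warns about), and finding accounts with no successful login in the last 90 days. The log format, group names, users, dates, and approved-grantor list are all made up for the example.

```python
"""Privileged-access audit checks over constructed log lines (added example,
not a Centrify report). Log format, group names, users and dates are made up."""
from datetime import datetime, timedelta

# Constructed audit trail: ISO timestamp, event name, then key=value fields.
SAMPLE_LOG = """\
2018-11-20T07:12:00Z login user=svc-legacy result=success
2019-01-02T09:00:00Z login user=alice result=success
2019-03-04T08:15:00Z login user=alice result=success
2019-03-04T08:20:00Z login user=bob result=success
2019-03-04T12:00:00Z group_add actor=helpdesk-admin target=carol group=linux-prod-sudo ticket=CHG-0421
2019-03-05T02:13:00Z group_add actor=svc-backup target=bob group=domain-admins
2019-03-05T09:00:00Z login user=carol result=success
"""

PRIVILEGED_GROUPS = {"domain-admins", "linux-prod-sudo"}
APPROVED_GRANTORS = {"helpdesk-admin", "iam-automation"}  # only these may grant
ALL_ACCOUNTS = {"alice", "bob", "carol", "dave", "svc-legacy"}


def parse_line(line):
    ts, event, *pairs = line.split()
    rec = {"at": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def privilege_grants(events):
    """Every grant of a privileged group, with problems noted when it lacks a
    change ticket or was performed by an actor who is not an approved grantor."""
    findings = []
    for e in events:
        if e["event"] != "group_add" or e["group"] not in PRIVILEGED_GROUPS:
            continue
        problems = []
        if e["actor"] not in APPROVED_GRANTORS:
            problems.append(f"actor {e['actor']} is not an approved grantor")
        if "ticket" not in e:
            problems.append("no change ticket recorded")
        findings.append({"at": e["at"], "target": e["target"], "group": e["group"],
                         "actor": e["actor"], "problems": problems})
    return findings


def dormant_accounts(events, accounts, now, max_idle_days=90):
    """Accounts with no successful login within max_idle_days (or none ever);
    the value is the last login seen, or None."""
    last_login = {}
    for e in events:
        if e["event"] == "login" and e.get("result") == "success":
            last_login[e["user"]] = max(e["at"], last_login.get(e["user"], e["at"]))
    cutoff = now - timedelta(days=max_idle_days)
    return {a: last_login.get(a) for a in sorted(accounts)
            if a not in last_login or last_login[a] < cutoff}


def run_checks(now=datetime(2019, 3, 6)):
    """Run both checks over the constructed log as of the given date."""
    events = parse_log(SAMPLE_LOG)
    return {"grants": privilege_grants(events),
            "dormant": dormant_accounts(events, ALL_ACCOUNTS, now)}
```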

Continuous compliance

Almost every industry faces some form of compliance requirements, whether they’re industry, government, or part of contractual obligations. The increasing need for compliance means that being able to prove compliance quickly and easily can be a big win for your organization.

Compliance at a single point in time is necessary to pass an audit, but implementing security best practices with an identity management platform will keep you in a continuous state of compliance and allow you to better protect your organization against cyberthreats. The idea of continuous compliance is gaining ground over point-in-time certifications. A Next-Gen Access solution that provides best-practice security services can make the difference between an issue that is quickly detected and handled and an audit finding a major compliance issue.

Many organizations have discovered that although they were regularly tested for compliance, that didn’t mean they were secure! Most compliance checks focus on a point-in-time assessment. Being compliant with a standard like the Payment Card Industry Data Security Standard (PCI-DSS) doesn’t mean that you can’t be hacked (or haven’t been already). It just means you meet the requirements in the standard.


Chapter 5

IN THIS CHAPTER

» Adopting proactive security with risk-based access controls

» Improving user experience with adaptable policies based on user behavior

» Reducing the IT burden by automatically adjusting behavior-based policies

» Attaining greater visibility and insights into behavior and risk

Learning and Adapting

The fourth major pillar of Zero Trust Security involves continuous learning and adaptation. This chapter explains how behavior-based analytics close the loop in order to build a better understanding of access behavior over time. By capturing the access events and activities across all your applications and infrastructure and applying machine learning to better understand “normal” behavior over time, you can begin to pivot away from traditional detect and respond alerts and toward a more automated, real-time, preventive control approach.

This chapter also illustrates how adopting a more proactive approach with behavior- and risk-based controls can improve the user experience, lower the burden on IT, and deliver greater visibility and insights into the access security across your organization.

Using Risk-Based Access Controls for Proactive Security

One of the hallmarks of a Zero Trust Security approach using a Next-Gen Access platform is the ability to continuously learn and adapt. By feeding every access attempt back into an analytics platform, you can apply modern machine learning to build individual behavior profiles for every user.

Machine learning and access analytics are a perfect fit for gathering data about every user’s access attempts, building out a baseline profile for the unique behavior patterns and attributes for each user, and calculating a risk score for every access attempt.

Applying Behavior-Based Policies to Improve User Experience

Zero Trust Security would be easy if you simply didn’t allow anyone to ever access anything. Simply unplug, and safety is all but guaranteed! Except that would mean your organization’s productivity would plummet, the exact opposite of what you want.

This solution is absurd, you say? Of course, but let’s take it to the next level and say you know that multifactor authentication (MFA) is powerful enough to stop most stolen credentials from being used. So, you decide to blindly prompt every user, every time she accesses a server, opens an app, turns on her device, runs a command . . . ugh! Now you’ve frustrated your users to the point where they avoid working or look for a workaround.

What you need is a balance between security and user productivity, an approach that elevates the security of every access attempt while reducing the friction for end users and the burden on IT.

Enter Next-Gen Access. For example, consider the same user scenario described in Chapter 3. A user has logged into her laptop using MFA, is working from the corporate network, and is on a registered device that she always uses, accessing the same app she always accesses, and at the same time of day as always. Great! You can give this user easy access through silent sign-on to her app instead of blindly prompting her for additional verification or asking her for a different set of credentials. Figure 5-1 shows a spider chart with examples of risk factors that are used to measure the risk level of a user.
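As an added example of the baseline-and-score approach this chapter describes (not Centrify Analytics code), the following Python learns a per-user profile from past access attempts and scores a new attempt by which of its attributes (device, network, app, hour of day, MFA at login) are unfamiliar; a low score gets silent sign-on, a middling one steps up to MFA, and, going one step beyond the text, a high one is refused outright. The weights, thresholds, the user “maria”, and her history are constructed.

```python
"""Behavior baseline and risk-scored access decisions (added example, not
Centrify Analytics). Weights, thresholds, the user and her history are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed risk factors and the score each contributes when it is unfamiliar.
WEIGHTS = {"device": 40, "network": 20, "app": 15, "hour": 15, "no_mfa_at_login": 10}
MIN_SEEN = 2      # familiar once seen this often, so a one-off never becomes baseline
ALLOW_BELOW = 25  # silent sign-on below this score
DENY_FROM = 70    # refuse at or above this score; in between, step up to MFA


@dataclass(frozen=True)
class Attempt:
    user: str
    device: str
    network: str
    app: str
    at: datetime
    mfa_at_login: bool


@dataclass
class Profile:
    """Per-user baseline learned from past access attempts."""
    devices: Counter = field(default_factory=Counter)
    networks: Counter = field(default_factory=Counter)
    apps: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)

    def learn(self, a):
        self.devices[a.device] += 1
        self.networks[a.network] += 1
        self.apps[a.app] += 1
        self.hours[a.at.hour] += 1


def score(profile, a):
    """Risk score for one attempt and the factors that raised it."""
    seen = {"device": profile.devices[a.device], "network": profile.networks[a.network],
            "app": profile.apps[a.app], "hour": profile.hours[a.at.hour]}
    factors = [name for name, count in seen.items() if count < MIN_SEEN]
    if not a.mfa_at_login:
        factors.append("no_mfa_at_login")
    return sum(WEIGHTS[f] for f in factors), factors


def decide(total):
    if total < ALLOW_BELOW:
        return "allow"  # silent sign-on
    if total < DENY_FROM:
        return "mfa"    # step-up verification
    return "deny"


def build_profile():
    """Constructed history: 20 days of maria on one laptop, from HQ, in the
    CRM app at 09:00, 13:00 and 16:00, always after an MFA login."""
    profile = Profile()
    start = datetime(2019, 2, 4)
    for day in range(20):
        for hour in (9, 13, 16):
            profile.learn(Attempt("maria", "LAPTOP-MARIA", "corp-hq", "crm",
                                  start + timedelta(days=day, hours=hour), True))
    return profile


def example_decisions():
    """Score three constructed attempts against maria's learned baseline."""
    profile = build_profile()
    cases = {
        "usual": Attempt("maria", "LAPTOP-MARIA", "corp-hq", "crm",
                         datetime(2019, 3, 5, 9, 5), True),
        "travel": Attempt("maria", "IPAD-NEW", "hotel-wifi", "crm",
                          datetime(2019, 3, 5, 13, 30), True),
        "anomalous": Attempt("maria", "UNKNOWN-PC", "unknown-isp", "hr-payroll",
                             datetime(2019, 3, 6, 3, 12), False),
    }
    results = {}
    for name, attempt in cases.items():
        total, factors = score(profile, attempt)
        results[name] = (decide(total), total, factors)
    return results
```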


Using Behavior-Based Policies to Reduce the IT Burden

In the example mentioned in the preceding section, I describe the normal behavior of a single individual, but the normal behavior of, say, a marketing intern working from HQ is very different from the normal behavior of a salesperson who travels up and down the east coast every week. Building out a set of rules that considers every unique user’s situation would be impossible.

One of the primary drawbacks to many access control technologies is the number of rules that need to be created and maintained. Instead, IT workers are overloaded and create very simple rules to maintain a veneer of security instead of accounting for every possible situation (until it bites them!).

By leveraging machine learning, you greatly reduce the complexity of analysis that needs to be performed by IT. Instead of writing complex rules, IT can decide on how to respond to the risk level of an access attempt, saving a great deal of time and frustration.

FIGURE 5-1: Centrify Analytics risk factors spider chart.


Examining Behavior and Risk for Greater Visibility and Insights

The last thing you need to understand about behavior-based access analytics is that a great deal of insight can be achieved into not only risky behavior but also current access trends; user experience; and patterns of access across applications, endpoints, and infrastructure.

For example, in Figure 5-2, you can see a summary of access risk that an organization faces, understand where those risk events are coming from, and see how the volume of events has increased over time. This quick visibility gives you actionable intelligence with a real-time view into current risks across the organization.

FIGURE 5-2: Centrify Analytics custom risk dashboard.


Chapter 6

IN THIS CHAPTER

» Recognizing the key pillars of Zero Trust Security

» Knowing what to look for in a Next-Gen Access solution

Ten Tips for Attaining Zero Trust Security

You have a lot to contemplate when you’re considering a Next-Gen Access solution to help you attain Zero Trust Security. You need a solution that can support your evolving (likely hybrid) IT environment while acting as a key layer of security for your organization going forward. These types of solutions typically have a long life cycle, which means that choosing the right vendor and solution is very important.

Here are ten tips to keep in mind when you’re striving to attain Zero Trust Security:

» Never trust, always verify. Don’t automatically trust anything inside your network. Instead, verify everything before granting access to your resources.

» Look for integrated access solutions that work together to help attain Zero Trust. Avoid piecemealing together various solutions.

» Support single sign-on (SSO). SSO makes a big difference in user productivity, reduces the use and risk of passwords, and gives you a central place for access control. Choose a platform that makes SSO as transparent to your users as possible, and you’ll save time and money on support.


» Adopt multifactor authentication (MFA) everywhere. MFA is critical to keeping your organization secure. Look for an MFA model that will work well for how your staff works and that’s integrated into a single solution across servers, apps, and devices. Avoid stand-alone MFA solutions that unnecessarily prompt users for a second factor.

» Balance security with usability by using conditional risk-based access. Conditional access allows you to create rules that identify important policies for controlling risk. Risk analytics leverage the user’s typical behavior to avoid unnecessary prompts that can kill the user experience. Risk analytics also reduce the IT burden of creating an unwieldy number of rules that cover every conceivable user situation.

» Manage the security of mobile devices. As your workforce becomes increasingly mobile, and as phones and tablets continue to grow in use for productivity, you’ll need a solution that can manage these devices. Pick a solution that leverages the security posture of mobile devices in the access policies for applications and resources.

» Integrate secure remote access. When your users need to get work done remotely, integration with remote access is key. Look for secure remote access capabilities that limit the need for a full virtual private network (VPN) connection and provide the ability to monitor and record remote sessions.

» Make sure you can manage privileged access and shared accounts. Your organization’s cyber security may rest on its ability to manage privileged access and shared accounts. Find a platform that makes visibility and central control easy and accessible.

» Look for an identity platform that makes integrating with your existing and future IT environment easy. Your chosen platform should have out-of-the-box support for your data center systems, applications, cloud services, devices, and other integration points that matter to you.

» Find a vendor that offers a strong partnership and support. A vendor that wants to see you succeed can make the difference between a successful rollout and a failed and neglected implementation. Find a vendor that has great references and a reputation for carrying through after the sale.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.