In my previous article, I argued that the Zero Trust model was gaining traction because it is so well-suited to the digital and highly-fragmented organisational models that are becoming the norm in business.
So far, so good. But of course, a major reason for the openness of the corporate IT estate is the growing need to collaborate more closely with suppliers and business partners, and to interact ever more closely with customers.
The internet totally revolutionised how customers and merchants interact and habituated a new generation of users to a smooth and rich customer experience powered by technology. Then came the mobile revolution and the advent of the app economy. Mobile apps provide customers with unprecedented convenience via useful services that are developed and made available very quickly.
However, these apps, developed at speed and integrated right into the system’s backend, themselves represent a significantly expanded threat surface. Identity and access management quickly emerged as the only way to control this environment with its proliferating number of applications and, hopefully, growing numbers of customers using them.
Take, for example, the online or mobile app we now all take for granted that allows us to book a flight, choose our seat, book a certain kind of meal, print a boarding pass and so on, all without interacting with an airline employee. Such apps need access into the backend system, thus perhaps creating a back door for a malicious party.
Providing that level of service requires highly-sophisticated identity and access management systems, ones that are also able to scale to deal with, potentially, thousands and even millions of users. Ideally, the customer-facing identity and access management system needs to be able to balance the need to protect against escalating levels of risk, while at the same time enabling frictionless access for users.
The big question: How to strike this balance while keeping within the parameters of Zero Trust?
Anatomy of a conundrum
At this point, let’s remind ourselves that Zero Trust creates a security posture that is perpetually on guard, constantly assessing each user and his or her usage patterns in order to detect intruders as quickly as possible.
Organisations should not automatically trust insiders or outsiders: from a security point of view, everybody is treated the same and anyone trying to access the system must be verified first and on an ongoing basis.
To minimise the impact on customers, organisations will need to think carefully about what passive or low-friction verification methods can be used.
This is not so difficult to achieve for insiders because more is known about them, and their work patterns have a certain consistency. This position is reversed when it comes to external users. In addition, it needs to be borne in mind that external users may be accessing the systems via multiple devices or platforms, and it’s important they have the same experience as much as possible.
Here are some practical pointers to designing a Zero Trust framework that does not unnecessarily compromise the ease of access so fundamental to a customer experience that generates loyalty. These pointers are grouped under the three main elements of the Zero Trust model.
Minimise attack surfaces. To stay true to this principle, Zero Trust would tend to formalise the commonly used technique of network segmentation to isolate valuable systems. The focus here would be to shrink each network zone and then mandate access control for each microsegment.
At a technical level, gateways can be used to section off applications and microservices. By securing the access to each service, and separating services / applications from each other, CIOs / CISOs can reduce the attack surface available if that service is compromised. This approach aligns well with the transition to microservices.
Emphasise least privilege. Unfortunately, because services / microservices are often located across a variety of sources, the techniques described above to minimise attack surfaces cannot always be used.
Given that a key focus of Zero Trust is to prevent a successful intruder from moving laterally through the organisation to discover and access valuable data, the least-privilege security model needs to be expanded. Some basic principles to consider:
- Use a delegated model with highly-granular controls to gain visibility of who is accessing the organisation’s systems.
- Set up a lifecycle model for privileged users that tracks the administrator’s changing roles. This needs to be automated so that IT can stay on top of changing roles within the organisation.
- Implement comprehensive auditing that documents the roles and actions of privileged users; this constitutes an effective deterrent to rogue behaviour and provides useful forensic information.
Implement adaptive access management. Because many (or even most) of the services / microservices accessed by external users contain a measure of sensitive or regulated information, the risks inherent in providing easy access are high. Risk-based authentication has long been used to manage such risks, but Zero Trust requires organisations to strengthen and expand the implementation of risk-based authentication.
A key principle here is replacing single sign-on with continuous authentication. Continuous authentication means that whenever customers access a new resource (commonly through an API underneath a mobile app), they will be required to verify their identity.
Likewise, customers accessing a protected resource that is outside of expected behaviour will be required to verify their identity.
To minimise the impact on customers, organisations will need to think carefully about what passive or low-friction verification methods can be used. Key here will be the smart use of a risk engine that is programmed to analyse context in order to distinguish expected user behaviour from genuinely risky situations.
Another way to keep customer interaction as open as possible would be to adapt the authorisation for the type of information the user can access; this would enable swift access, while reducing the risk by restricting access to the most sensitive type of information.
Whatever approach is chosen, the key is that it adapts to context and takes several risk factors into account rather than relying on a single signal.
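As an added illustration (not code from the original article), here is a toy Python risk engine of the kind described above: every API request is scored from context, and the outcome is allow, allow with the most sensitive fields withheld, step-up verification, or deny. The signals, weights and thresholds are assumptions constructed for the example.

```python
"""Toy adaptive risk engine for an API gateway in front of customer-facing services.
Every request is scored (continuous authentication), not just the initial login.
All signals, weights and thresholds are constructed for illustration."""
from dataclasses import dataclass, field

@dataclass
class Request:
    user: str
    resource: str              # e.g. "booking/seat", "profile/passport"
    sensitivity: int           # assumed scale: 1 low, 2 medium, 3 sensitive/regulated
    device_known: bool         # device fingerprint previously bound to this user
    geo_usual: bool            # request geography matches the user's profile
    failed_mfa_last_hour: int  # recent failed active-verification attempts

@dataclass
class Session:
    resources_seen: set = field(default_factory=set)
    recently_verified: bool = False  # an active (step-up) check passed this session

def risk_score(req: Request, session: Session) -> int:
    """Context-based score; higher means riskier. Uses passive signals only."""
    score = 10 * req.sensitivity
    if not req.device_known:
        score += 30
    if not req.geo_usual:
        score += 25
    if req.resource not in session.resources_seen:
        score += 15                      # new resource: re-establish confidence
    score += 10 * min(req.failed_mfa_last_hour, 3)
    if session.recently_verified:
        score -= 35                      # a recent active check lowers residual risk
    return max(score, 0)

def decide(req: Request, session: Session):
    """Map the score to an outcome: allow, allow_restricted, step_up or deny."""
    score = risk_score(req, session)
    if score >= 80:
        return "deny", score
    if score >= 55:
        return "step_up", score          # require active verification before serving
    if score >= 35 and req.sensitivity >= 2:
        return "allow_restricted", score # serve now, but withhold the most sensitive fields
    session.resources_seen.add(req.resource)
    return "allow", score

def record_step_up_success(req: Request, session: Session) -> None:
    """Called by the gateway once the user passes the active verification."""
    session.recently_verified = True
    session.resources_seen.add(req.resource)
```

A known device reaching a new, low-sensitivity resource is allowed passively, while the same device reaching passport data first gets a restricted view, and an unknown device is asked to step up once and is then trusted for that resource within the session.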
In conclusion: Zero Trust currently offers the best approach to securing a fast-moving and constantly shifting IT environment. With the right approach on both a conceptual and an architectural level, it can be implemented without compromising the customer experience too significantly.