Article by ThycoticCentrify Chief Security Scientist Joseph Carson.
It’s no secret that cybersecurity has a reputation for causing friction. But as we’ve seen with working from home – and will continue to see with hybrid work – tough security checks are needed. Threat writers are increasingly taking advantage of flexible work environments where users sign in from different locations and use a mix of work and personal devices.
Organizations should continue to strengthen their security controls to mitigate these risks. And Zero Trust policies – implemented through a range of identity verification and privilege management solutions – provide an efficient and adaptive approach. If only friction could be minimized to keep everyone productive! The right balance between productivity and safety is crucial.
To visualize how much friction controls can or cannot create, imagine an organization’s information infrastructure as something like a bank’s safe deposit box, with security guards at the door.
The strictest control would be asking guards to verify the identity of each client, requiring reliable, government-approved identification – passports and driver’s licenses, not library cards. This approach is most likely to weed out those who aren’t authorized, but it causes the most friction and can be frustrating for legitimate visitors.
A frictionless version would be for the guards to assess all visitors on sight only. Anyone who looks legitimate receives a nod; anyone who appears suspicious must show their ID. This creates a much better experience for visitors, but creates risk if the guards cannot accurately identify everyone entering.
A third option which also presents a frictionless experience is to constantly monitor how visitors use their access once they are in the secure drop-off area, with individuals being challenged if they attempt to visit from other areas or tamper with other boxes.
Think of Zero Trust as a digital polygraph test
While useful for seeing how security controls can work, not all of these scenarios may be effective in a physical environment. In a digital environment, however, some or all of these approaches can be effectively implemented with a Zero Trust strategy.
Obviously, employees don’t want to be constantly interrupted by security checks. Likewise, organizations seeking to minimize friction always want to accurately identify users and exclude unauthorized actors. Finding ways to move back-end security controls, while remaining strong and efficient, is the way to keep the balance between productivity and security.
The solution to achieving this balance is a Zero Trust strategy using a risk-based approach with verification metrics that vary depending on factors such as the user’s device or the systems and information they are accessing. Think of Zero Trust as a digital polygraph test that adapts to the risk potential of each interaction and – if properly implemented – authenticates users with as little friction as possible.
The key to Zero Trust is the ability to adapt security measures and verify authorization at any time, and there are many technologies and techniques that can minimize the impact on users. Single sign-on (SSO), for example, dramatically reduces friction, as users only need to be verified once to access different systems and information. With SSO, however, it’s important that passwords aren’t the only security controls.
Role of PAM, EPM and MFA in Zero Trust
Strict privilege controls are an essential part of reducing risk. A comprehensive privileged access management (PAM) solution enables organizations to adopt the principle of least privilege so that users can only access the data and applications they need. In particular, PAM controls the privileges of administrator accounts that adversaries target to gain full access to systems. It also controls access to valuable or sensitive information by privileged users who are targets of cyber criminals.
Endpoint Privilege Management (EPM) is an important tool that addresses the risks associated with local administrator access exploited by ransomware and other threats. EPM combines application control and PAM, so that only trusted applications can be run on users’ devices. It allows security to be adaptive and evolve to face new threats instead of relying on usernames and passwords and trusting users to always do the right thing.
Multi-factor authentication (MFA) is also an effective way to enforce adaptive authentication and has become very user-friendly in recent years, thanks to biometrics. When users act suspiciously, like attempting to access assets they typically don’t need or sign in from new devices or locations, they can be challenged and need to verify themselves.
With MFA, behavior can be continuously monitored in the background, and additional verification is required when a user exceeds their risk score limit.
A state of mind to guide organizations on their journey
Zero Trust is not a one-size-fits-all solution but rather a mindset to guide organizations on a continuous path of incremental improvement. Each organization must determine which controls will achieve the greatest risk reduction based on a clear understanding of the value of their assets and a dynamic assessment of potential risks and impacts.
Likewise, organizations must maximize productivity at every stage. Security checks should be as smooth as possible, especially in a hybrid work environment. At the same time, they must present the greatest possible barriers to attackers to prevent their exploits or increase the chances that they will be identified and stopped before achieving their objectives.
About the Author
Joseph Carson is the Chief Security Scientist and the CISO Advisory for ThycoticCentrify, a leading provider of cloud identity security solutions formed by the merger of privileged access management (PAM) leaders Thycotic and Centrify. Carson has over 25 years of corporate security experience, is the author of “Privileged Account Management for Dummies” and “Cybersecurity for Dummies”, and is a cybersecurity professional and ethical hacker. . He is a cybersecurity advisor to several governments and the critical infrastructure, finance and transportation sectors.