printer friendly version

Trust but continually verify

The concepts of zero trust and least privilege access and identity management are gaining a lot of airtime these days. While not new, in organisations’ attempts to control all forms of access and manage the cyber threats to systems and data, these concepts are seen as more important. In the physical security world, these ideas are also not new, but they have often taken a back seat to traditional physical security issues.

However, as physical and logical security increasingly converge (and even when the two are separated, there is always a connection between them), access and identity management has become a critical issue. In this article, Hi-Tech Security Solutions looks at access and identity management and asks some industry players what zero trust and least privilege access means and how it can be rolled out to incorporate the converged world of security.

Starting out, we asked what the terms ‘least privilege’ and ‘zero trust’ mean in the world of access and identity management. And looking at the world around us, what do they mean as we move into an IoT (Internet of Things) world where connected things are as important as connected people, and devices on the edge send continuous streams of data to servers and data centres?

With the sheer number of people and devices that are able to connect to our networks today, there are an almost infinite number of possible connections that will want access, legitimate or not. Therefore, Kurt Burger, sales manager at Altron Bytes System Integration, says organisations must implement a least privilege model to allow the right people to access only the areas and data that is pertinent to them.

Mayleen Bywater.

Mayleen Bywater, senior product manager for cloud security solutions at Vox, explains that the terms least privilege and zero trust refer to the understanding a business has of who has access to what information, when and how. “The business has to ensure that users have the correct access to the right data at any given time. When IoT is brought into the environment, where it connects various networks, people and devices, the business needs to ensure that it knows who or what is connecting, to where or what, and who has access to the data and analytics.”

She adds that this is a crucial area for companies to control in terms of managing and mitigating risks in their data environments, whether it is on-premise, in the cloud or via edge devices, especially with legislation such as GDPR and PoPIA in mind.

Sagan Pillay.

Sagan Pillay, CA Southern Africa security solution strategist, adds that least privilege and zero trust are part of the defence-in-depth strategy organisations apply to ensure the right access is provided to the right person or people at the right time. It’s basically understanding what is happening in every transaction, from a simple exchange of data to complex financial transactions.

In most organisations, this is decided by the individual’s job. Person X needs to do certain things and is therefore granted rights to access the places, applications and data to fulfil that function. Unfortunately, many organisations have become lazy and when people move to a new position or even leave the company, their historical rights remain in place.

For example, someone may take over a job and the routine solution would be to give them the same access rights as their predecessor. Too often, the predecessor’s rights are not modified to change or remove their access and neither are the new person’s old access rights modified to remove access to what they required in their previous roles. This is, obviously, a security risk.

The idea of zero trust can also be aligned to the concept of zero tolerance, says Pillay. This implies strong control of all access and a demand that systems trust an identity completely before any transaction is permitted. “Strictly enforced, this binds a physical identity to a logical identity by various means, such as the physical location, biometric authentication or even the device used in requesting access. The organisation takes these factors and more into account and builds a trusted profile that can grant seamless access when all the trust boxes are ticked, or create more ‘friction’ when something is amiss.”

He provides the following example. When someone wants remote access to certain applications and data, the system may allow quick and seamless access because, over time, it has learned that this individual often accesses these areas after hours (from home, for example). The system already knows the home network, so that is a box ticked; it also knows the device used, such as a work laptop, which is another box ticked; the individual is using a work VPN and has logged into the system using their authorised username and password, another box ticked. They will therefore be allowed in without creating more authentication friction.

If the same person requests access from an unknown network (Wi-Fi at the airport, for example) or an unknown device, the system will automatically realise something is different and, depending on what is being accessed, request further authentication – or deny access altogether. A similar process can apply when an individual is accessing systems and data from their work computer over the work network, but because the organisation has combined physical and logical identities and access control, the system knows they haven’t entered the premises that day and can therefore safely block access.

Similarly, Burger says the zero-trust idea basically means “never trust, always verify”. Even when a known person connects from a known device and network, there needs to be something that verifies that it is a legitimate connection. This can be done through some form of token or credential (such as a certificate on their device), or we can also now use behavioural biometrics to determine who is typing on a keyboard or swiping on a mobile device.

When something wrong is detected, the system can escalate the abnormality and set procedures can be initiated to confirm that someone is using a stolen device or perhaps all is well but the individual has hurt themselves and is not using their systems as normal.

Overcoming user resistance

When it comes to access control, physical or logical, the question of user resistance is always an issue. Users want to get things done as quickly as possible with the least hassle, leading to shared passwords, tailgating and even choosing the dumbest passwords possible. And while the trade-off between security and convenience has become somewhat of a cliché today, it is something administrators need to always be aware of and try to prevent.

Bywater believes the best way to manage this is to set rules or have parameters in place where users can’t use the word ‘password’ or ‘123’ as a password. The business can also set up a rule that users can’t re-use a password they have used before. This will ensure that users do not use their pets’ names or the same details every month. Companies should also enforce policies such as regular password changes to ensure effective access control.

She adds that users often use the same password in multiple scenarios in order to make it easier to remember, which is a severe security risk. “The key is to create a single sign-on identity management system that links different systems into one. This enables users to change one password on a regular basis and it will pull across systems and applications. It alleviates the pain point of changing passwords across multiple applications and creates a best practice policy for the business around passwords. It is important for companies to enforce these policies as hackers know how to exploit security vulnerabilities such as weak passwords.”

Pillay agrees, but adds that passwords are only one level of security. We currently need passwords as a base-layer for access and authentication, but organisations must also have other authentication means over the layers of security they have in place protecting more sensitive systems and data. Certificate or token-based authentication can create these additional layers, often without user input. For example, if you have been granted access via your mobile device, a certificate can be installed on the device that tells the privileged access management system that the device is considered secure – although there are various layers and processes to consider. This process can also be applied to IoT access.

Burger is a believer in biometrics for identity authentication. He says the idea of being hacked is no longer a possibility but will happen at some stage. Tools exist that can even predict when these breaches are likely to happen, allowing organisations to prepare. However, he says prevention is a better course of action and advises that, as noted above, nobody should rely on passwords alone.

Not only does he recommend biometrics, but, depending on the environment and situation, multifactor biometric authentication should become the norm. In this way, even if your password is compromised, there is another layer of protection in the form of biometrics, which are much harder to fake – assuming the technology chosen includes liveness detection and other defence against fakes.

Privileges for things

In the IoT age, companies can amass an enormous amount of information from things, whether simple sensors or complex surveillance cameras. There are great benefits in the autonomous transmission, collection and collation (analysis) of data, but there are also risks as this data is often sent to servers that you wouldn’t want open for general access. It seems too easy these days for someone to add malware to the data stream and to receive unauthorised data via the same.

Pillay advocates a privileged access management approach to securing the IoT, which would see these systems only being able to access organisational devices within specific criteria and with set authorisations in terms of what can and can’t be done. This would be supported by gateway monitoring and authentication as an added security protocol to ensure nothing unusual comes through.

“The business must ensure that these devices are set up with the right rules and with alerts built in,” notes Bywater. “As much as we want systems to be automated and autonomous every step of the way, it is still necessary for an individual or for want of a better word, a human, to interrogate the data and mitigate an incident. Checkpoints should be in place across the network to make sure that current threats are mitigated and that an administrator builds rules to protect the environment on an ongoing basis.

“For example, if someone tries to bypass the system or gain access to the network, an automated system can probably pick this up, but if someone does manage to hack into the system and override rule sets, the business should have an administrator that can identify, verify and address the issue. It is key for the business to understand who has changed what at all times and to have an audit trail.”

Again, Burger highlights the ability to install digital certificates on devices as a means of automatic authentication.

Secure access control and the cloud

Cloud services are quickly becoming as normal as having servers on-site for many companies, and many organisations have already outsourced most of their server computing requirements to remote servers. We have also seen many companies opting for access control solutions that are cloud-based, putting the administrative tasks of access control as well as the maintenance and hosting functions in a service provider’s hands.

Pillay explains that cloud-based access is a reality today and will grow along with general cloud services, and that there are many options as to how companies can make use of access systems based in the cloud. The maturity and reliability of cloud services is rising and we will see many traditionally in-house applications being made available as cloud services in future.

“Cloud services are growing exponentially and if your business is not on board it leaves you behind from a technology and digital transformation perspective,” adds Bywater. “Cloud is simplifying services for businesses, making it easier for them to access and use a whole host of services. It also brings down the cost of managing and maintaining infrastructure.

“A business’s data is its number one asset. With cloud, the business has an audit trail of who has access to which systems and services and what was updated or not updated. The cloud is a realistic and reliable option for access and identity management as security is top of mind for cloud service providers.

“It is always a good idea to ask the cloud service provider about the security measures that are in place and whether it is necessary for the business to add its own measures,” she advises.

Burger agrees that cloud is the way to go, but also advises that there is not a one-size-fits-all solution that can be applied to every company like a template. Every organisation needs to take the time to determine what form of cloud services would best suit them, even adjusting the solution depending on the areas they are protecting. Accessing the parking lot and the canteen could easily be a cloud service, but accessing the vault would require a bit more thought.

He also highlights the benefits of integrating your physical access control with your logical access. He says this adds another layer to your authentication security by noting the physical location of the individual and the relevance of him/her accessing a server from there. An example often used is if someone has not entered the office building and is trying to log into a PC in the building. This should raise a flag. And as noted above, for remote access, depending on where the person is logging in from and the device they are using will determine if they are allowed access, and if so, how much.

No matter what solution you select, Burger says, you need to design a system that works for what you need and then look for the technology that will make it work, not decide on the technology and then see how you can jam it into your organisation.

Access and identity management is common in every organisation and even at home, it is just the complexity of the processes that vary. In the business world, authentication is more crucial than ever in a world where cyber criminals seem to have almost no restrictions. Controlling access to company resources, logical and physical, on-site and in the cloud, is therefore a critical aspect in your security arsenal, and combining the two into a collaborative effort to protect the enterprise, its people and assets is no longer an idea that could happen one day, it needs to happen now. The catch, as discussed elsewhere in this publication, is getting the physical and IT disciplines on the same wavelength and capitalising on the areas of speciality of both.

For more information, contact: Heidi Ziegelmeier, CA Southern Africa, +27 11 417 8594, [email protected]; Mayleen Bywater, Vox, +27 87 805 0000, [email protected], www.vox.co.za

Access and identity management insights

Dragan Petkovic.

Dragan Petkovic, security product leader ECEMEA at Oracle, offers some quick insights into access and identity management in business today.

The business needs behind AIM tools and solutions

The question of whether you need access and identity management (AIM) or not should not even be asked. Practicing minimum privileges and periodically reviewing access should be part of any organisation’s policy.

Identity management needs to be tightly integrated with other functions such as the security operations centre as well as mobile and network security. It is also more important than ever due to regulatory requirements on the one side and nexus forces on the other. It is the foundation of transformational forces, including mobility, big data, IoT and cloud.

Identity management should not be just another silo, it should work in unison with other security solutions.

Protection from the inside out

Protecting corporate assets from outside threats is a good starting point, but when someone brings a threat inside the business, the results can be catastrophic. This becomes particularly problematic when dealing with employees who are privy to sensitive information and who may have high-level decision-making powers.

Most privacy frameworks give a clear mandate that access to personal/private data should be given to a limited number of individuals within the organisation. Access restriction, practicing minimum privileges, being able to periodically review it and demonstrate it is a clear case for identity governance and access control.

Deciding who has access

Access to data is fundamental for most organisations and we’re seeing that physical and logical entitlements are converging. When implementing identity management it is paramount to align security controls to the value of the data.

Secondly, more organisations are moving their workloads to the cloud, which is often overlooked when it comes to identity and access governance. Cloud can be vulnerable when it comes to identity management as very often it is managed by line-of-business and security functions do not have control over it. Not having control can lead to all kinds of problems such as administrator account proliferation or dormant accounts. Cloud deployment should be done in a considered manner and when done in such a way it can be more secure than on-premise models limiting restrictions to company data.

How access fits in with the overall security

Access to data is fundamental for most organisations and we’re seeing that physical and logical entitlements are converging. When implementing identity management it is paramount to align security controls to the value of the data.

Access management is a journey. Getting your directions right the first time is essential. Having realistic and achievable milestones mapped to direct business benefits is the most important part of the journey. The management usually has high expectations, but loses interest quickly, so those realistic milestones keep them engaged.

For more information, contact Oracle, +27 11 319 4753, www.oracle.co.za

Share this article:

Further reading: