How to help government agencies build practices to protect against insider threats

Zero-trust security practices make it harder for malicious users to move laterally across a system once they have gained access behind the firewall, report says.

Zero-trust security models are helping large organizations to protect against malicious users, including those who have already infiltrated their networks, a new report says.

Government agencies will benefit from stricter security controls if they shift to a zero-trust approach, according to experts from Duo Security. Zero trust assumes from the outset that all users and data traffic are operating in an open and unsecured environment. The focus on security then shifts to giving authorized users access to designated applications and data based on their identity and to devices based on their level of trustworthiness.

The report, “Achieving Zero-Trust Security in Federal Agencies,” breaks down the methods used to build zero-trust practices, including continuous authentication, device assessment, user controls and application access.

Continuous authentication is a user-specific approach that doesn’t rely on privacy-protected information. The security environment protects against threats by learning a user’s typical behaviors and then denying access when it detects off-pattern behavior that indicates an unauthorized user.

Because zero trust operates under the premise that the perimeter is anywhere an access control decision is made, continuous authentication allows user verification to occur at multiple access stages, the report explains.

“Managing users individually requires a lot of care and feeding and increases the risk of human error inadvertently creating security flaws,” the report states. “With zero trust, administrators establish access roles across applications that govern which job roles should be allowed access – and not which individuals.”

Currently, agencies relying on traditional perimeter-based security models are open to greater risk, as this approach assumes that users already accessing information from within a private network are trustworthy, the report notes.

However, in recent years some of the most flagrant data breaches happened because once a malicious actor gained access inside the firewall, they were able to move laterally through the system without much resistance.

“Continuous authentication isn’t perfect,” the report concedes, “but it can provide a balance between strong security and the usability that current users have become accustomed to.” It adds value by creating data points that are hard to mimic.

Additionally, as continuous authentication monitors for signs that an authenticated user is on a particular device, the zero-trust framework allows agencies to monitor the devices themselves.

Today more federal employees and contractors bring their own device to work instead of — or in addition to — government-furnished equipment. With more opportunity for devices to connect to the network, government agencies are faced with a considerable security challenge.

The zero-trust model allows administrators to establish and enforce policies that only grant access to devices that meet specific criteria, using a device assessment to confirm the device satisfies a predetermined set of rules before it is granted access.

For example, the policy can require a phone to have the most recent operating system update as well as a lock screen that’s protected by a PIN code. Any device that doesn’t meet all those criteria is denied access.

Despite its name, zero trust doesn’t mean that no trust exists, the report concludes. Rather, “trust is determined on a narrow path to a successfully authenticated user from a successfully interrogated device to a specific application.”
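The “narrow path” described above, together with the role-based application access from the report’s quote and the device policy example (current OS update plus a PIN-protected lock screen), can be shown as a single fail-closed access decision. The following is an added example written for this article; it is not code from the Duo report or from CyberScoop, and the role map, minimum OS versions, application names and sample users and devices are all constructed for illustration.

```python
"""Added example (not from the Duo report): a minimal zero-trust access decision
that follows the article's narrow path, authenticated user -> role-based
application access -> device posture check, and fails closed at every step.
All policy values and sample data below are constructed, not real agency policy."""

from dataclasses import dataclass

# Constructed role-to-application map: roles, not individuals, govern access.
APP_ACCESS_ROLES = {
    "payroll": {"finance", "hr"},
    "case-mgmt": {"caseworker", "supervisor"},
}

# Constructed device policy: minimum OS version per platform; a PIN lock is also required.
MIN_OS_VERSION = {"ios": (17, 4), "android": (14, 0)}


@dataclass
class User:
    name: str
    roles: set
    authenticated: bool  # outcome of the (continuous) authentication step


@dataclass
class Device:
    platform: str
    os_version: str       # e.g. "17.4.1"
    lock_screen_pin: bool
    device_id: str        # constructed identifier for the audit log line


def parse_version(text: str) -> tuple:
    """Turn '17.4.1' into (17, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def assess_device(device: Device) -> list:
    """Return every failed posture check; an empty list means the device passes."""
    failures = []
    minimum = MIN_OS_VERSION.get(device.platform)
    if minimum is None:
        failures.append(f"unsupported platform {device.platform!r}")
    elif parse_version(device.os_version) < minimum:
        required = ".".join(str(n) for n in minimum)
        failures.append(f"os {device.os_version} below required {required}")
    if not device.lock_screen_pin:
        failures.append("lock screen not PIN-protected")
    return failures


def access_decision(user: User, device: Device, app: str) -> tuple:
    """Return (allowed, reason). Every step on the path must pass, and the reason
    is always returned so denials can be logged and reviewed by the SOC."""
    if not user.authenticated:
        return False, "user not authenticated"
    allowed_roles = APP_ACCESS_ROLES.get(app)
    if allowed_roles is None:
        return False, f"unknown application {app!r}"
    if not (user.roles & allowed_roles):
        return False, f"no role of {user.name} grants access to {app}"
    failures = assess_device(device)
    if failures:
        return False, "device failed posture check: " + "; ".join(failures)
    return True, f"{user.name} on {device.device_id} -> {app}"


if __name__ == "__main__":
    # Constructed sample: one compliant device, one that fails two checks.
    analyst = User("a.smith", {"finance"}, authenticated=True)
    good = Device("ios", "17.4.1", lock_screen_pin=True, device_id="dev-0001")
    stale = Device("ios", "17.3.2", lock_screen_pin=False, device_id="dev-0002")
    for dev in (good, stale):
        allowed, reason = access_decision(analyst, dev, "payroll")
        print("ALLOW" if allowed else "DENY ", reason)
```

Note that `assess_device` collects every failed criterion rather than stopping at the first, which matches the article’s “all those criteria” wording and gives the help desk and the SOC a complete reason for each denial.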

Read the report, “Achieving Zero-Trust Security in Federal Agencies” for more on how to improve security controls to protect against malicious users and insider threats.

This article was produced by CyberScoop and sponsored by Duo Security.
