The Context Conundrum: Fostering Network Trust In A Digital World

Forbes Technology Council

Barry Field is CEO of Appgate, a secure access company making life safer for users and harder for adversaries with Zero Trust solutions.

Authenticating users on a network is one of the biggest cybersecurity challenges for businesses and government agencies. The problem has only grown in scale and complexity as the traditional notion of the network perimeter has evaporated. The current global pandemic has exacerbated the challenge, forcing a massive volume of employees, contractors and other "trusted users" to log in remotely.

This new reality demands that security leaders rethink how we provide dynamic secure access to users. The goal is to ensure that the right people have access to the right resources under the right conditions. Traditional network access methods were never intended to provide contextual access. A modern approach grounded in the principles of zero trust — "verify, then trust" — is needed to meet today's security challenges without limiting business operations.

Context: The Missing Link In Security

When it comes to security, "context is everything." Yet with legacy technology, context is all too often absent when it comes to authenticating a user and granting them access to protected network resources.

What exactly do we mean by context as it relates to security? If you are attempting to access something on a network — be it an application, a resource or a system — there are dozens of contextual attributes that can and should be considered when determining the relative trustworthiness of a user.

These attributes might include where the end user is geographically located, the type of device they are connecting from, when that device was last patched, and the risk level of the specific transaction being attempted. No single one of these signals decides whether a user or transaction should be trusted, but taken together they build a far more complete picture of the user, their device and their likely intent.

Context can also play a significant role in the quality of the individual user's experience. Think about how a financial institution authenticates a customer's online transaction and how a variety of contextual attributes might be used to trigger a wide spectrum of security experiences.

For example, if you're logging into your account from a known device (your phone) from a known location (your home) and only checking your account balance, the context of this scenario might only demand a light-touch authentication such as a four-digit PIN. However, if you are logging in from an unknown device in an unfamiliar location, exhibiting unusual behavior, and attempting a higher-risk transaction (e.g., wiring money to an unknown recipient), then the authentication demanded should be far more rigorous, up to and including refusing the transaction until it is confirmed out of band.

Applying context in a way that is transparent to the user creates a more seamless experience while limiting fraudulent transactions. Without context, you force every user through the same authentication hoops regardless of risk, which is frustrating and can unintentionally create bad habits (e.g., one well-documented consequence of imposing complex password requirements is that users reuse the same password across multiple accounts).

Beyond VPNs: How A Software-Defined 'Segment Of One' Codifies Trust

For the past two decades, virtual private networks (VPNs) have served as the primary mechanism for connecting remote users to centralized IT resources. However, they have outlived their usefulness in a digital world characterized by hybrid infrastructure and a distributed workforce. In fact, US-CERT has issued several warnings related to VPN vulnerabilities, and as such, threat actors — including state-sponsored APT groups — are now actively targeting and exploiting unpatched VPNs.

This is one of the reasons why the phrase "zero trust" has become ensconced in the lexicon of security executives. A zero trust framework inverts the conventional "trust but verify" model, in which a connection that reaches the internal network is assumed legitimate, and replaces it with "verify, then trust under the right conditions." Any device, individual or resource that attempts to connect must be thoroughly verified before conditional, limited trust is granted, and that verification does not stop once the connection is established.

A zero trust strategy begins with secure network access. Your network must be available to legitimate users and unavailable to everyone else. A software-defined perimeter (SDP) is one mechanism by which a zero trust network access (ZTNA) model is enforced. It lets users connect directly, and only, to the specific resources they are authorized to access.

With context awareness and risk-based policies, an SDP solution creates a "segment of one": a just-in-time perimeter drawn around the individual user and the resources they are authorized to reach, so that the rest of the network is not merely blocked but invisible to them, because unauthorized hosts never answer at all. This matters most for damage control. In many breaches an attacker gains an initial foothold and then moves laterally through the network to reach what they actually want. With a "segment of one," the connecting user, whether a malicious insider or an external attacker holding stolen credentials, cannot move laterally or reach anything outside the access that was explicitly granted.
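The banking scenario above and the "segment of one" describe the same decision from two sides: how much authentication a request must satisfy, and which resources are reachable at all. The following Python module is an added illustration of that decision logic and is not code from the article or from any product. All weights, thresholds, users, resources and the entitlement table are constructed assumptions; a real deployment derives them from its own device-posture, identity and fraud data. The point it makes beyond the text is that the resource view is computed from posture (who, what device, where) while the step-up level also folds in the risk of the action requested, and that both are recomputed per request rather than once at login.

```python
"""Context-aware access decision: risk scoring, step-up authentication and a
'segment of one' resource view. Added example; every number and name below is
an assumption for illustration, not data from any real deployment."""
from dataclasses import dataclass

# Assumption: a device patched more than this many days ago counts as stale.
STALE_PATCH_DAYS = 30


@dataclass(frozen=True)
class AccessContext:
    """Contextual attributes gathered for one request (assumed field set)."""
    user: str
    device_known: bool          # device previously enrolled for this user
    location_known: bool        # network location matches the user's usual ones
    days_since_patch: int       # reported by device posture / MDM
    action_risk: str            # "low" | "medium" | "high" for the transaction
    anomalous_behavior: bool = False  # e.g. velocity or time-of-day anomaly


@dataclass(frozen=True)
class Resource:
    users: frozenset            # who is entitled to the resource at all
    max_posture_risk: int       # posture score above which the resource goes dark
    patched_only: bool = False  # additionally require a recently patched device


# Hypothetical weights; tune from your own incident and fraud data.
POSTURE_WEIGHTS = {
    "unknown_device": 30,
    "unknown_location": 20,
    "stale_patch": 15,
    "anomalous_behavior": 25,
}
ACTION_WEIGHTS = {"low": 0, "medium": 15, "high": 35}

# Constructed entitlement table (demo data only).
ENTITLEMENTS = {
    "balance-api":   Resource(frozenset({"alice", "bob"}), max_posture_risk=60),
    "wire-transfer": Resource(frozenset({"alice"}), max_posture_risk=30, patched_only=True),
    "hr-portal":     Resource(frozenset({"bob"}), max_posture_risk=40),
}


def posture_score(ctx: AccessContext) -> int:
    """Risk contributed by who/what/where, independent of the action requested."""
    score = 0
    if not ctx.device_known:
        score += POSTURE_WEIGHTS["unknown_device"]
    if not ctx.location_known:
        score += POSTURE_WEIGHTS["unknown_location"]
    if ctx.days_since_patch > STALE_PATCH_DAYS:
        score += POSTURE_WEIGHTS["stale_patch"]
    if ctx.anomalous_behavior:
        score += POSTURE_WEIGHTS["anomalous_behavior"]
    return score


def risk_score(ctx: AccessContext) -> int:
    """Posture plus the risk of the specific transaction, capped at 100."""
    return min(posture_score(ctx) + ACTION_WEIGHTS[ctx.action_risk], 100)


def required_authentication(ctx: AccessContext) -> str:
    """Map aggregate risk to the authentication this request must satisfy."""
    score = risk_score(ctx)
    if score < 20:
        return "pin"       # light touch: known device, known place, low-risk action
    if score < 50:
        return "mfa"       # password plus a second factor
    if score < 80:
        return "step_up"   # phishing-resistant factor plus out-of-band confirmation
    return "deny"          # too risky to authenticate at all right now


def segment_of_one(ctx: AccessContext, entitlements=ENTITLEMENTS) -> set:
    """Resources this user may reach under the current posture. Anything not
    returned is not 'denied' at the application layer; it is simply unreachable."""
    posture = posture_score(ctx)
    reachable = set()
    for name, res in entitlements.items():
        if ctx.user not in res.users:
            continue
        if posture > res.max_posture_risk:
            continue
        if res.patched_only and ctx.days_since_patch > STALE_PATCH_DAYS:
            continue
        reachable.add(name)
    return reachable


if __name__ == "__main__":
    scenarios = {
        "home_balance":   AccessContext("alice", True, True, 5, "low"),
        "home_wire":      AccessContext("alice", True, True, 5, "high"),
        "hostile_wire":   AccessContext("alice", False, False, 90, "high", anomalous_behavior=True),
    }
    for label, ctx in scenarios.items():
        print(label, risk_score(ctx), required_authentication(ctx), sorted(segment_of_one(ctx)))
```

Run the module and the three constructed scenarios walk through the article's spectrum: balance check from home gets a PIN and sees both of Alice's resources; a wire from the same posture keeps the same resource view but steps up to MFA; an unknown, unpatched device in an unfamiliar place behaving oddly is denied outright and sees nothing. Because both functions take the per-request context, a policy enforcement point calls them on every connection attempt, which is what "continuously keep verifying" means in practice.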

Companies implementing an SDP solution typically don't boil the ocean with a full-scale rip-and-replace of all existing legacy technology. Instead, they take a phased approach, incrementally augmenting or replacing technology, and they usually start with VPN replacement. The easiest way to shift from a VPN to an SDP is to identify the initial use cases that offer the highest risk reduction for the least friction or disruption to business workflows, and to migrate those first.

Contextual Trust

One of the fatal flaws of perimeter-based security practices is that you inherently trust users once they've been allowed inside the network gates. Paradoxically perhaps, the best way to apply trust is to extensively verify, extend limited trust and continuously keep verifying. By applying context and the concept of a "segment of one" to the broader zero trust framework, we can deliver a more modern security experience that meets the requirements of the new digital age.

