In a previous blog post (https://blog.gemalto.com/security/2019/06/04/one-year-later-finding-harmony-between-gdpr-and-the-cloud/) we explored the relationship between GPDR and applications in the cloud. Trust is generally the foundation and basis of any good relationship, but when it comes to protecting your organization, sometimes a Zero Trust mentality is your best bet.
Today, Zero Trust, is a tech buzz word heard often, but what is the thought process behind it? By definition, Zero Trust is a security model based on the principle of maintaining strict access controls and not trusting anyone by default, even if that means someone already inside your network perimeter.
To better understand where the concept came from, we need to start from the beginning. Historically, the IT enterprise functioned as a contained environment. In other words, users were accessing company data either physically on site, or through a dedicated network or VPN. This mitigated risk in many ways, because the identity of the person themselves was verified by a physical or logical access point. Fast forward 30 years, and we’re in a highly distributed network environment situation. Enterprises have a mixed population of resources, possibly spread out around the globe, working remotely as well as from a myriad of different devices such as a smart phone, tablet, or personal computer. On top of that, Gartner sites SaaS as the largest segment of the cloud market with revenue expected to reach over $85 billion in 2019. Along with the pressure to increase business efficiencies many organizations are moving their applications to the cloud. This transition creates many problems for an IT department. It makes it much more complex for a security team to control all their users and the different level of access to the resources they need on any given work day.
Imagine the typical work day for an employee in this day and age. You arrive to work and check your O365 email account. Perhaps you login to Salesforce and glance at your reminders, next you check your HR portal to review the details of your last paycheck, then you upload some project documents to Confluence and lastly use Cytric to book a flight for your upcoming business trip. That is just a sliver of the applications a standard employee might use on an everyday basis. Studies show, users have an average of 27 different cloud applications they are logging into daily! The challenge that comes along with this, is that if all these applications are in the cloud, you would need to remember a username and password for each and every one. This causes password fatigue, an inefficiency in business due to password resets and most commonly, a user will replicate the same login and password for multiple applications, making them more vulnerable to an attack. In fact, 49% of businesses believe that cloud applications are the biggest targets for cyber-attacks. https://cpl.thalesgroup.com/access-management-index Additionally, 69% of breach incidents came from identity theft, which is why a strong consideration for a Zero Trust is so crucial.
Take into account that users are accessing all their most sensitive resources by bypassing any network controls. The login page to resources such as Salesforce for example, is completely exposed. As mentioned before, if a user is replicating their login credentials, malicious users have an increased chance in getting inside the organization’s other applications. There are many instances in the news regularly about how identity theft works. Compliance and visibility are also factors. The need to have oversight and visibility into who is accessing what app and when, as well as the ability to integrate with SIEM systems is key to staying compliant for many organizations.
Taking it one step further, imagine there are many different layers of how you manage that access. Perhaps you are an IT Admin who needs access to all the applications within the organization in order to monitor them, or you are an HR professional with access to lots of personal employee data, or someone in finance or legal, who would have access to the organization’s financial or contractually sensitive information. Surely a C-Suite executive user would need different access rights than that of a standard employee for example. So how does one set up different access controls for each user’s unique profile?
That’s where access management comes in. Being able to apply security at the application level by determining who, when and how users are accessing cloud applications is key. In order to establish this, an organization needs to evaluate three main steps. First, to assess risk by defining where your sensitive data is located, take inventory of all the cloud apps currently being used, define who should be accessing what, and then define an appropriate authentication method for each. Second is to manage risk. As we mentioned before, you need to take into account the different types of identities and profiles in your organization, the type of resource being accessed and the context as well. For instance, is the app being accessed from a mobile device, a personal tablet or a company issued computer? Is the user logging in from an approved network on site, or a local coffee shop with a public network? Is the user located geographically in an expected place of login or in an unrecognized country? These are all questions to help you better manage and mitigate risk and set the appropriate access policies. Third and lastly would be to contain risk by being able to detect unusual security events, monitor and adapt policies as needed as well as block, allow, or request a step up of authentication when necessary. If we go back to a real life example, you can imagine that that IT admin now logs into the admin console through a Smart Card and is required to use it each time. The access policy is then set up so a bevy of standard users can login to their O365 account with transparent contextual authentication if they are logging in from the office network, but Push OTP if logging in from outside the network. And even more secure, a C-Suite user logs in using certificate based authentication for more sensitive applications.
In the end the goal of access management is to support the Zero Trust mentality and work together to prevent breaches, enable the cloud transformation securely and simplify compliance while doing so. By setting up policies that take into account the role and context, and apply the right level of security at the right time, per app, per user you can rest easier knowing that all apps – no matter how they are delivered – and users, no matter where they are, are protected at the access point. To learn more visit: https://cpl.thalesgroup.com/access-management/safenet-trusted-access or watch a Brighttalk that futher illustrates this topic here : https://www.brighttalk.com/webcast/2037/348609/identities-are-the-new-security-perimeter-in-a-zero-trust-world