Improve Security and User Experience with Zero Trust
By: Cameron Zivkovic
Organisations are increasingly adopting flexible and remote working arrangements, surfacing the requirement to enable access to applications and services remotely in a secure way. Historically, this looked like taking a laptop home and connecting to a VPN to access on-premises services such as file shares or core line of business applications. While productivity is important, cyber-crime is rampant with constant threats to your organisation. These attackers may seek to steal your data or take your services offline costing you money.
To mitigate cyber-crime, organisations establish security controls. While this helps to mitigate threats, it is generally to the detriment of user experience. I like to think of this as a sliding scale. The more secure the environment, the worse the user experience. The better the user experience, the less secure the environment.
This is where Zero Trust comes into play. It not only allows for a great user experience but also provides the level of security required to protect from cyber-attacks.
What is Zero Trust?
Putting things behind a firewall no longer ensures corporate data is safe. Cloud has changed the way we work: we are more mobile and need to access data and services from anywhere. Zero Trust assumes breach; there is no implicit trust or access to resources. This means that regardless of location, device, identity or type of data being accessed, users must perform strong authentication and have the permissions to access the application, while the platform itself has strong foundational controls. This all sounds great from a security perspective, but sounds like it could be inconvenient for end users. Below are the guiding principles for Zero Trust as defined by Microsoft, with my view on user experience impacts.
|Zero Trust Principle||User Experience|
|Always authenticate and authorize based on all available data points.||Applications will utilise a single login point. Once login is performed with strong authentication the end user will have single sign on into other connected applications.|
|Use Least Privileged Access: Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.||Roles and security policies are tied to the authenticated user. Users should have just enough access to perform the duties required given the conditions of their access. If accessing sensitive information from a personal device, for example, download and other functions may be blocked because it violates policy.|
|Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.||The underlying platform has encryption and secure communication between components with all activities logged. End users are not impacted by this and it is invisible. Administrators have greater visibility due to login events being centralised and can take immediate action should threats arise.|
Pillars of Zero Trust
There are several pillars to consider when implementing Zero Trust, and this extends to all services within the environment. These pillars are shown below as defined by Microsoft.
The changing world means we need to be agile and ready to adapt to new challenges. When looking at traditional approaches in these pillars, this is some of what I’ve seen. When overlaying Zero Trust principles and technologies, this is what the future can look like.
|Pillar||Traditional View||Zero Trust View|
|Identity||Multiple directory services and/or local application database to host credentials. No or minimal Multi-Factor Authentication. No or minimal Single Sign On and multiple login prompts for end users.||Single directory service requiring strong authentication. Advanced auditing and behavioural analytics to detect potential attacks into the environment. All applications use the single directory service with modern authentication protocols such as SAML and OpenID Connect/OAuth.|
|Endpoints||Managed through Active Directory domain join and Group Policy or utilising Microsoft Endpoint Configuration Manager. Update management, application deployment and policy enforcement/compliance are difficult or not possible when devices are remote.||Endpoints can be managed from any location and report back to a central corporate cloud service. Device compliance can be used as a condition to access sensitive information and corporate data.|
|Data||Data sensitivity is not a factor when securing information. Information is largely not classified or labeled with mitigating controls to prevent data loss. Organic growth and access creep can leave sensitive information available to the wrong people (e.g. information on traditional file shares).||Sensitive information is defined and has rigorous data loss prevention and sharing controls applied. Identity and device compliance can influence access to the data depending on certain conditions.|
|Apps||Applications reside across on-premises, IaaS, PaaS and SaaS. There is no unified way to govern access to the application or understand what unsanctioned 3rd party applications are being used by employees (potentially containing sensitive corporate data).||Applications all use a single directory service and policy enforcement point. Application logs and activity are sent to a central location and controls can be applied at the enforcement point depending on the access conditions. Unsanctioned application use can be detected on corporate or enrolled devices that access corporate data.|
|Infrastructure||Infrastructure exists across on-premises and cloud. Security controls and permissions are maintained manually and evaluating compliance is challenging and manual. Administrators have more permissions than required to perform their role.||Infrastructure feeds back into a central console and policy enforcement point. Encryption and access are standardised and compliance can be viewed in a single dashboard.|
|Network||Flat networks with minimal security controls - the view that internal traffic is safe and there are minimal barriers between client, server and application components. Internal traffic can be unencrypted and be largely unmonitored.||Application components exist in different subnets with security rules applied (e.g. web, app and data). All internal user to application traffic is encrypted and monitored. Native capabilities such as securing against OWASP top 10 are enforced.|
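The Zero Trust column above repeatedly refers to a single policy enforcement point where identity, device compliance and data sensitivity decide access. The following sketch is an added example, not code from Microsoft or from this article; every name and rule in it is an assumption chosen to mirror the table, including the personal-device case where download is blocked.

```python
from dataclasses import dataclass, field

# Hypothetical names throughout; this is not a Microsoft API.
@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_passed: bool        # Identity: strong authentication performed
    roles: frozenset        # Identity: roles tied to the authenticated user
    device_managed: bool    # Endpoints: enrolled corporate device
    device_compliant: bool  # Endpoints: meets compliance policy
    required_role: str      # Apps: role the application demands
    sensitivity: str        # Data: "general" or "sensitive"

@dataclass
class Decision:
    allow: bool = True
    restrictions: list = field(default_factory=list)
    reasons: list = field(default_factory=list)  # kept for central logging

def decide(req: AccessRequest) -> Decision:
    """Evaluate every signal on every request; network location is not an input."""
    d = Decision()
    if not req.mfa_passed:
        d.allow = False
        d.reasons.append("strong authentication not performed")
    if req.required_role not in req.roles:
        d.allow = False
        d.reasons.append(f"missing role: {req.required_role}")
    if req.sensitivity == "sensitive":
        if not req.device_managed:
            # Personal device: access continues, but download is blocked.
            d.restrictions.append("block_download")
            d.reasons.append("personal device accessing sensitive data")
        elif not req.device_compliant:
            d.allow = False
            d.reasons.append("managed device is out of compliance")
    if not d.allow:
        d.restrictions.clear()  # a denied request carries no session controls
    return d

# Constructed sample requests (not real users or devices).
BASE = dict(user="alice", mfa_passed=True, roles=frozenset({"finance"}),
            device_managed=True, device_compliant=True,
            required_role="finance", sensitivity="sensitive")
SAMPLES = {
    "corporate laptop": AccessRequest(**BASE),
    "personal device": AccessRequest(**{**BASE, "device_managed": False,
                                        "device_compliant": False}),
    "no MFA": AccessRequest(**{**BASE, "mfa_passed": False}),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        d = decide(req)
        print(name, "->", "ALLOW" if d.allow else "DENY", d.restrictions, d.reasons)
```

The same user gets three different outcomes depending only on the signals presented, which is the user-experience trade the article describes: full access on a compliant corporate device, restricted access on a personal one, and no access without strong authentication.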
We live in an ever-changing world where secure access to corporate data and applications is vital to business continuity. The balance of security and user experience is critical and this can be achieved through the implementation of Zero Trust. There are a number of activities and projects required to get from the traditional state to the future state, but thankfully there is guidance available to aid organisations.
I have covered Microsoft best practices and recommendations with my view of traditional methodologies and user experience improvements that can be achieved with Zero Trust. Zero Trust not only increases the security posture of organisations, it makes applications and data more available and streamlines user access to increase productivity. The task seems daunting, but Microsoft provide a large amount of deep dive information which I have used to help guide this article. There are also additional maturity assessment tools and models available to help guide the Zero Trust journey.