The recent hack of Twitter made me think about Authentication and Authorisation once again. If it can happen to Twitter, it can happen to even the largest companies. The time has come for all companies to think about adopting a "Zero-Trust" Model for Secure Application Access.
Post Covid-19, it has become clear that modern security is evolving beyond the perimeter. Users want to access critical work applications from anywhere, at any time and from any device, and security models need to grow to support this. The concept of zero-trust security has been around for a while, with an excellent example being Google’s BeyondCorp architecture, which is based on the principles of zero trust. If you haven’t read about it, I highly recommend you read more at https://cloud.google.com/beyondcorp.
A zero-trust security model states that organisations should not trust anything inside or outside of their network perimeters. Instead, they should verify anything and everything that tries to connect to applications and systems before granting them access. Simply put, no traffic inside a network is more trustworthy than traffic coming from outside the network, and it’s up to an organisation to determine under which conditions they decide to trust either a user or a device before granting it access.
Moving forward, enterprises need to design security with an understanding that trust levels are dynamic and change to adapt to evolving business environments. As such, I feel that to truly secure an application, you need five separate pillars to build a Zero Trust Authentication Model. Simply put, these consist of:
Establish trust in a user’s identity. Organisations need to verify the identity of all users with secure access solutions by implementing two-factor authentication (2FA) at a minimum, before granting access to corporate applications and resources.
To ensure compliance and mitigate risks, a corporation needs to ensure it has visibility into every device and user identity used to access applications, whether or not the device and identity are corporate-managed. How often do you hear about organisations that were compromised months before and only recently discovered the hacks?
Ensure device trustworthiness and always inspect all devices used to access applications and resources at the time of access to determine their relevant security posture and trustworthiness. Devices that don’t meet the minimum security and trust requirements set by an organisation should always be denied access to protected applications.
Enforce risk-based policies to protect every application by defining policies that limit access only to users and devices that meet your organisation’s risk tolerance levels. Define, with fine granularity, which users and which devices can access what applications under which circumstances.
Enable secure access to all applications and only grant users secure access to protected applications through a frictionless secure single sign-on interface accessible from anywhere without a VPN. Always protect all applications, be they legacy, on-premises or cloud-based. The flaw in Twitter’s model, in my humble opinion, was that once an internal account was compromised, all layers of security were compromised.
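To show how the pillars above combine into a single per-request access decision, here is an added example (not from any product or from Google's BeyondCorp code). The application names, group names, posture fields and thresholds are all assumptions made up for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa_verified: bool       # identity proven with a second factor
    device_managed: bool     # posture is collected at the time of access
    disk_encrypted: bool
    os_patch_age_days: int
    app: str

# Constructed per-application policies: who may reach what, from which devices.
POLICIES = {
    "wiki": {"groups": {"staff"}, "managed_only": False, "max_patch_age": 60},
    "admin-panel": {"groups": {"support-admins"}, "managed_only": True,
                    "max_patch_age": 14},
}

AUDIT_LOG = []  # visibility: every decision is recorded, allow or deny

def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Network location is deliberately not an input."""
    policy = POLICIES.get(req.app)
    if policy is None:
        result = (False, "no policy for application")  # default deny
    elif not req.mfa_verified:
        result = (False, "second factor not verified")
    elif not (req.groups & policy["groups"]):
        result = (False, "user not entitled to application")
    elif policy["managed_only"] and not req.device_managed:
        result = (False, "unmanaged device")
    elif not req.disk_encrypted:
        result = (False, "disk not encrypted")
    elif req.os_patch_age_days > policy["max_patch_age"]:
        result = (False, "device patches too old")
    else:
        result = (True, "meets policy")
    AUDIT_LOG.append({"user": req.user, "app": req.app,
                      "allowed": result[0], "reason": result[1]})
    return result

if __name__ == "__main__":
    # Constructed requests: same user and credentials, different device posture.
    good = Request("alice", frozenset({"support-admins"}), True, True, True, 3,
                   "admin-panel")
    stale = Request("alice", frozenset({"support-admins"}), True, True, True, 30,
                    "admin-panel")
    for r in (good, stale):
        print(r.app, decide(r))
```

Because the decision is made per application and per request, a valid internal account alone is not enough to reach the sensitive application; the device and the second factor are checked every time.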
As a starting point, I highly recommend you read “A New Approach to Enterprise Security” published by Google. Next week, I will post an article on my thought process about why 2-factor authentication should be updated.