Organizations struggle to balance the need for security with the productivity requirements of enabling remote workers. Cybersecurity threats have grown in complexity and have evolved to exploit the rapid proliferation of bring-your-own-device and work-from-home scenarios. Legacy perimeter-centric security models rapidly break down as more and more organizational data is stored in the cloud, on non-organizationally owned devices, at remote locations and with external entities. The Zero Trust security model is uniquely positioned to address these growing complications. Introducing an earned-trust model can be far less complex than might be assumed and can help keep sensitive organizational data safe, regardless of where it travels.
Hello, everyone, and welcome to Securing Your Remote Workforce with the “Zero Trust” Security Model. My name is Joe Kuster, I’m the Director for Security and Compliance Solutions across Catapult Systems. I’ve got about 23 years in the field with systems management and security.
Today, we’re going to be talking about something incredibly important: how you can protect your organization against some of the emerging threats that are being leveraged against your users and your data. First off, two truths for all businesses. Employees are busy getting their job done—inefficient processes frustrate them. Additionally, studies have proven that there’s at least one employee in every organization who will click on anything.
Now, quote, to get us started today, Forrester Research 2017, “The Legacy Perimeter Centric Models of Information Security are of no use in today’s digital business.” The last four years have proven that true, and nothing more so than COVID-19.
Overnight, businesses had to transform fundamentally, most of them were not prepared for remote work. Suddenly, we had a proliferation of users connecting from their home networks. In some cases, from their home devices. Suddenly, we saw Windows XP, Windows Vista, Windows 7, out of date versions of Mac, Android, iOS, accessing organizational data. Most of them were unmanaged. And the security, privacy, and compliance issues were significant. And it put a lot of pressure on the already crumbling perimeter centric security model.
Now, very quick refresher, you know, many have heard the perimeter described as a crunchy outer shell of protection and an ooey-gooey center of trust. The challenge is that center of trust, because there are many fatal assumptions baked into that model. When we talk about the perimeter model, it assumes that all risks are external. There’s never a malicious user. It assumes that devices aren’t transient, disconnecting and reconnecting, dialing in from home off a VPN, that no device has ever been compromised, because it can allow lateral movement across the organization, and that phishing and malware never succeed. Some of the simplest things, like Active Directory domain policies, often gave interactive login rights to all users on all devices. So, that gave a foothold, where if one identity was compromised, it gave them a login on the other, where the firewalls would assume all ports are open and fair game to all other devices inside the subnet—and that poses some fundamental problems. That’s what caused ransomware outbreaks to be able to cripple entire organizations, what causes trusted-user phishing campaigns to proliferate.
So, that’s why the Zero Trust Security Model was invented, to be able to address those weaknesses, to start at zero, no permissions. Just because you have an IP address, it doesn’t mean you’re trustworthy. That is fundamental. Earning up from there, it’s not saying that you’ll never give trust, it’s that you have to earn that trust. Nothing is implicit. So, you may have to validate your identity, make sure you’re on a trusted connection, make sure your device meets specifications, that you’re using the approved applications, that you have rights management enforced, and that you have specifically been granted rights to that data, that application. And across the board, there’s the analytics and logging to be able to help protect you. Now, that’s just a foundational piece. Everybody’s control plane is going to look a little different, but this is a very high level look at it.
Now, if we take another peek at what some of those things may look like identity and access management with multi factor—most of you are doing that. And if you’re not, you really do need to be doing so. Adaptive access to cloud applications, that’s on the other end of the scale. Many aren’t taking advantage of those type of capabilities. Classification labeling, encryption, these are very fundamental security tools to be able to help protect you regardless of where your data goes, and so these are very powerful capabilities. And some people can get bogged down on where do I even get started with that. The interesting part is that many times, it’s not that it’s a zero trust product. In many cases, it’s actually just applying those tools you’re already familiar with, in a different way, where you have to earn that security, you have to earn that access, you have to prove that you’re compliant, before you’re granted capabilities.
So, a very quick mental exercise that can frequently help folks with this. What would you do differently if all of your organization’s most sensitive stuff was being accessed by BYOD mobile, a device that you have no inventory or capabilities for, you didn’t give it to the user? So, many of you would immediately start saying, I need to have inventory, I need to have management of that device, I need to make sure it’s encrypted, I need to make sure it has passwords, I need to make sure it’s using a secure network. As you start thinking through those things, you start getting into item-level encryption, and I need to be able to remove that data if they leave the organization. Those are all fantastic things—totally doable. So, why aren’t you doing that on your on-prem networks? Because that gives you East-West capabilities to protect servers from other servers should a compromise occur. So, think that over.
Now, we’re going to go through some applied zero trust. These are going to be some scenarios that we have deployed to be able to help protect organizations. We’ve stopped multimillion-dollar attacks with these approaches. So, start off with one that is, in many cases, the worst-case scenario for some businesses: we have an on-prem file share or SharePoint Server, and the user wants to use that untrusted, unmanaged device. Okay, I need to make sure it’s a trustworthy platform. So, I may enroll it with an MDM tool. And I make sure that I have managed devices, managed identity, I have the security controls put into play, some policies. I need a secure network. Azure Application Proxy, in this case; you can do it via VPN, you can do it in a number of different ways. These are just an example of how you might create a control framework. But in this case, you have ad hoc SSL tunneling. It doesn’t even require a port on your firewall being open, it’s outbound only. So, it provides tie-ins to conditional access capabilities like multi-factor, compromised account detection, risk-based authentication capabilities, Defender for Identity. I need to be able to look for intrusion detection. I also need to be able to protect the information.
If this is an HR spreadsheet full of social security numbers, I need to make sure it’s encrypted at rest and it’s not being mishandled. So, I have that travel-anywhere access control, I have the auditing logs of who’s accessing when, I have revocation controls. So, let’s say, for instance, that user does something bad: the user stockpiles all that information on their device, puts it on airplane mode, so that you lose your ability of remote wiping it. That is some people’s worst nightmare, but we’ve got you covered. Because that travel-anywhere protection gives the ability of saying, “if you can’t log into your Active Directory account, you can’t open these files.” And if the device is no longer compliant, somebody jailbreaks it, roots it, removes the management, you can’t open those files either. So, it all fits together in a comprehensive strategy, where you’ve gone through and you can check at any point, and if it hasn’t met your requirements, you can block access or isolate that damage.
Let’s look at another scenario underneath the same piece. The user was phished. In that case, we can go through and say, “hey, you know what, I’m going to make sure that I’m following these things.” But the risk-based access controls are going to identify that “hey, you didn’t pass multi-factor authentication, or this password was actually leaked on the dark net, okay, it might likely recognize that.” And it enforced a password reset, blocked access, and triggered an automatic investigation. So, those are very powerful tools that are at your disposal. So, you can see how they work together, to be able to earn that trust.
Now, let’s look at a different scenario: unmanaged devices. So, the previous one, they had some mobile device management. This case, they don’t. This may be the work-from-home user who has said, “I’m not gonna let you manage my device.” So, how do you protect that? Somewhat of a similar methodology, but you may use some different tooling. In this case, you can say, encryption in transit, maybe through OneDrive, conditional access with multi-factor; Cloud App Security gives you session controls. So, you can block unprotected downloads from happening, you can make sure that everything is protected before it’s allowed to be downloaded to an unmanaged device. So, that will kick in the information protection that’s going to follow that file, regardless of where it goes. So, in that scenario, the user tries to post the data to social media. Excel is rights-management aware; many, many other applications are as well. So, you can have a PDF or a generic file here. But you can actually prevent screenshotting that information through the advanced rights management capabilities. And so, it makes it unable to copy that data out of the trusted container.
Now, similar scenarios: hey, maybe they were blocked there. So, they decided to do a OneDrive share to another competitor, say, they’re leaving the organization. And they want to be able to move that file over, or they don’t want to be able to share it with their own personal accounts. Well, that’s where the unapproved application sharing capabilities come in, with data loss prevention, and tying in share management with quarantine, etc. So, it can identify that that’s an unauthorized domain and it’s sensitive information. So it’s going to block that share, it’s going to make sure that it logs the attempt. And you can even remind the user what the data handling policy is, automatically. And you can flag it for investigation if appropriate.
So, let’s move to a little bit more complex one, that’s actually one that we’ve seen a lot this year. The administrator over payroll: high-value target, a lot of attackers are trying to attack them. So, you may want to set in expectations that if you’re going to be changing direct deposit information, due to the number of payroll attacks, I need you to be on a trustworthy platform. So, I may actually say everybody in the company can check their W-2, or check their pay stub, but they can’t download and modify data. They can’t change direct deposits unless they’re coming from a trustworthy system. So, as an example, if that admin over payroll tries to log in to this cloud payroll app, thanks to session controls, it can kick in and limit the role. So, in that case, we could actually say you get read-only access, you can read your pay stub, but you do not have rights to modify direct deposit because you’re on a non-compliant device, you haven’t earned that ability.
Let’s switch this up. Let’s just go very basic: generic email access from an unmanaged device—incredibly common. Some folks may need to be able to get their shift information, or have, you know, be able to work off of email on any device. But maybe you haven’t instilled or earned up to the point of being able to have all users on managed hardware yet. In that case, you may choose to use mobile application management. The ability of saying, okay, we’ll all deploy Outlook as an example. These are not specific tools. But in this case, we may say, mobile application management applied to Outlook, which protects your organization’s email, but just that, but it can tie into the conditional access, into Azure Sentinel for threat hunting and event correlation, Defender for Office 365, and again, rights management depending on what you’re working with. So, if that device is compromised and is part of a botnet, you can actually identify that either through conditional access or through Azure Sentinel, and be able to revoke access. Roll passwords because the device has been compromised and attackers have gained access to it. Initiate endpoint protection scans, purge your sessions and tokens, and be able to trigger a ticket for in-depth investigation. That’s all automated. So, these are very powerful ways that you can help protect your users. These are just samplings. But they’re very real scenarios where we’ve been able to help protect organizations from very real threats.
So, I want to move on to how you might be able to build your control plane. I want to touch on some tips on building your control plane. First off, I typically recommend starting with identity. But as you’re thinking through the tools and technologies, think holistically: you don’t want DLP on the network and on the device and at the applications. How can I solve it universally wherever possible? This pyramid can be helpful if you think about how to solve upward from identity to network, device, app, and data. Now, when we look at the map of a potential control plane, there are some considerations you want to factor in: what type of data you have, where does it go, because that’s going to change some of the tools and features you might need to deploy. You also need to factor in what services need protection; some of them are going to be protected differently. It’s very common for a phased adoption for zero trust. So, in many cases, it’s actually easier to secure the cloud than it is for some of the on-prem legacy infrastructure. There’s processes for all of it.
So, you may want to figure out what’s going to be the right adoption to be able to help mitigate the bulk of your risks. And consider what tools are going to interoperate with each other; some of them are going to work natively well together, and some of them don’t speak the same language. As you’re fitting this together, understand that user behavior. So, those user behavior analytics are going to be greater than just numerous alerts; old-school SIEM tools just generate tons of alerts—that is not always the most helpful. So, be able to try and identify tools that can say, is this Joe’s normal device? If so, that’s a lower-level risk. That’s going to be your sweet spot for helping automate some of these risks. And one of the other really important pieces is assume breach. So, as you’re piecing together what’s going to work for your control plane, make the assumption: what happens if this identity is compromised? What tools do I need to be able to identify that it’s been compromised? Isolate it, remediate it, and then go up to, what do I need to be able to identify that my network’s been compromised, or my infrastructure, my apps, my data and my devices. Piece those pieces together of saying, well, if I have a compromised device, how does that impact the other parts of the puzzle? So, that helps you build a unified control frame.
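As an added illustration of the earned-trust decisions the scenarios above describe (the phished user, the payroll admin on a non-compliant device, the botnet-infected phone, and the "is this Joe's normal device?" check), here is a small policy evaluator. It is example code written for this page, not Catapult's or Microsoft's; the signal names, access levels and response actions are assumptions standing in for conditional access, device compliance and identity protection signals.

```python
from dataclasses import dataclass, field

@dataclass
class Signals:
    """Assumed inputs a control plane would gather before granting anything."""
    mfa_passed: bool
    device_compliant: bool    # enrolled in MDM, encrypted, not jailbroken/rooted
    known_device: bool        # "is this Joe's normal device?"
    trusted_network: bool
    password_leaked: bool     # credential seen in a breach dump
    compromised_device: bool  # e.g. flagged as part of a botnet

@dataclass
class Decision:
    access: str               # "full", "read-only" or "block"
    actions: list = field(default_factory=list)

# Assumed automated responses; names are illustrative, not product actions.
CONTAIN = ["revoke_sessions_and_tokens", "reset_password", "open_investigation"]

def evaluate(sig: Signals, sensitive_write: bool = False) -> Decision:
    """Start at zero trust and earn up: identity, then device, then network."""
    # Assume breach: compromise indicators are handled before any trust is granted.
    if sig.password_leaked or not sig.mfa_passed:
        return Decision("block", CONTAIN + ["block_sign_in"])
    if sig.compromised_device:
        return Decision("block", CONTAIN + ["endpoint_protection_scan"])
    # Identity has earned trust; an unmanaged device only earns a protected session.
    if not sig.device_compliant:
        return Decision("read-only", ["block_unprotected_download",
                                      "apply_rights_management"])
    # Managed, compliant device: high-value writes (direct deposit) still need
    # low residual risk, with unknown device or untrusted network each adding risk.
    risk = (0 if sig.known_device else 1) + (0 if sig.trusted_network else 1)
    if sensitive_write and risk > 0:
        return Decision("read-only", ["require_known_device_and_trusted_network"])
    return Decision("full", ["log_access"] + (["flag_for_review"] if risk else []))

# Constructed sample sign-ins mirroring the talk's scenarios.
SCENARIOS = {
    "phished_user":       Signals(False, True,  True,  True,  True,  False),
    "payroll_admin_byod": Signals(True,  False, False, False, False, False),
    "botnet_phone":       Signals(True,  False, False, False, False, True),
    "managed_new_wifi":   Signals(True,  True,  False, False, False, False),
    "normal_day":         Signals(True,  True,  True,  True,  False, False),
}

def run_scenarios(sensitive_write: bool = True) -> dict:
    """Evaluate every sample sign-in as an attempt at a sensitive write."""
    return {name: evaluate(sig, sensitive_write) for name, sig in SCENARIOS.items()}

if __name__ == "__main__":
    for name, d in run_scenarios().items():
        print(f"{name:20s} {d.access:10s} {d.actions}")
```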
So, as we go through this, I hope this has been helpful information for you. If you do need some help building your own zero-trust approach that fits your particular organization, feel free to reach out. And again, thank you.