Ten best practices for embracing Zero Trust IAM

The world has changed a lot in the past two years. And while there’s still little certainty about what the future may bring, one thing is clear. There’s no going back to the way things used to be. 

For better or worse, this is the new normal. A landscape defined by digitization and distributed work. On the one hand, this is excellent — it creates new revenue streams, improves productivity across the board, and has the potential to revolutionize how businesses operate. 

On the other hand, it’s also fraught with risk. Threat surfaces are now more expansive and complex than they’ve ever been. Cybercriminals have wasted no time seizing the opportunity.

Last year, for instance, software-based supply chain attacks hit three out of five companies. This resulted in some of the highest-profile breaches in recent memory, including SolarWinds, Microsoft Exchange, and Colonial Pipeline. At the same time, criminals modernized and streamlined their own infrastructure and approach, with ransomware-as-a-service platforms reaching greater market penetration than ever before. 

In such a climate, traditional access controls are no longer sufficient. The security perimeter of yesteryear is obsolete; device and password-based authentication cannot protect critical assets on their own. To survive, businesses must adopt a new, identity-based approach to access management.

Zero trust represents a cornerstone of that framework. It is the bread-and-butter of Identity and Access Management (IAM), a pillar of cybersecurity in a distributed, post-COVID world. It also isn’t something you can apply without planning, knowledge, and foresight. 

To that end, let’s go over ten major best practices underlying the effective application of zero trust.

 

Always Verify

Traditional access management is predicated on the idea that some devices and users are implicitly trustworthy. Their access is unquestioned and their privileges are unchallenged. Zero trust turns this idea on its head. 

In a zero trust framework, there’s no such thing as implicit trust. Every device, no matter where and how it connects, must be actively verified and monitored. The same is true of every user — not even your own administrators are above reproach in this framework, nor should they be.

 

Multi-Factor Authentication (MFA) is a Must

On the topic of verification, the more layers of authentication in your sign-on process, the better. Each layer represents another barricade with which criminals must contend, and another potential stopping point for anyone trying to gain unauthorized access to your network. 

SMS codes represent the most common type of MFA. However, they are the least secure option by far. Much has already been written about the security failings of SMS, which is vulnerable to everything from spoofing to SIM swapping. Instead, you should maintain the mindset that authenticating factors all fall under one of the following umbrellas, and a strong approach to MFA requires one or more from each: 

  • Knowledge. This may include passwords, security questions, or personally-identifying information. 
  • Ownership. This is something a user has in their possession, such as a hardware token or device.
  • Identity. Biometric information such as a fingerprint, retinal, or face scan. This also includes behavioral data such as access location or access time.
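As an added illustration of the "one or more from each umbrella" rule (this is example code written for this page, not something from the original post or any product), the policy check below classifies each presented factor into the three categories above, refuses to count SMS toward coverage unless the policy explicitly allows weak factors, and reports which categories are still missing. The factor names, the category mapping and the weak-factor list are constructed for the example.

```python
"""Added example: evaluate whether a sign-on satisfies an MFA policy that
requires at least one factor from each of knowledge, ownership and identity.
Factor names, category mapping and the weak-factor list are constructed."""
from dataclasses import dataclass

# Constructed mapping of factor -> category, following the post's grouping.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "security_question": "knowledge",
    "sms_code": "ownership",         # proves possession of a phone number, weakly
    "totp_app": "ownership",
    "hardware_token": "ownership",
    "fingerprint": "identity",
    "face_scan": "identity",
    "trusted_location": "identity",  # behavioral signal, grouped under identity above
}

# Factors the post singles out as the least secure: they only count toward
# coverage when the policy explicitly allows weak factors.
WEAK_FACTORS = {"sms_code"}

REQUIRED_CATEGORIES = {"knowledge", "ownership", "identity"}


@dataclass
class MfaDecision:
    allowed: bool
    covered: set
    missing: set
    weak_used: set


def evaluate_mfa(presented: list, allow_weak: bool = False) -> MfaDecision:
    """Return the policy decision for a list of presented factor names."""
    covered, weak_used = set(), set()
    for factor in presented:
        if factor not in FACTOR_CATEGORY:
            raise ValueError(f"unknown factor: {factor}")
        if factor in WEAK_FACTORS:
            weak_used.add(factor)
            if not allow_weak:
                continue  # seen, but does not satisfy the category requirement
        covered.add(FACTOR_CATEGORY[factor])
    missing = REQUIRED_CATEGORIES - covered
    return MfaDecision(allowed=not missing, covered=covered,
                       missing=missing, weak_used=weak_used)


if __name__ == "__main__":
    # Password + SMS + fingerprint: SMS is the only ownership factor, so the
    # strict policy rejects it and names "ownership" as the missing category.
    print(evaluate_mfa(["password", "sms_code", "fingerprint"]))
    print(evaluate_mfa(["password", "hardware_token", "fingerprint"]))
```

The decision object carries the missing categories so the sign-on flow can prompt the user for exactly the kind of factor still needed, rather than failing with a generic error.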

 

You Need to Support Single Sign On (SSO)

Application bloat is a major contributor to burnout, a huge security risk, and an inarguable productivity killer. The average employee in the United States shifts between thirteen apps approximately thirty times per day. More than a quarter of employees say that this makes them miss important information, while 26% note that app overload makes them less efficient at work. 

At least part of this may be tied to the fact that each of these apps has its own individual authentication process. That means another set of credentials for your employees to remember, and more wasted time as they have to log in to each individual piece of software. While it won’t eliminate application bloat, SSO is at least somewhat of a panacea to this issue, ensuring that workers must only authenticate once to access everything they need.

 

Zero Trust and Zero Touch Go Hand in Hand

The concept of Shadow IT is hardly new. Yet in a distributed workplace, it represents a greater threat than ever before. If employees were already willing to find a convenient workaround to cumbersome security processes in the office, it follows that they’d be even more prone to this while working from home.

While they must be designed based on a zero trust framework, your IAM processes must also be as convenient as possible for employees. SSO is one way you can make this happen. Zero-trust provisioning (ZTP) is another. 

With ZTP, deployment, configuration, and lifecycle management are fully automated, which means less work for your IT department and fewer headaches for your users.

 

You Need to Do Something About Passwords

The password is dead. 

You’ve probably heard the rhetoric done to death by now. Security experts have been shouting from the rooftops about the death of password-based authentication for nearly a decade. Yet somehow, passwords still persist to this day.

You probably aren’t going to be completely rid of passwords even within your own organization. However, that does not mean you shouldn’t explore alternatives. As we already established in our discussion around MFA, you need to

We also strongly recommend mandating the use of a password manager, and providing a secure one to your staff.

 

Apply Least Privilege and Just in Time Access

Alongside constant verification, the Principle of Least Privilege (PLOP) and Just-in-Time Access (JIT) represent some of zero trust’s core concepts. 

PLOP maintains that a user should never be given any permissions they do not explicitly require. Someone logging into a remote desktop to edit documents, for instance, probably doesn’t need the ability to install new software. The idea here is preventing lateral movement by attackers.

If you want an example of what can happen when a business fails to do this, have a look at what happened in 2016’s Panama Papers breach. 

JIT, meanwhile, grants time-limited access on an as-needed basis. Note that you must be careful not to overdo it here. Few things are more frustrating than having access time out after only a half hour — and as we know, user frustration is anathema to effective security.
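To make the two ideas concrete, here is an added example (written for this page, not taken from the original post or any IAM product) of an authorization check that combines a least-privilege baseline with time-limited JIT elevation. It uses the post's own scenario: a document editor who can read and write documents but must request a temporary, ticketed grant before installing software. Role names, permission strings, the default grant lifetime and the timestamps are all constructed assumptions.

```python
"""Added example: least-privilege role baseline plus just-in-time (JIT)
elevation with an expiry. Roles, permissions and timings are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Baseline permissions per role: only what the role explicitly needs.
ROLE_PERMISSIONS = {
    "doc_editor": {"document.read", "document.write"},
    "desktop_admin": {"document.read", "document.write", "software.install"},
}


@dataclass
class JitGrant:
    user: str
    permission: str
    expires_at: datetime
    reason: str  # e.g. a change ticket, so the grant is auditable later


@dataclass
class Authorizer:
    user_roles: dict                       # user -> list of role names
    grants: list = field(default_factory=list)

    def request_jit(self, user, permission, reason, now,
                    ttl=timedelta(hours=4)):
        """Grant one permission for a bounded time. The default lifetime is a
        few hours rather than minutes, following the post's warning that
        overly short windows frustrate users."""
        grant = JitGrant(user, permission, now + ttl, reason)
        self.grants.append(grant)
        return grant

    def is_allowed(self, user, permission, now):
        # 1. Baseline: the union of the user's role permissions.
        for role in self.user_roles.get(user, ()):
            if permission in ROLE_PERMISSIONS.get(role, ()):
                return True
        # 2. JIT: an unexpired grant for exactly this permission. Nothing else
        #    is implied, so a grant for one action does not unlock others.
        return any(g.user == user and g.permission == permission
                   and now < g.expires_at for g in self.grants)

    def purge_expired(self, now):
        """Drop expired grants; returns how many were removed."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if now < g.expires_at]
        return before - len(self.grants)


if __name__ == "__main__":
    authz = Authorizer({"alice": ["doc_editor"]})
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    print(authz.is_allowed("alice", "software.install", t0))   # False
    authz.request_jit("alice", "software.install", "CHG-0001", t0,
                      ttl=timedelta(hours=2))
    print(authz.is_allowed("alice", "software.install", t0 + timedelta(hours=1)))  # True
    print(authz.is_allowed("alice", "software.install", t0 + timedelta(hours=3)))  # False
```

Two properties matter for lateral-movement resistance: the baseline never includes administrative actions, and an elevation is scoped to a single permission with a hard expiry, so a compromised session only carries what was explicitly granted for as long as it was granted.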

 

Manage, Monitor, and Audit All Privileged Activity

Even after a user or device is fully authenticated, that doesn’t mean they should be implicitly trusted. Instead, it is the responsibility of your security team to monitor all network activity, keeping an eye out for any potentially suspicious behavior. Given that this is a tall order even for a well-funded team, network monitoring tools are a must. 

You might also consider applying algorithmic security that automatically flags suspicious behavior based on machine learning to further lighten their load.
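As an added example of what "monitor and audit all privileged activity" looks like in practice (example code written for this page, not part of the original post or any monitoring product), the script below parses a small, constructed audit log and raises three kinds of alerts: a privileged change recorded without an approval ticket, a sign-in from a source the user has never used before, and a burst of failed attempts on a privileged account. The log format, the privileged-action list, the per-user known-source baseline and the sample lines are all constructed assumptions.

```python
"""Added example: review logic over privileged-activity audit records.
Log format, baselines and sample lines are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_ACTIONS = {"software.install", "user.create", "role.assign", "secret.read"}

# Constructed per-user baseline: sources the user normally connects from.
KNOWN_SOURCES = {
    "alice": {"10.0.0.5"},
    "svc-backup": {"10.0.1.20"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+)(?: ticket=(?P<ticket>\S+))?$"
)


def parse_line(line):
    """Return a dict for one audit record, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def audit_privileged_activity(lines, fail_threshold=3,
                              fail_window=timedelta(minutes=5)):
    """Return a list of (alert_kind, detail) tuples for the given log lines."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failures
    alerted_sources = set()        # (user, src) pairs already reported
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts.append(("unparseable", line.strip()))
            continue
        user, action, src, ts = rec["user"], rec["action"], rec["src"], rec["ts"]
        # A successful privileged change with no recorded approval ticket
        # bypasses the JIT process and deserves a look.
        if action in PRIVILEGED_ACTIONS and rec["result"] == "success" and not rec["ticket"]:
            alerts.append(("privileged_without_ticket", f"{user} {action} at {ts.isoformat()}"))
        # Authenticated is not the same as trusted: a never-seen source is notable.
        if src not in KNOWN_SOURCES.get(user, set()) and (user, src) not in alerted_sources:
            alerted_sources.add((user, src))
            alerts.append(("new_source", f"{user} from {src}"))
        # A burst of failures on an account may indicate guessing or misuse.
        if rec["result"] == "failure":
            failures[user] = [t for t in failures[user] if ts - t <= fail_window] + [ts]
            if len(failures[user]) == fail_threshold:
                alerts.append(("failure_burst",
                               f"{user}: {fail_threshold} failures within {fail_window}"))
    return alerts


# Constructed sample log, not from any real system.
SAMPLE_LOG = """\
2024-03-04T09:00:00Z user=alice action=document.read src=10.0.0.5 result=success
2024-03-04T09:05:00Z user=alice action=software.install src=10.0.0.5 result=success ticket=CHG-42
2024-03-04T09:07:00Z user=alice action=secret.read src=10.0.0.5 result=success
2024-03-04T09:10:00Z user=svc-backup action=role.assign src=203.0.113.9 result=failure
2024-03-04T09:11:00Z user=svc-backup action=role.assign src=203.0.113.9 result=failure
2024-03-04T09:12:00Z user=svc-backup action=role.assign src=203.0.113.9 result=failure
"""

if __name__ == "__main__":
    for kind, detail in audit_privileged_activity(SAMPLE_LOG.splitlines()):
        print(kind, "-", detail)
```

Run as written, the sample produces one alert of each kind: the ticket-less `secret.read` by alice, the first sight of `svc-backup` connecting from 203.0.113.9, and the three failed `role.assign` attempts inside the five-minute window. In a real deployment the baselines would come from historical data and the alerts would feed a queue rather than stdout, but the checks themselves are the point: authentication succeeding is where scrutiny begins, not where it ends.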

 

No-Code/Low-Code Can Be A Huge Boon

Where cybersecurity is concerned, simplicity is your best friend. The more you can do to streamline user authentication, the better. To that end, we strongly recommend adopting a low-code or no-code approach to the development and configuration of IAM. 

Allowing your IT personnel to modify and update the login process with a few clicks rather than requiring intensive coding can save you considerable time and money in both the short term and long term. Moreover, it allows your business to be far more agile when it comes to adopting new use cases and authentication requirements.

 

Consolidate Wherever Possible

We already touched on application bloat earlier, but it’s a topic that bears revisiting. The more moving parts present in a system, the greater the chance of something going wrong. The greater the likelihood that an attacker will find some vulnerability or bug they can exploit to gain access. 

Part of your approach to IAM should involve a thorough evaluation of the software tools utilized both by your IT department and by your end users. Look for opportunities to reduce the number of active solutions, either through integration or via migration to new platforms.

 

Above All, Remember That Zero Trust is a Process

Arguably one of the most common (and crippling) mistakes businesses make with zero trust IAM is treating it as a traditional software project. The reality is that it’s anything but. Even once you’ve successfully implemented a zero trust framework and adopted an IAM solution, your work is not done. 

Similar to crisis management or compliance, zero trust is not something you can ever mark as ‘complete.’ Instead, it’s an ongoing effort to protect your assets, safeguard your systems, and defend your people from an increasingly sophisticated cybercrime landscape. 

Are you looking for an IAM partner? Get in touch with Indigo Consulting today and see why we’re a trusted partner for security-focused companies across North America.