Zero Trust continues to be in the news and not for all the right reasons. A recent Deloitte survey with 600 respondents showed that the COVID-19 pandemic has motivated 37% more organizations to increase adoption of Zero Trust than were previously planning to earlier this year.
The increase is attributed to the mass transition to a remote workforce that has millions of employees and their devices leaving the secure perimeter of the office. At the same time, the pandemic has accelerated digital transformation plans for most companies, many moving the adoption of a Zero Trust strategy to the top of their security roadmaps.
The problem is that they are struggling to actually deploy Zero Trust solutions. While the benefits of implementing a Zero Trust strategy are widely recognized, key challenges remain for businesses and agencies deploying solutions that enable the strategy.
The crux of the problem lays in the increasingly dynamic networking and connectivity requirements for today’s sophisticated and increasingly cloud-based applications and services. For decades enterprise security has relied on Identity and Access Management (IAM) products and privileged access management (PAM) platforms to enforce enterprise policies by bestowing credentials on users, enabling them access to applications, their data, and other services. Granting privileged access to a subset of users and standing privilege to administrators tasked with maintaining the infrastructure and network represent a significant attack vector to attackers. Credentials theft is on the rise making credentials less effective in controlling access and reducing risk.
Enterprises rely on IAM, network access control (NAC) like VPNs and firewalls to control access. Enterprise directories, increasingly difficult to maintain and manage, provide a static resource to track the identity of users and device IDs – the credentials. This approach is rigid and somewhat limiting for controlling access when users are remote (outside the perimeter of the enterprise network) and the applications are resident in multiple clouds. Enforcing privilege, a basic tenant of Zero Trust, is difficult to enforce. What is missing?
According to Deloitte, “Modern technologies that support the Zero Trust concept of least privilege enforce access control decisions at lower layers in the stack.” Those lower layer controls are “fundamentally different than managing access control lists” on firewall devices. Deloitte is referring to a deny-all, authenticate-first architecture – the essence of employing a software-defined perimeter (SDP). There are many vendors claiming SDP capabilities. However, to enable automated, dynamic enforcement Waverley Labs employs a separation of the control plan from the data plane. By this we mean separating the controls of the requesting host (i.e. users and their devices) from the requirements of the accepting host (i.e. the application or services).
SDP does not require NAC, instead it utilizes the enterprise directories managed and maintained by the IAM and PAM products to generate a SPA packet that is accepted or rejected by the SDP application specific gateway. The SPA packet is like a passport issued to the client also called the requesting host for accessing a specific application/service. Utilizing static directories, the SDP gateway provides dynamic enforcement.
Gartner and Forrester agree that SDPs ability to dynamically create one-to-one connections between every authorized device, user and the data they access is the key to Zero Trust. Anyone attempting to access a resource must “authenticate first.” This applies the principle of least privilege and eliminates the network as an attack surface. With the Waverley Labs SDP there is no access by default – based on an IP address as an example. Instead, the SDP ensures that once a client generates the right SPA, the dynamic one-to-one connection is allowed from the requesting host (the client) to the accepting host (the specific application or service required). With the benefit of SDP, the application or service is completely invisible to the internet and would be attackers.
Without SDP, successful implementation of a Zero Trust strategy is challenging. The industry will have a long way to go before declaring that Zero Trust is an effective security paradigm.
For more information on this topic, register for the BrightTalk webinar SDP – a Trick or a Treat? Scheduled for October 29, 2020. Also check out this white paper on SDP.