This guest post was contributed by Matt Graves, Vice President and Information Security Practice Lead at MajorKey Technologies.
It’s an iconic movie scene: Tom Cruise dangles on a rope lowered from a vent 30 feet above the floor, unable to make a sound or touch the floor lest he set off the alarm, as he hacks into the single computer in a secure vault within CIA headquarters.
Putting aside that they somehow successfully pulled off the caper — after all, the name of the movie is Mission: Impossible, not Mission: Likely and Probable — the isolating security around the computer terminal demonstrates some of the key principles of zero trust security. (Stick with us.)
You can’t miss zero trust these days. The White House is requiring all federal agencies to adopt the model. Article after article (similar to this one, although others perhaps not as pop culture referential) touts the benefits of the “trust no one, verify everything” approach to security.
Here’s the thing: they’re not wrong. Zero trust not only provides better security than a traditional perimeter defense security model in today’s world of cloud applications and remote work, it can create a better user experience and increase your organization’s overall efficiency.
It all starts with identity. It used to be that you’d come into work, sit down at your workstation, and log in using your network ID and password. All the servers and folders you needed were a click away, and all your applications were installed on your desktop. You were inside the network, and you were trusted. Work could begin.
The problem is, nothing is a closed network anymore. Employees log in at their desk, but sometimes that desk is at home. They use their phones to access email and resources. They log into cloud-based applications like Salesforce. Often, they share passwords with co-workers, and they use the same password for that work application as they do for other applications or sites. The number of potential entry points for attackers increases exponentially.
Web applications were the top hacking vector in breaches, and passwords caused an eye-popping 89 percent of those web application breaches, either through stolen credentials or brute force attacks, according to the Verizon 2021 Data Breach Investigations Report. That’s almost 9 out of every 10 hacked web applications attributable to passwords. The same report found that 61 percent of all breaches exploited credential data, either via leaked credential data, credential stuffing or brute force attacks.
Just being inside the network isn’t enough to be trusted anymore. The solution to this security snafu is to find a way to continuously monitor and verify users and devices accessing your network — know every user, what they should have access to, and what they are doing inside the network. If you have a unified identity and access management (IAM) system in place, then you already have the foundation for zero trust.
Which brings us back to Mission Impossible, and poor William Donloe from Langley, Virginia, the only technician at the CIA with certified access to the terminal vault and who later manned a radar tower in Alaska. He must pass a series of identity checks to enter the vault: voice recognition, a six-digit passcode, an eye scan and, finally, a double keycard entry.
Think of this as multi-factor authentication. Donloe entered the building at some point using a CIA identity badge. Then, once in the building, he went to the vault and had his voice identified. But this is a high-risk situation, so the policy is for the user to provide additional authentication, leading to the additional steps before he could enter the vault.
Under a unified IAM system and the foundation of zero trust, these kinds of risk-based access policies can be established for your network and resources. Say your organization holds information that’s subject to HIPAA (Health Insurance Portability and Accountability Act) regulations. Someone who works for your organization can enter the front door by logging into the network, but trying to access the HIPAA information triggers a request for additional identity verification.
Now you’re saying, “But Matt, Ethan Hunt broke into the vault and stole the information!” But think about how he did it. He broke perimeter defenses, first by assuming an identity (a firefighter in this case), then bypassing physical lasers covering the vent with a device, and then stealing a password.
This is exactly the kind of easy-to-circumvent perimeter defense that zero trust avoids. Your important data doesn’t have a vent leading down to it, or at least it shouldn’t. In the byzantine labyrinth that is your network, your critical data is segmented off in its own vault with no vents, no windows, and only one door that requires MFA to open.
Then there’s the continuous monitoring — the touch-sensitive floor, the sound and heat monitoring within the chamber. These are analogous to the context-based policies that can be established under IAM. Who is in the room? Where are they coming from? What is happening that shouldn’t be happening right now? Any of these can trigger a request for further authentication, or a lockdown.
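Here is what the HIPAA step-up scenario above and these context checks look like as an access policy, written as an added example (not code from the original post, MajorKey, or any IAM product). Everything in it is an assumption for illustration: the attribute names, the rule that regulated data needs a strong second factor from a managed device, the lockout threshold, and the sample sessions. The same `evaluate` function is called at login and again mid-session when the context changes, which is the "touch-sensitive floor" part of the analogy.

```python
"""Risk- and context-based access decisions, as a worked example.

Constructed example: the policy rules, attribute names, thresholds and
sample sessions below are assumptions, not any vendor's schema or API.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # ask the user for an additional authentication factor
    DENY = "deny"


@dataclass(frozen=True)
class Session:
    user: str
    factors: frozenset[str]          # authenticators already satisfied this session
    device_managed: bool             # enrolled, policy-compliant corporate device?
    country: str                     # where the current request originates
    usual_countries: frozenset[str]  # baseline locations for this user
    failed_logins_last_hour: int     # signal from the authentication logs


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str  # one of: "public", "internal", "regulated"


# Assumed: factors that count as "strong" for step-up purposes.
STRONG_FACTORS = frozenset({"hardware_key", "authenticator_app", "biometric"})
LOCKOUT_THRESHOLD = 10  # assumed threshold for the brute-force rule


def evaluate(session: Session, resource: Resource) -> tuple[Decision, str]:
    """Return an access decision plus the rule that produced it."""
    # Rule 1: repeated failures against this account close every door,
    # regardless of what is being requested (brute force / credential stuffing).
    if session.failed_logins_last_hour >= LOCKOUT_THRESHOLD:
        return Decision.DENY, "lockout: repeated failed logins in the last hour"

    # Rule 2: public and internal resources are reachable with the single
    # sign-on session alone; this is the "one password, then everywhere" benefit.
    if resource.sensitivity != "regulated":
        return Decision.ALLOW, "single sign-on session is sufficient"

    # Rules 3-5: regulated data is the vault. One door, and it needs more.
    if not session.device_managed:
        return Decision.DENY, "regulated data is only served to managed devices"
    if not (session.factors & STRONG_FACTORS):
        return Decision.STEP_UP, "regulated data requires a strong second factor"
    if session.country not in session.usual_countries:
        return Decision.STEP_UP, "request from an unusual location; re-verify"
    return Decision.ALLOW, "strong factor, managed device, usual location"


def after_step_up(session: Session, factor: str) -> Session:
    """Record a newly satisfied factor without mutating the original session."""
    return Session(**{**session.__dict__, "factors": session.factors | {factor}})


def walk_through() -> list[tuple[str, Decision]]:
    """Constructed sessions, evaluated the way a policy engine would on each request."""
    wiki = Resource("wiki", "internal")
    records = Resource("patient_records", "regulated")   # HIPAA-covered data
    alice = Session("alice", frozenset({"password"}), True, "US", frozenset({"US"}), 0)

    trail = []
    trail.append(("wiki at login", evaluate(alice, wiki)[0]))              # ALLOW
    trail.append(("records with password only", evaluate(alice, records)[0]))  # STEP_UP
    alice = after_step_up(alice, "authenticator_app")
    trail.append(("records after step-up", evaluate(alice, records)[0]))   # ALLOW
    # Mid-session context change: same user, same factors, new country.
    moved = replace(alice, country="BR")
    trail.append(("records after location change", evaluate(moved, records)[0]))  # STEP_UP
    # Same credentials from an unmanaged device never reach the vault.
    byod = replace(alice, device_managed=False)
    trail.append(("records from unmanaged device", evaluate(byod, records)[0]))   # DENY
    # Burst of failures on the account locks everything, even the wiki.
    attacked = replace(alice, failed_logins_last_hour=12)
    trail.append(("wiki during lockout", evaluate(attacked, wiki)[0]))     # DENY
    return trail


if __name__ == "__main__":
    for step, decision in walk_through():
        print(f"{step:32s} -> {decision.value}")
```

The design point is that `evaluate` is cheap and side-effect free, so it can run on every request rather than once at login. That is the difference between a perimeter check and continuous verification: the lasers are checked once, the floor is checked constantly.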
To break down our Mission: Impossible analogy: in a zero trust environment, with IAM and context- and risk-based policies in place, work actually becomes easier for your users. Instead of entering password after password, a true zero trust environment allows a single sign-on and then entry to everywhere you need to be, because it’s based on a user identity that is tracked and monitored.
This is your mission, if you choose to accept it, but this article will not self-destruct. We hope.
About the Author
Matt Graves is a Vice President and Information Security Practice Lead at MajorKey Technologies. An experienced information security and cloud architect, Matt is responsible for IAM solutions development across the MajorKey client community. He advises clients on how to evolve their information security strategies and solutions in ways that align with their business objectives and leads solutions architecture to ensure effective delivery. Prior to his current role, Matt held senior operational positions within Highmetric, helping clients implement service management processes and solutions. An expert with multi-cloud platforms, Matt joined the company from the healthcare insurance industry.