This is the first post in our series covering the principles of the Zero Trust model. Today’s post looks at enforcing Zero Trust with a least-privileged access control policy. Zero Trust is enforced through three core principles: never trusting a connection, assuming a breach has happened or will happen, and enforcing least-privileged access. We will look at each of those components over the course of our series.
Castle and Moat Defense is Not Sustainable Defense
The traditional castle-and-moat style of cybersecurity is no longer sufficient to defend against attacks. Connections are now scattered across the country and the globe, and fleets of devices, applications and users keep expanding; attackers have exploited the security holes left behind where businesses have failed to adapt their defenses to this changing threat environment.
As organizations move their data into the cloud and change their network from fully on-premises to a hybrid, cloud or multi-cloud environment, they open new areas of opportunity for attackers to exploit.
Compromised credentials and weak access and authentication policies are among the most important weaknesses to address. One of the easiest ways for a company’s defenses to be breached isn’t an infection with malware or ransomware, but a bad actor walking right through the front door under the guise of an employee, contractor or partner.
A New Line of Defense: Zero Trust and Least-Privileged Access Control Policy
A strong, least-privileged access control policy, focused on user identity and authentication measures that provide just the right level of access at just the right time, is foundational to a Zero Trust framework.
Least-privileged access reduces role privileges and exposes only the parts of your network that a user needs to see to accomplish their role, and only when they need to access them. It ensures that a user receives only the level of access required to perform their role, only for as long as they need it, and nothing more.
A contractor can be granted access for the date and time of his arrival on the site to the exact devices and assets he will touch, for the duration of time that he will need to access them. Once he has completed his job, his access is revoked.
If an employee is servicing a ticket, certain access can be granted in relation to the needs of the ticket and once the ticket is serviced, access to those devices is revoked.
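The contractor and ticket scenarios above amount to the same rule: access is granted to a named principal, for an exact set of assets, inside a time window, tied to a work order or ticket, and revoked when that work is done. The following is an added illustration of that rule as a small default-deny grant evaluator; it is example code written for this post, not ConsoleWorks' implementation, and the class names, asset identifiers and ticket numbers in it are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Illustrative just-in-time grant model (constructed example, not product code).
@dataclass
class AccessGrant:
    principal: str          # the user or contractor identity
    assets: frozenset       # the exact devices/assets the grant covers
    not_before: datetime    # start of the window, e.g. the contractor's arrival
    not_after: datetime     # end of the window
    reason: str             # the ticket or work order the grant is tied to
    revoked: bool = False   # set when the job or ticket is closed


class GrantStore:
    def __init__(self):
        self._grants = []

    def grant(self, principal, assets, start, duration, reason):
        """Record a time-bound, asset-scoped grant for one principal."""
        g = AccessGrant(principal, frozenset(assets), start, start + duration, reason)
        self._grants.append(g)
        return g

    def revoke_for_reason(self, reason):
        """Revoke every grant tied to a ticket/work order once it is closed.
        Returns the number of grants revoked."""
        count = 0
        for g in self._grants:
            if g.reason == reason and not g.revoked:
                g.revoked = True
                count += 1
        return count

    def is_allowed(self, principal, asset, at):
        """Default deny: allow only if some unrevoked grant names this principal,
        this exact asset, and a window that contains the moment of the request."""
        return any(
            g.principal == principal
            and asset in g.assets
            and g.not_before <= at <= g.not_after
            and not g.revoked
            for g in self._grants
        )


def demo():
    """Walk through the contractor and ticket scenarios with constructed data."""
    store = GrantStore()
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)

    # Contractor: four hours on site, two named devices, tied to a work order.
    store.grant("contractor-jane", {"plc-01", "hmi-02"}, t0, timedelta(hours=4), "WO-1001")
    # Employee servicing a ticket: one device, two-hour window.
    store.grant("alice", {"router-07"}, t0, timedelta(hours=2), "TICKET-42")

    results = {
        "contractor_in_scope_in_window": store.is_allowed("contractor-jane", "plc-01", t0 + timedelta(hours=1)),
        "contractor_out_of_scope": store.is_allowed("contractor-jane", "router-07", t0 + timedelta(hours=1)),
        "contractor_before_window": store.is_allowed("contractor-jane", "plc-01", t0 - timedelta(minutes=1)),
        "contractor_after_window": store.is_allowed("contractor-jane", "plc-01", t0 + timedelta(hours=5)),
        "ticket_open": store.is_allowed("alice", "router-07", t0 + timedelta(minutes=30)),
    }
    # Ticket is serviced: revoke everything tied to it, even though the window is still open.
    results["revoked_count"] = store.revoke_for_reason("TICKET-42")
    results["ticket_closed"] = store.is_allowed("alice", "router-07", t0 + timedelta(minutes=30))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The important design point is that the evaluator denies by default: there is no role that grants standing access, so a request is only satisfied by a specific grant that matches the principal, the asset and the time, and closing the ticket revokes access even when the original window has not yet elapsed.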
Enforcing Least Privileged Access Control Policy
Enforcing a strong least-privileged access control policy requires the corresponding elements of your cybersecurity to be mature. That is why we have written two blog posts that help you enforce it and understand where you are in your current journey toward cybersecurity maturity.
- Our secure remote access maturity model helps you to enforce how a user is granted access to a network and how that access is allowed to interact with the rest of your network and its devices, applications and data.
- Our password management maturity model helps with additional authentications and further strengthening your access control policies by reducing threats associated with getting credentials in the first place.
If we look at the models’ highest levels, we can see the intermingling elements that form a mature Zero Trust level that assesses each individual, with no inherent trust permitted.
These include structures in place for verifying users beyond just the password, with password updates and changes happening automatically and away from users, and the highest standards enforced for password requirements.
If you combine this level of password maturity with sophisticated secure remote access, including components like permitting access only when it is needed, only to those who need it and only for the duration they need it, you strengthen your defenses further.
Further Defense is Needed
Zero Trust does even more to bolster your defenses, and we’ll be discussing those elements further. Our upcoming posts in the Zero Trust series focus on the elements around never trusting a connection and assuming a breach has happened or will happen. We will continue examining how traditional defense treats these threats and how Zero Trust compensates for the deficiencies left by the traditional approach.
To further bolster your defenses and go beyond Zero Trust, you can see how ConsoleWorks helps you enforce it even further in our post here.