THE IMPACT

At CyberArk Impact in Chicago this year I presented on Zero Trust in a World of Privilege. Since this session wasn’t recorded I decided to post the points I covered.

Principles of Zero Trust

• Zero trust means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network
• A principle of zero trust security is least-privilege access. This means giving users only as much access as they need, like an army general giving soldiers information on a need-to-know basis. This minimizes each user’s exposure to sensitive parts of the network

Traditional network architecture

• Traditional IT network security is based on the castle-and-moat concept. In castle-and-moat security, it is hard to obtain access from outside the network, but everyone inside the network is trusted by default
• These sub divided network zones makes allows for strong defense in depth
• An even stronger architecture is the zero trust architecture…

Zero Trust Architecture

• Here, the supporting system is known as the control plane, everything else is referred to as the data plane
• Requests for access to protected resources are first made through the control plane, where both the device and user must be authenticated and authorized
• the control plane coordinates and configures
• This architecture leverages distributed policy enforcement and applies zero trust principles to protect sensitive items by building lines of defenses that an intruder must penetrate before gaining access

PAM Landscape

• How will this apply to what we focus on daily…let’s look at how PAM has been changing

Changing Paradigm

• As PAM professionals over the years we have seen the user base shift from just securing humans to securing service accounts, machines, bots, apis…
• We are now dealing with individual and shared accounts
• Our controls are now dynamic and risk aware
• Passwords require MFA and risk based auth
• The ecosystem has ballooned with IaaS, SaaS, devops, containers
• This will continue to grow

PAM Outlook

• Long story short PAM isn’t going anywhere anytime soon…so you need a strategy

Risk based Security

• Apply risk-based security
• Secure your access pathways
• Ensure your security strategy accounts for insider threat detection
• Enforce PAM Hygiene
  • CyberArk has an entire Hygiene program just for this
    • They will teach you how to eliminate network attacks
    • Control infrastructure accounts
    • Limit lateral movement…

Multifactor authentication

• I have yet to see an implementation that didn’t require this
• A key thing many do not implement is step-up authentication, if a user is requesting more access once authenticated. Request additional verification

Continuous reverification

• Trust, but verify and continue to re verify
• Have alerts in place for varying types of high-risk behaviors

Monitoring and analytics

• It is pertinent to implement automated controls
• Monitoring and analytics will be key to enabling rapid remediation of malicious activities
• Here’s zero trust again: isolate the endpoints and enforce secure connections to critical assets

Granular access control

• Enforce granular access control
• Clearly documented and defined standards, policies, and procedures that are enforced throughout the organization is critical to your overall strategy

Zero Trust Challenges

• Internal applications need to be redesigned to leverage your new security strategy (level of complexity based on application)
• Now you need to look at your asset inventory and update you applications for things like continuous verification, monitoring and analytics, granular access etc

Next Steps

• So What’s next?

Zero Trust application

• Within you PAM implementations identify use cases where you can begin to apply zero trust
• Perform a POC, never eat an elephant whole. Select a small diverse set of application (varying in complexity) and perform a quick POC
• Apply zero trust