The Zero Trust security model has gained ground in recent times, promoting the default approach of never trusting and always checking before granting access to a company’s perimeter.
This practice is extremely important to ensure cybersecurity, especially in the context of remote work, with employees having access to the resources of the company from any environment and device.
What Is the Concept of Zero Trust?
Never trust, always check. This is the motto used in the Zero Trust cybersecurity model. According to this concept, it is recommended to grant minimum privileged access only after verifying who the requester is, what the context of the request is, and the risk offered by the access environment.
In this way, one can protect work environments, such as cloud technologies, SaaS, DevOps, and robotic automation, reducing the attack surface and the costs for organizations. In practice, the Zero Trust security model recommends all users be verified before gaining access to a particular system in order to protect it from external attacks, malware, and insider threats.
That is, they must be authenticated, authorized, and validated continuously before receiving access to applications and data and during the access.
To apply the concept of zero trust, advanced technologies are used, including IAM (Identity and Access Management), multi-factor authentication, identity protection, and endpoint security.
One also needs to promote data encryption, email protection, and verification of asset and endpoint hygiene to connect to apps.
What Are the Top Three Aspects of Zero Trust?
The Zero Trust security model is based on three aspects, which must be considered by organizations. They are as follows:
Policies
To ensure digital security through the Zero Trust security model, it is critical to create and implement strict security controls, ensuring access to IT environments only for certain people in specific circumstances.
Automation
Through automation, it is possible to implement the concept of Zero Trust, avoiding human failures and correcting any deviations immediately.
Visibility
To protect IT devices and assets, it is imperative to identify and monitor them. After all, it is impossible to protect what is not managed, and it is impossible to manage what is not known. That is, to properly protect your infrastructure, you need to know what equipment the company has or has access to.
What Is Its Importance?
Companies around the world face problems related to insider threats, generated by third parties or even by errors, accidental or not, committed by employees and former employees. Thus, giant corporations, such as Google, started to adopt the security model based on Zero Trust, since the old model, “trust, but verify”, proved to be insufficient to guarantee digital security.
In 2015, the U.S. Office of Personnel Management experienced cyberattacks, which motivated the House of Representatives to suggest the adoption of Zero Trust by government institutions. This is because adopting the concept of zero trust ensures effective control of networks, applications, and data.
Thus, in 2021, President Joe Biden signed the Executive Order for Improving the Nation’s Cybersecurity. This order considers the implementation of Zero Trust-based policies in all agencies of the American government.
Another important reason to adopt the security model based on Zero Trust is the possibility of providing digital security to remote work.
What Are the Advantages of this Approach?
As you have seen, adopting the concept of Zero Trust is essential to provide cybersecurity to organizations nowadays. Among its benefits, we can highlight:
Superior risk mitigation by reducing the attack surface and controlling lateral movement in the network;
Enhanced digital security and support for mobile and remote employees;
Defense of applications and data, regardless of whether they are on-premises or in the cloud;
Strong protection against advanced threats, such as Advanced Persistent Threats (APTs).
Finally, Zero Trust-based security allows one to segment the network by identities, groups, and roles, helping to contain cyber threats and reduce potential damage.
How to Implement this Security Model?
The implementation of the Zero Trust-based security model requires that the accesses requested are proven to be reliable. For this, it is essential to:
Classify Data
The first step in implementing this security model in your company is to segregate and assign value to the data to be accessed, defining who can access it and how, according to its classification (secret, confidential, internal, or public) and urgency.
Monitor Network Environments
To detect irregularities, it is extremely important to know the traffic and how the information is shared.
Map Risks
Another essential measure is to map the external and internal risks to which the systems are exposed.
Officialize the Use of the Approach
It is also essential to adapt policies, procedures, manuals, and other documents to the Zero Trust security model, making the adoption of this approach official.
Identify Accesses
Finally, it is absolutely essential to understand what types of users are on the network, their roles, and the type of access they have. With this, one can authenticate them, ensuring a high level of security.
Evolution of Zero Trust
The concept of Zero Trust emerged in 2010, as an expression coined by Forrester, which was synonymous with the micro-segmentation security approach and related to the creation of secure zones in data centers and cloud solutions used to individually protect workloads. This approach has become useful as traditional security mechanisms have proven inefficient in the face of technologies such as cloud computing, virtualization, and mobile devices. Before that, companies had been building walls around their sensitive data, which used to be transmitted through physical devices or from an internet access point, protecting, monitoring, and controlling that information.
In practice, it is possible to protect physical devices by managing systems and antivirus. However, the in-depth approach proved to be insufficient for IT services performed outside the security perimeter.
For this reason, providers of digital security-related products and services have been adhering to the Zero Trust-based security model since 2010, including all types of cyber solutions.
More recently, Forrester published its annual report “The Forrester Wave: Zero Trust eXtended (ZTX) Ecosystem Providers, Q4 2018”, defining seven controls considered basic principles of this approach. They are as follows:
Network Security;
Device Security;
Identity Security;
Application Security;
Data Security;
Security Analysis; and
Security Automation.
Gartner has proposed the Continuous Adaptive Risk and Trust Assessment (CARTA) approach, which also brings seven principles, with zero trust being its first one. This concept is related to the balance between risk and trust, considering the confidence needed to gain access to high-value assets.
About PAM
In general, organizations rely on sensitive data and digital assets that should not be accessed by all users at the risk of leaks generated by human failures or even the action of hackers, who capture authorized accounts to move through the network.
To avoid this type of problem, it is recommended to use Privileged Access Management (PAM), a digital security tool that makes it possible to reduce the privilege of users to the minimum necessary to perform their tasks.
In short, PAM allows one to store and save credentials of authorized users on the network and manage their accounts, recording their activities and granting access only if they provide an explanation.
Zero Trust and PAM: How to Apply the Concept of Zero Trust in Privileged Access Management?
Associated with the concept of Zero Trust, a PAM solution provides digital security for companies. Its job is to promote centralized access management through the control, storage, segregation, and tracking of credentials with access to the IT environment. Thus, one can make sure the access is actually being made by a user and they are allowed to access that environment.
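The checks the article describes (who is asking, in what context, from how risky an environment, repeated during the session) combined with PAM's requirement that the requester provide an explanation can be expressed as a deny-by-default policy function. This is an added example, not senhasegura's code or part of the original article; the role names, risk scores and thresholds are constructed assumptions, and the classification labels are the four the article lists under Classify Data.

```python
from dataclasses import dataclass, replace

# Constructed policy values (assumptions, not taken from any product).
LEVELS = ["public", "internal", "confidential", "secret"]
ROLE_CEILING = {"contractor": "internal", "engineer": "confidential", "dba": "secret"}
MAX_RISK = {"public": 80, "internal": 60, "confidential": 40, "secret": 20}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_verified: bool    # who: identity proven with a second factor
    classification: str   # context: label of the data requested
    justification: str    # context: explanation given by the requester
    device_risk: int      # environment: 0 (healthy) to 100 (compromised)

def evaluate(req: Request) -> tuple[bool, str]:
    """Deny by default; allow only when every check passes."""
    if not req.mfa_verified:
        return False, "identity not verified"
    if req.classification not in LEVELS:
        return False, "data not classified"
    ceiling = ROLE_CEILING.get(req.role)
    if ceiling is None or LEVELS.index(req.classification) > LEVELS.index(ceiling):
        return False, "exceeds least privilege for role"
    if req.device_risk > MAX_RISK[req.classification]:
        return False, "environment risk too high"
    if req.classification in ("confidential", "secret") and not req.justification.strip():
        return False, "explanation required"
    return True, "allowed"

def revalidate(req: Request, device_risk: int) -> tuple[bool, str]:
    """Continuous validation: re-run the same policy mid-session on fresh signals."""
    return evaluate(replace(req, device_risk=device_risk))

if __name__ == "__main__":
    session = Request("alice", "dba", True, "secret", "restore after incident", 10)
    print(evaluate(session))        # decision at session start
    print(revalidate(session, 35))  # decision after device posture degrades
```

A denial returned by `revalidate` is the point at which a session would be blocked rather than allowed to continue on the strength of the original decision.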
The main features of PAM that allow organizations to apply Zero Trust practices are:
Credential Management
With Zero Trust and PAM, you can define administrators and user groups by stipulating their accesses and permissions and managing the full cycle of their credentials.
Segregation of Access
This solution also allows you to isolate critical environments and detect suspicious activities, avoiding problems arising from unauthorized access.
Approval Workflows
PAM access requests are easy to configure and make it possible to comply with multilevel approval flows and validate explanations provided by the requesters.
Behavior Analysis
Another feature of PAM that optimizes the Zero Trust security model is the monitoring of user actions, which allows identifying and responding to changes in their behavior patterns and access profiles.
Unauthorized Access
PAM also allows denying access to users who are outside the company’s policies, for example, using the password of a credential not managed by the solution.
Action Analysis
PAM also analyzes activities performed by users and generates alerts that allow inappropriate actions or fraud to be detected.
Session Blocking
Finally, whenever there is suspicious activity, the administrator can block the user session in IT environments or operating systems.
About senhasegura
senhasegura PAM allows you to securely manage generic and privileged credentials, ensuring protected storage, access segregation, and usage traceability.
With this, PAM enables organizations to adopt Zero Trust and respect the strictest access controls to privileged credentials in an automated and centralized manner, preventing cyberattacks and leaks of sensitive information.
Check out some benefits of senhasegura PAM for your company:
Control of misuse of privileges;
Securely-coded password management;
Protection against insider threats and theft of critical data;
Monitoring and recording of activities performed during privileged sessions;
Automatic reset of passwords, or reset based on an established schedule; and
Simplified generation of audit reports from a central audit data repository.