2021 Playbook: Enforcing Zero Trust for All Identities
As we reflect on 2020, we can all agree that COVID-19 heavily impacted office workers and our organizations' security, accelerating digital transformation projects and cloud adoption. Looking ahead, it’s evident that the pandemic, coupled with our current economic climate, will continue to tax the identity and access management (IAM) practices of organizations worldwide. This will challenge us all to minimize access-related risks across traditional data centers, cloud, and multi-cloud IT infrastructures.
With IT administrators, security teams, and regular enterprise users dispersed and relying heavily on remote access to corporate systems, DevOps environments, and applications, threat actors enjoy an expanded threat surface with many more vectors of attack at their disposal. There’s more opportunity to exploit human imperfections with phishing and other social engineering campaigns, compromising credentials to access our IT infrastructure and data.
When analyzing breaches, identity has emerged as the weapon of choice for attackers. They have traded traditional hacking techniques for simply logging in with stolen, purchased, weak, default, or otherwise compromised credentials. The 2020 Verizon Data Breach Investigations Report confirms this trend: over 80% of hacking-related breaches involved brute force or the use of lost or stolen credentials. If your privileged users routinely share privileged accounts for access, especially remotely through a VPN, any attacker who compromises those credentials has a front door key, if not a key to the entire kingdom.
Don’t be fooled into thinking that only privileged users are of concern, however. Many cyber-attacks target regular employee accounts to get an initial foothold, using it as a beachhead to profile your network, gain elevated privileges, and complete their objectives.
Armed with this knowledge, organizations must take action to re-examine the impact of human unreliability, a remote workforce, outsourced contractors, and an expanding attack surface from a highly distributed IT infrastructure. They must consider implementing new Zero Trust strategies and modern Privileged Access Management (PAM) technologies that are better designed to address these new dynamics. This exercise should not stop with identities for human user access, however. Non-human identities and service accounts for machines, applications, and other workloads increasingly represent the majority of 'users' in many organizations. This is especially true in the cloud and DevOps environments, where developer tools, containerized applications, microservices, and elastic workloads — that all need identities to talk to each other — play a dominant role.
For organizations currently in this state wondering how to improve their identity-based security and risk posture, a modern PAM solution founded on Zero Trust can help.
Zero Trust From a PAM Perspective
The traditional network perimeter is dissolving as our users and IT assets become more distributed. It’s no longer practical to base access decisions on simplistic concepts such as 'trusted users are on the inside' and 'untrusted users are on the outside,' with IP addresses making that distinction. Organizations must assume that threat actors are already inside their systems, and that assumption should change the way they approach security. The outdated 'trust but verify' approach must now become 'never trust, always verify.'
'Never trust' means our legitimate admins no longer have carte blanche access to privileged accounts. Instead of using shared privileged accounts such as root and local administrator at will, they log in with their HR-vetted enterprise account, which has only basic rights. This prevents high-impact mistakes and limits the fallout should an attacker compromise that account. PAM security controls can then grant elevated privileges selectively when the situation requires, based on centralized roles and policies. Rather than holding the keys to the kingdom permanently, admins request just enough privilege, just-in-time, for a limited time; this 'least privilege' approach reduces risk while still letting them do their job. To be effective, organizations must apply it consistently across all IT assets, whether in the data center, DMZ, virtual private cloud, or multi-cloud environments.
By implementing this Zero Trust approach to PAM via least privilege access controls, organizations minimize their attack surface, improve audit and compliance visibility, and reduce risk, complexity, and costs.
Steps Towards Good Zero Trust Maturity
PAM is a complicated world with many moving parts. However, you can achieve significant gains and improve your Zero Trust maturity over time, starting with some basics and later, more advanced features.
Initial wins can come from improved password hygiene, vaulting shared privileged accounts, and enforcing MFA for administrators. For many attackers, time is money. Extra hurdles such as MFA can simply cause a hacker to move on to the next potential victim. Having these additional steps in place for a remote workforce will undoubtedly help reduce breaches.
Good Password Hygiene
Like it or not, passwords still abound, and it takes only one compromised password to potentially impact your entire organization. Despite years of research and articles warning people, poor password hygiene thrives. Humans are still the weakest link and, not surprisingly, a primary target for attackers. Continual education should be mandatory for all users, not just administrators.
High-entropy passwords that are hard to crack are essential, and frequent rotation shrinks an attacker's window of opportunity. This matters just as much for non-human accounts, which are rarely rotated for fear of breaking an application or service. Bring these accounts under central PAM management and apply a frequent rotation policy. Modern PAM solutions offer a multiplexed account capability that distributes the new password to every dependent computer before the account itself is rotated, mitigating the risk of application failure.
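As an added example (not the article's or any vendor's code), the sequencing just described for a multiplexed account, modelled in Python: the new secret is staged on every dependent system first, the account is changed at the authority only once all of them have accepted it, and a single unreachable dependent aborts the rotation so nothing is left half-rotated. The `Dependent` class and its `stage`/`commit`/`abort` calls are stand-ins for whatever updates a real host's service or scheduled-job credential; the vault is a plain dict and the host names are invented.

```python
"""Two-phase rotation of a multiplexed service-account password.

Added illustration: dependents are modelled in memory; in a real deployment
stage()/commit() would rewrite each host's service or job credential.
"""
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"   # 75 symbols


def generate_password(length: int = 32) -> str:
    """High-entropy password: 32 symbols from a 75-symbol alphabet is ~199 bits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class Dependent:
    """A system that authenticates with the shared account (service, cron job, ...)."""

    def __init__(self, name: str, reachable: bool = True):
        self.name = name
        self.reachable = reachable
        self.active = None   # credential currently in use
        self.staged = None   # new credential written but not yet activated

    def stage(self, password: str) -> None:
        if not self.reachable:
            raise ConnectionError(f"{self.name}: cannot reach host to stage credential")
        self.staged = password

    def commit(self) -> None:
        self.active, self.staged = self.staged, None

    def abort(self) -> None:
        self.staged = None


def rotate_multiplexed(vault: dict, account: str, dependents: list) -> tuple:
    """Rotate `account` only if every dependent accepted the new secret.

    Returns (rotated, detail). On any staging failure the rotation is abandoned:
    nothing changes at the authority and every dependent keeps the old secret.
    """
    new_password = generate_password()
    staged = []
    try:
        for dep in dependents:
            dep.stage(new_password)
            staged.append(dep)
    except ConnectionError as exc:
        for dep in staged:
            dep.abort()
        return False, str(exc)
    # Every dependent holds the new secret; now change it at the authority ...
    vault[account] = new_password
    # ... and switch all dependents over together.
    for dep in dependents:
        dep.commit()
    return True, new_password


def consistent(vault: dict, account: str, dependents: list) -> bool:
    """True when every dependent is using the password the vault currently holds."""
    return all(dep.active == vault[account] for dep in dependents)


if __name__ == "__main__":
    vault = {"svc-backup": "Old-Shared-Secret-2019"}          # constructed sample
    deps = [Dependent("backup01"), Dependent("backup02"), Dependent("archive03")]
    for d in deps:
        d.active = vault["svc-backup"]
    ok, _ = rotate_multiplexed(vault, "svc-backup", deps)
    print("rotated:", ok, "| consistent:", consistent(vault, "svc-backup", deps))
    deps[2].reachable = False                                  # simulate an outage
    ok, detail = rotate_multiplexed(vault, "svc-backup", deps)
    print("rotated:", ok, "|", detail, "| consistent:", consistent(vault, "svc-backup", deps))
```

The order is the whole point: if the authority were changed first and one dependent then failed to receive the new secret, that dependent would start failing authentication (and, with lockout policies, could lock the shared account for everyone).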
MFA Everywhere
Another concrete step is to implement multi-factor authentication (MFA) for all administrators; the extra identity assurance can reap huge rewards. A second factor tied to something the administrator possesses (a FIDO2 security key such as a YubiKey, a push notification to an enrolled phone, or a platform biometric such as Apple Touch ID) presents a very high hurdle for an attacker holding only a stolen password and stops credential-stuffing bots and most malware in their tracks. Factors differ in strength, however: a push approval can be obtained by repeatedly prompting a tired user, whereas FIDO2/WebAuthn authenticators are bound to the site origin and resist phishing. Applying MFA consistently at every privileged access point, not just the VPN, is essential.
Password Vaulting
Identities with standing privileges carry significant risk. Linux systems, especially, are a huge source of local privileged accounts. The best practice is to eliminate as many as possible. Those you can’t eliminate, store in a secure password vault, limiting access for emergencies only. Taking these privileged accounts off the playing field will significantly reduce your attack surface and your risk. Then, least privilege with just-in-time privilege elevation gives your admins the rights they need when they need it.
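Both the least-privilege model above and the vaulting step here start with an inventory: which local accounts hold standing, root-equivalent privilege, and which sudo grants are unscoped. The following Python is an added example, not code from the article or any PAM product. It parses constructed /etc/passwd, /etc/group and /etc/sudoers samples (the account names and the `deploy`/`svc-backup` rules are invented for illustration) and reports UID 0 accounts, members of admin groups, and sudoers rules that grant ALL, with the least-privilege rewrite of the weak `deploy` rule shown beside it for comparison.

```python
"""Inventory standing local privilege on a Linux host from passwd, group and sudoers data."""
import re
from dataclasses import dataclass

# Constructed sample data standing in for /etc/passwd, /etc/group and /etc/sudoers.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
deploy:x:1002:1002:CI deploy:/srv/deploy:/bin/sh
svc-backup:x:1003:1003:Backup service:/var/lib/backup:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:alice,bob
"""
# Weak rule: unrestricted, password-less sudo for a non-human account ...
WEAK_RULE = "deploy      ALL=(ALL) NOPASSWD: ALL"
# ... and its least-privilege form: one command, one run-as user, password required.
FIXED_RULE = "deploy      ALL=(root) /usr/bin/systemctl restart app"
SUDOERS_WEAK = f"""\
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
%sudo       ALL=(ALL:ALL) ALL
{WEAK_RULE}
svc-backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/systemctl restart backup
"""
SUDOERS_FIXED = SUDOERS_WEAK.replace(WEAK_RULE, FIXED_RULE)

ADMIN_GROUPS = ("root", "wheel", "sudo", "admin")
SUDO_LINE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")  # who hosts=(runas) cmds


@dataclass
class SudoRule:
    who: str        # user name, or %group
    commands: list
    nopasswd: bool


def parse_passwd(text):
    """Map account name -> {'uid', 'gid', 'shell'}."""
    accounts = {}
    for line in filter(str.strip, text.splitlines()):
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":", 6)
        accounts[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return accounts


def parse_group(text):
    """Map group name -> list of supplementary members."""
    groups = {}
    for line in filter(str.strip, text.splitlines()):
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def parse_sudoers(text):
    """Parse user-specification lines; Defaults, aliases and comments are skipped."""
    rules = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        m = SUDO_LINE.match(line)
        if m:
            who, spec = m.groups()
            tags = set(re.findall(r"\b([A-Z]+):", spec))       # NOPASSWD:, SETENV:, ...
            spec = re.sub(r"\b[A-Z]+:\s*", "", spec)
            commands = [c.strip() for c in spec.split(",") if c.strip()]
            rules.append(SudoRule(who, commands, "NOPASSWD" in tags))
    return rules


def standing_privilege(passwd, groups, rules):
    """Return {account: [reasons]} for accounts holding root-equivalent power at all times."""
    findings = {}

    def flag(account, reason):
        findings.setdefault(account, []).append(reason)

    for name, acct in passwd.items():
        if acct["uid"] == 0:
            flag(name, "uid 0" if name == "root" else "uid 0 (extra root account)")
    for gname in ADMIN_GROUPS:
        for member in groups.get(gname, []):
            flag(member, f"member of %{gname}")
    for rule in rules:
        if "ALL" not in rule.commands:
            continue                                 # scoped rule: this is least privilege
        targets = groups.get(rule.who[1:], []) if rule.who.startswith("%") else [rule.who]
        suffix = " without a password" if rule.nopasswd else ""
        for target in targets:
            flag(target, f"sudoers: {rule.who} may run ALL{suffix}")
    return findings


def scoped_sudo(rules):
    """Rules granting specific commands only: the shape least-privilege grants should take."""
    return {r.who: r.commands for r in rules if "ALL" not in r.commands}


if __name__ == "__main__":
    passwd, groups = parse_passwd(PASSWD), parse_group(GROUP)
    for label, text in (("weak", SUDOERS_WEAK), ("fixed", SUDOERS_FIXED)):
        rules = parse_sudoers(text)
        for account, reasons in standing_privilege(passwd, groups, rules).items():
            print(f"[{label}] {account}: {'; '.join(reasons)}")
        print(f"[{label}] scoped rules: {scoped_sudo(rules)}")
```

Every account the report lists is a candidate for the vault (the second UID 0 account `toor` should simply be removed), and every unscoped sudoers rule is a candidate for the kind of rewrite shown for `deploy`. The parser handles the common user-specification shape only; real sudoers files with aliases, `#include` directives or per-host rules need a fuller grammar.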
As we leave 2020 behind us, it’s essential to learn from the challenges faced. We can enter 2021 with clarity around the threats that will continue to impact our distributed enterprises and utilize modern PAM tools to combat them. Organizations must assume bad actors are in their networks and build security plans around that assumption. One method is to move your organization to a Zero Trust model, with a PAM mandate that follows three rules: never trust, always verify, and enforce least privilege. At a minimum, implement basic password hygiene, password vaulting, and MFA.