Zero Trust and Privileged Access Management
It is exactly from this scenario that the term Zero Trust comes: The concept reinforces the idea that the danger is not only outside an organization’s environment, but can also be on the inside. This environment can be compared to a kingdom that has walls, guards, and soldiers to protect its gates, but pays no attention to a servant or an unfaithful member of the court already inside.
The Zero Trust concept came from Forrester – a well-known American market research company – through John Kindervag, one of its executives. This concept emphasizes that no traffic is reliable, be it internal or external. Any asset or device must always be analyzed and checked before connecting to the organization’s infrastructure and authorizing any type of access.
“Always check, never trust” is the concept behind the Zero Trust model: Even if something has been requested or done by some theoretically reliable user, the recommendation says it should always be checked.
Internal threats are unexpected but very possible: not only third parties but also the very employees who have access or credentials may make accidental or intentional mistakes. Thus, the resources, processes, and methodologies available in the company must be applied in the infrastructure, aiming at the internal protection of the organization.
However, external threats are also related to the concept of Zero Trust when a hacker, for example, manages to overcome external security barriers and invades the company’s environment. If not properly protected, the individual can find an environment of free access and not raise suspicion during their “visit.”
Many technologies and models can assist in the implementation of a Zero Trust system. Yet, one should have in mind that these practices must support the idea that any requested access must be proven as reliable access.
These are some of the actions related to the implementation of the Zero Trust model:
- Data classification: To segregate the data and information that will be accessed and assign a value to it, so that there is a definition of who can access it and how, according to its urgency and classification (secret, confidential, internal, or public);
- Network environment monitoring: To analyze, check, and know the traffic and the means by which information is transmitted to easily identify irregularities;
- Risk mapping: To understand the risks to which systems are exposed in both the external and internal environment;
- Documentation: To adjust policies, procedures, manuals, and other documents for the new circumstance, making the use of the Zero Trust model official;
- Identification of roles and accesses: Perhaps the most important issue and the basis for the implementation of the Zero Trust model is to understand the types of users on the network, their responsibilities, and the type of access they have. The aim is to ensure that these accesses are authentic and reliable.
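The actions above (classifying data, identifying roles and their accesses, and checking every request) can be reduced to a policy check that runs for each access attempt. The following is an added example written for this article, not code from the page or from any product: it evaluates a request against an assumed role-to-clearance mapping and the four classification levels named above, and deliberately ignores whether the request originates from the internal or external network, which is the point of "always check, never trust". The role names, posture fields and log format are assumptions constructed for the example.

```python
"""Added example: a minimal Zero Trust access-decision check (illustrative, not
a product's code). Every request is verified the same way; network location is
never used as a reason to trust."""
from dataclasses import dataclass

# Classification levels listed in the article, least to most sensitive.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Assumed role-to-clearance mapping (constructed for this example).
ROLE_CLEARANCE = {
    "contractor": "public",
    "employee": "internal",
    "analyst": "confidential",
    "dba": "secret",
}


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    classification: str   # classification of the resource being requested
    mfa_verified: bool    # identity check passed for this request
    device_managed: bool  # device posture check passed for this request
    network: str          # "internal" or "external"; recorded, never trusted


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). The checks are identical for internal and
    external callers; `req.network` is only kept for the audit record."""
    if req.classification not in CLASSIFICATION_RANK:
        return False, "unknown classification"
    if req.role not in ROLE_CLEARANCE:
        return False, "unknown role"
    if not req.mfa_verified:
        return False, "identity not verified (MFA missing)"
    if not req.device_managed:
        return False, "device not verified"
    needed = CLASSIFICATION_RANK[req.classification]
    held = CLASSIFICATION_RANK[ROLE_CLEARANCE[req.role]]
    if held < needed:
        return False, f"role {req.role} not cleared for {req.classification} data"
    return True, "allowed"


def decide_and_log(req: AccessRequest, audit: list) -> bool:
    """Evaluate the request and append an audit record (the 'network
    environment monitoring' action), including denied attempts."""
    allowed, reason = evaluate(req)
    audit.append({
        "user": req.user, "resource": req.resource, "network": req.network,
        "allowed": allowed, "reason": reason,
    })
    return allowed


if __name__ == "__main__":
    audit: list = []
    # Internal caller without MFA is denied; external caller who passes every
    # check is allowed.
    decide_and_log(AccessRequest("alice", "analyst", "hr-db", "confidential",
                                 mfa_verified=False, device_managed=True,
                                 network="internal"), audit)
    decide_and_log(AccessRequest("bob", "analyst", "hr-db", "confidential",
                                 mfa_verified=True, device_managed=True,
                                 network="external"), audit)
    for rec in audit:
        print(rec)
```

The design choice worth noticing is that `network` is carried only into the audit record: an internal origin neither shortcuts the identity and device checks nor raises the clearance a role holds.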
The Zero Trust model focuses on the accesses and activities performed by users within the system. Thus, using a solution that automates the understanding of the actions performed by users (accesses and activities) is essential for the Zero Trust model to be properly implemented.
In the context of the Zero Trust model, a Privileged Access Management (PAM) solution can assist Information Security officers in any company to implement the concepts related to this model.
In this situation, the goal of a PAM solution is to perform centralized access management through the control, storage, segregation, and tracking of all environment access credentials. Through the use of this type of solution, one can ensure that the access is actually being performed by a user and that the user is allowed to access.
Thus, the following features of a PAM solution help organizations to deploy Zero Trust practices:
- Credential Management – The PAM solution must allow the definition of administrator users or user groups that will have certain types of access and permissions in relation to a target device or system, as well as manage the complete life cycle of these credentials;
- Segregation of Access – The solution must be able to isolate critical environments and correlate events to identify any suspicious behavior. That way, it is possible to prevent data leaks due to unauthorized access;
- Approval Workflows – Access requests must be easily configurable, allowing the fulfillment of multilevel approval flows and validation of the justifications provided by the requesting user;
- Behavior Analysis – Monitoring of users’ activities and identification of and response to any changes in behavior patterns and users’ access profiles;
- Unauthorized Access – Monitoring of accesses outside the organization’s policies, such as a user who performs direct access to a device using the password of a registered credential without going through the solution;
- Analysis of Actions – Analysis of actions taken by users and alert generation to identify fraud or inappropriate actions;
- Session Block – The PAM solution must allow an administrator to retake control of, or even block, a user session across a range of environments or operating systems.
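The "unauthorized access" feature above describes a detection: a login on a target device with a PAM-managed credential that no PAM-brokered session accounts for. The example below is added for this article and is not the page's or any vendor's code. It parses constructed sshd-style "Accepted" lines from a target device's auth log and correlates them with a constructed list of sessions the PAM solution brokered; the PAM gateway address, hostnames, credential names and timestamps are all assumptions. A login is reported when the managed credential was used from an address other than the PAM gateway, or when no brokered session for that credential and host covers the login time.

```python
"""Added example: flag direct use of a PAM-managed credential that bypassed the
PAM solution (illustrative, not a product's detection logic)."""
import re
from datetime import datetime

# Constructed sample: sshd-style lines from a target device's auth log.
AUTH_LOG = """\
2024-03-04T10:00:12Z srv-db01 sshd[2101]: Accepted password for svc_backup from 10.20.0.9 port 50122 ssh2
2024-03-04T10:07:45Z srv-db01 sshd[2188]: Accepted password for svc_backup from 192.168.5.44 port 51730 ssh2
2024-03-04T10:15:03Z srv-db01 sshd[2230]: Accepted password for jdoe from 192.168.5.44 port 51800 ssh2
2024-03-04T10:20:30Z srv-db01 sshd[2290]: Failed password for svc_backup from 192.168.5.44 port 51900 ssh2
"""

# Constructed sample: sessions brokered by the PAM solution.
PAM_SESSIONS = [
    {"credential": "svc_backup", "host": "srv-db01",
     "start": "2024-03-04T09:59:50Z", "end": "2024-03-04T10:05:00Z"},
]
PAM_PROXY_IPS = {"10.20.0.9"}        # assumed address the PAM gateway connects from
MANAGED_CREDENTIALS = {"svc_backup"}  # credentials whose passwords the PAM solution holds

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def session_covers(sessions: list, credential: str, host: str, when: datetime) -> bool:
    """True if some brokered session for this credential and host spans `when`."""
    for s in sessions:
        if s["credential"] == credential and s["host"] == host \
                and parse_ts(s["start"]) <= when <= parse_ts(s["end"]):
            return True
    return False


def find_bypass(log_text: str, sessions: list, proxy_ips: set, managed: set) -> list:
    """Return one finding per successful login of a managed credential that the
    PAM solution did not broker. Failed logins and unmanaged users are ignored."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a successful login line
        user, host, ip = m["user"], m["host"], m["ip"]
        when = parse_ts(m["ts"])
        if user not in managed:
            continue
        if ip not in proxy_ips:
            reason = "managed credential used from a non-PAM source address"
        elif not session_covers(sessions, user, host, when):
            reason = "login via PAM gateway with no brokered session covering it"
        else:
            continue  # brokered by PAM: expected
        findings.append({"time": m["ts"], "host": host, "user": user,
                         "source": ip, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_bypass(AUTH_LOG, PAM_SESSIONS, PAM_PROXY_IPS, MANAGED_CREDENTIALS):
        print(f)
```

Running the block on the constructed sample reports exactly one finding: the 10:07:45 login of `svc_backup` from `192.168.5.44`, which is neither the PAM gateway address nor inside the brokered session window. In practice the auth-log source would be the device's forwarded syslog and the session list would come from the PAM solution's own records; a second source of the same kind of evidence is the session-recording gap, which this example does not model.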
Taking the presented features into account, the correct implementation of a PAM solution ensures the access is being performed in a secure way, regardless of the location or access device. Thus, credentials with higher privileges will have their activities monitored, ensuring that any irregularity in their accesses is being checked.
The Zero Trust model may be relatively recent, but in current scenarios where data leaks are recurring, it is in fact very important for any company that wants to achieve greater development in terms of data protection. The use of the available solutions and means, such as a PAM solution, is already a great step that can be taken to achieve the Zero Trust applicability. The implementation of this model allows the creation of a culture of internal environment protection with the same strength and concern with which the company’s external environment is protected.