Rolling Out a Zero Trust Security Model? Here’s What You Need to Think About
November 30, 2018
3 minute read
For more expert guidance and tips on Zero Trust, click here to read our whitepaper: A Guide to Effective SaaS Management Using a Zero Trust Security Model.
In part one of this series, I said that SaaS was creating a host of new security challenges stemming from cloud sprawl and shadow IT.
Network-based security architecture is no longer adequate because people are the perimeter now.
All of this means that companies need to invest in a new, flexible security architecture — one that can accommodate a global mobile workforce that uses many apps and devices, from anywhere, at any time. The solution has to be secure and seamless.
Enter: the Zero Trust security model. In other words, every service request made by any user or machine is properly authenticated, authorized, and encrypted end to end.
Here are some considerations to keep in mind.
Best practices when rolling out Zero Trust
- The goal: The main goal of a Zero Trust security model is to prevent data breaches.
- It’s a new version of corporate identity. Zero Trust redefines corporate identity. To prevent data breaches, every service request must be properly authenticated, authorized, and encrypted end to end. The model has to take into account a user’s corporate identity, which is a combination of the user plus the device used to request the service at a point in time.
- Authentication and Authorization as a Service must be based on many dynamic factors. For example, you should create your access policy framework based on behavioral patterns, which will vary across companies (more on this below). Elements to factor in providing authentication and authorization as a service are group membership, role, device state, geolocation and time-based controls, rules granularity, time for granting/denying access, and configurable policies enabling flexible controls. Agile architecture requires decoupling authentication and authorization service logic (including identity governance) from the core application, which can then support dynamic and evolving security requirements. This trend is here to stay.
- Use a centralized access control model for more visibility into user activity. With a central gateway, you can use it to monitor, track, and address any issues.
- Enforce security measures that promote a better user security posture. The best security measures are those that become everyday habits.
- Remove trust from your network. This approach eliminates static credentials, which are the most common source of breaches. Imagine a world without passwords.
- Enforce least privilege access. Every module, be it a process, user, or program, must be able to access only the information and resources that are necessary for its legitimate purpose.
- Every company is becoming a technology company to compete effectively. Software must be delivered faster and most efficiently to run the core business. This requires companies to adopt a DevOps mindset and use automated systems and streamlined processes to make the most out of cloud computing.
- Take inventory of all users’ devices and credentials. Authenticating devices is equally as important as authenticating users.
- Prepare and understand your current security architecture. Look for gaps and sources of vulnerabilities.
- Perform data analyses. You must be able to make sense of all the data collected (e.g., devices, credentials, and the current state of your security architecture).
- Understand and document behavioral patterns: Every company operates differently; therefore, their processes may vary, as will their user behaviors (both internally and externally). A big part of the solution is to understand and implement security and access policies that take these behavioral patterns into account.
- Lay the foundation for your policy framework. Think about which elements will form the foundation for your policy framework, and how granular your policies need to be. What can and can’t your users do? The rules that make up your policies should be easy to understand, and policies must be configurable to enable custom controls.
In part three of this series, I’ll cover the critical steps, tools, and technologies you need to achieve a Zero Trust security model for effective SaaS management.
Policies are critical to effective SaaS management. To learn more about automating your policies, request a demo with BetterCloud here.