Why Identity Isn't Enough for Zero Trust
Zero Trust is one of the hottest concepts in security, and for good reason - you can actually prevent attacks from hackers even if they have access to your network. Real prevention that keeps your organization safe from data leaks, ransomware, and other malicious activity comes as a major relief to overburdened security teams. These are just some of the reasons why President Biden issued Executive Order 14028 requiring all Federal agencies to adopt Zero Trust by the end of 2024.
What Zero Trust actually is has been much harder for most of us to pin down. You’ve probably heard the slogans, like “never trust, always verify.” We can reasonably infer that verifying has something to do with identity. So Zero Trust has something to do with identifying the users who are accessing an application. Is the message, then, that we need to deploy identity services and multi-factor authentication? It’s not so simple.
To understand why, think about the ERP application in your network - if you authenticate all users against an identity service and use MFA to reduce the risk of phishing and credential theft, you definitely have improved the security of the ERP application. But how does that help protect your ERP data from hackers dropping ransomware in your network or pivoting to the server and uploading the data to the dark web? That’s the kind of protection Zero Trust is supposed to provide, isn’t it?
So yes, identity is necessary for Zero Trust. But it clearly isn’t sufficient, either. Upgrading identity and turning on MFA won’t get you there. So if identity isn’t enough, what does it take to be considered Zero Trust?
Well… Zero Trust really does mean never trust, always verify. The key is to remember this doesn’t only apply to users who are attempting to access the ERP application - it applies to every single packet that arrives at the NIC. Traffic that isn’t explicitly authenticated and authorized must be discarded. This level of enforcement is what makes it possible to prevent 0-day attacks, ransomware, and data leaks - the core benefits of Zero Trust.
There are various ways to achieve this level of network control. One traditional approach is to create a VLAN for the ERP application, using network configuration to limit which hosts can send packets to the protected server. But it’s difficult to control access to a service that’s supposed to be generally available to users in your organization, and it doesn’t solve the problem of authenticating privileged administrator access.
Another approach is to use an advanced micro-segmentation solution. Micro-segmentation inserts security controls at the server OS level, creating the required default deny behavior. This is especially powerful when integrated with ZTNA access controls, as every single network packet can be specifically authenticated and authorized before reaching the listening application.
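The gap between login-only identity and per-packet default deny can be shown with a small model. This is an added example, not code from the article or from any product it mentions; the user names, groups, ports, and sample packets are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    dst_port: int
    identity: Optional[str]  # identity bound to the flow; None if unauthenticated
    mfa: bool = False

@dataclass(frozen=True)
class Rule:
    dst_port: int
    groups: frozenset        # groups authorized for this port
    require_mfa: bool = False

# Constructed directory, policy and listening ports for a hypothetical ERP server.
GROUPS = {"alice": {"erp-users"}, "bob": {"erp-users", "erp-admins"}}
POLICY = [Rule(443, frozenset({"erp-users"})), Rule(22, frozenset({"erp-admins"}), True)]
LISTENING = {22, 443, 445}

def app_login_only(pkt: Packet) -> bool:
    """Identity checked only at the ERP login: any listening port gets the packet."""
    return pkt.dst_port in LISTENING

def default_deny(pkt: Packet) -> bool:
    """Host-level check: drop unless authenticated AND explicitly authorized."""
    # An unauthenticated (None) or unknown identity belongs to no group.
    member_of = GROUPS.get(pkt.identity, set())
    for rule in POLICY:
        if rule.dst_port != pkt.dst_port or (rule.require_mfa and not pkt.mfa):
            continue
        if member_of & rule.groups:
            return True
    return False  # no rule matched: discard

# Constructed sample traffic arriving at the server NIC.
SAMPLES = {
    "user to ERP": Packet(443, "alice", mfa=True),
    "unauthenticated host to SMB": Packet(445, None),
    "user to SSH": Packet(22, "alice", mfa=True),
    "admin to SSH, no MFA": Packet(22, "bob"),
    "admin to SSH, MFA": Packet(22, "bob", mfa=True),
}

def compare() -> dict:
    # Each value is (reaches a service with login-only, passes default deny).
    return {name: (app_login_only(p), default_deny(p)) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (reached, passed) in compare().items():
        print(f"{name:28} login-only={reached!s:5} default-deny={passed}")
```

With login-only identity, every sample packet reaches a listening service; with default deny, only the authorized ERP user and the MFA-verified administrator get through.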
Fortunately, there are solutions available that go beyond identity and integrate the critical components of a Zero Trust solution. CoIP Platform, for example, offers a powerful NIST SP 800-207 Zero Trust Architecture that tightly integrates identity with micro-segmentation and ZTNA. It's also software-based, so you can deploy it to protect critical applications in legacy brownfield environments in record time.
If you're serious about improving the security posture of your applications and data, it's time to adopt Zero Trust. Contact us today to learn more about CoIP Platform and schedule a free consultation with our systems architects. Working together, we can make your organization more secure and resilient to cyber threats.