Does the solution require that components be installed on the client asset?
Client-side solutions could limit business processes and delay productivity. They also create additional administrative overhead for your IT team.
A zero-trust security model greatly reduces the risk of password-related cyberattacks. Learn how your organization can implement it.
Zero trust is an “assumed breach” security model created for cybersecurity solution architects, system integrators and DevOps teams to integrate essential cybersecurity capabilities into a pervasive IT environment that empowers cybersecurity planning and decision-making.
Zero trust does not trust any human users or devices, regardless of where they are located. In a zero-trust environment, all users and devices must be authenticated before they can access organizational resources. Instead of relying on where users are, zero trust makes them prove who they are.
Implemented properly, zero-trust network access provides IT administrators with full visibility into all users, systems and devices. People, apps and services can communicate securely, even across network environments. It doesn’t matter if users are connecting from their homes, hotels, coffee shops or airports, or even if they’re using their own devices. Administrators can see exactly who’s connecting to the network, where they are and what they’re accessing.
Three guiding principles form the core of zero-trust security.
Any human or device could potentially be compromised, even if they’re connecting from inside the office.
All humans and machines must prove they are who they say they are before they can access network resources.
Even after a user has been verified explicitly, they should only have the minimum amount of network access they need to perform their jobs – and no more.
There are many zero-trust-compatible cybersecurity solutions on the market, but not all of them are suitable for your specific data environment and business needs. Ask yourself the following questions when choosing a zero-trust solution:
Client-side solutions could limit business processes and delay productivity. They also create additional administrative overhead for your IT team.
Some solutions assume that requested resources reside in the cloud (so-called north-south traffic) and not within an enterprise perimeter (east-west traffic). This poses a problem in hybrid cloud environments, where legacy line-of-business apps that perform critical functions may be run on-premises because migrating them to the cloud isn’t feasible.
Zero-trust access decisions depend heavily on the collection and use of data related to process flow – especially for privileged accounts.
Some solutions may support a broad range of protocols (SSH, web, etc.) and transports (IPv4 and IPv6), but others may only work with web or email.
Some solutions may require additional steps to perform a given workflow, which could require your organization to make changes to your existing workflows.
Once you’ve chosen a zero-trust solution, you should plan your zero-trust implementation around the following six pillars, all of which must be assessed, and then updated or replaced accordingly.
In a zero-trust model, every user – both human and machine – must have a unique digital identity. Whenever this identity requests access to a resource, the system must verify it with strong authentication, backed up with behavioral analysis to ensure that the access request isn’t anomalous for that user. Once the identity is authenticated, the user’s network access must follow least-privilege principles.
You can achieve this by ensuring users have strong, unique passwords for every account and enable Multi-Factor Authentication (MFA) wherever it is supported. Additionally, organizations should deploy real-time detection, automated remediation and connected intelligence solutions to both monitor for account compromise and respond to potential problems.
In today’s cloud-based environments, data resides everywhere, and it must be governed everywhere it resides. This involves strictly controlling and restricting data access according to least-privilege principles and ensuring that data is encrypted both at rest and in transit.
Segment networks to prevent threat actors from moving laterally and accessing sensitive resources. Utilize “in-pipe” network security controls to enhance visibility, including tools for real-time threat protection, end-to-end encryption, monitoring and analytics.
Application access and privileges must be controlled and restricted as rigorously as the data itself. Gate access to apps, monitor app usage for anomalous behavior, and use Role-Based Access Control (RBAC) to ensure that users’ in-app permissions are appropriate and follow least-privilege principles.
Only compliant and trusted apps and devices should be permitted to access data. Before allowing employees to access company apps on mobile devices, require them to enroll their devices in Mobile Device Management (MDM) and have them validated for general health and compliance with company security policies. MDM solutions also give administrators visibility into device health and compliance, as well as the ability to enforce policies and security controls, such as blocking copy/paste or download/transfer.
Managing permissions for both on-prem infrastructure and cloud-based Virtual Machines (VMs), containers and microservices can be challenging. Automate as many processes as possible. Use Just-In-Time (JIT) access to harden defenses, deploy security analytics to detect anomalies and cyberattacks, and automatically block and flag risky behavior for further investigation and remediation.
One of the biggest challenges to implementing zero trust is knowing where to begin. Zero trust has a lot of moving parts, and there are no universal “zero-trust implementation” standards. Here are a few best practices for mapping out your organization’s zero-trust journey.
As technology, workflows and the threat environment all shift and change, so will your zero-trust architecture.
Zero trust requires an "all or nothing" mindset and firm commitment from all levels of leadership. Support from upper management was a commonality among CRA’s “champions” – while a lack of support was the top stumbling block cited by organizations continuing to struggle with zero trust adoption.
To avoid business disruptions, start a zero-trust deployment by first migrating low-risk business resources, then segueing to more critical resources after your team has more experience with the zero trust model.
Identity and Access Management (IAM) is the most frequently-implemented component of zero-trust, with 95% of organizations having an IAM solution in place.
Keeper’s zero-trust, zero-knowledge cybersecurity suite enables organizations to adopt zero-trust remote access for their distributed workforces, with strong authentication and granular visibility and control. KeeperPAM® – Keeper’s next-generation privileged access management solution – unifies Keeper Enterprise Password Manager (EPM), Keeper Secrets Manager (KSM) and Keeper Connection Manager (KCM).
By unifying EPM, KSM and KCM, Keeper provides IT administrators with a pervasive, single pane of glass to track, log, monitor and secure every user on every device from every location, as they transact with all permitted sites, systems and applications.