By Joseph Carson, Chief Security Scientist (CSS) & Advisory CISO at Thycotic
What is the Zero Trust security model and why was it introduced?
The concept of Zero Trust security isn’t new; the term was coined by Forrester back in 2010 and was initially synonymous with a network security approach known as micro-segmentation.
Micro-segmentation is a way to create secure zones in data centers and cloud deployments that allow you to isolate workloads and protect them individually.
This approach is attractive because the traditional security perimeter was no longer proving an effective cyber security control.
Fast growing technologies, such as cloud, mobile and virtualization, made the security boundaries of an organization blurry.
For years organizations protected their valuable and sensitive data by building a fence around those assets, and all the data that flowed in and out was either via a single internet access point or on physical devices.
This meant that a traditional perimeter was an effective measure as the boundaries were known and controlled. As long as internet access was managed, it was possible to protect, monitor, and control the data that flowed through it.
If your users are accessing more IT services outside the security perimeter than inside, how protective can the perimeter really be?
Organizations protected internet access with firewalls, VPNs, access controls, IDS, IPS, SIEMs, email gateways, and so forth, building multiple layers of security at the so-called perimeter.
On physical devices, systems management and antivirus protected those systems and kept them updated with the latest security patches.
This traditional “defense in depth” security approach has been used for almost 30 years, but in today’s world it’s no longer enough.
After all, if your users are accessing more IT services outside the perimeter than inside, how protective can the perimeter really be?
Trust, in the past, was something that we heavily relied upon. Once an employee had a corporate laptop and authenticated, they were then expected to do their job and not abuse the trust entitled to them.
However, cyber-criminals took advantage of that exact flaw in the security model by abusing trusted user identities and compromising their credentials to gain access to company systems and sensitive information under the guise of authorized employees.
Today, trust is being abused by cyber-criminals targeting unsuspecting employees personal accounts to gain access, later elevating to privileged accounts that can move around corporate networks undetected, and roaming around the network for months or even longer.
Once attackers gain access to the internal network they typically have access to the entire network as everything inside the network is automatically trusted.
This is why the Zero Trust security model was introduced—to address a new stance on trust: never trust and always verify.
How has Zero Trust evolved since 2010?
Security product vendors have been steadily jumping on the Zero Trust bandwagon over the past nine years to the point that Zero Trust has ballooned to include almost every type of cyber security technology under the sun.
Finally, Forrester took an important step toward reigning in the definition of Zero Trust by publishing their inaugural Zero Trust Wave report: “The Forrester Wave: Zero Trust eXtended (ZTX) Ecosystem Providers, Q4 2018.”
In the report, Forrester’s framework is based on technology controls and defines 7 controls that are the basic tenets of ZTX:
Network Security, Device Security, Identity Security, Application Security, Data Security, Security Analytics, and Security Automation.
Gartner jumped into the Zero Trust conversation with their Continuous Adaptive Risk and Trust Assessment (CARTA) approach, and its “7 principles,” proposing that Zero Trust is only the first step in the process.
CARTA is based on the balance between risk and trust; high-value assets represent business risk and, therefore, require a higher degree of trust from anyone trying to gain access.
Organizations that implement the Zero Trust security model quickly find that it’s the opposite of how they have traditionally approached network security
The challenge with these approaches is that they’re so broad and comprehensive it’s difficult to know where to start.
Where is your biggest risk? What do attackers see as the low hanging fruit? What can you do to eliminate the most risk as quickly and affordably as possible?
To add to the challenge, organizations that implement the Zero Trust security model quickly find that it’s the opposite of how they have traditionally approached network security.
Switching from trusting everything to trusting nothing—and always verifying—has increased friction for employees and had a negative impact on productivity.
Although Zero Trust is firmly associated with security, in reality it breaks the balance between security and productivity.
And it does so at a time when we need security to help the business be productive and free of friction, enabling employees to do their jobs effectively and efficiently.
Our take on Zero Trust Security
Thycotic’s approach to privileged access security aligns well with the concept of Zero Trust and incorporates elements of both Forrester’s and Gartner’s approaches.
The overarching Zero Trust concept of “never trust, always verify” is essentially about controlling access.
And privileged access is the riskiest type of access. It’s why Forrester estimates that 80% of security breaches involve misuse of privileged credentials.
And Gartner ranks privileged access management as the #1 security project for 2019, for the second year in a row, because there are very straightforward and effective steps you can take to reduce your privileged access risk.
If you can effectively control and monitor privileged access, then you’ll mitigate the most cyber risk in the shortest possible time.
How the Zero Trust security model work
Zero Trust assumes any user or system that accesses the network, services, applications, data, or systems starts with no trust.
To gain authorized access, trust must be earned by the prospective user through verification. For example, verification can require two-factor authentication.
In this instance, a user provides a password but then must take an additional step by using an authentication application.
When new devices are introduced on the network, and before they obtain access to any resources, they must identify and verify themselves based on certain security controls.
The more sensitive the resources to be accessed, the more security controls they must satisfy.
Untrusted networks, devices, and BYOD devices should always be Zero Trust with continuous identity verification
Trusted networks, devices, and users should start with Zero Trust, allow them to build trust, and revalidate when the security posture changes or the risks increase
However, Zero Trust should not be the final goal.
It is an initial step to a dynamic or adaptive security model, such as the Gartner CARTA approach.
In this model, when the threat is high, the security fence increases, and when the threat is low, the security fence automatically decreases.
Managing this dynamic requires the efficient use of threat detection and intelligence to track activity.
Combining digital identity, multi-factor authentication, biometrics, behavioral analytics, and privileged access, you can build a dynamic security fence using a trust score or risk framework for digital identities to alert and/or challenge access when behavior changes or becomes suspicious.
And then you can use internal trust definitions or external threat intelligence to determine when security controls should be more sensitive.
For example, when a new variant of malware or ransomware emerges in the wild and exploits known vulnerabilities which have not yet been patched, the dynamic security measures can increase the security sensitivity.
That way when a human or system detects a privileged access request from an unknown source, it can prevent access until additional security controls are satisfied, such as peer review or alternative approval workflows.
Thus, privileged identity management and adaptive security can continuously check trust levels, and when a user or system makes too many unusual or anomalous changes, the privileged identity management solution will automatically challenge for additional identification of the human or system.
“Zero Trust has an important role in improving security and reducing business risk but it’s only an initial step in this process.”
In this short video filmed at InfoSecurity Europe, I discuss cyber security and vendor relationships, and Zero Trust is introduced at minute 3:02:
(Hear from Joseph Carson (advisory CISO to Thycotic) directly as he talks through a number of hot cybersecurity topics vendors were promoting. Are vendors talking about the right things? What are we still getting wrong? And how do we fix it? Courtesy of Lepide.)
Implementing PAM to achieve the principles of Zero Trust
Like Gartner, we recommend taking a risk-based approach to implementing Zero Trust security and privileged access management.
And Forrester’s ZTX technology controls provide a good road map for key areas to address.
The lowest hanging fruit in the PAM world, and a great way to remove lots of risk quickly and easily, is by changing default IDs and passwords for built-in privileged accounts.
This maps to the ZTX identity security control.
Another quick win that maps to the ZTX device security control is implementing least privilege controls on endpoint devices like laptops and workstations.
Local admin accounts on these devices should be locked down, and any application or task that requires elevated permissions should only be granted access via workflow approval.
(Using an analogy you won’t forget, Joseph Carson explains what least privilege is and how it works. He offers additional advice on implementing least privilege here. Courtesy of Thycotic and YouTube.)
The next big area of risk to address is controlling privileged access to your most business-critical systems, applications, and data.
This maps to the ZTX identity, application, and data security controls. Determine which privileged accounts have access to these systems, who has access to those accounts, plus when and from where they typically use their access.
For these high-risk accounts, keep the credentials in an encrypted vault so they can’t be shared or reused, use at least two-factor authentication to access the vault, rotate credentials frequently (if not after every use), and restrict the time and locations from which access is allowed.
Because attackers often try to create new privileged accounts in order to move laterally and avoid detection, you need to strictly control the process that governs how and why new privileged accounts are created.
This maps to the ZTX security automation control.
Users are encouraged to follow the rules when they know their behavior is being monitored
All privileged account activity for critical systems should be monitored and recorded. This maps to the ZTX security analytics control.
Users are encouraged to follow the rules when they know their behavior is being monitored, and recorded session data is invaluable when investigating the cause of a breach.
Classifying trust dynamically and making it adaptive to business risks
Cyber security classifications of trust and accepted risk should be adaptive.
This means you need to create policies or rules across the enterprise for identities, services, applications, data, and systems.
For example, you can have an “always verify” and “always monitor” policy for third-party vendors or contractor identities.
Internal employee classifications would be adaptive based on the sensitivity of the data being accessed.
An “always verify” policy would require credentials and multi-factor authentication, while an “always monitor” policy would audit and record all activity.
Moving beyond Zero Trust to adaptive risk-based security
Zero Trust is about ensuring only appropriate access is granted to critical assets.
Organizations typically start their journey to Zero Trust security by prioritizing high risk areas, such as supply chain, contractors, temporary employees, sensitive networks, and privileged accounts, and reducing the risk of attackers abusing accounts that may have less security or visibility.
Zero Trust is the baseline from which organizations can build trust scores they can use to determine how much security is required for appropriate access to internal networks and systems.
This concept can be applied and enforced very broadly, for the entire network and all of its assets, or very specifically, creating different levels of trust and verification at the micro-segment or individual asset level, depending on the level of security and control needed.
About the Author
Joseph Carson is Thycotic’s Chief Security Scientist & Advisory CISO and author of “Least Privilege for Dummies.”
A Cyber Security Professional with 25+ years’ experience in Enterprise Security & Infrastructure, Joseph is a Certified Information Systems Security Professional (CISSP).
An active member of the Cyber Security community and a frequent speaker at Cyber Security events globally Joseph is also an adviser to several governments and cyber security conferences.
In 2018 Joseph was selected as a (ISC)² Information Security Leadership Award (ISLA®) Americas Winner.
“I’m only as secure as the people around me.” ~ Joseph Carson.
Phenomenal Channel Performance Boosts Thycotic Revenues in 2019
Thycotic, the company who provides privileged access management (PAM) solutions for more than 10,000 organizations worldwide, including 25 of the Fortune 100, has experienced a rise in total worldwide revenues of 67 percent in 2019.
Thycotic’s global indirect sales were up by 35 percent year on year, helped considerably by strong business demands for PAM solutions from worldwide Channel partners including Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs).
Additionally, there were significant contributions from professional services, enablement and marketing support.
Recent portfolio additions like Account Lifecycle Manager, Cloud parity for Thycotic products and DevOps vault have allowed partners to offer their clients a full end-to-end solution.
A new Named Partner approach has been especially effective, creating a genuine team environment with a small number of key partners that are 100% committed to grow their PAM business.
This coupled with structural investments in channel support systems and processes have made 2019 a formative year for Thycotic’s Channel worldwide strategy and sets up to enter 2020 with dedicated and highly knowledgeable partners focused on delivering the best possible value for their end-user customers.
Highlights of Thycotic’s 2019 channel performance also include:
- 48 percent growth in value of overall channel opportunities created in global markets
- 42 percent year-on-year rise in partner sourced leads following newly introduced marketing-led lead generation program
- 296 percent increase in Thycotic Certifications helped advance the professional credibility of our partners in their knowledge of PAM,
- 50 percent increase in staff numbers
- 20 percent increase in value of deal registrations
- Success of professional services and partner enablement programs
- Members of Thycotic’s channel leadership team were recognized by CRN in several award programs in 2019, including Channel Chiefs, 100 People You Should Know and Women of the Channel.
“In our experience the top vendors are the ones that iron out all the wrinkles so partners can stay centered on serving the clients to the best of their ability,” explained Mark Weatherill, marketing director at UK distributor Alpha Gen.
“Thycotic’s professional services and partner enablement programs manage all the back-end processes while enhancements to the deal registration system keep everything conflict-free ensuring everything works smoothly and efficiently.”
“Thycotic has been unwavering in their support to help us grow our business particularly with the Department of Defense (DoD),” affirms Jeff Bloom, principal of Waimanalo Blooms.
“Thycotic’s commitment to send staff to attend key meetings and deliver the message in person has made quite an impact.”
“With consistent marketing and field support and sending staff to speak at major events has added credibility and built serious inroads in a vertical which is very hard to penetrate.”
Going into 2020, Thycotic is increasing investments to supercharge the channel growth.
The company is investing in state-of-the-art software to streamline sales processes, enable partners to find more opportunities and support them with new incentive programs.
Heading to RSA® Conference, February 24 – 28, 2020, in San Francisco?
Visit Thycotic booth #655 in the South Hall and you could #DriveAwayFromRSA in the CEO’s Jeep!
Join the conversation virtually with Thycotic CISO, Terence Jackson, on Tuesday, February 25, 2020, at 10:30 a.m. (PT), as he participates in the live video panel, “The Changing Face of Compromise,” presented by BrightTALK.
Thycotic Wins Third ‘ASTORS’ in 2019 ‘ASTORS’ Homeland Security Awards Program
Best IT Privileged Mgmt Solution
Secret Server 10.7
Secret Server 10.7 is an industry-leading Cloud privileged access controls, combined with the latest in threat management and full redundancy delivered by Microsoft Azure Cloud Services.
Thycotic was also a recognized in both the 2018 and 2016 ‘ASTORS’ Homeland Security Awards Programs.
The 2019 ‘ASTORS’ Awards Program surpassed expectations with a record number of nominations received from industry leaders and government agencies, and drew over 200 attendees to the ‘ASTORS’ Awards Presentation Banquet – an exclusive gourmet luncheon and networking opportunity which filled to capacity, before having to turn away late registrants.
The event featured an impassioned and compelling keynote address by William J. Bratton, former police commissioner of the New York Police Department (NYPD) twice, the Boston Police Department (BPD), and former chief of the Los Angeles Police Department (LAPD), as he walked attendees through 50 years of American policing history, the impacts on the communities, and the evolution of critical communication capabilities in our post 9/11 landscape.
Commissioner Bratton, one of the world’s most respected and trusted experts on risk and security issues and Executive Chairman of Teneo Risk a global advisory firm, was recognized as the ‘2019 ‘ASTORS’ Person of the Year’ for his Lifetime of Dedication and Extraordinary Leadership in Homeland Security and Public Safety.
Why the 2019 ‘ASTORS’ Homeland Security Awards Program?
American Security Today’s comprehensive Annual Homeland Security Awards Program is organized to recognize the most distinguished vendors of physical, IT, port security, law enforcement, and first responders, in acknowledgment of their outstanding efforts to ‘Keep our Nation Secure, One City at a Time.’
Over 200 distinguished guests representing Federal, State and Local Governments, and Industry Leading Corporate Firms, gathered from across North America, Europe and the Middle East to be honored among their peers in their respective fields which included:
- The Drug Enforcement Administration (DEA)
- National Center for Missing and Exploited Children (NCMEC)
- United States Marine Corps
- The Federal Protective Service (FPS)
- Argonne National Laboratory (ANL)
- United States Postal Inspection Service
- DHS S&T
- United States Marshals Service (USMS)
- The Port Authority of New York & New Jersey Police (PAPD)
- The Department of Justice (DOJ)
- The New York State Division of Homeland Security & Emergency Services (NYS DHSES)
- United States Border Patrol
- AlertMedia, Ameristar Perimeter Security, Attivo Networks, Automatic Systems, Bellevue University, BriefCam, Canon U.S.A., CornellCookson, Drone Aviation, FLIR Systems, Hanwha Techwin, HID Global, IPVideo Corp., Konica Minolta Business Solutions, LenelS2, ManTech, Regroup Mass Notifications, SafeLogic, SolarWinds, Senstar, ShotSpotter, Smiths Detection, TCOM LP, Trackforce, Verint, and More!
Why American Security Today?
The traditional security marketplace has long been covered by a host of publications putting forward the old school basics to what is Today – a fast changing security landscape.
The traditional security marketplace has long been covered by a host of publications putting forward the old school basics to what is Today – a fast changing security landscape.
American Security Today is uniquely focused on the broader Homeland Security & Public Safety marketplace with over 75,000 readers at the Federal, State and local levels of government as well as firms allied to government.
American Security Today brings forward a fresh compelling look and read with our customized digital publications that hold readers eyes throughout the story with cutting edge editorial that provides solutions to their challenges.
Harness the Power of the Web – with our 100% Mobile Friendly Publications
The AST Digital Publications is distributed to over 75,000 qualified government and homeland security professionals in federal, state and local levels.
‘PROTECTING OUR NATION, ONE CITY AT A TIME’
AST Reaches both Private & Public Experts, essential to meeting these new challenges.
Today’s new generation of public safety and security experts need real-time knowledge to deal with domestic and international terrorism, lone wolf attacks, unprecedented urban violence, shifts in society, culture and media bias – making it increasingly difficult for Homeland Security, Law Enforcement, First Responders, Military and Private Security Professionals to implement coordinated security measures to ensure national security and improve public safety.
These experts are from Government at the federal, state and local level as well as from private firms allied to government.
AST provides a full plate of topics in our AST Monthly Magazine Editions, AST Website and AST Daily News Alerts, covering 23 Vital Sectors such as Access Control, Perimeter Protection, Video Surveillance/Analytics, Airport Security, Border Security, CBRNE Detection, Border Security, Ports, Cybersecurity, Networking Security, Encryption, Law Enforcement, First Responders, Campus Security, Security Services, Corporate Facilities, and Emergency Response among others.
AST has Expanded readership into integral Critical Infrastructure audiences such as Protection of Nuclear Facilities, Water Plants & Dams, Bridges & Tunnels, and other potential targets of terrorism.
Other areas of concern include Transportation Hubs, Public Assemblies, Government Facilities, Sporting & Concert Stadiums, our Nation’s Schools & Universities, and Commercial Business Destinations – all enticing targets due to the large number of persons and resources clustered together.
To learn more about the 2019 ‘ASTORS’ Homeland Security Award Winners solutions, please go to the 2019 ‘ASTORS’ Championship Edition Fully Interactive Magazine – the Best Products of 2019 ‘A Year in Review’.
The ‘ASTORS’ Champion Edition is published annually and includes a review of the ‘ASTORS’ Award Winning products and programs, highlighting key details on many of the winning firms products and services, includes video interviews and more.
It is your Go-To source throughout the year for ‘The Best of 2019 Products and Services‘ endorsed by American Security Today, and can satisfy your agency’s and organization’s most pressing Homeland Security and Public Safety needs.
From Physical Security (Access Control, Critical Infrastructure, Perimeter Protection and Video Surveillance Cameras and Video Management Systems), to IT Security (Cybersecurity, Encryption, Data Storage, Anti-Malware and Networking Security – Just to name a few), the 2019 ‘ASTORS’ CHAMPIONS EDITION will have what you need to Detect, Delay, Respond to, and Mitgate today’s real-time threats in our constantly evolving security landscape.
It also includes featured guest editorial pieces from some of the security industry’s most respected leaders, and recognized firms in the 2019 ‘ASTORS’ Awards Program.
Thycotic is one of the world’s fastest growing IT security companies, serving more than 10,000 customers, because they provide customers with the freedom to choose cloud or on premise software solutions that are easy to use and implement.
To see for yourself why Thycotic has more 5 star reviews than any other Privileged Account Management vendor, visit www.thycotic.com.
To learn about advertising opportunities with American Security Today, please contact Michael Madsen, AST Publisher at firstname.lastname@example.org.
AST strives to meet a 3 STAR trustworthiness rating, based on the following criteria:
- Provides named sources
- Reported by more than one notable outlet
- Includes supporting video, direct statements, or photos