When it comes to data, enterprises can no longer assume that traditional identity and access management approaches mean it is safe. Zero Trust security has emerged as the solution to this complex issue centered around access permissions. But what is Zero Trust and how does it affect my IT Audit?
Traditional security measures are typically referred to as “castle and moat,” in which enterprises defend their perimeter but assume that everything inside the network does not pose a threat. However, if a hacker can get inside the “castle,” they can move freely throughout systems without running into many obstacles. Additionally, internal actors pose a significant threat, with 34% of data breaches perpetrated by internal bad actors. This is particularly troubling when 53% of companies report having at least 1,000 files available to all employees. With these problems arising in a traditional security environment, modern systems require an alternative approach.
Companies no longer exist with all their systems housed within a corporate data center. Now, systems may be a hybrid between cloud and on-premise solutions or even dependent on cloud technologies. Users can access applications from a myriad of devices from anywhere in the world, requiring enterprises to rethink how they manage user access.
This is where Zero Trust comes into play. The principle assumes that a data breach will happen and that no user is to be trusted. Each time a user requests access, their request must be authenticated, authorized, and encrypted before they are granted access permissions.
With Zero Trust, the fact that a user was granted privileges once does not mean those privileges should be permanent. Each time they need access, the system verifies attributes of the user, such as their role, position, usage behavior, and device health, before deciding whether access can be granted. Once the user is in, they should receive least-privilege access based on just-in-time and just-enough-access principles: users are granted only the minimum permissions necessary to complete their duties, and only for as long as they need them.
After the designated time has elapsed, the user will lose their access rights and need to request them again. When employed, this practice severely limits the damage a hacker could do if able to infiltrate a Zero Trust network, as it is more difficult for them to move laterally or access files they should not be able to get into.
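As an added illustration (not part of the original article, and not YouAttest or NIST code), the Python sketch below models the access flow described in the two paragraphs above: every request is evaluated against the caller's role, identity proof and device health, a successful request yields a grant that expires after a policy-defined window, and each decision is written to an audit trail. The roles, permissions and lifetimes in POLICY are constructed sample values.

```python
from dataclasses import dataclass
# Constructed policy (assumption): role -> permission -> maximum grant lifetime in
# seconds. "Just enough access": a role only ever sees the permissions listed for it.
POLICY = {
    "payroll-analyst": {"payroll-db:read": 30 * 60},
    "dba": {"payroll-db:read": 60 * 60, "payroll-db:write": 15 * 60},
}

@dataclass
class Grant:
    user: str
    permission: str
    expires_at: int  # Unix time in seconds

class ZeroTrustBroker:
    def __init__(self):
        self.grants = {}     # (user, permission) -> Grant
        self.audit_log = []  # one line per decision: the trail an IT audit reviews

    def request(self, user, role, permission, mfa_verified, device_healthy, now):
        # No standing trust: role, identity proof and device health are all
        # re-checked on this request, whatever was granted before.
        allowed = POLICY.get(role, {})
        if permission not in allowed:
            return self._deny(user, permission, "not in role policy", now)
        if not mfa_verified:
            return self._deny(user, permission, "identity not verified", now)
        if not device_healthy:
            return self._deny(user, permission, "device health check failed", now)
        grant = Grant(user, permission, now + allowed[permission])  # just-in-time window
        self.grants[(user, permission)] = grant
        self.audit_log.append(f"t={now} ALLOW {user} {permission} until t={grant.expires_at}")
        return grant

    def _deny(self, user, permission, reason, now):
        self.audit_log.append(f"t={now} DENY {user} {permission}: {reason}")
        return None

    def is_authorized(self, user, permission, now):
        # Checked again at use time: once the window has elapsed the grant is
        # dropped and the user has to go back through request().
        grant = self.grants.get((user, permission))
        if grant is None:
            return False
        if now >= grant.expires_at:
            del self.grants[(user, permission)]
            self.audit_log.append(f"t={now} EXPIRE {user} {permission}")
            return False
        return True
```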
For Zero Trust to be successful, however, enterprises must continually monitor and log traffic activities. This practice should be part of IT audits because, without these monitoring activities, an enterprise cannot establish baseline activities for its users. Having a baseline makes it easier to detect anomalous and potentially malicious activity. Failing to monitor account activities makes it nearly impossible to preemptively identify the actions of threat actors, whether they are internal or external.
Though specific Zero Trust adherence models are not yet written into current IT audit compliance guidance such as PCI-DSS, HIPAA, HITRUST, SOX, and ISO 27001, components of its best practices will most likely seep into these compliance measures in the future. A best-practice reference architecture has already been published by the U.S. National Institute of Standards and Technology (NIST). The guidance is called NIST SP 800 and outlines an abstract definition of zero trust architecture, deployment models, and use cases for the cybersecurity approach.
Enterprises should consider Zero Trust as the cybersecurity approach of the future, designed to prevent diverse threats. Coupled with IT audits, enterprises can position themselves as more proactive, rather than reactive, when dealing with securing their sensitive data.
YouAttest and Zero Trust
YouAttest is the only cloud-based IGA platform that deploys in minutes to conduct access reviews. YouAttest has dedicated AD and Okta user/app/role attestations as well as an upload capability to work with any resource.
YouAttest enables an enterprise to verify that privileges are applied correctly across the enterprise, supporting its implementation of a Zero Trust architecture.
YouAttest’s dedicated AD attestation can be used in conjunction with Guardicore in a Zero Trust environment. Register for the YouAttest/Guardicore webinar, Micro-Segmentation for Zero Trust Security and Compliance.
If you found this NIST and Zero Trust article informative, or feel we have missed important aspects of NIST and Zero Trust, please write back to us so we can update the article. We will make sure that any suggestions and recommendations we receive are added to it.