Author: Kamel Heus, Regional Director, Northern, Southern Europe, Middle East and Africa at Centrify
We have all seen the popular movie Panic Room with leading actress Jodie Foster. The concept is an extraordinarily safe room inside a reasonably safe house, with an outer perimeter protected by camera surveillance and other commodity detectors and alarms. Intruders are able to gain access through the outer perimeter into the house, but once the occupants of the house enter the panic room the intruders are foiled.
Organizations needs to protect their perimeters, but more importantly must assume that threat actors will be able to penetrate them and will have access to move around inside the organization’s network. Building multiple safe, panic rooms inside the organization’s network is therefore a great idea. Ensuring that absolutely no one can enter the panic room – except the proverbial Jodie Foster and her daughter is also equally important.
What about an assumed identity? Suppose threat actors gained knowledge of the access codes to the proverbial panic room inside an organization’s network? Then they could enter – right?
But suppose the access codes were rotated after each use, and were generated only on request. No predetermined assumptions would be used.
In the current modern-day environment of digital enterprises, digital technologies, mobile workers, connected devices, and hybrid platforms of computing, this approach of security access is increasingly the way forward – and is referred to as a Zero Trust approach. Zero Trust rejects the long-accepted adage of “Trust, but verify,” and replaces it with a new mandate more aligned to modern threats: “Never trust, always verify.”
Organizations must always assume that the most privileged users in an organization’s network will be the most targeted by threat actors. Moreover, once targeted, privileged credentials may invariably get stolen and threat actors will gain access to the organization’s network using those credentials.
The modern-day trend now is to limit the privileges linked to any access, so that even if the access credentials of privileged users are gained by threat actors their ability to enter the panic room is not assured.
In tomorrow’s digital organizations, it’s no longer just people who are accessing critical systems and sensitive data, and the organization’s network once controlled robustly within the brick and mortal walls of the organization’s building has now expanded to be replaced by virtual walls of the cloud.
Not only do human workers need to be given access to this network, but digital services and applications, robot workers, autonomous devices, and edge network sensors will all need to log into the organization’s distributed and virtual network. The once diligent but cumbersome process of manually giving access to known and named human employees, is giving way to an automated and intelligent processes of access control and access rights.
There is no doubt that in the future, many of the day-to-day operational requests that are within a known context can be automated. This will ensure that work is not delayed and there is a basis of continuous operation for the users. However, whenever requests do not match a previous pattern or are out of context, behavioral analytics will subject such requests to additional checks or will automatically escalate it for human intervention.
Privileged users will continue to be enabled, as in legacy systems, with the only rider that those privileges will be available on request in real time, and only for the time needed to perform the task required. Once the privileges have been used to complete a task, the privileges will be reversed once again to the minimum required.