Three keys to frictionless zero-trust security
Blog · August 23, 2021
By Mike Epley, Red Hat
The U.S. Department of Defense (DoD) was already headed toward a completely perimeter-less security environment before the COVID-19 pandemic hit. Now, the agency has gone full-fledged into a virtually wide-open landscape where physical constraints that used to exist have been largely eradicated, and new types of threats against its workforce, tools, supply chains, and operations abound.
The DoD has responded by aiming at zero-trust cybersecurity architectures, but this practice presents its own issues. The need to constantly reassert user and system identities and enforce authorization can create enormous friction – defined as any circumstance whereby a primary task is prevented or delayed due to a security requirement – which encourages use of bypasses or overbroad accesses, neither of which are conducive to a successful defense operation.
But with an automated and virtualized infrastructure and user behavioral analysis in place, the DoD can maintain a strong zero-trust stance while significantly reducing friction and user frustration. Here’s how.
Automating declarative access
Zero trust requires a lot more system checks: Users’ access needs continually change and authentication and authorization procedures need to be constantly updated. Keeping up with these checks and changes using manual intervention can be inefficient and introduce risk.
It’s better to use declarative access controls as opposed to imperative controls. With a declarative access model, systems are set up to provide access based on the intent and need of the underlying interaction. Typically, encoding the rules matching data to the user’s needs inherently focuses on data-protection attributes: type, source, and dissemination, for example. Conversely, imperative models rely on the relationship of the actors and their actions. Declarative access controls are more consistent and predictable as actors change or as systems evolve and integrate with each other – as is the case while the DoD hurtles towards cloud and edge computing.
The DoD was already moving in this direction, but the pandemic has accelerated the need for attribute-based access control (ABAC) and dynamic role-based access control (RBAC). ABAC takes into consideration specific user attributes and considers those attributes when making a determination as to whether or not to allow access. Dynamic RBAC enables access based on traditional attributes like a user’s role or job title, but also limits access to only the capabilities needed for specific tasks. Dynamic RBAC may also factor in subtleties like different experience and certification levels.
Both of these practices require an underlying layer of automation that can immediately convert declarative requests to imperative authorizations, limitations on grants, or blockage of the request entirely. Automatically and safely authorizing access in a seamless manner can enable users to get information they need in real time or use new systems without compromising security.
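As an added illustration (not Red Hat's or the DoD's code), the following converts a declarative request into an imperative decision: the rules name the data-protection attributes the article lists (type, source, dissemination) plus a dynamic RBAC nuance (a certification requirement that limits rather than blocks). The attribute vocabulary, task-to-source needs and user/dataset values are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed classification ordering; hypothetical, not an official marking scheme.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}

@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    unit: str
    certifications: FrozenSet[str]
    active_task: str            # the intent behind the request

@dataclass(frozen=True)
class Dataset:
    name: str
    classification: str         # data-protection attribute: type
    source: str                 # data-protection attribute: source
    dissemination: FrozenSet[str]  # data-protection attribute: units it may reach
    required_cert: Optional[str] = None  # dynamic RBAC: extra skill for writes

# Declarative statement of which tasks legitimately need which data sources.
# Actors are not named here, so the rule survives staff and system changes.
TASK_NEEDS = {
    "logistics-planning": {"supply-chain", "maintenance"},
    "incident-response": {"network-telemetry", "maintenance"},
}

def authorize(user: User, ds: Dataset, action: str) -> Tuple[str, Optional[str]]:
    """Imperative outcome of a declarative need: ('allow', None),
    ('limit', reason) or ('deny', reason)."""
    if LEVELS[user.clearance] < LEVELS[ds.classification]:
        return ("deny", "clearance below data classification")
    if user.unit not in ds.dissemination:
        return ("deny", "dataset not disseminable to unit " + user.unit)
    if ds.source not in TASK_NEEDS.get(user.active_task, set()):
        return ("deny", "dataset not needed for task " + user.active_task)
    if ds.required_cert and ds.required_cert not in user.certifications:
        # Limit the grant instead of refusing it outright: reads stay possible.
        if action == "read":
            return ("limit", "read-only: missing " + ds.required_cert)
        return ("deny", "write requires " + ds.required_cert)
    return ("allow", None)
```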
Virtualizing the security landscape
Even if users can access information, there’s still the possibility the systems they’re using aren’t as secure as they once were. Despite the increased prevalence of the cloud, prior to the pandemic the DoD still handled much of its security through physical means. People were using DoD-issued laptops, usually on DoD networks and systems. These systems made it easier for security administrators to tell if users’ machines had the proper virus protection in place and make sound assertions surrounding security.
When everyone went remote, many physical assurances suddenly disappeared. And while military personnel are still working on highly secure devices, many people working from the DoD are relying more on personal laptops and smartphones that may not be entirely secure.
Virtualizing security can help teams overcome this challenge. Virtual systems can help administrators regain their agencies’ security postures by providing an abstraction layer between the user and the system they’re accessing. Administrators can insert safeguards – such as filtering, protocol breaks, and automatic backup and restore, for example – into their virtual infrastructures to protect systems against any malware they might otherwise be exposed to. If these protections fail, virtual environments can work to minimize their potential cybersecurity blast radius.
Layering in user behavioral analysis
The final piece of the low-friction zero-trust picture is user behavioral analysis. Users can be monitored based on their behavior patterns; any deviation from a normal pattern could signal anomalous activity indicating that the user's account may have been compromised.
For example, a user may gain access to a network from their home office in D.C. Moments later, their credentials may be used to obtain access to a different dataset from an IP address outside of the country. Upon detecting this abnormal activity, the system can automatically lower the level of trust associated with the user, and only that user. This action protects the network without having to shut other users out of the system, which enables them to keep working without experiencing any undue disruption.
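The scenario above, as an added example that is not part of the original post: a detector scans access records in order, computes the speed a user would have needed between two consecutive logins, and lowers the trust level of only the user whose pattern breaks. The log lines, the IP-to-location table and the 1,000 km/h threshold are constructed assumptions standing in for a real GeoIP feed and tuned policy.

```python
import math
from datetime import datetime, timezone

# Constructed stand-in for a GeoIP lookup: prefix -> (country, lat, lon). Not real data.
GEO = {
    "198.51.100.": ("US", 38.9, -77.0),   # home office in Washington, D.C.
    "203.0.113.":  ("XX", 55.7, 37.6),    # a location several thousand km away
}
MAX_KMH = 1000.0   # faster than a commercial flight: travel is impossible
MIN_KM = 50.0      # ignore small GeoIP jitter inside one metro area

def lookup(ip):
    for prefix, loc in GEO.items():
        if ip.startswith(prefix):
            return loc
    raise KeyError("no location for " + ip)

def haversine_km(a, b):
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def parse(line):
    # Constructed format: "<iso-utc-timestamp> <user> <ip> <resource>"
    ts, user, ip, resource = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, ip, resource

def analyze(lines):
    """Return (trust_per_user, alerts). Trust starts at 1.0 and is cut to 0.2
    for a user whose consecutive accesses imply impossible travel."""
    trust, last, alerts = {}, {}, []
    for line in lines:
        when, user, ip, resource = parse(line)
        loc = lookup(ip)
        trust.setdefault(user, 1.0)
        if user in last:
            prev_when, prev_loc = last[user]
            hours = (when - prev_when).total_seconds() / 3600
            km = haversine_km(prev_loc[1:], loc[1:])
            if km > MIN_KM and (hours <= 0 or km / hours > MAX_KMH):
                trust[user] = min(trust[user], 0.2)   # demote only this user
                alerts.append((user, resource, round(km)))
        last[user] = (when, loc)
    return trust, alerts

LOG = """2021-08-23T14:02:10Z alice 198.51.100.23 dataset=ops-schedule
2021-08-23T14:03:41Z bob 198.51.100.88 dataset=ops-schedule
2021-08-23T14:05:02Z alice 203.0.113.7 dataset=personnel-roster""".splitlines()
```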
Zero-trust cybersecurity doesn’t need to be a painful or disruptive experience. By employing automation, virtualization, and behavioral analysis, administrators can protect their networks and support their colleagues as they go about their missions.