Given current business conditions and the prevalence of SaaS technologies, now is the time to take steps toward zero trust.

Lenny Zeltser, Chief Information Security Officer, Axonius

September 27, 2021


The IT landscape has shifted a great deal over the last 18 months, providing corporate management and end users insight into why robust, identity-focused boundaries around data are essential for the modern business environment. As a result of this growing support and the prevalence of software-as-a-service (SaaS) technologies, implementing zero-trust security is easier these days, so now is a great time to consider such strategies.

While opinions vary on what zero trust is and is not, this security model generally considers the user's identity as the root of decision-making when determining whether to allow access to an information resource. This contrasts with earlier approaches that made decisions based on the network from which the person was connecting. For example, we often presumed that workers in the office were connecting directly to the organization's network and, therefore, could be trusted to access the company's data.

Today, however, organizations can no longer grant special privileges based on the assumption that the request is coming from a trusted network. With the high number of remote and geographically dispersed employees, there is a good chance the connections originate from a network the company doesn't control. This trend will continue. IT and security decision-makers expect remote end users to account for 40% of their workforce after the COVID-19 outbreak is controlled, an increase of 74% relative to pre-pandemic levels, according to "The Current State of the IT Asset Visibility Gap and Post-Pandemic Preparedness," with research conducted by the Enterprise Strategy Group for Axonius.

Though implementing a zero-trust approach may seem impossible at first, there are ways to move toward the desired architecture one step at a time without trying to overhaul all security components at once. When designing a zero-trust journey, security leaders can start by increasing the role that single sign-on (SSO) plays in their environment and by considering how users' endpoints can be secured and validated before access is granted.

Managing Dynamic Identities With a Zero-Trust Approach

In the zero-trust world, access policies often start by asking: Who is this person? Should they be allowed to access the application? What privileges should they have? These questions are tied to the person's identity and their role in the organization so that their access is aligned with what they need for their work. For example, a salesperson needs access to their accounts in the customer relationship management system and other information relevant to the sales function. Privileges granted to a software engineer would be very different.

A practical way of establishing such identity-focused security measures is through SSO functions. In this context, SSO describes a way of maintaining the identities of the company's employees in a single service and delegating access and privileges-related decisions to that service.

Most SaaS providers today support SSO integration, so that instead of creating yet another repository of identity information, organizations can centralize identity management. When selecting SaaS products, confirm that they support SSO in a way that works with your identity management system. Some SaaS vendors charge for SSO integration or require a costly bundle upgrade to enable the functionality.

For the identity management system to be useful, it must keep up with the dynamic nature of companies. People come and go, and employees' access requirements change when they switch roles. For example, a salesperson promoted to an executive position might require access to information about a broader set of customers.

One way to manage this challenge is to connect your identity management system with an authoritative source of information about employee roles and responsibilities: the human resources system. When the two systems are linked, personnel changes in the HR systems can automatically propagate to the SSO provider, which will enforce them across the integrated SaaS applications for authentication and authorization decisions.
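
A sketch of the HR-to-SSO propagation described above, written as an added example and not taken from the article or from any identity product. The role names, group names, record layout and sample accounts are all assumptions constructed for illustration.

```python
# Assumed mapping from HR job role to SSO groups (hypothetical names).
ROLE_GROUPS = {
    "sales": {"crm-own-accounts"},
    "sales-exec": {"crm-own-accounts", "crm-all-accounts"},
    "engineer": {"source-control"},
}

def plan_sync(hr_records, idp_accounts):
    """Plan changes that align the SSO directory with HR (the source of truth).
    idp_accounts: lowercase email -> {"enabled": bool, "groups": set}."""
    hr = {r["email"].lower(): r for r in hr_records}
    actions = []
    for email, acct in idp_accounts.items():
        rec = hr.get(email)
        # Leaver, or an account HR has no record of: cut access.
        if rec is None or not rec["active"]:
            if acct["enabled"]:
                actions.append(("disable", email, ()))
            continue
        want = ROLE_GROUPS.get(rec["role"])
        if want is None:
            # Unknown role: flag for a human instead of guessing privileges.
            actions.append(("review", email, ()))
            continue
        if not acct["enabled"]:
            actions.append(("enable", email, ()))
        extra, missing = acct["groups"] - want, want - acct["groups"]
        if extra:  # mover: privileges left over from the previous role
            actions.append(("remove_groups", email, tuple(sorted(extra))))
        if missing:
            actions.append(("add_groups", email, tuple(sorted(missing))))
    for email, rec in hr.items():
        if rec["active"] and email not in idp_accounts:  # joiner
            groups = tuple(sorted(ROLE_GROUPS.get(rec["role"], ())))
            actions.append(("create", email, groups))
    return sorted(actions)

# Constructed sample data: promoted salesperson, leaver, new hire, orphan account.
HR = [
    {"email": "ana@example.com", "role": "sales-exec", "active": True},
    {"email": "bo@example.com", "role": "engineer", "active": False},
    {"email": "cy@example.com", "role": "engineer", "active": True},
]
IDP = {
    "ana@example.com": {"enabled": True, "groups": {"crm-own-accounts"}},
    "bo@example.com": {"enabled": True, "groups": {"source-control"}},
    "ex-vendor@example.com": {"enabled": True, "groups": {"source-control"}},
}
```

Running `plan_sync(HR, IDP)` yields one group addition for the promoted salesperson, one account creation, and two disables, including the account that exists in SSO but has no HR record.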

Validating the Endpoint to Strengthen the Zero-Trust Architecture

Another important element of a zero-trust architecture is determining whether to grant access based, in part, on the state of the connecting person's endpoint. Beyond questioning identity, security teams also need to consider the condition of the device. Is its security posture appropriate for the type of data the person is accessing or the type of action the person is taking? One way to achieve this is to integrate the SSO provider with the endpoint IT or security agent. When a user tries to log in to an application, the provider authenticates the user and checks to see what level of privileges they are allowed. Then it will ask the endpoint agent whether the state of the device is acceptable before granting access.
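
The login flow described above, as an added example that is not from the article or any SSO product: identity first, then role, then the endpoint agent's report. The check names, sensitivity tiers, 15-minute freshness window and sample request are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy: endpoint checks required per data sensitivity tier.
REQUIRED_CHECKS = {
    "low": {"agent_running"},
    "high": {"agent_running", "disk_encrypted", "os_patched"},
}
MAX_REPORT_AGE = timedelta(minutes=15)  # assumed freshness window

def decide(identity, resource, posture, now):
    """Return (allowed, reason) for one access request.

    identity: {"authenticated": bool, "groups": set} from the SSO provider
    resource: {"group": str, "sensitivity": "low" or "high"}
    posture:  {"reported_at": datetime, "checks": {name: bool}} from the
              endpoint agent, or None when no agent answered
    """
    if not identity.get("authenticated"):
        return False, "user not authenticated"
    if resource["group"] not in identity.get("groups", set()):
        return False, "role does not grant this resource"
    required = REQUIRED_CHECKS.get(resource["sensitivity"])
    if required is None:
        return False, "unknown sensitivity tier"  # fail closed
    if posture is None:
        return False, "no endpoint report"  # fail closed
    if now - posture["reported_at"] > MAX_REPORT_AGE:
        return False, "endpoint report is stale"
    # A check the agent did not report counts as failed.
    failed = sorted(c for c in required if not posture["checks"].get(c, False))
    if failed:
        return False, "device fails: " + ", ".join(failed)
    return True, "identity, role and device state accepted"

# Constructed sample request: a salesperson on an unencrypted laptop.
NOW = datetime(2021, 9, 27, 12, 0, tzinfo=timezone.utc)
SALES = {"authenticated": True, "groups": {"crm-own-accounts"}}
CRM = {"group": "crm-own-accounts", "sensitivity": "high"}
LAPTOP = {"reported_at": NOW - timedelta(minutes=2),
          "checks": {"agent_running": True, "disk_encrypted": False,
                     "os_patched": True}}
```

The same user and device pass for a resource marked "low", which shows the device requirement scaling with the data being accessed instead of with the network the request comes from.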

Organizations move toward zero trust on different timelines. A younger enterprise may already have a modern architecture, making it easier to implement IT and security practices consistent with zero trust. Established organizations require more careful planning as they shift away from trusting the network toward granular factors such as user identity and endpoint state. Regardless, given current business conditions and the prevalence of SaaS technologies, now is the time to take the step toward zero trust.

About the Author(s)

Lenny Zeltser

Chief Information Security Officer, Axonius

Lenny Zeltser is the CISO at Axonius, a leader in cybersecurity asset management. Prior to Axonius, he led security product management at Minerva Labs and NCR. Before that, he spearheaded the US security consulting practice at a leading cloud services provider acquired by CenturyLink. He also helps shape global cybersecurity practices by teaching at SANS Institute and sharing knowledge through writing, public speaking, and community projects. He has earned the prestigious GIAC Security Expert designation and developed the Linux malware analysis toolkit REMnux. He is also on the Board of Directors of the SANS Technology Institute.
