We have all seen the popular movie Panic Room with leading actress Jodie Foster. The concept is an extraordinarily safe room inside a reasonably safe house, with an outer perimeter protected by camera surveillance and other commodity detectors and alarms. Intruders are able to gain access through the outer perimeter into the house, but once the occupants of the house enter the panic room the intruders are foiled.
Organisations need to protect their perimeters, but, more importantly, must assume that threat actors will be able to penetrate them and will be able to move around inside the organisation’s network. Building multiple safe panic rooms inside the organisation’s network is therefore a sound idea. Ensuring that absolutely no one except the proverbial Jodie Foster and her daughter can enter the panic room is equally important.
What about an assumed identity? Suppose threat actors gained knowledge of the access codes to the proverbial panic room inside an organisation’s network? Then they could enter, right? But suppose the access codes were rotated after each use and generated only on request. Then no standing, predetermined code would exist for them to steal.
In the current environment of digital enterprises, digital technologies, mobile workers, connected devices, and hybrid computing platforms, this approach to access security is increasingly the way forward and is referred to as a Zero Trust approach. Zero Trust rejects the long-accepted adage of “Trust, but verify” and replaces it with a new mandate more aligned to modern threats: “Never trust, always verify.”
Organisations must always assume that the most privileged users in an organisation’s network will be the most targeted by threat actors. Moreover, once targeted, privileged credentials may invariably get stolen and threat actors will gain access to the organisation’s network using those credentials.
The modern-day trend is to limit the privileges linked to any access, so that even if threat actors obtain the credentials of privileged users, their ability to enter the panic room is not assured.
In tomorrow’s digital organisations, it is no longer just people who access critical systems and sensitive data, and the organisation’s network, once robustly controlled within the brick and mortar walls of its building, has now expanded beyond them and is bounded instead by the virtual walls of the cloud.
Not only do human workers need to be given access to this network, but digital services and applications, robot workers, autonomous devices, and edge network sensors will all need to log into the organisation’s distributed and virtual network. The once diligent but cumbersome process of manually granting access to known and named human employees is giving way to automated and intelligent processes of access control and rights assignment.
There is no doubt that in the future many day-to-day operational requests that fall within a known context can be automated. This will ensure that work is not delayed and that users have a basis for continuous operation. However, whenever requests do not match a previous pattern or are out of context, behavioural analytics will subject them to additional checks or automatically escalate them for human intervention.
Privileged users will continue to be enabled, as in legacy systems, with the only rider that those privileges will be available on request in real time, and only for the time needed to perform the task required. Once the privileges have been used to complete a task, they will be reverted to the minimum required.
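The pattern the last few paragraphs describe (access codes generated only on request and rotated after each use, privileges granted for a bounded time and then reverted to the minimum, and out-of-context requests escalated to a human rather than granted) can be shown in a small just-in-time privilege broker. The following is an added example written for this article; it is not code from the article, from Centrify or from any product. The user name, role, policy table, IP ranges and clock values are all constructed for illustration.

```python
import hashlib
import ipaddress
import secrets
from dataclasses import dataclass

# Constructed policy table (illustrative only): the contexts in which each
# (user, role) request is considered routine. Anything outside these contexts
# is "out of context": it is escalated to a human, never granted automatically.
KNOWN_CONTEXTS = {
    ("alice", "db-admin"): {
        "networks": [ipaddress.ip_network("10.0.1.0/24")],
        "hours": range(8, 19),  # 08:00 to 18:59, the user's normal working hours
    },
}

DEFAULT_TTL = 900  # seconds an elevation lives before it reverts to minimum privilege


@dataclass
class Grant:
    user: str
    role: str
    issued_at: int
    expires_at: int
    used: bool = False  # a code is single-use: once redeemed it cannot be replayed


class JitBroker:
    """Issues time-boxed, single-use elevation codes.

    The plaintext code is returned to the requester exactly once; the broker
    stores only its SHA-256 fingerprint, so a copy of the broker's state does
    not contain any usable code."""

    def __init__(self):
        self._grants: dict[str, Grant] = {}  # code fingerprint -> grant
        self.escalations: list[tuple] = []   # requests that need a human decision
        self.audit: list[str] = []           # constructed audit trail

    @staticmethod
    def _fingerprint(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def in_context(self, user: str, role: str, src_ip: str, hour: int) -> bool:
        """True only if this (user, role) request matches a known pattern."""
        ctx = KNOWN_CONTEXTS.get((user, role))
        if ctx is None:
            return False
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in ctx["networks"]) and hour in ctx["hours"]

    def request(self, user, role, src_ip, hour, now, ttl=DEFAULT_TTL):
        """Return a fresh one-time code, or None when the request is escalated."""
        if not self.in_context(user, role, src_ip, hour):
            self.escalations.append((user, role, src_ip, hour, now))
            self.audit.append(f"ESCALATE user={user} role={role} src={src_ip} hour={hour}")
            return None
        code = secrets.token_urlsafe(32)  # generated only on request, never pre-shared
        self._grants[self._fingerprint(code)] = Grant(user, role, now, now + ttl)
        self.audit.append(f"GRANT user={user} role={role} expires={now + ttl}")
        return code

    def redeem(self, code, now):
        """Exchange a code for the role; denied if unknown, already used or expired."""
        grant = self._grants.get(self._fingerprint(code))
        if grant is None or grant.used or now >= grant.expires_at:
            self.audit.append("DENY invalid, used or expired code")
            return None
        grant.used = True  # rotated: the same code will not work a second time
        self.audit.append(f"ELEVATE user={grant.user} role={grant.role} at={now}")
        return grant.role

    def effective_roles(self, user, now):
        """Roles the user holds right now: redeemed, unexpired grants, else minimum."""
        active = {g.role for g in self._grants.values()
                  if g.user == user and g.used and now < g.expires_at}
        return sorted(active) or ["minimum"]
```

The clock is passed in explicitly so the expiry behaviour can be exercised deterministically; in a real deployment the broker would also bind the code to the requesting session and log to a system the requester cannot alter. The point the example makes is that a stolen code is worth little: it works once, only within its time window, and only after a request that itself had to match a known context.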
Key takeaways
- Organisations must assume that threat actors will be able to penetrate them and will have access to move around inside the organisation’s network.
- Zero Trust rejects the long-accepted adage of “Trust, but verify” and replaces it with a new mandate more aligned to modern threats: “Never trust, always verify.”
- Privileges will be available on request in real time, and only for the time needed to perform the task required.
By Kamel Heus, Regional Director, Northern, Southern Europe, Middle East and Africa at Centrify.