About SecurityWeek Cyber Insights |At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.
SecurityWeek Cyber Insights 2023 | Zero Trust and Identity and Access Management (IAM) – Zero trust is not a replacement for identity and access management (IAM), it is an extension in extremis. It is the extension of IAM principles from people to everyone and everything, everywhere and anytime. The difficulties in IAM are retained but are complicated by the complexity of installing it everywhere.
Nevertheless, zero trust is widely seen as an important part of effective cybersecurity. In 2023 we will see more vendors touting a complete zero trust product and/or methodology, and more businesses attempting its implementation.
Here we examine how this might progress through 2023.
Background
Zero trust is a natural evolution from the realization that company networks no longer have a perimeter that can be defended. With no perimeter to defend, every asset needs to be individually protected, and every access needs to be individually verified. Location means nothing – access to anything from anywhere must always be verified before it is granted.
It is a short step from this to realize such verification should apply within the network as well as from outside: east-west (where it is also called ‘microsegmentation’) as well as north-south. Achieve this, and you have fulfilled the journey to zero trust.
Zero trust is the replacement of a defensible data center perimeter with individual defensible asset perimeters – from one to potentially millions.
The DoD Zero Trust Reference Architecture, referred to in an OMB memorandum in January 2022, describes the concept: “Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the Internet) or based on asset ownership (enterprise or personally owned). Zero trust requires designing a consolidated and more secure architecture without impeding operations or compromising security. The classic perimeter/defense-in-depth cybersecurity strategy repeatedly shows to have limited value against well-resourced adversaries and is an ineffective approach to address insider threats.”
The OMB memorandum goes on to state, “This memorandum requires agencies to achieve specific zero trust security goals by the end of Fiscal Year (FY) 2024.” Two things are immediately apparent: firstly, there will be extensive activity within federal agencies through 2023 to fulfill this requirement (and associated vendor activity to help them achieve this); and secondly, it is no simple task. The trickle-down effect of federal mandates will ensure that adequately resourced private industry will follow.
“Zero trust represents a fundamental shift in the way in which organizations view and approach risk (and in turn security),” explains Chris Denbigh-White, cybersecurity strategist at Next DLP. “Moving through 2023 many organizations are going to realize that zero trust is not so much a destination as a means of conducting the journey of information security. Yes, technology will play a vital role in this journey but should never be confused with the end of the conversation, or indeed the end of the journey.”
It is worth noting that some vendors call their preferred route to zero trust ‘zero trust network access’ (ZTNA). You can get further details on ZTNA here – but within this article we will treat the two terms (zero trust and ZTNA) indiscriminately.
Problems and issues for 2023
“The most common mistake organizations make deploying zero trust or microsegmentation is underestimating the complexity of their network,” says John Yun, VP of product strategy at ColorTokens. “An effective zero trust implementation requires the knowledge of all servers, applications that run on the servers, and users authorized to use those applications.”
Matthew Carroll, CEO and co-founder of Immuta, warns that zero trust should not be considered a complete solution on its own. The problem that it seeks to solve is partly due to the massive increase in data sharing that has arisen through the growth of cloud-based SaaS infrastructures. This will result in an increase in data processing agreements (DPA) between companies and SaaS providers. “In 2023, we’ll see DPAs become a standard element of SaaS contracts and data sharing negotiations.”
He still fears that zero trust alone will not provide adequate security. “In 2023 we’ll see a major shift in data security architecture. This will include proper access controls that effectively balance access and security.” But he adds, “Zero trust won’t work using traditional approaches because there are too many endpoints.” Implementing a zero trust approach for access must still be integrated with adequate anomaly detection – zero trust for access should not be at the expense of internal visibility.
The effect of Covid-19 has increased the importance of a zero trust architecture. “The Covid-19 pandemic ushered in a new era of remote and hybrid working,” says Craig Lurey, CTO and co-founder at Keeper Security. “The explosion in the sheer number of endpoints, with an increasing amount of them accessed remotely, requires a higher level of security to tackle growing online threats. Under this new normal, zero trust is now the only realistic and comprehensive framework for securing modern, cloud-based data environments and distributed workforces.”
Joseph Carson, chief security scientist at Delinea, adds, “A zero trust approach will become more essential than ever as the transformation continues. Employees should have access only to what they need to efficiently do their job. This will ensure that an attacker’s ability to move within the larger business network is limited and the attack surface reduced.” But he also notes that this could raise privacy issues if employers impose conditions on personally owned computers.
“It appears remote work is here to stay and will increase into 2023,” says John McClurg, SVP and CISO at BlackBerry. “Enterprises should look to adopt a zero trust architecture and security model to truly secure their remote workforces. This model is defined by trusting no one and absolutely nothing by default – including users inside an actual network. By assuming every user, device or network is hostile, zero trust security forces everyone to prove who they are before access is authorized.”
The urgency of the pandemic and the consequent rush to implement remote working is in many cases causing problems for the integration of an overarching zero trust solution. “The majority of organizations today still struggle with allowing explicit access to applications and enforcing zero trust policies across their business. In fact, over 80% of organizations have found it difficult to implement a zero trust model, and that has a lot to do with the fact that many organizations have hybrid IT architectures,” explains Peter Newton, senior director of products at Fortinet.
The problem is that it is too cumbersome to have one set of policies for on premises and an entirely different set of policies for the cloud. Consequently, he says, “In 2023 we will see more IT teams shift to incorporate ZTNA across the entire network – from cloud to on-premises – for universal coverage under a single solution. And as ZTNA begins to go mainstream in the enterprise, we’ll start to see organizations transition away from a pay-per-user model and start to bake ZTNA directly into their security architecture for a more seamless and consistent user and management experience.”
At its root, zero trust is a major extension of identity and access management (IAM) – but IAM itself is a problem that has never yet been completely solved. “Organizations are still learning the concept of identity sprawl and the scale of their technical debt, which means that companies are just starting to realize the scale of the challenge,” comments Wade Ellery, field CTO at Radiant Logic.
“In 2023, we are going to see more and more businesses slow down to speed up –they’ll recognize they need to put in an identity data foundation before they can justify building new, revenue-oriented projects that demand access to identity.”
For zero trust, he added, “As we move into 2023, senior decision-makers and security teams are discussing how they can achieve a granular-approach in real-time, and ultimately, they will come back to the issue of identity data management.”
More and more companies are recognizing the theoretical security benefits of zero trust and are starting their own journeys. In 2023, the difficulties in doing so will become more apparent – but it’s not all doom and gloom. “To a certain extent, factors such as internal politics, talent shortages, and economic conditions play a role in any IT project,” comments Hendra Hendrawan, security technical councilor at the Info-Tech Research Group. “Still, organizations with a good IT or cybersecurity strategy should embark on the zero trust journey with fewer frictions.”
At a high level, he says a successful IT implementation generally consists of well-documented processes, good selections of technology, and great talents. “Couple these with a solid security strategy, and achieving a zero trust architecture should not be a question of how but of when.”
That ‘when’ will be many years in the making. “Zero trust is a security model, not a product. Adopting zero trust across an enterprise requires careful planning and the use of complementary, multi-vendor solutions,” warns Torsten Staab, principal engineering fellow at Raytheon Intelligence and Space. “For many organizations, adopting zero trust security will be a multi-year journey. Establishing a solid zero trust strategy up front and developing a phased, step-by-step implementation plan to avoid boiling the ocean and losing focus will be key to a successful zero trust implementation.” But for 2023, he added, “Look for additional zero trust implementation guidance and recommendations from NIST and CISA.”
IAM issues
Foundational to implementing zero trust will be solving the existing IAM problems – and that will not be easy. The traditional approach has been to implement basic MFA involving a second-factor token delivered via a mobile phone – but such MFA is frequently broken by hackers.
“My prediction for 2023,” says Ben Brigida, director of SOC operations at Expel, “is that we will witness an increase in MFA push notification fatigue attacks. Why? Because they’re working. More and more, organizations are turning to cloud access identity providers for single sign-on capabilities. Attackers know that if they can get their hands on credentials for these platforms, they’ll get access to critical business applications—not just email. So, they’re sending multiple push notification requests to users and hoping the user will just approve one to make the notifications stop.”
Chris Vaughan, VP technical account management, EMEA and South Asia at Tanium, calls this an MFA push exhaustion attack. “This is where an attacker sends a large number of MFA acceptance prompts to users’ phone which may cause them to click accept to stop the barrage of requests. This has been largely successful in gaining access to user data and accessing IT environments.”
“Once considered a ‘silver bullet’ in the fight against credential stuffing,” adds Marcus Fowler, CEO of federal government for Darktrace, “it hasn’t taken attackers long to find and exploit weaknesses in MFA and they will continue to do so in 2023.”
John Stevenson, senior product director at Cyren, expands on the problem: “Phishing will remain an unsolved problem leading to countless account takeover attacks. As businesses enable MFA, phishers will update their tactics to defeat additional verification steps like one-time codes sent to phones or email addresses. So-called strong authentication methods that rely on mobile phones and email accounts (that were never intended to be identities) will be the first to prove insecure for high-risk use cases. Passwordless authentication won’t yet solve these issues due to insufficient lifecycle management solutions and incompatibility with legacy systems.”
John Pescatore, director of emerging security trends at SANS, sees an additional phone-based threat to identity management. “While mobile phones are more secure than desktops,” he comments, “we will also see a greater volume of stalkerware included in downloaded apps that target consumers.”
Pegasus spyware is a prime example of this threat – it can install itself on iOS and Android devices with zero clicks. Hackers are also creating malicious stalkerware apps and hiding them in app stores.
“As people become more accustomed to downloading family tracking software and giving away app permissions, the risk of having their keystrokes, locations, voice, and even photos and videos recorded for financial theft and other nefarious purposes will also increase.”
If second-factor one-time codes and passwordless authentication are not the solution to the IAM issue. an alternative must be found. Many have been suggested, from physical biometrics (including touchless fingerprinting) to behavioral biometrics and more.
“Touchless fingerprinting will emerge as the top authentication method,” claims Chase Hatcher, VP of technology and innovation at Telos. “In 2023, organizations with a pre-existing fingerprint database infrastructure will increasingly turn to touchless fingerprinting to perform remote biometric identity verification”, he says. “With regards to authentication, we’ll see identity platforms backed by multi-modal true biometrics face and fingerprint and ‘convenience biometrics’ embedded mobile solutions like faceID and touchID emerge.”
“In 2023, more people will protect their critical accounts with methods other than logins and passwords,” adds Ricardo Amper, founder and CEO at Incode. “When creating accounts, they will provide multiple factors such as biometrics, government-issued identity documents, and information from reliable sources to prove their identities. When authenticating access to these accounts, they will use biometrics, providing more security for their private data.”
Donnie Scott, CEO at Idemia, has a more specific US identity prediction for 2023. “In 2023, every jurisdiction that issues an identity will have deployed, be in the process of deploying, or considering the deployment of a digital form of mobile identity/mobile-driver’s license. Arizona was the first US state to adopt mobile IDs followed by Oklahoma, Delaware, and Mississippi. Up to 30 states, including Colorado, Hawaii, Ohio, and the territory of Puerto Rico, are in the process of making mobile IDs available to their residents. We will only see this increase.”
He is very upbeat about the potential. “The benefits of this model, where biometrics meets identity, are a citizen-controlled assertion of identity, backed by the Government’s high standard of proof against who that person is. This combination results in a high assurance, privacy protected model.”
But the problem for this, and virtually every other means of remote identification, is that ultimately it identifies a mobile phone and not necessarily the owner or current user of that phone. A compromised phone can still lead to a compromised identity. Absolute proof of personal identity for perfect zero trust is very difficult.
And we haven’t even mentioned machine identities, which are equally important in a zero trust architecture, and present their own problems.
Summary
“Modern security solutions that remove the implicit trust from users, devices, services, and workloads, regardless of the location will become the norm,” says Stefan Schachinger, product manager network security at Barracuda. “The ‘context’ of who, what, when, where, and how will become key security components in a world of continuous zero trust evaluation that will defend against ever more stealthy threats. In 2023, just detecting and blocking malicious events will no longer be sufficient. You need to investigate and remediate everything.”
Achieving a solid zero trust architecture won’t happen overnight. It’s not a product you can buy and run. It will require the integration of different security solutions – some of which may already be present while others will need to be purchased, implemented, and integrated, seamlessly. Many companies will start the journey in 2023, and many others will make progress – but getting close to the destination will probably take years.
Nevertheless, “Zero trust represents a new cybersecurity paradigm that offers numerous benefits to organizations of all sizes and industries. Deploying a zero trust approach to access management can be especially effective, creating a virtual ‘locking of shields’ between governments and the private sector,” says McClurg. “This allows for closer cooperation to better protect critically important infrastructure and services.”
“I like to keep this stuff abstract,” Steve Riley, field CTO at Netskope, told SecurityWeek. “I want to eliminate implicit trust from every layer: from the network, from applications, from virtual machines and from the data objects. Instead, I want the situation where every interaction is mediated by something, and the level of confidence in that interaction is measured by the context and the signal surrounding.”