Demystifying Access Control and Zero Trust

scyther5/iStock.com

Featured eBooks
Digital Transformation
Read Now

Federal IT Modernization Still a Major Challenge

Read Now

DHS’ next chapter as an enterprise services provider

Read Now

What's happening in health tech

Read Now
By Mark Currie,
VIce President and Chief Network Officer, Cellcrypt Inc.

By Mark Currie

|

As agencies rethink making temporary remote arrangements permanent, officials should start with proven ubiquitous encryption technology.

The COVID-19 pandemic has forced many organizations to adapt to unprecedented numbers of personnel working remotely. Rather than just a temporary deviation, this seems likely to persist, with a recent Microsoft survey finding that 73% of employees want to continue to work from home after the pandemic. However, this "new normal" creates a significant security problem where IT resources, usually accessible only within the organization's local area network, or LAN, must now be made available remotely. 

In many instances, LAN-based IT resources are available without any special authorization, as these resources can only be accessed within an organization's premises, using physically connected devices, by vetted personnel, working within a physical access-controlled boundary.

To some extent, organizations had already begun to extend these boundaries with on-premises Wi-Fi. Those with their own premises that include outside areas, such as car parking, could largely contain Wi-Fi access within their physical perimeter. Remote access changes the scenario drastically as the physical boundary disappears. Virtual private networks, or VPNs, the standard mechanism used to secure remote access, even when coupled with secondary authentication, cannot replace traditional physical access controls, and network security alone is no longer enough. Access to IT resources now requires a far more granular approach, and this is what Zero Trust is all about.

Zero Trust assumes that all networks, even internal firewalled networks, are insecure. Organizations must individually evaluate each online resource to assess its value, decide who should be allowed access and how access should be regulated. Of course, this does not mean organizations should abandon network security in favor of Zero Trust. Overall, security is strengthened with multiple layers of different types of protection.

Security needs to start from each endpoint (the users and their devices) through to a specific IT resource (server) and, ideally, the service or application (end-to-end). Where multiple services share the same resource and security terminates at the resource, the most sensitive service must take precedence in terms of security enforcement levels. TLS proxies like Nginx and STunnel, underpinned with FIPS 140-2 validated OpenSSL, are tried-and-proven opensource technologies that can be used to add TLS and client certificate support to services retroactively. Endpoints should require encrypted network access (e.g. VPN or HTTPS/TLS), including two-factor authentication, or more broadly, multi-factor authentication,  or MFA.

To avoid man-in-the-middle MFA attacks, MFA should ideally be integrated with the communication encryption session. Further, to avoid the SolarWinds MFA bypass attack, the use of asymmetric encryption with hardware devices provided to end-users, such as smartcards or dongles, that can protect MFA encryption keys, should be used. However, this type of approach is typically both inconvenient and costly. 

A more practical approach is to try to tick as many boxes as possible while preserving enough convenience to guarantee widespread adoption: it makes sense to start with proven ubiquitous encryption technology. Public key infrastructure, or PKI, with all its limitations, remains the most widely supported means of implementing and managing communications security and is supported by all browsers and operating systems. The underlying standard cryptography layer (TLS) also supports mutual authentication using client-side PKI certificates to support the MFA requirements.

TLS client certificates are already integrated with the encrypted communication session (check) and are based on asymmetric cryptography (check). With client certificates, the private key associated with a user's public key can be stored safely, as modern computing devices all have platform-secured user key stores, often integrated with hardware security, e.g. Trusted Platform Module (TPM) (check). Client certificates are also often used to remove the need for user passwords. However, passwords have their own unique properties and, coupled with client certificates, make a potent MFA combination.

Purchasing client certificates can be expensive and owning your own PKI can be onerous, requiring a high-security facility. However, client certificates can be managed separately, removing the more significant security burden associated with issuing server certificates. For medium to large organizations, a client-only PKI is not too onerous and allows the possibility of using X.509 certificate authorization extensions to provide even higher access control granularity.

Organizations can introduce additional end-to-end controls with application-layer security. This is particularly important with multi-media communications such as instant messaging, voice/video calls and conference calls and file sharing. This type of media should only be deciphered and authenticated by the intended recipients.

Recent attack methods are proving more devastating, and the process of prevention requires some effort, but there is reassurance there! Organizations have a host of effective options available to ensure the security of their data and communications, and the cost and complexity they represent are a fraction of a successful compromise. 

Mark Currie is vice president and chief network officer of Cellcrypt Inc. 

NEXT STORY: Colonial Pipeline Forked Over $4.4M to End Cyberattack – But Is Paying a Ransom Ever the Ethical Thing to Do?

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.