I can’t think of a more appropriate topic to discussion as part of Cybersecurity Awareness Month than zero trust security. Underneath the U.S. Department of Commerce, the National Institute of Standards and Technology (NIST) organization has been quite involved in documenting best practices for several cybersecurity topics, including zero trust. As part of that service, the cybersecurity team published a foundational piece labeled as 800-207.
There are a couple of reasons why I think NIST’s zero trust architecture (ZTA) publication offers real value to organizations looking for guidance as they identify ways to raise their security posture while minimizing the usability hit for their users. Initially, as a response to a trend of organizations allowing BYOD devices on the intranet, there was also a broadening of the types of users granted remote access to internal services. Gone were the days of just specialized professionals such as road warriors needing access to the intranet. Rather, over time it broadened out to all sorts of user profiles, including contractors and even partners. The castle–moat paradigm was growing increasingly porous.
NIST brings a couple of important perspectives to the zero trust (ZT) discussion:
- When Forrester coined a set of security practices as zero trust, their description was network-focused, advocating network segmentation. NIST raises ZT to the application layer security solutions that can more easily tie information access to an identity.
- At a time when vendors are labeling what they currently have on their price sheet as ZT, NIST provides boundaries on what is considered ZT related technology and what is simply marketing. They do this by categorizing and describing security capabilities included in their ZTA model.
When ZT was first introduced, cloud-based services (IaaS, PaaS & SaaS) were starting to get noticeable attention. Today, the cloud paradigm shift is mainstream, making identity the best fit as the new security perimeter, especially in conjunction with BYOD trends. It’s this shift that brings Identity and Access Management (IAM) front and center into NIST’s ZT practices. As such, let’s review several of NIST’s 800-207 concepts and map them to what the NetIQ portfolio offers.
800-207 Key ZT Tenets
The NIST report states that the intent of a ZTA is to “ensure that the subject is authentic and the request is valid.” Below are NIST’s tenets and descriptors.
Tenet 1 – All data sources and computing services are considered resources.
This perspective speaks to the breadth of resources that fill an organization's digital environment and ultimately need to be secured. While the NetIQ portfolio doesn't secure routers and firewalls, there is a lot that it accounts for:
- Identity Manager (IDM) enables organizations to manage the identities of a wide variety (systems, services, applications, databases, ERPs, business suite services, etc.) to secure access to as many as billions of resources. IDM is event-driven and is best of breed, normalizing identity information across disparate resources, even IoT devices, although it may need the help of professional services.
- Identity Governance (IG) raises IDM's management capabilities to the business level to provide a business view of controlling and reporting who has access to what. Organizations can also improve their security posture by automating the request and approval process. Don't forget that folders and files are resources as well. Data Access Governance can extend IG's reach to those resources as well.
- Servers and their systems are resources are well. Privilege Account Manager offers ZT-level security practices to administrators who are frequently left unaccounted for and too often and the source of severe damage to an organization.
- Microsoft-centric shops will be surprised how far Directory & Resource Administrator and AD Bridge can be leveraged to the advantage of Active Directory (including Azure AD) to provision, automate, and delegate access to protected resources integrated with Active Directory.
- Here is where it gets even more interesting. While the list above allows zero trust principles to be applied to the protected resource, the Risk Service takes information gathered from Access Manager (NAM) or Advanced Authentication (AA). Device fingerprinting technologies gathered through NAM can be used to indicate whether the device used to request access is familiar or foreign. Whether it's it being used where it's expected? If AA is part of the configuration, geolocation can be narrowed down to a campus or even a building. Even if the device is familiar, behavioral analytics can be added to indicate that its true owner is using it to gain access.
- To move down to the client even more aggressively, don't forget Micro Focus ZenWorks.
Tenet 2 – All communication is secured regardless of network location.
Certainly, the reality of remote access and cloud-based services has moved this tenet to the forefront, and Access Manager’s gateway can address a large portion of an organization’s needs. This is important because plain federation does not address this tenet. Let that sink in. Federation alone between a service provider and its identity provider does not address this tenet. Rather, after the requester has been authenticated, the communication then transitions purely between the SP and its consumer. Access Manager’s gateway offers more because all communication with it is secured, including:
- Communication between the gateway and the IdP (identity provider)
- When the gateway is placed in front to secure otherwise under-protected resources
In addition to the gateway included in Access Manager, the optional API gateway add on provides the same type of protection at an API level. Beyond secure communications, Secure API Manager enables organizations to segment production traffic from sandbox sessions, ensuring a higher level of API security as well as protection against unexpected performance degradation. It also allows IT teams to spot anomalies.
While many readers undoubtedly know about Access Manager’s gateway capabilities, few remember MobileAccess. MobileAccess allows mobile devices to execute containerized applications from their smartphone. Beyond the secure communications of this second tenet, MobileAccess also enables quick onboarding of dynamic web-based applications to be consumed as a mobile app mark. Not only is it minimal effort to onboard a web app onto Access Manager’s gateway, but the security benefits of this configuration are quite robust:
- All communication is fully secured.
- No mobile device ever interacts directly with the web app protected by the gateway.
- The NetIQ MobileAccess, available on iOS and Android, runs as a secured container on the device.
- No data ever resides on the mobile device, meaning that MobileAccess could be used to comply with ZT initiatives or government security mandates.
Of course, the NetIQ portfolio offers SDK’s for native mobile apps, but for especially sensitive information, MobileAccess is an excellent option.
Tenet 3 – Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
For those who are familiar with the 800-207 publication, you may have noticed that my tenet 3 maps to NIST’s number 4. That’s because it’s easier to visualize the next tenet after you have walked through this one. As for this tenet, how many solutions do you know that do this or do it well? NetIQ does. In fact, this use case is an example of the advantages of taking a platform approach to identity and access management (IAM). It’s an important point because many organizations take a piecemeal approach to IAM, which limits their ZTA. Here is a use case for consideration:
- As part of onboarding your resources onto Identity Governance, you assign an inherent risk score for them.
- Identity Governance risk information can be fed into the Rick Service, which is designed to service the entire NetIQ platform.
- At the time of access, the risk service can calculate the total risk of the request:
- Strength of the authentication
- Behavior analytics
- Inherent risk of the resource itself
This is unique to the NetIQ portfolio. While many solutions measure risk based on context, fewer can supplement it with a robust behavioral analytics engine. The ability to include a concrete risk score of the resource itself in the just-in-time, total risk score is a one and only from NetIQ.
Now extending the previous use case to programmatic access (microservices or native mobile apps) well, and you have an additional unique ZTA model that expands resource protection significantly beyond most implementations. Here are a couple of extra options to further enhance the use case:
- Even though it is typically underutilized, the Advanced Authentication framework offers a wide library of available method integrations. The more authentication options that an organization deploys in their environment, the more options they’re able to offer users in different situations or chains together. A robust authentication framework significantly enhances the above use case.
- Extending this use case further, integrating Data Access Governance with Identity Governance adds unstructured data (namely files) to the set of the protected resource.
Tenet 4 – Access to individual enterprise resources is granted on a per-session basis.
With the background of my tenet 3 (NIST’s tenet 4), let’s examine how its dynamic information can lead to more sophisticated (potentially more secure and/or higher usability) implementation of “per-session” access to resources. This tenant requires that each access request be evaluated before it is granted, and then managed until it is terminated. This is a big deal. I don’t think organizations have connected the dots here on how much this tenet affects their IAM design, so let’s walk through how it can be fulfilled with NetIQ products.
With the key phrase for tenet 3 being “per-session,” it’s noteworthy that Access Manager’s gateway is an essential component for meeting that zero trust requirement. The gateway is far more secure than a simple relying party/identity provider paradigm found in a pure federation model because after the requester’s ID has been verified, it maintains control of the session:
- Before the user is prompted for verification, risk factors can be referenced to control what authentication level is required. Higher risk scores may impose a stronger authentication model such as multifactor.
- If the vulnerability risk warrants it (tenet 3), the gateway can enforce security policy at the point of additional access request within the session.
- Potentially imposing another identity verification.
- Restrict authorization within that session.
- Terminate session.
Tenet 5 – The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
This tenet can be a little confusing, so here is some additional clarification:
“An enterprise implementing a ZTA should establish a continuous diagnostics and mitigation (CDM) or similar system to monitor the state of devices and applications.”
This tenet spans disciplines outside of the NetIQ portfolio:
- For endpoint security, ZENWorks monitors and secures PCs. For network components, you will have to look outside of Micro Focus.
- The ArcSight portfolio does a great job monitoring, identifying, and responding to threats across your environment.
Tenet 6 – All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
The NetIQ portfolio swims deep into the enforcement of this tenet. First, let’s delve a little deeper into the details of this tenet –
“This is a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually reevaluating trust in ongoing communication… Continual monitoring with possible reauthentication and reauthorization occurs throughout user transactions, as defined and enforced by policy (e.g., time-based, new resource requested, resource modification, anomalous subject activity detected) that strives to achieve a balance of security, availability, usability, and cost-efficiency.”
NIST describes the breadth of dynamic enforcement covers quite well. Here is where NetIQ accomplishes them:
- When a user or programmatic request is made for a protected resource, the Risk Service can gather contextual information from the session or from other NetIQ products that can direct Access Manager or Advanced Authentication to match the authentication type(s) to the risk at hand. Providing adaptive security, Access Manager can use this dynamic information to control the authorization will be granted for the next request relative to the requester’s entitlements.
- The Risk Service’s Behavioral Analytics add-on can consume information from various NetIQ products to calculate whether or not the context and access requests made indicate an impostor and raise the score in the Risk Service accordingly.
- Advanced Authentication offers a rich library of methods to allow for the availability of best-fit authentication to balance usability with strength of verification
- Access Manager offers an access gateway that can be used to control sessions with protected resources:
- Can accept control requests from the Risk Service to restrict authorization or end session
- Delivers metrics to the Behavioral Analytics extension
- Supports an API security gateway add-on to secure programmatic access (microservices, native mobile apps)
Tenet 7 – The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
While the NetIQ portfolio doesn’t fully address this ZTA tenet by itself, this tenet is another call out to ArcSight portfolio within CyberRes, a Micro Focus line of business. Having said that, it’s important to know that some of NetIQ’s products, including Access Manager, Privileged Account Manager, SecureLogin, and Advanced Authentication gather information about the identities that it is either servicing or managing. A few examples:
- Privileged Account Manager can monitor specific requests and commands that administrators perform as they interact with backend systems in an administrator role.
- Advanced Authentication can GSM location information to determine what kind of authentication experience is required for the user to verify their identity.
- Access Manager can gather a list of contextual information about the user’s location and device and what he or she is accessing.
Beyond these silos of information, the Behavioral Analytics add on for the Risk Service can assimilate all of the information references above to calculate that the identity is what he claims.
More Zero Trust Fodder
If you haven’t been there in the past few months, check out NetIQ Unplugged on YouTube for zero trust related content. Be sure to review the Universe sessions listed there. Also, this white paper, The Next Generation of Access Control, describes how to add adaptive capabilities into your access management, one of the tenets to zero trust.