{"id":16924,"date":"2023-02-06T14:32:57","date_gmt":"2023-02-06T13:32:57","guid":{"rendered":"https:\/\/www.show.it\/cyber-insights-2023-zero-trust-and-identity-and-access-management\/"},"modified":"2023-02-06T14:32:57","modified_gmt":"2023-02-06T13:32:57","slug":"cyber-insights-2023-zero-trust-and-identity-and-access-management","status":"publish","type":"post","link":"https:\/\/www.show.it\/en\/cyber-insights-2023-zero-trust-and-identity-and-access-management\/","title":{"rendered":"Cyber Insights 2023 | Zero Trust and Identity and Access Management"},"content":{"rendered":"<\/p>\n<div class=\"is-content-justification-center is-nowrap is-layout-flex wp-container-4 wp-block-group sw-cyber-insight has-background\">\n<div class=\"is-layout-constrained wp-block-group\">\n<div class=\"wp-block-group__inner-container\">\n<p><strong>About SecurityWeek Cyber Insights |<\/strong> <em>At the end of 2022,\u00a0SecurityWeek\u00a0liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today \u2013 and how these issues might evolve during 2023 and beyond. 
The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.<\/em><\/p>\n<\/div>\n<\/div>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"529\" src=\"https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Cyber_Insights-Logo-vertical-1024x529.png\" alt=\"Cyber Insights | 2023\" class=\"wp-image-32209\" srcset=\"https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Cyber_Insights-Logo-vertical-1024x529.png 1024w, https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Cyber_Insights-Logo-vertical-360x186.png 360w, https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Cyber_Insights-Logo-vertical-768x397.png 768w, https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Cyber_Insights-Logo-vertical.png 1456w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/figure>\n<\/div>\n<p><strong>SecurityWeek Cyber Insights 2023 | Zero Trust and Identity and Access Management (IAM) \u2013 <\/strong>Zero trust is not a replacement for identity and access management (IAM), it is an extension in extremis. It is the extension of IAM principles from people to everyone and everything, everywhere and anytime. The difficulties in IAM are retained but are complicated by the complexity of installing it everywhere.<\/p>\n<p>Nevertheless, zero trust is widely seen as an important part of effective cybersecurity. In 2023 we will see more vendors touting a complete zero trust product and\/or methodology, and more businesses attempting its implementation.<\/p>\n<p>Here we examine how this might progress through 2023.<\/p>\n<h2 class=\"has-medium-font-size\"><strong>Background<\/strong><\/h2>\n<p>Zero trust is a natural evolution from the realization that company networks no longer have a perimeter that can be defended. 
With no perimeter to defend, every asset needs to be individually protected, and every access needs to be individually verified. Location means nothing \u2013 access to anything from anywhere must always be verified before it is granted.\u00a0<\/p>\n<p>It is a short step from this to realize such verification should apply within the network as well as from outside: east-west (where it is also called \u2018microsegmentation\u2019) as well as north-south. Achieve this, and you have fulfilled the journey to zero trust.<\/p>\n<p>Zero trust is the replacement of a defensible data center perimeter with individual defensible asset perimeters \u2013 from one to potentially millions.<\/p>\n<p>The <a href=\"https:\/\/dodcio.defense.gov\/Portals\/0\/Documents\/Library\/(U)ZT_RA_v2.0(U)_Sep22.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">DoD Zero Trust Reference Architecture<\/a>, referred to in an OMB memorandum in January 2022, describes the concept: \u201cZero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the Internet) or based on asset ownership (enterprise or personally owned). Zero trust requires designing a consolidated and more secure architecture without impeding operations or compromising security. 
The classic perimeter\/defense-in-depth cybersecurity strategy repeatedly shows to have limited value against well-resourced adversaries and is an ineffective approach to address insider threats.\u201d<\/p>\n<p>The OMB memorandum goes on to state, \u201cThis memorandum requires agencies to achieve specific zero trust security goals by the end of Fiscal Year (FY) 2024.\u201d Two things are immediately apparent: firstly, there will be extensive activity within federal agencies through 2023 to fulfill this requirement (and associated vendor activity to help them achieve this); and secondly, it is no simple task. The trickle-down effect of federal mandates will ensure that adequately resourced private industry will follow.<\/p>\n<p>\u201cZero trust represents a fundamental shift in the way in which organizations view and approach risk (and in turn security),\u201d explains Chris Denbigh-White, cybersecurity strategist at Next DLP. \u201cMoving through 2023 many organizations are going to realize that zero trust is not so much a destination as a means of conducting the journey of information security. Yes, technology will play a vital role in this journey but should never be confused with the end of the conversation, or indeed the end of the journey.\u201d<\/p>\n<p>It is worth noting that some vendors call their preferred route to zero trust \u2018zero trust network access\u2019 (ZTNA). You can get further details on ZTNA <a href=\"https:\/\/www.securityweek.com\/history-and-evolution-zero-trust\">here<\/a> \u2013 but within this article we will treat the two terms (zero trust and ZTNA) interchangeably.<\/p>\n<h2 class=\"has-medium-font-size\"><strong>Problems and issues for 2023<\/strong><\/h2>\n<p>\u201cThe most common mistake organizations make deploying zero trust or microsegmentation is underestimating the complexity of their network,\u201d says John Yun, VP of product strategy at ColorTokens. 
\u201cAn effective zero trust implementation requires the knowledge of all servers, applications that run on the servers, and users authorized to use those applications.\u201d<\/p>\n<p>Matthew Carroll, CEO and co-founder of Immuta, warns that zero trust should not be considered a complete solution on its own. The problem that it seeks to solve is partly due to the massive increase in data sharing that has arisen through the growth of cloud-based SaaS infrastructures. This will result in an increase in data processing agreements (DPA) between companies and SaaS providers. \u201cIn 2023, we\u2019ll see DPAs become a standard element of SaaS contracts and data sharing negotiations.\u201d<\/p>\n<p>He still fears that zero trust alone will not provide adequate security. \u201cIn 2023 we\u2019ll see a major shift in data security architecture. This will include proper access controls that effectively balance access and security.\u201d But he adds, \u201cZero trust won\u2019t work using traditional approaches because there are too many endpoints.\u201d Implementing a zero trust approach for access must still be integrated with adequate anomaly detection \u2013 zero trust for access should not be at the expense of internal visibility.<\/p>\n<p>The effect of Covid-19 has increased the importance of a zero trust architecture. \u201cThe Covid-19 pandemic ushered in a new era of remote and hybrid working,\u201d says Craig Lurey, CTO and co-founder at Keeper Security. \u201cThe explosion in the sheer number of endpoints, with an increasing amount of them accessed remotely, requires a higher level of security to tackle growing online threats. Under this new normal, zero trust is now the only realistic and comprehensive framework for securing modern, cloud-based data environments and distributed workforces.\u201d<\/p>\n<p>Joseph Carson, chief security scientist at Delinea, adds, \u201cA zero trust approach will become more essential than ever as the transformation continues. 
Employees should have access only to what they need to efficiently do their job. This will ensure that an attacker\u2019s ability to move within the larger business network is limited and the attack surface reduced.\u201d But he also notes that this could raise privacy issues if employers impose conditions on personally owned computers.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.securityweek.com\/wp-content\/uploads\/2022\/07\/Zero-Trust_ZTNA.jpeg\" alt=\"Zero Trust Security\" width=\"450\" height=\"225\"><\/figure>\n<\/div>\n<p>\u201cIt appears remote work is here to stay and will increase into 2023,\u201d says John McClurg, SVP and CISO at BlackBerry. \u201cEnterprises should look to adopt a zero trust architecture and security model to truly secure their remote workforces. This model is defined by trusting no one and absolutely nothing by default \u2013 including users inside an actual network. By assuming every user, device or network is hostile, zero trust security forces everyone to prove who they are before access is authorized.\u201d<\/p>\n<p>The urgency of the pandemic and the consequent rush to implement remote working is in many cases causing problems for the integration of an overarching zero trust solution. \u201cThe majority of organizations today still struggle with allowing explicit access to applications and enforcing zero trust policies across their business. In fact, over 80% of organizations have found it difficult to implement a zero trust model, and that has a lot to do with the fact that many organizations have hybrid IT architectures,\u201d explains Peter Newton, senior director of products at Fortinet.<\/p>\n<p>The problem is that it is too cumbersome to have one set of policies for on premises and an entirely different set of policies for the cloud. 
Consequently, he says, \u201cIn 2023 we will see more IT teams shift to incorporate ZTNA across the entire network \u2013 from cloud to on-premises \u2013 for universal coverage under a single solution. And as ZTNA begins to go mainstream in the enterprise, we\u2019ll start to see organizations transition away from a pay-per-user model and start to bake ZTNA directly into their security architecture for a more seamless and consistent user and management experience.\u201d<\/p>\n<p>At its root, zero trust is a major extension of identity and access management (IAM) \u2013 but IAM itself is a problem that has never yet been completely solved. \u201cOrganizations are still learning the concept of <a href=\"https:\/\/www.securityweek.com\/rising-threat-stemming-identity-sprawl\">identity sprawl<\/a> and the scale of their technical debt, which means that companies are just starting to realize the scale of the challenge,\u201d comments Wade Ellery, field CTO at Radiant Logic.\u00a0<\/p>\n<p>\u201cIn 2023, we are going to see more and more businesses slow down to speed up \u2013 they\u2019ll recognize they need to put in an identity data foundation before they can justify building new, revenue-oriented projects that demand access to identity.\u201d<\/p>\n<p>For zero trust, he added, \u201cAs we move into 2023, senior decision-makers and security teams are discussing how they can achieve a granular-approach in real-time, and ultimately, they will come back to the issue of identity data management.\u201d<\/p>\n<p>More and more companies are recognizing the theoretical security benefits of zero trust and are starting their own journeys. In 2023, the difficulties in doing so will become more apparent \u2013 but it\u2019s not all doom and gloom. \u201cTo a certain extent, factors such as internal politics, talent shortages, and economic conditions play a role in any IT project,\u201d comments Hendra Hendrawan, security technical councilor at the Info-Tech Research Group. 
\u201cStill, organizations with a good IT or cybersecurity strategy should embark on the zero trust journey with fewer frictions.\u201d<\/p>\n<p>At a high level, he says a successful IT implementation generally consists of well-documented processes, good selections of technology, and great talents. \u201cCouple these with a solid security strategy, and achieving a zero trust architecture should not be a question of how but of when.\u201d<\/p>\n<p>That \u2018when\u2019 will be many years in the making. \u201cZero trust is a security model, not a product. Adopting zero trust across an enterprise requires careful planning and the use of complementary, multi-vendor solutions,\u201d warns Torsten Staab, principal engineering fellow at Raytheon Intelligence and Space. \u201cFor many organizations, adopting zero trust security will be a multi-year journey. Establishing a solid zero trust strategy up front and developing a phased, step-by-step implementation plan to avoid boiling the ocean and losing focus will be key to a successful zero trust implementation.\u201d But for 2023, he added, \u201cLook for additional zero trust implementation guidance and recommendations from NIST and CISA.\u201d<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><a href=\"https:\/\/www.securitysummits.com\/event\/zero-trust-strategies-summit\/\" target=\"_blank\" rel=\"noreferrer noopener\"><img decoding=\"async\" src=\"https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Zero-Trust-Strategies-Event-1024x576.jpeg\" alt=\"Zero Trust Strategies Summit\" class=\"wp-image-26433\" width=\"500\" srcset=\"https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Zero-Trust-Strategies-Event-1024x576.jpeg 1024w, https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Zero-Trust-Strategies-Event-360x203.jpeg 360w, https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Zero-Trust-Strategies-Event-768x432.jpeg 768w, 
https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Zero-Trust-Strategies-Event-600x337.jpeg 600w, https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Zero-Trust-Strategies-Event.jpeg 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\"><\/a><figcaption class=\"wp-element-caption\"><a href=\"https:\/\/www.securitysummits.com\/event\/zero-trust-strategies-summit\/\">Zero Trust Strategies Summit\u00a0 | Virtual Event \u2013 April 12, 2023<\/a><\/figcaption><\/figure>\n<\/div>\n<h2 class=\"has-medium-font-size\"><strong>IAM issues<\/strong><\/h2>\n<p>Foundational to implementing zero trust will be solving the existing IAM problems \u2013 and that will not be easy. The traditional approach has been to implement basic MFA involving a second-factor token delivered via a mobile phone \u2013 but such MFA is frequently broken by hackers.\u00a0<\/p>\n<p>\u201cMy prediction for 2023,\u201d says Ben Brigida, director of SOC operations at Expel, \u201cis that we will witness an increase in MFA push notification <a href=\"https:\/\/www.securityweek.com\/high-profile-hacks-show-effectiveness-mfa-fatigue-attacks\">fatigue attacks<\/a>. Why? Because they\u2019re working. More and more, organizations are turning to cloud access identity providers for single sign-on capabilities. Attackers know that if they can get their hands on credentials for these platforms, they\u2019ll get access to critical business applications\u2014not just email. So, they\u2019re sending multiple push notification requests to users and hoping the user will just approve one to make the notifications stop.\u201d<\/p>\n<p>Chris Vaughan, VP technical account management, EMEA and South Asia at Tanium, calls this an MFA push exhaustion attack. \u201cThis is where an attacker sends a large number of MFA acceptance prompts to users\u2019 phones which may cause them to click accept to stop the barrage of requests. 
This has been largely successful in gaining access to user data and accessing IT environments.\u201d<\/p>\n<p>\u201cOnce considered a \u2018silver bullet\u2019 in the fight against credential stuffing,\u201d adds Marcus Fowler, CEO of federal government for Darktrace, \u201cit hasn\u2019t taken attackers long to find and exploit weaknesses in MFA and they will continue to do so in 2023.\u201d<\/p>\n<p>John Stevenson, senior product director at Cyren, expands on the problem: \u201cPhishing will remain an unsolved problem leading to countless account takeover attacks. As businesses enable MFA, phishers will update their tactics to defeat additional verification steps like one-time codes sent to phones or email addresses. So-called strong authentication methods that rely on mobile phones and email accounts (that were never intended to be identities) will be the first to prove insecure for high-risk use cases. Passwordless authentication won\u2019t yet solve these issues due to insufficient lifecycle management solutions and incompatibility with legacy systems.\u201d<\/p>\n<p>John Pescatore, director of emerging security trends at SANS, sees an additional phone-based threat to identity management. \u201cWhile mobile phones are more secure than desktops,\u201d he comments, \u201cwe will also see a greater volume of stalkerware included in downloaded apps that target consumers.\u201d\u00a0<\/p>\n<p><a href=\"https:\/\/www.securityweek.com\/google-says-nso-pegasus-zero-click-most-technically-sophisticated-exploit-ever-seen\">Pegasus<\/a> spyware is a prime example of this threat \u2013 it can install itself on iOS and Android devices with zero clicks. 
Hackers are also creating malicious <a href=\"https:\/\/www.securityweek.com\/rare-android-stalkerware-can-steal-data-control-devices\">stalkerware<\/a> apps and hiding them in app stores.\u00a0<\/p>\n<p>\u201cAs people become more accustomed to downloading family tracking software and giving away app permissions, the risk of having their keystrokes, locations, voice, and even photos and videos recorded for financial theft and other nefarious purposes will also increase.\u201d<\/p>\n<p>If second-factor one-time codes and passwordless authentication are not the solution to the IAM issue, an alternative must be found. Many have been suggested, from physical biometrics (including touchless fingerprinting) to behavioral biometrics and more.<\/p>\n<p>\u201cTouchless fingerprinting will emerge as the top authentication method,\u201d claims Chase Hatcher, VP of technology and innovation at Telos. \u201cIn 2023, organizations with a pre-existing fingerprint database infrastructure will increasingly turn to touchless fingerprinting to perform remote biometric identity verification\u201d, he says. \u201cWith regards to authentication, we\u2019ll see identity platforms backed by multi-modal true biometrics face and fingerprint and \u2018convenience biometrics\u2019 embedded mobile solutions like faceID and touchID emerge.\u201d\u00a0<\/p>\n<p>\u201cIn 2023, more people will protect their critical accounts with methods other than logins and passwords,\u201d adds Ricardo Amper, founder and CEO at Incode. \u201cWhen creating accounts, they will provide multiple factors such as biometrics, government-issued identity documents, and information from reliable sources to prove their identities. When authenticating access to these accounts, they will use biometrics, providing more security for their private data.\u201d<\/p>\n<p>Donnie Scott, CEO at Idemia, has a more specific US identity prediction for 2023. 
\u201cIn 2023, every jurisdiction that issues an identity will have deployed, be in the process of deploying, or considering the deployment of a digital form of mobile identity\/mobile-driver\u2019s license. Arizona was the first US state to adopt mobile IDs followed by Oklahoma, Delaware, and Mississippi. Up to 30 states, including Colorado, Hawaii, Ohio, and the territory of Puerto Rico, are in the process of making mobile IDs available to their residents. We will only see this increase.\u201d<\/p>\n<p>He is very upbeat about the potential. \u201cThe benefits of this model, where biometrics meets identity, are a citizen-controlled assertion of identity, backed by the Government\u2019s high standard of proof against who that person is. This combination results in a high assurance, privacy protected model.\u201d<\/p>\n<p>But the problem for this, and virtually every other means of remote identification, is that ultimately it identifies a mobile phone and not necessarily the owner or current user of that phone. A compromised phone can still lead to a compromised identity. Absolute proof of personal identity for perfect zero trust is very difficult.\u00a0<\/p>\n<p>And we haven\u2019t even mentioned machine identities, which are equally important in a zero trust architecture, and present their own problems.<\/p>\n<h2 class=\"has-medium-font-size\"><strong>Summary<\/strong><\/h2>\n<p>\u201cModern security solutions that remove the implicit trust from users, devices, services, and workloads, regardless of the location will become the norm,\u201d says Stefan Schachinger, product manager network security at Barracuda. \u201cThe \u2018context\u2019 of who, what, when, where, and how will become key security components in a world of continuous zero trust evaluation that will defend against ever more stealthy threats. In 2023, just detecting and blocking malicious events will no longer be sufficient. 
You need to investigate and remediate everything.\u201d<\/p>\n<p>Achieving a solid zero trust architecture won\u2019t happen overnight. It\u2019s not a product you can buy and run. It will require the integration of different security solutions \u2013 some of which may already be present while others will need to be purchased, implemented, and integrated, seamlessly. Many companies will start the journey in 2023, and many others will make progress \u2013 but getting close to the destination will probably take years.<\/p>\n<p>Nevertheless, \u201cZero trust represents a new cybersecurity paradigm that offers numerous benefits to organizations of all sizes and industries. Deploying a zero trust approach to access management can be especially effective, creating a virtual \u2018locking of shields\u2019 between governments and the private sector,\u201d says McClurg. \u201cThis allows for closer cooperation to better protect critically important infrastructure and services.\u201d<\/p>\n<p>\u201cI like to keep this stuff abstract,\u201d Steve Riley, field CTO at Netskope, told <em>SecurityWeek<\/em>. \u201cI want to eliminate implicit trust from every layer: from the network, from applications, from virtual machines and from the data objects. 
Instead, I want the situation where every interaction is mediated by something, and the level of confidence in that interaction is measured by the context and the signal surrounding.\u201d<\/p>\n<p><strong>Related<\/strong>: <a href=\"https:\/\/www.securityweek.com\/history-and-evolution-zero-trust\/\">The History and Evolution of Zero Trust<\/a><\/p>\n<p><strong>Related<\/strong>: <a href=\"https:\/\/www.securityweek.com\/white-house-publishes-federal-zero-trust-strategy\">White House Publishes Federal Zero Trust Strategy<\/a><\/p>\n<p><strong>Related<\/strong>: <a href=\"https:\/\/www.securityweek.com\/demystifying-zero-trust\">Demystifying Zero Trust<\/a><\/p>\n<p><strong>Related<\/strong>: <a href=\"https:\/\/www.securityweek.com\/universal-ztna-fundamental-your-zero-trust-strategy\">Universal ZTNA is Fundamental to Your Zero Trust Strategy<\/a><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.securityweek.com\/zero-trust-and-identity-and-access-management-insights\/\">Cyber Insights 2023 | Zero Trust and Identity and Access Management<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.securityweek.com\/\">SecurityWeek<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>About SecurityWeek Cyber Insights | At the end of 2022,\u00a0SecurityWeek\u00a0liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today \u2013 and how these issues might evolve during 2023 and beyond. 
The result is more than a dozen features on subjects ranging from AI, quantum [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":16925,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[143,187,31,188,34,94],"tags":[],"class_list":["post-16924","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyberinsights2023","category-iam","category-identity-access","category-microsegmentation","category-network-security","category-zero-trust"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16924","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/comments?post=16924"}],"version-history":[{"count":0,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16924\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media\/16925"}],"wp:attachment":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media?parent=16924"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/categories?post=16924"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/tags?post=16924"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}