Zero Trust Security

According to the JumpCloud 2021 State of the SME IT Admin Report, Zero Trust security has already been adopted by 24% of surveyed organizations and another 33% plan to adopt it. Inevitably, all organizations will need to adopt Zero Trust security sooner rather than later.

At its core, Zero Trust is a simple concept: trust nothing, verify everything. This approach emerged as a response to the inadequacies of perimeter-based security in the face of distributed networks. On-prem environments were well-suited to a perimeter security model, where the building provided a layer of physical security and the network was similarly guarded by a physical security perimeter made up of firewalls, antivirus software, and VPNs protecting the crown jewels within the network. However, perimeter-based security proves inadequate in protecting distributed environments.

With Zero Trust security, devices and identities are never intrinsically trusted and are required to authenticate their identities before they’re authorized to access any resource. This goes beyond traditional perimeter-based security, which only verifies identities before granting them access to the central network; once inside, users maintain their level of trust and only need to abide by the security that each resource prescribes independently. This relies on individual resources to uphold sufficient security, becomes time-consuming for the end-user, and complicates management significantly. Zero Trust is an absolute necessity when it comes to securing your organization’s data in a distributed environment. Breaching one perimeter is much easier for cyber attackers than having to authenticate at every point of entry on your network.

Establishing Zero Trust in a Distributed Environment

As Zero Trust was designed to address the issues of a distributed environment, Zero Trust–based tools and tactics go hand-in-hand with remote and hybrid-remote environments. They help establish identity-driven policies and take a holistic approach to security. The following tools and tactics are recommended steps to implementing Zero Trust in a distributed environment.

Segmentation

Network and infrastructure segmentation can play critical roles in attack mitigation. However, segmentation should be strategic and complementary to environments and workflows to avoid siloing and unnecessary information dispersal. While centralization is beneficial to maintaining data integrity and unification, segmentation in moderation can regulate data access and minimize damage from breaches.

VLAN segmentation, for example, is a common method for securing WiFi networks. Admins segment networks based on roles and permissions, following PoLP. Some directories can facilitate dynamic VLAN provisioning, automatically assigning users to the appropriate network based on their permissions.

Encryption

Data should always be encrypted in transit and at rest. Ensure your directory uses secure, encrypted protocols for authentication and authorization, and check the encryption policies on other applications—especially those used to store or share information, like collaboration and file-sharing tools.

In addition, require all devices on the network to enable full-disk encryption. Some directory services with device management capabilities allow you to enable and enforce this policy remotely.

Testing

Organizations should conduct periodic security testing to ensure ongoing security. We recommend the following tests and checks. These suggested frequencies are minimums; always err on the side of too often than not often enough:

• Phishing tests: once per quarter.

• Penetration tests: once every six months.

• Vulnerability scans: once per quarter; every other vulnerability scan can fall under the scope of a penetration test.

• Full-risk assessments: once every six months, or when new technology is added to your stack.

• Application-specific security checks: frequency varies by application. Mission-critical ones, like your directory, should be checked at least once per quarter.

Redundancy

On principle, your IT infrastructure should never be subject to a single point of failure. Redundant infrastructure reduces downtime, protects data, and recovers quickly when facing a breach. This requires systems like data backups, high-availability (HA) clusters, and WAN failover configurations. To optimize your redundant setup, identify all mission-critical functionality, and make sure it’s prioritized in your backup configurations.

Redundancy configurations are sometimes described in terms of N, where N is the single-point-of-failure infrastructure. Thus, an N + 1 approach supplements the infrastructure with one independent backup point; 2N duplicates the entire infrastructure. Lean IT teams often take an N + 1 approach, but 2N is more secure and preferable. Even better, 2N + 1 duplicates the entire infrastructure and adds another independent backup point.

For any data you store on premises, the 3-2-1 backup rule is a good baseline to use to ensure the data is sufficiently backed up with redundancy: store three copies of your data on at least two different types of media, with one copy of your data stored off site.

Redundancy and backups are especially important in distributed environments, which are fully reliant on cloud infrastructure availability and uptime. Fortunately, cloud providers often provide redundancy and failover as part of their offerings. Make sure all your providers guarantee high uptime and check your cloud provider’s SLA and policy on redundancy to ensure secure backups and prompt reaction to any issue or downtime.

Multicloud solutions can also provide redundancy with an extra layer of security: if one cloud provider is compromised, the data would still remain intact with the other provider as well. Organizations using multiple cloud providers might consider hosting their most critical data with more than one of the providers for a fail-safe.

Reporting and Review

As I discussed previously, unified and proactive reporting is key to supporting a distributed environment. There are a few tools and practices that can facilitate reporting, monitoring, and management:

SIEM (security information and event management)

SIEM can be helpful technology for creating automated alerts, helping IT respond quickly to issues, and preventing missed events of note.

Reporting tools included with existing solutions

In distributed environments, robust insights from cloud providers and cloud directory solutions can be especially useful.

Automated data exports

Automated exports of reporting data can help your team develop workflows around reviewing and storing insights.

Security-specific tools

There are many security tools on the market, from robust, AI-powered software that spans your entire infrastructure to more tailored and focused security tools for specific needs. Different tools can offer reporting, automatic alerts, intelligent automated response to suspicious activity, and more.

Contracting with a managed service provider (MSP)

Working with an MSP is becoming increasingly common in IT organizations; the JumpCloud 2021 State of the SME IT Admin Report found that 84% of the respondents were already engaged or planning to engage with an MSP. You can contract with an MSP for different levels of service; 24/7 monitoring and management is a popular service that helps supplement your IT team during and outside of your organization’s work hours.

Employee Training

Regardless of office setup or IT environment, employees need to know how to use the tools they’re given. This need is amplified when employees are working from different locations, often without in-person supervision. Skipping or downplaying employee training can lead to incorrect tool usage, shadow IT, and a lack of security best practices knowledge. This, in turn, creates inefficiencies, discrepancies, and security vulnerabilities.