Tuesday, 21 September 2010

Forrester’s Zero Trust model for security

Forrester is currently pushing its Zero Trust model for network security, which states that hosts on the corporate intranet should be untrusted in the same way as Internet devices. This makes a lot of sense, and can be implemented to various degrees according to the risk to your business. For instance, Windows clients should be isolated from one another using IPsec domain isolation. In most cases, there’s no reason why Windows clients should be talking to anything other than Windows servers.

The Zero Trust model can also be applied on the desktop: Least Privilege Security assumes that the user will eventually do something bad, often by accident and, less commonly, maliciously. Using virtualization technologies, we can work within the Zero Trust model but still give users the flexibility they need to install applications and experiment with different configurations.

1 comment:

Ross_Dyer said...

Having worked with security filtering technologies for so long, it’s good to see there is serious momentum around tackling least privilege. There are so many examples of how ignoring it doesn’t make sense. I have recently seen a Verizon report that indicated 48% of data breaches being a result of misused privileges. Too often, though, you see customers struggling against even the basic step of removing local admin rights from Windows users. This is mainly due to a lack of native tools from Microsoft to manage the pain of switching to standard user profiles. Virtualisation seems to be a buzzword for resolving the issue with legacy apps, but too many just aren’t designed for virtualisation and with some it just doesn’t make sense to even try. Also, administrator password management for databases, which the Forrester article highlights, is high on the list of privilege lockdown priorities.

Of course zero trust is unfortunately the only way to look at managing networks, especially with everyone having access to the dangers of the web. There are so many benefits towards embracing cloud technologies, that no matter how well you protect your front door, with firewalls, web/email and DLP filtering technologies, if you have users with more privileges than required this increases substantially your susceptibility to vulnerabilities and compromise.

Working at BeyondTrust I have seen customers successfully make the step and remove admin rights as well as secure admin password access with 2 of the products from our portfolio. There is even the offer of a free version of the Windows Desktop solution so a customer can dip their toe into elevation of applications and Windows tasks that require admin rights, but make sense for some standard users to still execute.