At Symantec, a division of Broadcom, we understand that the world gets more complex by the minute. That’s doubly true for network security as applications live in clouds and edges, perimeters are disappearing, and users are working across the globe.
The situation is fragmented. It’s worth taking a page from shipbuilders: segment security platforms into air-tight compartments. A ship uses them to contain a hull breach and avoid sinking. A modern network architecture needs compartments for much the same reason, and an “air-tight” security posture is worth striving for.
Up to now, security protocols have asked a user who they are and, after a single multi-factor authentication (MFA) check, let them in. It’s a one-time test, and after that, a user can generally move freely in the network environment. The new thinking requires us to observe and continually evaluate user behavior in real time – and to ask more questions.
Trust No One
While that may seem severe, it all rests on properly defining partitions by need or use. We all have finite resources and need to determine: who has the right to gain access? And when do I cut off or reduce access?
Protecting resources is nothing new. The daily limit on the amount of cash you can withdraw from a regular retail checking account via ATM is a practical example of balancing security and convenience. Security comes first.
Practicing Zero Trust, or more specifically applying risk controls, enables the balance of security and usability. While we assume a breach can take place, the damage caused can be contained within understood parameters and remediation policies. This enables businesses to then categorize risk by different dimensions such as cost, reputation, user satisfaction, and productivity, and create Identity and Access Management policies accordingly.
The ability to observe an identity as it moves from one channel to another enables an enterprise to achieve two very important goals.
First, to continuously authenticate or validate existing sessions of an identity to ensure each is still valid, has not been revoked, and still has the necessary privileges to access the desired resources. This also makes it possible to construct a seamless audit trail for forensic or non-repudiation purposes.
Second, a business is then maximizing the user experience by ensuring the most seamless interoperability possible, preventing multiple sign-ins and overlapping/redundant session timeouts.
Applying Zero Trust principles makes authorization truly adaptive and smarter, by leveraging such information as User Context, Application Context, and Device Context. Is the user on a seldom-visited application from a novel device at an odd time? It pays to be suspicious.
Typical authorization decisions do not evaluate a user’s ongoing validity. That’s problematic, as that identity may be experiencing hijacking or replay attempts. Nor do they take into consideration the level of assurance to which the identity was authenticated. That opens the door to breaches based on stolen identity credentials.
When achieving Zero Trust, it is important to also pay attention to the “confidence factor,” or by extension, the “risk factor.” This metric determines how much trust is required in order for Identity and Access Management protocols to execute, which in turn leverages risk-based IAM policies to define expected behavior.
The end result is explicit verification predicated on understanding the risk of any given transaction or process. When the risk is low, the impact of a breach is lessened and certain verifications could be optional. On the other hand, when the risk is high, a breach can be highly problematic and must be mitigated by additional verification steps.
This approach balances the need for security with the need for convenience and agility. For example, an account that belongs to an administrator with a panoply of sensitive entitlements must be guarded by a strong authentication policy with mandatory MFA. On the other hand, a self-service request for an application-level entitlement may be approved automatically as long as the user’s peer group has the same level of access.
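One way to encode the context-based risk factor and step-up rules described above, as an added example that is not Symantec's code: the weights, thresholds, field names and the peer-group approval check are all assumptions chosen to illustrate the idea.

```python
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical weights and thresholds; a real deployment tunes them
# against its own risk appetite and observed user behavior.
STEP_UP_AT = 50   # risk score at which MFA is required if not yet completed
DENY_AT = 90      # risk score at which the transaction is refused outright

@dataclass
class AccessContext:
    user: str
    application: str
    device_id: str
    known_devices: frozenset     # device context: devices previously seen for this user
    app_visits_90d: int          # application context: visits in the last 90 days
    hour: int                    # local hour of the request, 0-23
    mfa_completed: bool          # assurance level of the current session
    is_admin: bool               # account holds sensitive entitlements

def risk_score(ctx: AccessContext) -> int:
    """Combine user, application and device context into one risk factor."""
    score = 0
    if ctx.device_id not in ctx.known_devices:
        score += 40                       # novel device
    if ctx.app_visits_90d < 3:
        score += 20                       # seldom-visited application
    if ctx.hour < 6 or ctx.hour >= 22:
        score += 20                       # odd time of day
    if ctx.is_admin:
        score += 30                       # blast radius of a hijacked admin session
    return score

def authorize(ctx: AccessContext) -> str:
    """Return 'allow', 'step_up_mfa' or 'deny' for a single transaction."""
    score = risk_score(ctx)
    if score >= DENY_AT:
        return "deny"
    # Admin accounts always need MFA; other users need it once risk is elevated.
    if not ctx.mfa_completed and (ctx.is_admin or score >= STEP_UP_AT):
        return "step_up_mfa"
    return "allow"

def auto_approve_entitlement(requested: str, peer_entitlements: list) -> bool:
    """Self-service request is approved only if every peer already holds it."""
    return bool(peer_entitlements) and all(requested in p for p in peer_entitlements)
```

Because `authorize` is evaluated per transaction rather than once at login, the same session can be stepped up or cut off when its context changes mid-session.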
The good news is that you can leverage Zero Trust solutions no matter what your IT infrastructure looks like: all it takes is implementing the right process within those security solutions. To better determine where you are on your Zero Trust journey, you can take Symantec’s assessment of your current authentication environment.