Zero Trust Security Model – How BeyondTrust Can Help

Chad Erbe, Professional Services Architect, BeyondTrust
February 22nd, 2018

What is Zero Trust?

The simplest description of Zero Trust is that nothing in a network environment should be trusted until it is validated against a list of known values. This means users, systems, and processes are all validated prior to any action being authorized, whether that is a login (access), an automated process, or a privileged activity (authorization).

Using this approach, nothing in the network is assumed to be trustworthy until it has been verified. Even when a process or command is validated, strong controls are put in place to ensure that any potentially damaging activities are tightly restricted to limit possible damage to revenue generating systems.

Cyberwarfare differs from the traditional warfare models that most people understand in one significant way – it is entirely defensive in nature, and there are no offensive capabilities in a corporate environment. Unfortunately, within the realm of legality, the only option for corporations is to be able to withstand an attack from an external adversary. Developing defensive strategies, and monitoring the perimeter of the network are literally the first line of defense in the protection of a corporate network. The Zero Trust model brings a lot of focus to the potential that something, or someone within the network perimeter has been compromised. This has often been overlooked in most cyber-defense strategies because the focus has been on external threats, and the assumption has been that the internal network is safe and trustworthy.

Corporate network environments have traditionally been built with the idea of securing an external perimeter against penetration from external sources. Although this is a good starting point, it does little or nothing to secure an environment from an internal threat. Nobody likes to think that someone inside their network would do something to cause a security compromise, whether inadvertently, or deliberately, but common-sense dictates that this must be considered in a healthy security program.

It is important that the reality of an internal threat be confronted directly in a security program. Although every effort is made to ensure that users are thoroughly vetted during the hiring process, seldom do programs account for changes once the initial background checks are run, or baseline scans are run on servers.

Originally proposed in 2010, the Zero Trust security model in its purest form has largely been determined to be impractical in most customer environments. Discussions related to implementing this model are often heated, and tend to devolve to an ‘all or nothing’ disagreement over whether it should, or can, be practically implemented in a corporate environment.

BeyondTrust products support the practical and intelligent implementation of elements of a Zero Trust security model in corporate networks using pieces that make sense but don’t hamper productivity. This hybrid approach provides companies with the ability to select the parts of the Zero Trust model that make sense to implement in their environment with a common-sense approach toward long-term security. Ultimately, the goal of any corporate computing network is to assist with revenue generation, so implementing controls that don’t interfere with that goal is important to the bottom line.

BeyondTrust and “Zero Trust”

The key to implementing elements of Zero Trust within a corporate network is to concentrate on controls that restrict access from point to point within the network environment, and detect unusual activity rapidly. Restricting lateral movement within the network, or the ability to move from point to point once access is granted is key to this strategy. BeyondTrust products offer the ability to help in this area.

PowerBroker Password Safe (PBPS)

PowerBroker Password Safe helps discover and secure login credentials on all servers and network devices within a customer environment.  In addition, discovery scanning can assist with detecting and securing newly provisioned identities on servers. Using the strong controls that authorize access to specific servers, or credentials, and scheduling capabilities, it is possible to secure servers from unauthorized access. Some of the key features that are standard in PBPS that will help to control access within an environment are:

  • Access control may be limited to specific servers, or groups of servers using SmartGroup technology
  • Access control may be restricted to certain times and this can be aligned to user schedules, or server maintenance windows
  • Integration with major ticketing systems to validate whether an activity is authorized to take place
  • Integration with identity governance (IGA) products such as Sailpoint to validate user roles and enforce role based access controls within the network
  • Full Active Directory integration to validate user credentials
  • Multi-Factory Authentication (MFA) is built-in to the product and works with any Radius based MFA product
  • Fully configurable password rules to ensure that strong passwords are enforced on all servers and for all credentials that are managed
  • Scheduled password rotation features ensure that passwords are changed regularly, and also after each use
  • Included API access for automation processes to prevent having to store credentials in scripts or in other insecure sources within the network

Retina Vulnerability Management

Retina helps discover and scan assets for vulnerabilities within an environment. Applying a regular scanning schedule provides an internal and external view of the health of a customer environment.

  • Regular updates provide the ability to scan for the most recent vulnerabilities usually shortly after they are identified
  • Compliance and regulatory reports are available to meet most global security reporting requirements
  • External scanning is available to ensure the security of the perimeter, and is often required by regulations such as PCI/DSS
  • Internal scanning can constantly monitor the health of assets on a regular schedule, and reporting is integrated to bring uncharacteristic items, or discovered vulnerabilities immediately to the attention of those responsible for correcting them

PowerBroker for Unix & Linux (PBUL)

PowerBroker for Unix & Linux is an agent-based solution provides absolute control over activity on Unix and Linux operating systems. It is expected that Unix and Linux servers will comprise nearly 85% of all servers in corporate environments over the next several years. Most cloud services offer low cost Linux servers primarily, and due to the open source software model of the Linux operating system, it is a cost-effective solution for most enterprises. Developing strong controls over users and activity will be crucial to deliver peace of mind. Some of the key features that have been implemented in customer environment that provide advanced levels of control and support the Zero Trust model are:

  • Full control over all identities on servers, and the ability to execute processes as any identity with access to the server using a trusted agent model
  • Built-in policy language that permits complete access to, and control of the remote client operating system, policy server operating system, and with complete access to external data sources for validation
    • Server information can be validated prior to authorization of any privileged activity – this is the essence of Zero Trust
    • External sources can be queried to gather detailed information to confirm activities fall within the spectrum of those that are authorized
    • Full control over policy server operating systems in a tamper-proof manner which provides a secure source of validation to validate secondary information
    • Using the policy language, virtually any command or process that is within the capability of the operating system can be performed
  • Advanced Control and Audit (ACA) features that permit the restriction of commands even within a privileged session where they may otherwise be authorized
  • Full event logging of all activities that are authorized, or attempted
  • Configurable keystroke and IO session logs provide irrefutable evidence of all activity that takes place within an authorized privileged access session
  • Advanced policy controls permit strong access controls over servers, and sessions can be initiated using non-standard ports in very secure environments
  • Privileged activities can be declined when outside of scheduled server maintenance windows, or outside user working hours
  • Advanced features that permit validation of binaries, and permissions on commands prior to authorization to ensure that they are authorized
  • Using trusted agent technology, it is possible to collect data from client systems to monitor for changes in server configurations, additional user ids, or other characteristics to compliment other tools in the environment

PowerBroker for Networks (PBN)

PowerBroker for Networks is designed to provide strong control over network devices where other tools cannot be installed. Typically, network devices provide little or no control over user activities once access is gained. Using PBN, it is possible to strictly validate all activity prior to execution.

  • Enabling administrators to perform all of the tasks necessary to compete their jobs, while enforcing least privilege on activity.
  • Using flexible policy language to dynamically query other data sources that are available in a customer environment to make policy decisions. Additional factors may include information such as:
    • Job title
    • Job role
    • Department
    • Geographic location
  • Permits integration with ticketing systems to determine whether an activity is authorized
  • Provide a detailed, irrefutable audit trail for all authorized activities
  • Generate actionable alerts based on detected misuse
  • Full session IO log recording of all privileged activities
  • Comprehensive coverage of devices on which there is little or no visibility currently
  • Industry leading audit reporting to reduce the cost of audit, and to enforce compliance of policies and standards in the network environment
  • Role based access controls that confine activity for teams and groups to only that which is authorized

PowerBroker for Windows (PBW)

PowerBroker for Windows provides strong control over Windows operating systems on both servers and desktops. This level of granular control over program execution delivers complete control over user activity and can transparently authorize privileged or administrative activity using user group or role membership.

  • Improve security with user-based rules and policy
  • Control when and how rules are applied
  • Improve efficiency by tracking trusted sources
  • Enforce complete endpoint least privilege
  • Reveals privileged application and asset security risks
  • Ensure complete application control
  • Reduce attack surfaces by removing admin rights from end users and employing fine-grained policy controls for all privileged access, without disrupting productivity
  • Monitor and audit sessions and user activity for unauthorized access and/or changes to files and directories
  • Analyze behavior to detect suspicious user, account and asset activity
  • Enforce least privilege for desktops and servers
    • Eliminate admin rights: prevent abuse or misuse of privileges on Windows assets
    • Ensure productivity: default all users to standard privileges, while enabling elevated privileges for specific applications and tasks without requiring administrative credentials
    • Allow admin where needed: proactively identify applications and tasks that require administrator privileges — and automatically generate rules for privilege elevation
    • Elevate applications: elevate application as logged on or another user, without exposing credentials

BeyondInsight, the PowerBroker Privileged Access Management Platform

The PowerBroker Privileged Access Management Platform is a central interface that provides a dashboard view of activity within the network. This interface takes input from all available sources and builds a risk profile for servers, and users to baseline standard behavior. The more products that report into the console, and the larger the data set, the better the analytics. The analytics console looks at user behavior and baseline characteristics of activity, and can report when suspicious user, account, or asset activity takes place.

Practical Application of Zero Trust

Combining all of the elements of the above products, it is possible to enforce the best elements of a Zero Trust model in any corporate environment without disrupting business processes. Zero Trust is really about knowing who is doing what within your network, and making sure that in the event that something uncharacteristic happens you have the ability to respond to control or limit any threats to the network.

As a corporate information security program matures, it is possible to intelligently apply stronger controls over activity in an environment. Shifting the focus from looking at external threats primarily to take a holistic view of both internal and external activity provides a new level of protection to a corporate network. Setting aside the tradition of securing the perimeter and trusting everything internal is the first step toward implementing a Zero Trust model. Combining many risk factors, such as server maintenance windows, user work schedules, point of origin, and behavior monitoring, it is possible to achieve most aspects of Zero Trust without implementing draconian controls that would hamper creativity.

BeyondTrust is happy to help customers who have a desire to rationally implement these elements into their security program. Please contact us for further information, and to consult on how this can be approached in your environment based on your use cases and situation.

Chad Erbe, Professional Services Architect, BeyondTrust

Chad Erbe is a Certified Information Systems Security professional (CISSP), with nearly 30 years’ experience in a Unix/Linux administration role. Chad has worked in DoD high-security environments, manufacturing, and with large financial services companies throughout his career. This broad experience has lead him to an architectural role with BeyondTrust where he focuses on Privileged Access Management, particularly in the Unix suite of products. Chad also maintains his PCI ASV certification from the PCI council.