“Access” is an increasingly major part of day-to-day life. By the time I sit down at my desk to start the workday, I’ve already gone through a dozen points of access control — including disarming and re-arming my house alarm with a code, unlocking my iPhone with Face ID, opening and starting my car with a key fob, logging onto my laptop with a biometric like fingerprint touch, and joining my first meeting of the day with a secure Microsoft Teams or Zoom link.
Be it physical or digital, access (particularly controlling access) is at its simplest the ability to grant, deny or restrict entry to something. That “something” could be your car, house, bank account, computer, mobile phone, apps, or just about anything else in today’s digital-first world.
Let’s focus on apps for a moment. They are at the heart of our daily digital lifestyle. The mobile app market is expected to generate over $935 billion in revenue by 2023. Perhaps that’s not surprising given the average person uses around 10 apps per day just on their smartphone.
Today’s enterprises are also heavily reliant on apps to drive their business as well as support it. And think of all the people who may access these business apps from their mobile phones or their home offices. With today’s hybrid work world, not to mention a hybrid-cloud-powered one, managing all these different apps (let alone securing and controlling access to them) has become increasingly complex.
The most serious web vulnerabilities today require a zero-trust model
We’re aware that with all the benefits of digital transformation there are also new risks to consider. But there are serious consequences today for businesses, their employees and their customers as this risk increasingly centers around bad actors targeting user identity and access. If you’re a fan of stats like I am, there are many out there to help drive home the enormity of this issue. For me, two of the more alarming findings are these:
- Between 2015 and 2020, stolen passwords and other credential-related attacks led to more incidents and more total losses — $10B — for businesses than any other threat action (Cyentia Institute IRIS 20/20 Xtreme Information Risk Insights Study). Given that the modernization paths for digital fraud are only continuing to proliferate, and that credentials are used heavily in both ransomware and digital fraud, the demand for stolen credentials won’t slow down in the coming years.
- The #1 vulnerability of the 2022 OWASP Top 10: Broken access controls (OWASP Top 10). This includes the violation of least-privileged access to an app or resource.
Attacks targeting a user’s identity impact enterprises across the globe and across industries, though financial, IT and manufacturing are impacted the most. This, paired with the prevalence of broken access controls, makes it critical to employ a zero-trust security model.
Never trust, always verify
The zero-trust mantra of “never trust, always verify” addresses today’s hybrid cloud, hybrid work and hybrid access scenarios. Securing access to all apps and resources, eliminating implicit trust, and granting least privileged access are all tenets of a zero-trust model. A key access vulnerability is in the breakdown of this approach. As OWASP describes, it’s the “violation of the principle of least privilege or deny by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone.”
Perhaps one of the biggest challenges businesses will face when it comes to avoiding this vulnerability is extending a zero-trust app access model across all their applications, specifically their legacy and custom ones. We’ve found some organizations can have anywhere from hundreds to thousands of legacy and custom apps that are critical to their daily business.
Many of these apps (for example, custom applications, long-running apps from vendors like SAP and Oracle, and legacy systems) leverage legacy protocol methods like Kerberos or HTTP headers for authentication. These apps often do not or cannot support modern authentication methods like SAML or OAuth and OIDC. And it’s often costly and time-consuming to try and modernize the authentication and authorization for these particular apps.
Many cannot support multifactor authentication (MFA) either, which means users must manage different credentials and various forms of authentication and access for all their different applications. This only perpetuates the cycle for potential credential theft and misuse. There are also additional costs for the business to run, manage and maintain different authentication and authorization platforms.
How to enable zero-trust access within the hybrid enterprise
Modern authentication is key to ensuring per-request, context- and identity-based access control in support of a zero-trust model. Bridging the authentication gap is one of the most critical steps an organization can take to avoid the “violation of least privilege” by enabling “never trust, always verify” (per-request, context- and identity-based app access) for their legacy, custom and modern applications.
Having an access security solution that can serve as an identity-aware proxy (IAP) will be key for extending modern auth capabilities like SSO and MFA to every app in the portfolio, including the legacy and custom ones. As mentioned earlier, it’s not feasible for the majority of businesses to modernize all their apps built with legacy or custom authentication methods.
The ability to take advantage of all the innovation happening in the cloud with IDaaS providers plus the improvements that come with OAuth and OIDC frameworks, all without having to modernize apps right away, is a game-changer for the business. It can reduce their risk exposure and enable innovation without disruption. The workforce can remain productive and securely access their apps regardless of what authentication method is used on the backend, no matter where those apps are hosted (or where the user is located).
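To make the bridging role concrete, here is an added example (not F5’s product and not code from this article) of the per-request decision an identity-aware proxy makes in front of a header-authenticated legacy app: it mints a signed session after the IdP login, verifies it on every request, applies a deny-by-default role policy, discards any client-supplied identity headers, and only then injects the identity header the legacy app trusts. The secret, policy, paths and header names are constructed assumptions.

```python
import base64, hashlib, hmac, time

# Constructed demo secret shared by the proxy's token issuer and verifier (assumption).
SECRET = b"constructed-demo-secret"
# Inbound headers never forwarded: the client must not set the identity the legacy app trusts.
STRIP_INBOUND = {"x-remote-user", "x-remote-groups", "authorization"}
# Deny-by-default policy: path prefix -> roles allowed. Unlisted paths are denied.
POLICY = {"/payroll/": {"hr"}, "/reports/": {"hr", "finance"}}

def issue_token(user, roles, ttl=300, now=None):
    """Mint a signed session token once the IdP (OIDC/SAML) login has succeeded."""
    exp = int(now if now is not None else time.time()) + ttl
    body = f"{user}|{','.join(sorted(roles))}|{exp}".encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + sig

def verify_token(token, now=None):
    """Return (user, roles) if the signature is valid and unexpired, else None."""
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64.encode())
    except ValueError:  # no separator or malformed base64
        return None
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    user, roles, exp = body.decode().split("|")  # signed by us, so well-formed
    if int(exp) <= (now if now is not None else time.time()):
        return None
    return user, set(filter(None, roles.split(",")))

def proxy_request(headers, path, now=None):
    """Per-request decision: returns (status, headers forwarded to the legacy app)."""
    # 1. Never trust identity headers supplied by the client.
    forwarded = {k: v for k, v in headers.items() if k.lower() not in STRIP_INBOUND}
    # 2. Verify identity on every request (never trust, always verify).
    auth = headers.get("Authorization", "")
    ident = verify_token(auth[7:], now) if auth.startswith("Bearer ") else None
    if ident is None:
        return 401, {}
    user, roles = ident
    # 3. Deny by default: grant only when a rule explicitly allows one of the roles.
    if not any(path.startswith(p) and roles & r for p, r in POLICY.items()):
        return 403, {}
    # 4. Inject the identity the header-authenticated legacy app expects.
    forwarded["X-Remote-User"] = user
    forwarded["X-Remote-Groups"] = ",".join(sorted(roles))
    return 200, forwarded
```

A real deployment would validate the IdP-issued OIDC token instead of this HMAC session and would pin the proxy as the only network path into the legacy app, otherwise the injected headers can be forged by anyone who reaches it directly.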
Going beyond access for a holistic zero-trust approach
While I’ve been stressing the importance of access in a zero-trust security model, having a truly holistic approach to zero trust requires organizations to go beyond access and identity alone. That’s because zero trust is the epitome of a layered security approach. There are many security technologies that need to be included as part of a zero-trust environment, including:
- continuous diagnostics and mitigation
- compliance considerations
- integration of threat intelligence and risk factors
- identity management
- security information and event management
It’s also important to note that adopting a zero-trust approach and delivering a zero-trust architecture is best accomplished through an incremental implementation of zero-trust principles, changes in processes, and technological solutions (across various vendors) to protect data and business functions based on core business scenarios.
This zero-trust approach requires a different perspective and mindset on security, especially when it comes to access. Zero trust should, at best, augment what is already in place to secure and control access in your existing environment.
Businesses will need to protect against advanced threats, including encrypted threats (especially since 90% of today’s traffic is encrypted). It’s also critical to have visibility into the state of apps themselves, including how they’re performing, how secure they are, and the context within which apps are accessed. This also means protecting APIs which serve as the connective tissue between applications and have increasingly become too easily accessible and available entry points for attacks today.
All that said, how do you start to tackle this? There are a few clear steps you and your organization can take to begin your holistic zero-trust journey:
- First and foremost, make the choice to adopt a zero-trust approach. Keep in mind you cannot rip-and-replace your current infrastructure. As noted earlier, it’s an incremental process.
- Next, inventory the number of apps, both on-premises and in the cloud, your business runs and how often users access them.
- Select your trusted vendors to support key phases of your journey. For example, your IDaaS provider, reverse-proxy product, etc.
- Finally, decide if you should retire underused apps, replace some apps with SaaS, migrate others to the cloud, and identify which apps you want to modernize. To this point, given it can be a long and costly process to modernize apps, having that identity-aware proxy (IAP) solution to bring modern authentication to your legacy and custom apps will be key for supporting a zero-trust model on your terms.
It may seem overwhelming to successfully control access and secure apps in today’s digital-first world. But it doesn’t have to be. If you start by taking simple steps to enable secure, least-privileged access to all your apps, you can then start phasing in a zero-trust model across your entire environment. In doing so, your business will be secured with zero trust faster than you realize.
Erin Verna is principal product marketer, access control & authorization at F5.