The shift from implicit trust in early networks to today's Zero Trust model reflects the need to mitigate advanced threats.
The state of cybersecurity is more complex and challenging than ever before. In a recent SANS webinar, Tony Goulding, an expert with over 25 years in the security industry, shared his insights on Zero Trust and privileged access management (PAM). Tony's extensive background includes decades of hands-on experience and thought leadership in cybersecurity. Currently, he works with Delinea, a leading company specializing in PAM solutions, formed from the merger of Centrify and Thycotic. With his deep knowledge and practical experience, Tony offers valuable perspectives on the evolving landscape of cybersecurity and the critical role of Zero Trust principles.
Zero Trust is not a product you can buy: it's a model, a framework, a set of best practices. The core principle of Zero Trust is to treat every asset as if it's connected directly to the internet, eliminating the traditional notion of a trusted insider.
This approach is crucial given today's dynamics, including hybrid cloud environments, ongoing digital transformation projects, and a dispersed IT infrastructure. Work from home continues, outsourced IT services are on the rise, and cyber threats like ransomware, phishing, and artificial intelligence (AI)-driven attacks are becoming more sophisticated. Tony explained, "Zero trust is important as a modern approach to cybersecurity that helps address these dynamics."
The Zero Trust model is vital in addressing these dynamics. Instead of the old security tenet of "trust but verify," it's now "never trust, always verify." This means every access request could be a threat, and every user must continuously prove their legitimacy.
Tony also pointed out that Zero Trust involves more than just technological changes. "It encompasses people, process, and technology. Organizations can determine their own path, focusing on the areas where they need to invest most."
PAM is a critical component of Zero Trust. Tony emphasized that "seventy to eighty percent of breaches involve compromised privileged credentials." Effective PAM reduces the risk by granting administrative rights just in time, for a limited duration, and then revoking them once they are no longer required. This approach keeps the risk curve low, only spiking temporarily when elevated permissions are necessary.
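As an added illustration (not code from the webinar, Delinea, or SANS), the following toy just-in-time privilege broker grants a role with a bounded lifetime, revokes it early on demand, and totals the seconds of privileged exposure inside a window, which is the quantity the "risk curve" above describes. The class and method names, the `max_ttl` policy value, and the integer clock are all assumptions made for the example.

```python
"""Toy just-in-time (JIT) privilege broker (illustrative, not vendor code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Grant:
    user: str
    role: str
    start: int                      # constructed clock: seconds since an arbitrary epoch
    ttl: int                        # seconds the elevation stays valid
    revoked_at: Optional[int] = None

    def interval(self) -> Tuple[int, int]:
        """Half-open [start, end) during which the grant confers the role."""
        end = self.start + self.ttl
        if self.revoked_at is not None:
            end = min(end, self.revoked_at)   # early revocation shortens the window
        return self.start, end

    def active(self, now: int) -> bool:
        lo, hi = self.interval()
        return lo <= now < hi


@dataclass
class JitBroker:
    max_ttl: int = 3600                      # assumed policy: at most one hour per elevation
    grants: List[Grant] = field(default_factory=list)

    def elevate(self, user: str, role: str, now: int, ttl: int) -> Grant:
        if ttl <= 0 or ttl > self.max_ttl:
            raise ValueError("requested ttl outside policy")
        grant = Grant(user, role, now, ttl)
        self.grants.append(grant)
        return grant

    def revoke(self, user: str, role: str, now: int) -> None:
        for g in self.grants:
            if g.user == user and g.role == role and g.active(now):
                g.revoked_at = now

    def is_elevated(self, user: str, role: str, now: int) -> bool:
        return any(g.user == user and g.role == role and g.active(now) for g in self.grants)

    def privileged_seconds(self, user: str, role: str, w_start: int, w_end: int) -> int:
        """Area under the risk curve: seconds in [w_start, w_end) with the role held.
        Overlapping grants are merged so time is never counted twice; a standing
        privilege would score the whole window."""
        spans = sorted(g.interval() for g in self.grants if g.user == user and g.role == role)
        total, cur_lo, cur_hi = 0, None, None
        for lo, hi in spans + [(w_end, w_end)]:          # sentinel flushes the last span
            if cur_hi is not None and lo <= cur_hi:
                cur_hi = max(cur_hi, hi)                  # extend the merged span
                continue
            if cur_lo is not None:
                total += max(0, min(cur_hi, w_end) - max(cur_lo, w_start))
            cur_lo, cur_hi = lo, hi
        return total
```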
PAM isn't just about human accounts but also headless service accounts, especially in cloud environments. The cloud's elastic nature introduces more risks that need to be managed, so it's essential to protect service accounts that authenticate to each other.
The shift from implicit trust in early networks to today's Zero Trust model reflects the need to mitigate advanced threats by focusing on identity and access management (IAM). Implementing Zero Trust can be challenging due to its complexity. Organizations need to prioritize based on their unique needs and risk tolerance, starting with areas like PAM and multi-factor authentication (MFA).
Tony shared his thoughts on MFA, noting that "the barrier to adoption of MFA at all major access control gates has dropped." With a good PAM solution, centralized policy management of MFA is achievable. AI and behavioral analytics also play a role in strengthening Zero Trust defenses. Tony mentioned, "AI tools can help identify anomalous activity within session recordings, making it easier to react to new threats."
Looking ahead, Tony sees cyber insurance and regulatory pressures driving Zero Trust adoption. Cyber insurance policies are now insisting on MFA and other Zero Trust principles, making it essential for organizations to prioritize these measures to mitigate the risk of ransomware and other advanced threats.
He also highlighted the role of regulations: Zero Trust is becoming an adopted framework across various industries. Implementing it can help organizations meet a wide range of security and privacy-related requirements.
Tony shared several examples of successful Zero Trust implementations, including Google's BeyondCorp. Google shifted access controls from the network perimeter to individual users and devices, allowing their employees to work remotely without a VPN. This is a prime example of Zero Trust in action.
He also discussed the importance of protecting privileged accounts, noting that most organizations recognize that privileged accounts represent the biggest attack surface, and hence, the biggest risk to their business. Effective PAM is crucial in mitigating this risk. "The cloud's elastic nature introduces more risks that need to be managed," Tony said, "so it's essential to protect service accounts that authenticate to each other."
The fireside chat underscored the importance of Zero Trust and PAM in modern cybersecurity. Tony Goulding's insights provided a clear understanding of Zero Trust principles and their practical application. As organizations navigate the complexities of today's threat landscape, adopting a Zero Trust framework can significantly enhance their security posture.
Implementing a Zero Trust Architecture is not a one-size-fits-all solution; it requires careful planning, implementation, and ongoing management. For those interested in delving deeper into the subject, SANS recently released a Zero Trust strategy guide. This document is an excellent resource for anyone looking to learn more about the principles, implementation strategies, and benefits of adopting a Zero Trust Architecture in their organization.
Launched in 1989 as a cooperative for information security thought leadership, it is SANS’ ongoing mission to empower cyber security professionals with the practical skills and knowledge they need to make our world a safer place.