How to Implement a Zero Trust Model

For as long as the Internet has been around, businesses have adopted physical and virtual security with perimeter-based architectures. However, the explosion in adoption of SaaS apps, cloud computing, and mobile devices, has driven a dramatic shift in moving apps, services, and data from behind the traditional perimeter.

The business network is no longer defined by the firewall. The Internet is now the modern business network. Traditional perimeter-based security models have grown ineffective against more prevalent and growing threats like phishing, malicious insiders, and device compromise. As traditional perimeters diminish, organizations should never make assumptions when it comes to authorizing access. “Zero Trust” should be assumed, literally meaning trust no one.

What’s the key to securing this new landscape? It starts with identity! Having the ability to verify a user’s identity is vital, particularly when it comes to Identity and Access Management (IAM) across cloud and on-prem platforms. With “Zero Trust,” access should no longer be granted based on network location—rather—it must be informed by an authenticated user’s authorized access, information about the device they are using, and contextual information about what is normal for the type of access request.

Implementing a ‘Zero Trust’ model

User authentication, user authorization, and device trust
As a company, we’ve adopted a ‘zero-trust’ philosophy, not only for our own network infrastructure but for the entire OneLogin product suite. Our products enable customers to effectively and securely adopt a ‘Zero Trust’ model as an alternative to the traditional ‘walled castle’ model where privileged access is based on the network location of the host. OneLogin offers enhanced functionality in this space through SmartFactor™ Authentication which takes into account several contextual factors of an authentication request, leverages machine learning to calculate the risk associated with the authentication, and if the calculated risk exceeds a certain threshold, the user will be prompted to complete an MFA challenge to further verify the user’s identity.

OneLogin enables customers to configure and enforce policies on individual users, user groups, or specific applications. These policies are enforced when users authenticate into services that federate authentication to OneLogin. Policies are determined and enforced by a variety of factors which include:

  • Frequency and type of MFA
  • Device certificate verification
  • User app assignment
  • User role assignment.

Establishing device trust is another key component to informing access. OneLogin integrates with endpoint management and security solutions to establish and define device trust. We believe that providing mechanisms that allow device information to be gathered and used for conditional access decisions is critical to the Zero Trust model. Additionally, OneLogin Desktop and OneLogin Protect obtain device health data directly from the device. This information is then available to the OneLogin Risk Engine (UEBA) for further analysis and risk assessment.

The flexibility of OneLogin’s solution enables customers to meet the critical requirements that underpin the Zero Trust framework. The OneLogin policy engine authorizes certain applications to users and informs role assignment within those applications. Adaptive MFA, endpoint services like OneLogin Desktop, and OneLogin Protect integrate with other endpoint solutions to verify users and their devices before access is granted.

“Un-Trust” the corporate network
Corporate networks have long been the path to privileged access by implementing policy and network design that trusts the corporate network. Traditionally, employees have connected to VPN to gain remote access to applications. In the zero trust model, no network is privileged and access is granted based on validating user identity and device trust. This approach is extremely easy to adopt for applications that are offered as SaaS, but there are many organizations that need to host applications on-premise and don’t want to publicly expose the application to the Internet. If an on-prem app can’t be exposed publicly and access can’t be granted based on a trusted network, there needs to be a solution that enables users to access the application. OneLogin Access enables users to access these applications by providing an identity-aware proxy. OneLogin Access leverages the entirety of the OneLogin platform and its policy engine to verify users and their devices to inform access instead of granting access based on network location. With OneLogin Access, access to on-prem applications do not require networks to be trusted and the application doesn’t need to be unnecessarily exposed.

Maintain Visibility on Access
Having visibility into who is accessing what, when, where, and how is a critical component to effectively securing privileged access. OneLogin provides APIs access to event logs which enable customers to integrate any number of tools for SIEMS or other logging and alerting systems. Splunk and Sumo Logic are examples of partners that offer their customers plug and play connectors to OneLogin to help facilitate with minimal or no additional coding on the part of the customer.

Next Steps
Now is the time to start planning your evolution toward adopting the Zero Trust model. OneLogin is dedicated to developing and offering our customers solutions that help them on their journey to fully adopting Zero Trust.

Ready to implement a Zero Trust model for your organization? Learn about the four principles and tools you need to get started.

Related Articles