OVERVIEW
Your organisation has cascading sets of people it interacts with. In the core, there are full-time employees. They have badges, access cards, accounts, organisationally-issued hardware. They use the IT-managed hardware and software to achieve their job, including a VPN to access services remotely. You create IT-managed identities, often in systems like Google G Suite or Microsoft Active Directory.
The next tranche of team members are contractors. Indeed, these users you might treat most no differently than the full-time staff. But some contractors are in specific job roles which do not require them to have IT-managed hardware or accounts. They may be specialists who work outside the building. These users might have no corporately-managed identity. Examples might include Transit drivers, Janitorial services.
After these people we have team members that are even more digitally-disconnected. Seasonal temporary workers. Temporary consultants. Workers from affiliated but arms-length organisations. In a Municipal environment these could include lifeguards for the pool, workers with the Library system, or local Social Services providers.
Traditionally these other tiers of users were ignored from an IT standpoint. Paystubs were delivered on paper, policies were posted on a bulletin board. Some organisations would use shared-accounts on Kiosk (shared) computers for online learning management systems.
Covid-19 has accelerated the thinking around these users. How can we furlough users, tell them to “check the Intranet” for details on what has changed/when they can come back to work if they have no access to the Intranet? How can we ask them to use a mail-drop for their pay stubs or timesheets if we are asking them not to come in the building?
Identity management (Authentication) and role-management (Authorisation) are the two key disciplines we need to improve if we are to solve the issue of connecting the digitally disenfranchised.
Zero Trust Architecture
A Zero Trust architecture allows us to have seamless access to any resource, from any device, for any user, from any network. And, does it more securely. Zero Trust splits the User Identity from the User Authorisation. It moves from a perimeter-based security practice to a fine-grained user & resource control.
Zero Trust (as defined by NIST SP 800-207) is a term for evolving cybersecurity from static network perimeter-based security (e.g. VPN) to an architecture that focuses on the user(identity) and the resource(authorisation).
The core requirements:
- Simple, secure, Identity. Make it trivial for you users to login with a single username/password, single-sign-on, multi-factor authentication.
- Decouple authorisation from Identity and from each Application.
Once these are achieved you can simply, securely, move access to individual systems to the users who need them. Those digitally disenfranchised users can access that corporate Intranet, including if their employment has been suspended, including if they have no corporate email address, device, VPN.
Evolving beyond the VPN
For many years the VPN was the gold standard of remote security. You kept your inside network isolated except for a few users with curated software on managed devices.
The VPN has a large cost. Managing the client software. It’s a stateful device, it does not scale well as we add users. It doesn’t behave well with foreign network firewalls. But, and most importantly in 2020, it nearly completely breaks remote collaboration tools. A VPN forces all traffic through the corporate network. So your video conferencing flows from your home to your company, and then back out to the Internet to the other people. In this model the corporate network becomes a choke-point: rather than scaling as you add staff, your performance drops off, the productivity goes down. Work from home has accelerated this problem.
The VPN also was masquerading as a secure solution. Years ago every server had a well-known port and IP. VPN rules, in conjunction with a firewall, were written to try and segment, isolate all pairwise communication. Now that users are remote, mobile, we cannot know their IP. Some services have moved to SaaS and cloud, the IP is unknowable. Many organisations now have little or no network segmentation. The VPN has become a giant on-off switch rather than a precision allow/deny method. Once you VPN in, you are infinitely trusted, the opposite of zero-trust.
Zero Trust provides a means for each connection to assert who its from, and to what it is going, with what requirements. This can be policed in a very fine grained fashion without the bandwidth or security challenges of the VPN. Treat each application as if it were on the public Internet, then secure it, no VPN is needed.
Identity Evolved, Multi-Factor Authentication Simplified
Identity is core to a person. They are the same person whether they use USER@gmail or USER@corp to identify themself. A core method of simply demonstrating identity is OpenID Connect. This secure, web-based protocol works with all devices. It is simple enough for the average consumer to use. You often see it as “Login with Google” or “Login with Facebook”.
In conjunction with OpenID Connect, we propose federating multiple sources of Identity. These can include affiliated organisations (the Library, the Police), or social providers (Google, Facebook, Twitter).
To confirm identity we propose ubiquitous, simple, multi-factor authentication. In a corporate world these are often done with RSA SecureID fobs, or USB Universal 2nd Factor devices like YubiKey or Google Titan.
In this newly expanded Identity world these become expensive and complex. We propose instead using a device that all users have easy access to: their mobile phone.
A mobile phone can support Web Push: the user will receive a push notification on their registered device “Is this you trying to login”. It can support Authenticator Apps (Twilio’s Authy, Google Authenticator, Microsoft Authenticator, etc) with QR-codes and PIN numbers. But, more interestingly, with the WebAuthN standard, it supports biometrics. This allows users to login securely, simply, with a fingerprint or face blink, in conjunction with the device they registered.
To reduce or eliminate the provisioning cost we propose Trust-On-First-Use: the user is challenged to set up their multi-factor authentication the first time they login. This reduces risk, increases security, without increasing cost.
Multi-factor, something you know with something you have, achieved, for no cost. Simple enough for a consumer. Strong enough for the corporation.
Identity-Aware Web Application Firewall
Each application has an intrinsic set of roles (admin, teacher, student, …). Adding a web-application firewall in front means we can police this access, using the identity of the user in conjunction with the identity of the application. Without configuring a complex Layer-3&4 firewall. Without introducing a VPN.
The Web Application Firewall will then increase the security of the application by reducing common risks such as Cross-Site-Scripting, SQL Injection. The end result is more secure than the previous corporate-firewall-vpn-enclave. And simpler.
Recommendation
Every organisation has more users than they would believe who they need to securely interact with. It is uneconomical to treat them all as full time employees.
Using a Zero Trust architecture, securely solving Identity including 3rd party Identity providers federated in, with simple, secure multi-factor authentication, and adding an external Identity-Aware Web Application Firewall can break the log jam.
Make any application available to any user on any device, on any network today. Without a VPN. And increase your security while doing so.