Zero Trust in a Hybrid World
Zero Trust is a bloated term. So are things like eXtended Detection & Response (XDR) and Active Cyber Defense (ACD).
Ultimately, none of them are new; it's just the latest marketing gimmick to get folks to pay attention to vendors. At the end of the day, what we've been trying to do in the cybersecurity world for a while now still holds:
- We want our products to talk to each other
- We want our products to force multiply the others
- We want to make confident decisions in our architecture, based on several confident data sources from multiple vendors
- We want to make such decisions at multiple Enforcement Points in our architectures
- We want to assume breach – meaning continuously validate actions and ensure we don't lose the entire flock when we lose a sheep
As the tainted SolarWinds supply chain taught us, it makes no sense to apply Zero Trust principles only to cloud resources. SolarWinds taught us that a compromise on-premises will lead to devastating consequences in the cloud.
Heck, as a CrowdStrike employee I built the story here, showing not only can you jump from on-premises to the cloud but, more evil, you can jump from the cloud back to on-premises.
(The above is probably a blog in itself, which I've done in the past but not on the new blog I'm on now)
I've talked a lot about this topic, but at the Service Account level. Service Accounts should only exist on-premises, traditionally carry high privileges, and in some cases require Domain Admin/Enterprise Admin privileges to function properly. Beyond how to secure such accounts, which I talk about here, why would we not continuously secure them on-premises? What if a Service Account is compromised and used interactively? What if it's used by a rogue admin?
Circling back to Zero Trust – if we stick to the outcomes and the principles, it makes sense that we should be applying them to on-premises accounts as well. Yet most vendors don't do this. Or worse, some vendors do this for on-premises accounts, but only if they are replicated to the cloud and only if they are authenticating in the cloud (meaning NOT pass-through authentication, where authentication still happens on-premises).
This is one of the most confusing aspects of applying Identity Protection across the hybrid estate.
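Here is what "continuously validate" can look like for on-premises Service Accounts, as an added example and not code from the original post or from any vendor it mentions. It runs a small detection over Windows Security 4624 (successful logon) events and flags a Service Account that is used interactively (the compromised-or-rogue-admin case above), that authenticates over legacy NTLM instead of Kerberos, or that shows up on a host it has no business running on. The `svc_` naming convention, the per-account host baseline in `EXPECTED_HOSTS`, reading "legacy authentication" as NTLM, and the sample events themselves are all assumptions constructed for the example; the logon type numbers are the documented Windows values.

```python
"""Flag on-premises service accounts that stop behaving like service accounts.

Added example, not code from the original post. It applies the post's
"assume breach, continuously validate" idea to Windows logons: a service
account should only appear with Service (5) or Batch (4) logon types, over
Kerberos, on the hosts it runs on. Anything else deserves a look.

Assumptions (not stated on the page):
  - service accounts follow an 'svc_' naming convention;
  - "legacy authentication" is taken to mean NTLM rather than Kerberos;
  - events are Windows Security 4624 records already parsed into dicts.
Logon type values are the documented Windows ones: 2 Interactive, 3 Network,
4 Batch, 5 Service, 10 RemoteInteractive, 11 CachedInteractive.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SERVICE_ACCOUNT_PREFIX = "svc_"        # assumed naming convention
INTERACTIVE_LOGON_TYPES = {2, 10, 11}  # console, RDP, cached credentials
EXPECTED_SERVICE_LOGON_TYPES = {4, 5}  # batch job, service start
NETWORK_LOGON_TYPE = 3                 # logged on the target, not where the account runs

# Baseline of where each service account is expected to run (assumed inventory).
EXPECTED_HOSTS: Dict[str, Set[str]] = {
    "svc_backup": {"BACKUP01"},
    "svc_sql": {"SQL01", "SQL02"},
}


@dataclass(frozen=True)
class Finding:
    account: str
    host: str
    logon_type: int
    reasons: Tuple[str, ...]


def is_service_account(name: str) -> bool:
    return name.lower().startswith(SERVICE_ACCOUNT_PREFIX)


def evaluate_event(event: dict) -> Optional[Finding]:
    """Return a Finding if a 4624 event shows a service account misbehaving."""
    account = event["TargetUserName"]
    if not is_service_account(account):
        return None

    logon_type = int(event["LogonType"])
    host = event["Computer"].upper()
    package = event["AuthenticationPackageName"].upper()
    reasons = []

    # Interactive use of a service account is the compromised/rogue-admin case.
    if logon_type in INTERACTIVE_LOGON_TYPES:
        reasons.append(f"interactive logon (type {logon_type}) by a service account")
    elif logon_type not in EXPECTED_SERVICE_LOGON_TYPES and logon_type != NETWORK_LOGON_TYPE:
        reasons.append(f"unexpected logon type {logon_type}")

    # Legacy auth flow: NTLM where Kerberos is expected.
    if package == "NTLM":
        reasons.append("legacy NTLM authentication instead of Kerberos")

    # Host baseline only makes sense for logons that happen where the account runs;
    # a network logon (type 3) is recorded on the resource being accessed.
    expected = EXPECTED_HOSTS.get(account.lower())
    if expected is not None and logon_type != NETWORK_LOGON_TYPE and host not in expected:
        reasons.append(f"logon on {host}, outside baseline {sorted(expected)}")

    if not reasons:
        return None
    return Finding(account, host, logon_type, tuple(reasons))


def scan(events: List[dict]) -> List[Finding]:
    return [f for f in (evaluate_event(e) for e in events) if f is not None]


# Constructed sample of parsed 4624 events (not real telemetry).
SAMPLE_EVENTS = [
    {"TargetUserName": "svc_backup", "LogonType": 5, "Computer": "BACKUP01",
     "AuthenticationPackageName": "Kerberos"},
    {"TargetUserName": "svc_backup", "LogonType": 10, "Computer": "WKSTN-17",
     "AuthenticationPackageName": "Kerberos"},
    {"TargetUserName": "jsmith", "LogonType": 2, "Computer": "WKSTN-17",
     "AuthenticationPackageName": "Kerberos"},
    {"TargetUserName": "svc_sql", "LogonType": 3, "Computer": "FILESRV02",
     "AuthenticationPackageName": "NTLM"},
    {"TargetUserName": "svc_sql", "LogonType": 4, "Computer": "SQL02",
     "AuthenticationPackageName": "Kerberos"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.account}@{finding.host}: " + "; ".join(finding.reasons))
```

On the sample set this raises two findings: the backup account RDP'ing into a workstation it is not baselined for, and the SQL account authenticating over NTLM. The point is that none of this needs the account to be replicated to the cloud or to authenticate there; the signal is already in the on-premises logs, which is exactly where most vendors stop looking.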
I'm watching the Dept of Defense push out its three-pronged Zero Trust approach:
- Brownfield: use existing
- Greenfield: Public cloud
- Greenfield: Private (Gov't owned) cloud/datacenter
Missing from the details is how to apply conditional access policies to on-premises and "legacy" authentication flows.
But for some reason, we continue to ignore on-premises. The new cool thing is cloud, and we are more secure in the cloud.
Except that Golden SAML and Sunburst literally show us that isn't the case.
Time to course correct? I sure hope so.