Modern IT environments are a lot different from what they were fifteen or so years ago. They have become increasingly more distributed and dynamic, with employees accessing their corporate network from various locations, using various devices.
This change has led to the breakdown of the traditional network perimeter, where the good guys are on the inside, and the bad guys are on the outside, trying to break in.
The Zero Trust methodology turns this on its head, with the mantra, “never trust, always verify”. In other words, you must assume that malicious actors already have access to your network.
Anytime a user tries to access a critical resource, whether data, applications, assets, or services, they must verify their identity, device, network path, and access rights. And all interactions with critical resources must be continuously monitored for suspicious activity.
5 Steps for Zero Trust in Active Directory
A good place to start with Zero Trust is the five-step model, which is as follows:
1. Define the Protect Surface
This involves creating an inventory of all critical assets. Any sensitive data, such as Payment Card Information (PCI), Protected Health Information (PHI), Personally Identifiable Information (PII), and Intellectual Property (IP), must be identified and classified accordingly. All third-party software will need to be listed and reviewed, as will any other assets, such as mobile devices, point-of-sale terminals, IoT devices, etc. You will also need to create a list of all services that exist within your network, including Active Directory, and any DNS servers and network management protocols.
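The Active Directory portion of that inventory can be pulled directly with the RSAT ActiveDirectory module. The script below is an added example, not code from the original article; it assumes RSAT is installed, that it runs as a domain user with read access to the directory, and that the output folder C:\ProtectSurface and the list of privileged groups are placeholders you would adjust for your forest.

```powershell
# Added example: inventory the Active Directory side of the protect surface.
# Assumptions: RSAT ActiveDirectory module present, read access to the domain,
# C:\ProtectSurface is a placeholder output folder.
Import-Module ActiveDirectory

$outDir = 'C:\ProtectSurface'   # placeholder output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Domain controllers: these host Kerberos, LDAP and (usually) DNS, so they are Tier-0 assets
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, Site, IsGlobalCatalog, OperatingSystem |
    Export-Csv -Path "$outDir\domain-controllers.csv" -NoTypeInformation

# 2. Members of the built-in privileged groups, expanded recursively so nested groups are included
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'
$privilegedGroups | ForEach-Object {
    $group = $_
    Get-ADGroupMember -Identity $group -Recursive |
        Select-Object @{ n = 'Group'; e = { $group } }, SamAccountName, objectClass, DistinguishedName
} | Export-Csv -Path "$outDir\privileged-members.csv" -NoTypeInformation

# 3. Accounts protected by AdminSDHolder (adminCount=1): current or former privileged users
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties LastLogonDate, PasswordLastSet |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet |
    Export-Csv -Path "$outDir\admincount-users.csv" -NoTypeInformation

# 4. Service accounts (users with a servicePrincipalName), i.e. the services the directory authenticates
Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
    Select-Object SamAccountName, Enabled, @{ n = 'SPNs'; e = { $_.servicePrincipalName -join ';' } } |
    Export-Csv -Path "$outDir\service-accounts.csv" -NoTypeInformation

# 5. Computer objects grouped by operating system, to surface unsupported builds that need a micro-perimeter
Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate |
    Group-Object OperatingSystem |
    Select-Object Name, Count |
    Sort-Object Count -Descending |
    Export-Csv -Path "$outDir\computers-by-os.csv" -NoTypeInformation
```

The CSV files give you the starting list for steps 2 and 4: every entry in privileged-members.csv and service-accounts.csv is an identity whose transaction flows need to be mapped and whose access needs a policy, and the adminCount list often reveals accounts that were once privileged and were never cleaned up.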
2. Map the Transaction Flows
You will need clear visibility into how traffic flows throughout your network, which involves documenting how specific entities interact with each other. This will make it easier to assign the appropriate access controls, and thus keep your resources secure.
3. Architect a Zero Trust Network
Adopt the necessary solutions to ensure that the movement of network traffic (and thus data) is controlled. Such technologies might include the use of a next-generation firewall or Data Loss Prevention (DLP) software to create a “micro perimeter” around your critical assets, and you will need to be able to inspect all network activity via a centralized dashboard.
4. Create a Zero Trust Policy
This involves creating a policy that determines how resources interact with each other. You will need to ask questions pertaining to:
- Who should have access to a resource?
- What users, applications, or services should be allowed to access the resource?
- Where is the resource (and the user accessing the resource) located?
- When, how, and why is the resource being accessed?
5. Monitor Network Traffic, Accounts and Data
You will need to continuously monitor all relevant logs for suspicious activity. This includes any logs generated by your firewall, SIEM, and DLP software. Perhaps more importantly, you must ensure that you are monitoring all events relating to the way your user accounts and sensitive data are being accessed and used.
Now that we have a basic understanding about what Zero Trust is, and a basic understanding about how it should be realized, let’s take a look at how it can be used to better protect your Active Directory environment.
5 Tips for Implementing Zero Trust in Active Directory
Tip #1: Discover and classify your critical assets
As mentioned previously, as a starting point you must define the protect surface, which includes creating an inventory of all critical resources. While Active Directory doesn’t provide any data classification tools out-of-the-box, there are third-party auditing solutions that can be easily integrated into your AD environment. Such solutions will scan your repositories, both on-premises and “in the cloud”, for sensitive data, and automatically classify the data according to your chosen schema.
Tip #2: Don’t trust admin accounts
Admin accounts with elevated privileges pose a huge threat to an organization’s systems and data. Firstly, the administrator themselves may abuse their privileges, whether accidentally or deliberately. Alternatively, an adversary may gain access to an account with admin-level privileges, perhaps via a phishing attempt, or some other method. Either way, failing to restrict access rights for privileged accounts is a very bad idea. When an administrator needs elevated privileges, for whatever reason, they should be granted what is called “just-in-time” access: the rights are granted temporarily and revoked as soon as they are no longer required.
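Active Directory can enforce this natively through time-bound group membership, part of the Privileged Access Management optional feature introduced with the Windows Server 2016 forest functional level. The following is an added example rather than code from the original article; it assumes that feature is enabled in the forest, and the account name alice.admin and the one-hour window are placeholders.

```powershell
# Added example: grant time-limited ("just-in-time") membership of a privileged group.
# Assumptions: Windows Server 2016+ forest functional level with the
# "Privileged Access Management Feature" enabled; 'alice.admin' and the
# 1-hour TTL are placeholders.
Import-Module ActiveDirectory

# Without the optional feature enabled, -MemberTimeToLive is rejected, so check first
$pam = Get-ADOptionalFeature -Filter 'Name -like "Privileged*"'
if (-not $pam.EnabledScopes) {
    throw 'Privileged Access Management Feature is not enabled in this forest; membership TTL is unavailable.'
}

$account = 'alice.admin'     # placeholder: the operator requesting elevation
$group   = 'Domain Admins'   # the privileged group being requested
$ttl     = New-TimeSpan -Hours 1

# Refuse to "elevate" someone who is already a permanent member; that membership needs removing, not extending
$current = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
if ($account -in $current) {
    throw "$account is already a standing member of $group; remove the permanent membership before using JIT."
}

# Membership expires on its own when the TTL elapses; no revocation job has to remember to run
Add-ADGroupMember -Identity $group -Members $account -MemberTimeToLive $ttl

# Show remaining TTL per member; members with no TTL prefix are permanent and should be reviewed
(Get-ADGroup -Identity $group -Properties member -ShowMemberTimeToLive).member
```

Because the link is time-bound, the Kerberos tickets issued to the account are also limited to the remaining TTL, so the elevated rights cannot outlive the membership through a cached ticket. The final line is worth running on its own periodically: any member listed without a TTL is a standing administrator that the Zero Trust policy should be asking questions about.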
Tip #3: Don’t trust passwords alone
Passwords may be convenient, but they are far from secure. Even the most complex passwords can still be hacked. A better option would be to use a multi-factor authentication solution that integrates with Active Directory, which requires an additional method of verification, such as something you are, or something you have.
Tip #4: Don’t automatically authenticate an on-prem AD user with Azure AD
Microsoft has invested heavily in ensuring that Active Directory and Azure Active Directory work together seamlessly. While it is no doubt convenient to be able to access resources on both platforms without the need to authenticate each time, it is not in keeping with the Zero Trust methodology. As mentioned previously, with Zero Trust, the policy is to never trust, always verify. As such, you would be better off asking your employees to authenticate themselves each time they need access to a critical resource.
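In Azure AD the lever for this is a Conditional Access policy that sets sign-in frequency to “every time” and requires MFA for the critical application, so a session inherited from the on-prem logon is not enough on its own. The script below is an added example using the Microsoft Graph PowerShell SDK, not code from the original article; the application id and pilot group id are placeholders, and the policy is created in report-only mode so its effect can be checked in the sign-in logs before it is enforced.

```powershell
# Added example: require MFA and fresh authentication on every access to a critical app.
# Assumptions: Microsoft.Graph PowerShell SDK installed; an account with rights to
# manage Conditional Access; $criticalAppId and $pilotGroupId are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$criticalAppId = '00000000-0000-0000-0000-000000000000'   # placeholder: app registration (client) id
$pilotGroupId  = '11111111-1111-1111-1111-111111111111'   # placeholder: group to roll the policy out to first

$policy = @{
    displayName = 'ZT - critical app: MFA and re-authentication on every sign-in'
    # Start in report-only; switch to 'enabled' once the sign-in logs show the expected impact
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @($criticalAppId) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'AND'
        builtInControls = @('mfa')     # password alone (Tip #3) is not accepted
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'   # re-authenticate on each access, not after N hours
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
        persistentBrowser = @{ isEnabled = $true; mode = 'never' }   # no "stay signed in" cookie
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Scoping the policy to one application and one pilot group first is deliberate: an “every time” sign-in frequency across all apps would be disruptive, whereas applied only to the resources that sit inside the protect surface it matches what the tip recommends.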
Tip #5: Monitor all access to sensitive data
Perhaps one of the most important areas of Zero Trust is having visibility into who has access to what data, why, when, and how. While it is theoretically possible to manually scrutinize the server logs for suspicious activity, this would not be the recommended approach, as it will likely be a slow, painful and error-prone process. A better approach would be to adopt a dedicated real-time auditing solution that will display a summary of important events via a single dashboard. Most sophisticated solutions use machine learning models to automatically detect and respond to anomalous user activity, and deliver real-time alerts to your inbox or mobile device.
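Whatever tooling you buy, it helps to understand what the rules underneath a dashboard look like. The script below is an added example serving both step 5 (monitoring logs for suspicious activity) and this tip; it is not code from the original article. It runs three simple detections over a constructed sample of Windows Security events (IDs 4624, 4672 and 4663) rather than a live log: the host names, share path, allow-lists and event records are all placeholders, and on a real file server or domain controller the records would come from Get-WinEvent with a Security-log filter for those event IDs.

```powershell
# Added example: detection rules over a constructed sample of Security events.
# Assumptions: the events, host names, share path and allow-lists below are placeholders;
# in production read them with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4663,4672}.

$adminWorkstations   = @('PAW01', 'PAW02')       # hosts from which privileged logons are expected
$sensitivePathPrefix = '\\FS01\Finance\'         # share classified as containing PII
$financeReaders      = @('bob.finance', 'carol.finance')
$businessHours       = 7..19                     # 07:00 to 19:59 local time

# Constructed sample events; the fields mirror the common Security log properties
$events = @(
    [pscustomobject]@{ Id = 4624; Time = [datetime]'2024-03-04 09:15:00'; User = 'bob.finance'; Host = 'WS-BOB';    Object = $null }
    [pscustomobject]@{ Id = 4672; Time = [datetime]'2024-03-04 09:16:00'; User = 'alice.admin'; Host = 'PAW01';     Object = $null }
    [pscustomobject]@{ Id = 4672; Time = [datetime]'2024-03-04 22:40:00'; User = 'alice.admin'; Host = 'WS-KIOSK';  Object = $null }
    [pscustomobject]@{ Id = 4663; Time = [datetime]'2024-03-04 10:02:00'; User = 'bob.finance'; Host = 'FS01'; Object = '\\FS01\Finance\payroll-2024.xlsx' }
    [pscustomobject]@{ Id = 4663; Time = [datetime]'2024-03-04 23:05:00'; User = 'dave.sales';  Host = 'FS01'; Object = '\\FS01\Finance\payroll-2024.xlsx' }
    [pscustomobject]@{ Id = 4663; Time = [datetime]'2024-03-04 23:06:00'; User = 'dave.sales';  Host = 'FS01'; Object = '\\FS01\Finance\bank-details.csv' }
    [pscustomobject]@{ Id = 4663; Time = [datetime]'2024-03-04 23:07:00'; User = 'dave.sales';  Host = 'FS01'; Object = '\\FS01\Finance\vendor-list.csv' }
)

function Find-SuspiciousEvents {
    param([object[]]$Events)
    $alerts = @()

    foreach ($e in $Events) {
        switch ($e.Id) {
            4672 {
                # Special privileges assigned at logon: expected only from the hardened admin workstations
                if ($e.Host -notin $adminWorkstations) {
                    $alerts += "PRIV-LOGON-OFF-PAW: $($e.User) received admin privileges on $($e.Host) at $($e.Time)"
                }
            }
            4663 {
                # Object access on the classified share: check both who and when
                if ($e.Object -like "$sensitivePathPrefix*") {
                    if ($e.User -notin $financeReaders) {
                        $alerts += "SENSITIVE-ACCESS-UNAUTHORISED: $($e.User) read $($e.Object) at $($e.Time)"
                    }
                    if ($e.Time.Hour -notin $businessHours) {
                        $alerts += "SENSITIVE-ACCESS-AFTER-HOURS: $($e.User) read $($e.Object) at $($e.Time)"
                    }
                }
            }
        }
    }

    # Bulk-read rule: one user touching 3 or more distinct classified files within 10 minutes
    $sensitiveReads = $Events | Where-Object { $_.Id -eq 4663 -and $_.Object -like "$sensitivePathPrefix*" }
    foreach ($userGroup in ($sensitiveReads | Group-Object User)) {
        $sorted = @($userGroup.Group | Sort-Object Time)
        for ($i = 0; $i -le $sorted.Count - 3; $i++) {
            $window = $sorted[$i..($i + 2)]
            $distinct = @($window.Object | Select-Object -Unique).Count
            if (($window[-1].Time - $window[0].Time).TotalMinutes -le 10 -and $distinct -ge 3) {
                $alerts += "SENSITIVE-BULK-READ: $($userGroup.Name) read $distinct classified files within 10 minutes from $($window[0].Time)"
                break
            }
        }
    }
    return $alerts
}

Find-SuspiciousEvents -Events $events | ForEach-Object { Write-Output $_ }
```

On the sample data, bob.finance’s daytime read of a finance file produces nothing, alice.admin’s privileged logon from WS-KIOSK fires the off-PAW rule, and dave.sales, who is not in the finance group, trips the unauthorised and after-hours rules on each of three files and the bulk-read rule once. The “why” in the tip is the part no rule can answer from the log alone, which is why each alert carries the user, object and time needed to start that conversation.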