
Zero Trust x SOAR is the perfect match to secure access to your data and network resources

Zero trust

Zero Trust is meant to protect your company’s resources and control access to them. Can you trust everyone and everything that wants access to them? No: you want to authenticate and authorize every subject (a user, an application, or a device) before it reaches the targeted resource, whether that is your data or an IoT device that accepts instructions, such as a printer. Not doing so opens a path for attackers to your most valuable assets.

However, as you aim to secure access to your assets, several trends make this goal harder to achieve. First, Bring Your Own Device (BYOD) is spreading, increasing the number of devices not owned by your company that need access to your network. Moreover, remote working grew sharply in recent years, increasing the number of devices and dematerializing the workplace; people work from different locations, sometimes temporary, sometimes abroad, and often on unsecured local networks.

Last but not least, companies are increasingly migrating their data to the cloud. This creates a hybrid architecture, split between cloud-based storage and on-premise systems, that is more complex to manage. As a result, blind spots are left behind and assets aren’t effectively protected, even though an array of security tools is trying to build a safe space.

Zero Trust was brought as an answer to this complex architecture. No one can be blindly trusted and allowed access to your company’s assets without being authenticated and authorized beforehand. However, deploying a mature Zero Trust architecture is time-consuming and error-prone:

  • Zero Trust relies on a set of principles that differ from classic authentication and privilege management architecture;
  • It implies using multiple technologies that need to be connected in automated workflows by a Security Orchestration, Automation, and Response (SOAR) tool.

A Zero Trust Architecture relies on a set of principles fundamentally different from your older security architecture

Why you need Zero Trust

The Zero Trust model differs from older security architectures
Zero Trust secures your company’s architecture in a different way. It relies on identity governance (users, roles, and systems), which makes it possible to authorize and revoke the users attached to these identities, and their various accesses, according to their positions in your company.

This architecture sits on top of micro-segmentation and network architecture. Zero Trust leverages micro-segmentation techniques to divide your network into distinct zones, down to individual workloads.

It also uses network monitoring to collect and analyze information and detect suspicious behavior on your network. Then it calls for response, together with general protective and preventative controls.

To sum up, Zero Trust differs from older security controls, where security is added as a compensating layer on top of a large perimeter. With Zero Trust, your company secures the relevant data from the inside out. Using the technologies cited above, it builds security controls where they are needed, inside segmented perimeters.

To achieve different outcomes
According to the Zero Trust Architecture, only trusted identities with the relevant role get access to the applications, systems, networks, and data they need to perform their jobs. This trust is verified at every step to ensure employees are who they say they are.

This architecture limits breaches, risks, and impacts. It cannot replace a cybersecurity architecture, but it surely helps to contain incidents before they metastasize into breaches and become a critical threat to your company, by confining an incident to one identity instead of letting it spread to every identity in your company. In other words, it adds layers of trust in front of the targeted data: user trust, system trust, and behavior trust all need to be compromised to reach it. Compromising each layer also increases the attackers’ risk of being caught before they achieve their mission.

To that end, Zero Trust relies on principles

Segment the privileges given to your employees
One of the core principles of Zero Trust is privilege and access management. However, this management has to be deployed without impacting your employees’ ability to complete their tasks. You thus need to map, for each employee, the missions, the data and networks they need to access, and the applications required to complete these missions, down to the exact perimeter needed.

You cannot trust indefinitely; you always need to verify
Even if privileges and accesses are adequately segmented in your company, you cannot simply go on trusting them. There are many ways for somebody else, at some point, to end up holding another user’s privileges. Let’s repeat it: no action or user is trusted in a Zero Trust architecture. You need to authenticate and verify every new entry into a system and every request for access to new data.

On top of this, you always have to monitor users, systems, and networks
To ensure that the Zero Trust model you deployed works, you need continuous monitoring and evaluation of your users’ behavior, your data, and your network flows for suspicious changes or alterations. That is to say, on top of authentication and privilege management, there is a need for general Zero Trust monitoring that verifies all actions taken within your company’s infrastructure, for example lateral movements that could reveal an ongoing attack.

A mature Zero Trust Architecture needs a wide variety of tools that need to be orchestrated and automated by a SOAR

SOAR helps you orchestrate Zero Trust Architecture
Even if the last few years saw a tremendous increase in Zero Trust adoption, few organizations leverage innovative tools such as orchestration and automation. This causes a critical lack of productivity and is prone to human error. The metaphor used by Dr. Chase Cunningham is striking:

“If you want to dig the Suez Canal you could do it with shovels. It would suck, but you could if you had millions of shovels. But that’s dumb, and you will always need more ditch diggers. Wouldn’t it make more sense to use power tools and bulldozers and have your tools power the dig?”.

Yes, automation and orchestration can significantly lighten the burden on your teams’ shoulders.

Zero Trust is, in itself, not a technology. It’s an architectural model. To deploy such a model based on the principles mentioned above, you have to leverage different tools. Usually, these include technologies like User and Entity Behavior Analytics (UEBA), user onboarding and offboarding management, network monitoring, endpoint protection, SIEM, PKI and certificate management, cloud security, next-generation firewalls, IDS/IPS, and so on.

As we’ve already seen, the variety of tools isn’t an obstacle per se as long as you can manage them. Adequately orchestrating the tools at your disposal helps in two main ways: you get the most out of every tool to strengthen your security posture, and you stay on the edge of innovation.

We already know that there’s a need for automation and orchestration for incident response or to manage information overload. But, a SOAR can also be incorporated into broader security maintenance plans, such as Zero Trust architectures!

A SOAR answers the need to orchestrate a technology stack and to streamline and automate repetitive tasks (remember the manual configuration of your VLANs? not so cool), especially when you’re getting started on the Zero Trust path. Let’s take Identity and Access Management (IAM), for instance.

By automating IAM, you correlate provisioning and de-provisioning, and real-time updates to identity information, with detected changes in the authoritative source systems used by your company. As a result, it eliminates repetitive manual tasks for IT staff while freeing up valuable time for more complex tasks.
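The two passages above, least-privilege mapping per employee and IAM provisioning driven by the authoritative source, come down to one reconciliation loop: diff what the authoritative source says each person should have against what the directory actually grants, and emit the joiner, mover and leaver actions. The script below is an added example written for this page, not Mindflow’s code or a product feature. It assumes an HR feed as the authoritative source, a directory that holds enabled accounts and their entitlements, and a hypothetical role-to-entitlement table; all data is constructed inline.

```python
"""Reconciling an authoritative HR feed against the identity directory.

Added example, not Mindflow's code. The HR feed, directory contents and the
role-to-entitlement table are constructed for illustration.
"""
from dataclasses import dataclass

# Least-privilege baseline: each role maps to exactly the entitlements the job needs.
# Hypothetical roles and entitlement names.
ROLE_ENTITLEMENTS = {
    "accountant": {"erp:read", "erp:post-journal"},
    "sre": {"cloud:prod-readonly", "vpn:ops-segment"},
    "intern": {"wiki:read"},
}


@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str
    active: bool


@dataclass(frozen=True)
class Action:
    kind: str    # "disable", "create", "grant" or "revoke"
    user: str
    detail: str


def reconcile(hr_feed, directory):
    """Compare the authoritative source with the directory and emit actions.

    hr_feed:   iterable of HrRecord (the authoritative source).
    directory: {user: set(entitlements)} for accounts currently enabled.
    Leavers and orphan accounts are disabled first, so a stale account never
    keeps its access while joiners and movers are processed.
    """
    actions = []
    hr_by_user = {rec.user: rec for rec in hr_feed}

    # Leavers (inactive in HR) and orphans (unknown to HR): disable, never just trim.
    for user in sorted(directory):
        rec = hr_by_user.get(user)
        if rec is None or not rec.active:
            actions.append(Action("disable", user, "not active in authoritative source"))

    # Joiners get an account; movers have entitlements adjusted to their new role.
    for rec in sorted(hr_by_user.values(), key=lambda r: r.user):
        if not rec.active:
            continue
        wanted = ROLE_ENTITLEMENTS.get(rec.role, set())
        if rec.user in directory:
            current = directory[rec.user]
        else:
            actions.append(Action("create", rec.user, rec.role))
            current = set()
        for ent in sorted(wanted - current):
            actions.append(Action("grant", rec.user, ent))
        for ent in sorted(current - wanted):   # access the new role does not need
            actions.append(Action("revoke", rec.user, ent))
    return actions


# Constructed sample data: bob moved from accounting to SRE and kept an old
# entitlement; carol left; dave joined; eve exists only in the directory.
SAMPLE_HR_FEED = [
    HrRecord("alice", "accountant", True),
    HrRecord("bob", "sre", True),
    HrRecord("carol", "intern", False),
    HrRecord("dave", "sre", True),
]
SAMPLE_DIRECTORY = {
    "alice": {"erp:read", "erp:post-journal"},
    "bob": {"erp:read", "cloud:prod-readonly", "vpn:ops-segment"},
    "carol": {"wiki:read"},
    "eve": {"vpn:ops-segment"},
}


def run_example():
    """Return the reconciliation actions for the constructed sample as tuples."""
    return [(a.kind, a.user, a.detail) for a in reconcile(SAMPLE_HR_FEED, SAMPLE_DIRECTORY)]


if __name__ == "__main__":
    for kind, user, detail in run_example():
        print(f"{kind:8} {user:6} {detail}")
```

Two design choices matter here. Disabling leavers and orphans is emitted before any grant, so an account the authoritative source no longer knows about is never left enabled while the rest of the run completes. And a mover is handled by computing the set difference in both directions, so the old role’s entitlements are revoked rather than accumulating, which is where privilege creep usually comes from.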

This is why we’re adding SOAR on top of this stack. We want to unlock the orchestration and automation possibilities to help your teams manage the general Zero Trust architecture and help them do one more step: remediate.

But also to do one more step: automated remediation
Besides orchestrating and automating the interception of Zero Trust violations, a SOAR also helps you remediate these breaches at machine speed. Even if your company has deployed micro-segmentation and continuous control over data resources, any breach that is not detected fast enough gives attackers time to move through your systems and cause harm.

Let’s go back to IAM. Automating it also enables your teams to define triggers that automatically launch machine responses to suspicious activities such as malicious or impossible-travel logins. Even for essential components of a Zero Trust Architecture, you can make a substantial difference by powering IAM or even Multifactor Authentication (MFA) orchestration and remediation with a SOAR.
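The trigger-plus-response pattern described here, and the continuous monitoring principle from the earlier section, can be shown end to end on login data: detect two logins of one user that imply a physically impossible speed, then hand the finding to a fixed, containment-first playbook. The script below is an added example for this page, not Mindflow’s code. The log format, IP addresses, coordinates, the 900 km/h threshold and the playbook steps are all assumptions; the log lines are constructed.

```python
"""Impossible-travel trigger with an automated response playbook.

Added example, not Mindflow's code. Log lines, IP addresses and coordinates
are constructed; the speed threshold and the playbook steps are assumptions.
"""
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0   # assumption: faster than an airliner means two different actors
MIN_DISTANCE_KM = 50.0      # assumption: ignore geo-IP jitter within one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse_login(line):
    """Constructed format: '<iso timestamp> <user> <source ip> <lat> <lon>'."""
    ts, user, ip, lat, lon = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "lat": float(lat), "lon": float(lon)}


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins of one user that imply an impossible speed."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])   # logs may arrive out of order
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < MIN_DISTANCE_KM:
                continue
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            # Same timestamp and far apart: treat as infinite speed, not a division error.
            kmh = math.inf if hours <= 0 else km / hours
            if kmh > max_kmh:
                findings.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                                 "km": km, "hours": hours, "kmh": kmh})
    return findings


def remediation_playbook(finding):
    """Actions a SOAR would run for one finding, ordered so containment comes first."""
    user = finding["user"]
    return [
        ("revoke_sessions", user),                    # cut the attacker's current access
        ("block_ip", finding["to_ip"]),               # the login that broke the speed limit
        ("require_mfa_reenrollment", user),           # re-establish user trust before re-entry
        ("open_ticket", f"impossible travel for {user}: "
                        f"{finding['km']:.0f} km in {finding['hours']:.2f} h"),
    ]


# Constructed login events: alice is in Paris and "in New York" 40 minutes later;
# bob goes London -> Paris in nine hours (lines deliberately out of order);
# carol moves a few streets within Paris.
SAMPLE_LOGINS = [
    "2024-03-01T08:00:00+00:00 alice 203.0.113.10 48.8566 2.3522",
    "2024-03-01T08:40:00+00:00 alice 198.51.100.7 40.7128 -74.0060",
    "2024-03-01T18:00:00+00:00 bob 192.0.2.9 48.8566 2.3522",
    "2024-03-01T09:00:00+00:00 bob 192.0.2.5 51.5074 -0.1278",
    "2024-03-01T10:00:00+00:00 carol 203.0.113.44 48.8566 2.3522",
    "2024-03-01T10:05:00+00:00 carol 203.0.113.45 48.8600 2.3400",
]


def run_example():
    """Return (findings, playbooks) for the constructed sample."""
    findings = find_impossible_travel([parse_login(line) for line in SAMPLE_LOGINS])
    return findings, [remediation_playbook(f) for f in findings]


if __name__ == "__main__":
    findings, playbooks = run_example()
    for finding, steps in zip(findings, playbooks):
        print(f"{finding['user']}: {finding['km']:.0f} km in {finding['hours']:.2f} h")
        for step in steps:
            print("  ", step)
```

Only alice is flagged: Paris to New York in forty minutes is several thousand km/h, while bob’s nine-hour London to Paris trip and carol’s move within Paris both stay under the threshold. The playbook revokes sessions before anything else, because every later step is pointless if the attacker keeps a live token; re-enrolling MFA is what rebuilds the user-trust layer before the account is allowed back in.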

Yes, there’s a need to combine Zero Trust with the SOAR’s more classical incident response function. Intercepting incidents is not enough; you need to be able to act on each of them. Also, by using a SOAR, you’re on the path to lower MTTD and MTTR, which reduces the criticality of a given breach, since the longer a breach goes undetected or unremediated, the more costs it induces.

Plus, as for detection and remediation, a SOAR helps your teams standardize and rapidly scale up workflows. This helps connect the technologies used to enforce Zero Trust across your company as it grows, and as new employees arrive and former ones leave. Have a look at our user lifecycle management use case, for instance.

Most of all, even when a Zero Trust Architecture is deployed, it eventually all comes down to humans. As long as humans are the weakest link in your company, you need to identify breaches fast and remediate them even faster.

Zero Trust architecture x SOAR

Paul-Arthur Jonville

CEO of Mindflow. I share our thoughts and vision about cybersecurity and how Mindflow can answer current issues on this blog.

About Mindflow

Mindflow is an agnostic and no-code SOAR making cybersecurity more accessible to face current challenges. It aims to break silos between technologies and teams, following Fusion center and Cybersecurity Mesh concepts.
