Zero Trust & Privileged Administrator Access
A common factor for many cyber incidents, has been the targeting and compromise of privileged users, such as Systems Administrators, and their devices. Hardly surprising as they represent the keys to the IT kingdom. The Zero Trust concept, with its emphasis on identity management and device health, provides the ideal model for organisations seeking to improve privileged access security, and can serve as a valuable and early win as part of broader Zero Trust adoption.
The key themes of NCSC’s recently published advice on protecting administrative systems may be summarised as: gain trust in your management devices; protect the interfaces to administrative systems using a tiered model where required; appropriately control privileged access to systems, and audit related activities.
The popularity and relevance of Zero Trust has grown in response to the disappearance of well-defined boundaries to corporate networks, as we become increasingly mobile, interconnected and cloud dependent. The Zero Trust approach advocates checking the identity and integrity of devices irrespective of location, and providing access to applications and services based on the confidence of device identity and device health in combination with user authentication. Zero Trust supporting technologies enable access to protected resources to be based on timely and context-relevant policies.
Controlling Privileged Access with ZT
Privileged Access Workstation (PAW) is the term used for a dedicated administrator endpoint. PAWs should ideally be locked-down to a known-good state, and only be used for administrative purposes. Health measurements as advocated within Zero Trust architectures can allow continued assurance that PAWs remain in a known good state, supporting access control polices to combine device and user authentication factors to enable management service access at the appropriate tier.
Towards Device Health Measurement
Many existing approaches to device health measurement lack the rigour of the cryptographically-based protocols used for User Identity Management. Software agents will typically do a ‘best efforts’ check of platform configuration. However, if an attacker compromises an endpoint and gains sufficient privileges, the software agent responsible for checking known system characteristics and patch-levels can be undermined.
While such agents have value in many environments, where organisations face elevated threats, such as to administrative systems, they will be better served by a device health measurement protocol that can validate the integrity of all executing firmware and software on the endpoint, with a cryptographic protocol tied to a hardware root of trust. The strength of such an approach is then based on the properties of cryptography, as with other protocols, providing confidence in the detection of attempted compromise that cannot be achieved by simple software agent inspection.
Modern general-purpose operating systems often include a level of system health measurement, but such mechanisms do not extend to much of the vulnerable software that executes, including third-party drivers and applications, leaving the endpoint reliant on weaker forms of defence such as application whitelisting, driver signing (without real PKI), and malware detection software. If an attacker can compromise an application, the compromised health of the system may go un-detected.
To address these limitations, NCSC initiated a research project, referred to as CloudClient that demonstrated how health measurements could be extended to include all firmware and software components. The project’s Measured Execution architecture cryptographically validates that all software executing on a powered-up device is authorised, and has not been tampered with. Integration with a device identity management server was achieved through the use of a standards-based Remote Attestation Protocol. Software resulting from the CloudClient project is deployed across critical national infrastructure systems today (Paradox), where there is a need to have high confidence of device health, in the face of constant and elevated threat.
Summary
Security controls for access to administrative and privileged systems should match the elevated threat that many such systems face. While standard user authentication, and agent-based endpoint security may be sufficient protection for many users within an organisation, such mechanisms fail to deter sustained and targeted attacks that higher value targets attract. The Privileged Access Workstation model, providing isolation with robust identity and health measurements as components of access control policy, allows organisations to significantly increase cyber resilience, reducing both the risk of compromise, as well as the ability to detect and recover. The Zero Trust principles provide a proven and workable model to achieve this.
About Becrypt
Becrypt is UK supplier of cyber security software and services. We supply governments and security-conscious commercial organisations, large and small, with a range of security solutions and services – from mobile and endpoint to cloud; from funded research, to commercially available products and managed services. Becrypt have worked with UK Government and platform vendors to pioneer and deploy device health identity management products and services.
Dan Patefield
Dan Patefield
Dan leads the techUK Cyber Security programme, having originally joined techUK in August 2017 as a Programme Manager working across the Cyber and Defence programmes. He is responsible for managing techUK's work across the cyber security eco-system, bringing industry together with key stakeholders across the public and private sectors. Dan also provides the industry secretariat for the Cyber Growth Partnership, the industry and Governmnet conduit for supporting growth across the sector. A key focus of his work is to strengthen the public-private partnership across cyber security to support further development of UK cyber security policy.
Before joining techUK he worked as Forum Lead for the Westminster eForum. In this role he had a focus on the technology and telecoms space, on issues ranging from Broadband and Mobile Infrastructure, the Internet of Things, Cyber Security, Data and diversity in tech. Dan has a BA in History from the University of Liverpool.
- Email:
- [email protected]
- Phone:
- 020 7331 2165
Jill Broom
Jill Broom
Jill is techUK’s Programme Manager for Cyber Security, working across the cyber eco-system to bring industry together with key stakeholders across the public and private sectors.
Prior to focusing in on techUK's cyber security work, Jill was also part of techUK's Central Government programme team, representing the supplier community of technology products and services to Whitehall departments.
Before joining techUK, Jill worked as a Senior Caseworker for an MP, advocating for local communities, businesses and individuals, so she is particularly committed to techUK’s vision of harnessing the power of technology to improve people’s lives. Jill is also an experienced editorial professional and has delivered copyediting and writing services for public-body and SME clients as well as publishers.
- Email:
- [email protected]
- Twitter:
- @honeybroom
- Website:
- www.techuk.org
- LinkedIn:
- https://www.linkedin.com/in/jill-broom-19aa824
Annie Collings
Annie Collings
Annie joined techUK as the Programme Manager for Cyber Security and Central Government in September 2023.
Prior to joining techUK, Annie worked as an Account Manager at PLMR Healthcomms, a specialist healthcare agency providing public affairs support to a wide range of medical technology clients. Annie also spent time as an Intern in an MPs constituency office and as an Intern at the Association of Independent Professionals and the Self-Employed.
Annie graduated from Nottingham Trent University, where she was an active member of the lacrosse society.
- Email:
- [email protected]
- Twitter:
- anniecollings24
- LinkedIn:
- https://www.linkedin.com/in/annie-collings-270150158/
