Zero Trust & Privileged Administrator Access
A common factor in many cyber incidents has been the targeting and compromise of privileged users, such as systems administrators, and their devices. This is hardly surprising, as such accounts represent the keys to the IT kingdom. The Zero Trust concept, with its emphasis on identity management and device health, provides an ideal model for organisations seeking to improve privileged access security, and can serve as a valuable early win in broader Zero Trust adoption.
The key themes of the NCSC’s recently published advice on protecting administrative systems may be summarised as: gain trust in your management devices; protect the interfaces to administrative systems, using a tiered model where required; appropriately control privileged access to systems; and audit the related activity.
The popularity and relevance of Zero Trust has grown in response to the disappearance of well-defined corporate network boundaries, as organisations become increasingly mobile, interconnected and cloud dependent. The Zero Trust approach advocates checking the identity and integrity of devices irrespective of their location, and granting access to applications and services based on confidence in device identity and device health combined with user authentication. Supporting technologies allow access to protected resources to be governed by timely, context-relevant policies rather than by network position.
Controlling Privileged Access with ZT
Privileged Access Workstation (PAW) is the term used for a dedicated administrator endpoint. A PAW should be locked down to a known-good state and used only for administrative purposes. The health measurements advocated within Zero Trust architectures provide continued assurance that a PAW remains in that known-good state, allowing access control policies to combine device and user authentication factors before granting access to management services at the appropriate tier.
Towards Device Health Measurement
Many existing approaches to device health measurement lack the rigour of the cryptographic protocols used for user identity management. Software agents typically perform a ‘best efforts’ check of platform configuration, reporting known system characteristics and patch levels. However, if an attacker compromises the endpoint and gains sufficient privileges, the agent itself can be undermined: it runs as ordinary software on the very platform it is meant to assess, so a compromised platform can simply report itself as healthy.
While such agents have value in many environments, organisations facing elevated threats, for example to administrative systems, are better served by a device health measurement protocol that validates the integrity of all firmware and software executing on the endpoint, using a cryptographic protocol tied to a hardware root of trust. The strength of such an approach rests on the properties of the cryptography, as with other security protocols, and gives confidence in the detection of attempted compromise that simple software agent inspection cannot achieve.
Modern general-purpose operating systems often include a degree of system health measurement, but such mechanisms do not extend to much of the vulnerable software that executes, including third-party drivers and applications. The endpoint is then reliant on weaker forms of defence such as application whitelisting, driver signing (without a proper PKI behind it) and malware detection software. If an attacker compromises an application or driver that is outside the measured set, the compromised health of the system may go undetected.
To address these limitations, the NCSC initiated a research project, referred to as CloudClient, that demonstrated how health measurements could be extended to cover all firmware and software components. The project’s Measured Execution architecture cryptographically validates that all software executing on a powered-up device is authorised and has not been tampered with. Integration with a device identity management server was achieved through a standards-based remote attestation protocol. Software resulting from the CloudClient project, Paradox, is deployed across critical national infrastructure systems today, where there is a need for high confidence in device health in the face of constant and elevated threat.
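The following is an added illustration of the difference between an agent's self-report and a hardware-rooted attestation, as discussed in the two preceding paragraphs. It is example code written for this page, not code from the NCSC CloudClient project, Paradox, or Becrypt. It simulates a measured-boot chain (each component is hashed into a PCR-style register before it runs), a TPM-like quote that signs the register value together with a verifier-supplied nonce, and the server-side verifier that replays the event log and checks it against a golden policy. The component images, the per-device attestation key and the shared-secret HMAC standing in for the TPM's attestation key are all constructed assumptions; a real deployment uses TPM2_Quote with an asymmetric Attestation Key certified by the chip's Endorsement Key.

```python
"""Toy remote attestation: measured-boot chain, hardware-bound quote, verifier policy.

Added example, not code from CloudClient or Paradox. A real TPM extends PCRs from
firmware onwards, signs them (plus a nonce) with an Attestation Key that never leaves the
chip, and the verifier replays the event log against known-good digests. The TPM is
simulated here with HMAC over a secret the 'hardware' and verifier share (assumption).
"""
import hashlib
import hmac
import os

PCR_INIT = bytes(32)  # PCRs start at zero on reset and can only be extended, not written


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    # TPM extend: PCR_new = H(PCR_old || measurement). Order-sensitive and one-way, so
    # software cannot roll the register back to a 'clean' value after a bad component ran.
    return sha256(pcr + measurement)


# Constructed stand-ins for firmware and software images (not real binaries).
KNOWN_GOOD_COMPONENTS = [
    ("uefi", b"uefi-fw-1.4"),
    ("bootloader", b"shim+grub"),
    ("kernel", b"linux-6.1-signed"),
    ("nic_driver", b"vendor-nic-driver-2.0"),
    ("admin_tools", b"ssh-client+kubectl"),
]

AK_SECRET = b"per-device attestation key, assumed provisioned at enrolment"


class MeasuredDevice:
    """Simulated endpoint: every component is measured into the PCR before it executes."""

    def __init__(self, ak_secret: bytes, components):
        self.ak_secret = ak_secret
        self.pcr = PCR_INIT
        self.event_log = []
        for name, image in components:
            digest = sha256(image)
            self.event_log.append((name, digest))
            self.pcr = pcr_extend(self.pcr, digest)

    def quote(self, nonce: bytes) -> dict:
        # Like TPM2_Quote, the 'hardware' only ever signs its *current* PCR value bound to
        # the verifier's fresh nonce; compromised software cannot make it sign a forged PCR.
        sig = hmac.new(self.ak_secret, nonce + self.pcr, hashlib.sha256).digest()
        return {"nonce": nonce, "pcr": self.pcr, "log": list(self.event_log), "sig": sig}


class AttestationVerifier:
    """Device identity/health server: issues nonces and checks quotes against a golden policy."""

    def __init__(self, ak_secret: bytes, golden_components):
        self.ak_secret = ak_secret
        self.golden = {name: sha256(image) for name, image in golden_components}
        self.outstanding = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, q: dict):
        if q["nonce"] not in self.outstanding:
            return False, "stale or unknown nonce (replayed quote)"
        self.outstanding.discard(q["nonce"])
        expected = hmac.new(self.ak_secret, q["nonce"] + q["pcr"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, q["sig"]):
            return False, "quote signature invalid"
        # Replay the event log and confirm it reproduces the signed register value.
        pcr = PCR_INIT
        for _, digest in q["log"]:
            pcr = pcr_extend(pcr, digest)
        if pcr != q["pcr"]:
            return False, "event log does not match signed PCR"
        # Every executed component must be on the authorised list with an unchanged digest.
        for name, digest in q["log"]:
            if self.golden.get(name) != digest:
                return False, f"unauthorised or modified component: {name}"
        return True, "healthy"


def attest(device: MeasuredDevice, verifier: AttestationVerifier):
    return verifier.verify(device.quote(verifier.challenge()))


def demo() -> dict:
    """Four scenarios: known-good PAW, tampered driver, replayed quote, forged quote."""
    verifier = AttestationVerifier(AK_SECRET, KNOWN_GOOD_COMPONENTS)
    good = MeasuredDevice(AK_SECRET, KNOWN_GOOD_COMPONENTS)
    tampered_set = [(n, b"vendor-nic-driver-2.0-backdoored" if n == "nic_driver" else img)
                    for n, img in KNOWN_GOOD_COMPONENTS]
    tampered = MeasuredDevice(AK_SECRET, tampered_set)

    results = {"good": attest(good, verifier), "tampered": attest(tampered, verifier)}

    # Replay: an attacker presents a captured healthy quote a second time.
    captured = good.quote(verifier.challenge())
    verifier.verify(captured)                       # first use succeeds and consumes the nonce
    results["replay"] = verifier.verify(captured)   # second use is rejected

    # Forgery: software on a compromised device copies the good PCR and log but has no AK.
    nonce = verifier.challenge()
    forged = {"nonce": nonce, "pcr": good.pcr, "log": list(good.event_log),
              "sig": hmac.new(b"not the AK", nonce + good.pcr, hashlib.sha256).digest()}
    results["forged"] = verifier.verify(forged)
    return results


if __name__ == "__main__":
    for scenario, (ok, reason) in demo().items():
        print(f"{scenario:9s} -> {'PASS' if ok else 'FAIL'}: {reason}")
```

The contrast with an agent-based check is that the agent's report is data produced by software on the device, whereas here the only thing the device can present is a signature the hardware makes over what actually executed; the tampered driver is caught because the register cannot be rewound, the replay is caught by the nonce, and the forgery is caught because the attestation key is not available to software. An access policy for a PAW would gate the management tier on `verify` returning healthy in addition to the administrator's own authentication.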
Security controls for access to administrative and privileged systems should match the elevated threat that many such systems face. While standard user authentication and agent-based endpoint security may be sufficient protection for many users within an organisation, such mechanisms fail to deter the sustained and targeted attacks that higher-value targets attract. The Privileged Access Workstation model, providing isolation together with robust identity and health measurement as components of access control policy, allows organisations to significantly increase cyber resilience: it reduces the risk of compromise and improves the ability to detect and recover. Zero Trust principles provide a proven and workable model to achieve this.
Becrypt is a UK supplier of cyber security software and services. We supply governments and security-conscious commercial organisations, large and small, with a range of security solutions and services, from mobile and endpoint to cloud, and from funded research to commercially available products and managed services. Becrypt have worked with UK Government and platform vendors to pioneer and deploy device health and identity management products and services.