Is SSO a violation of Zero Trust?

Tyler Wall
4 min readJan 21, 2024

I was browsing the Kindle Unlimited marketplace tonight looking for a gem of a self-published book that could become my next course. I approach authors with great books and see if they want to turn them into a course. I have a small production team that builds courses, and at no cost or work to them the authors can make a few more bucks and reach a much larger audience. So I was browsing and I pigeonholed into Zero Trust. A Zero Trust NOW! book would fit my catalog, but all of the books I found so far were about implementing Zero Trust programs and not at the higher level of the history, theory, architecture and examples of Zero Trust.

I don’t believe there is a big market for CISOs searching Udemy wanting to start their Zero Trust journey. But I did read through a few books, and there was one good one, and it didn’t take me long to fall down the rabbit hole. I had a question! And I couldn’t find the author to ask him. One of my favorite things to do is chat up the authors of books I’m reading. The man’s name is Raj Badhwar and he wrote The CISO Guide to Zero Trust Security.

He writes:

The basic tenets of Zero Trust can be broken down in these areas:

No IT asset or user can be trusted

This means that irrespective of the residency of the IT asset (i.e., on the intranet or internet) or whether the user is internal or external to the organization — in other words, whether these entities are within or outside the corporate firewall — they are not to be trusted. Thus, all IT assets and users must be authenticated and authorized before they are given any entitlement or access to perform a task.

All network traffic must be encrypted

This means that all network traffic in transit, whether it is on the internal network (intranet) or public facing external (internet), must be encrypted. In a nutshell, Zero Trust calls for end-to-end encryption of all network traffic, with no exceptions whatsoever. In addition to the encryption capability, the capability must also exist to perform TLS interception (i.e., decryption) and packet level inspection for all traffic on the network edge. This paradigm has been further enhanced to also mandate encryption of all (structured and unstructured) data at rest.

Least privileged access

This means that all user entitlement and access must be provisioned using the principle of least privilege (POLP), i.e., the least amount of privilege required for the users to successfully do their job or perform the required task. Also, all user and device access must be continuously assessed and reassessed, with any overprovisioned or stale access removed proactively. The network and application access of any terminated user must be immediately removed.

Dynamic IT asset inventory

This means that all IT and network assets must be recorded within the corporate configuration management database (CMDB). This must include all users, applications, systems, and devices, with the capability to create a dynamic state of the total asset inventory on a given network or ecosystem at any given time.

All user actions must be authenticated and authorized

This means that before a user is allowed to gain access or log in to an internal or external system or application, they must be subjected to multi-factor authentication (MFA) using a strong authenticator, irrespective of the residency of the application (i.e., whether the application is hosted on the intranet or internet) or whether the user is entitled to privileged or administrative access.

There is an issue with that last one. One of the purposes of SSO is that you only need to authenticate once. I only get prompted for MFA once, and then I can log into many applications.

So I read later in his book that, to comply with Zero Trust models, SSO assertions must be digitally signed. Which means that you provide MFA once to Okta, Microsoft Entra SSO, etc., and it’s OK for Zero Trust models if the Identity Provider then vouches for you to the application with a message signed using the IdP’s private key, telling the application that you’re cool. The application does not trust the session; it trusts the signature, which it can verify with the IdP’s public key.
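As an added illustration of what that signed assertion buys the application (this is example code, not from the post or from Badhwar’s book): a hypothetical IdP signs a constructed assertion with its Ed25519 private key after the single MFA prompt, and the application verifies the signature with the IdP’s public key before it believes anything in the assertion, then still checks audience, expiry and an assumed `mfa` claim. The key pair, the claim names and the application name are all constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Assertion is a constructed stand-in for a SAML assertion or OIDC ID token.
type Assertion struct {
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	MFA      bool   `json:"mfa"` // hypothetical flag; real tokens carry e.g. an "amr" claim
	Expires  int64  `json:"exp"`
}

// Sign is the IdP's side: after the single MFA prompt it signs the assertion with its private key.
func Sign(priv ed25519.PrivateKey, a Assertion) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(a); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// Verify is the application's side: trust the payload only after the signature checks, then check claims.
func Verify(pub ed25519.PublicKey, payload, sig []byte, wantAud string, now time.Time) (*Assertion, error) {
	if !ed25519.Verify(pub, payload, sig) {
		return nil, fmt.Errorf("signature invalid: the IdP did not vouch for this assertion")
	}
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return nil, err
	}
	switch {
	case a.Audience != wantAud:
		return nil, fmt.Errorf("assertion issued for %q, not for this application", a.Audience)
	case now.Unix() >= a.Expires:
		return nil, fmt.Errorf("assertion expired")
	case !a.MFA:
		return nil, fmt.Errorf("IdP did not attest that MFA was performed")
	}
	return &a, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the IdP's key pair, generated here for the demo
	payload, sig, _ := Sign(priv, Assertion{"alice", "payroll-app", true, time.Now().Add(5 * time.Minute).Unix()})
	fmt.Println(Verify(pub, payload, sig, "payroll-app", time.Now()))
}
```

A tampered payload, a token minted for another application, an expired token, or a session the IdP did not protect with MFA are all rejected by Verify, which is the property that lets one MFA prompt satisfy the "every access is authenticated" tenet.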

I just wanted to share this.


Tyler Wall is the founder of Cyber NOW Education. He holds a Master of Science from Purdue University, and also CISSP, CCSK, CFSR, CEH, Sec+, Net+, A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, four online courses, and regularly holds webinars for new cybersecurity talent.

You can connect with him on LinkedIn.

Get 20% off all courses in our On-Demand catalog with coupon code “Welcome20”

Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several hands-on fun labs in Microsoft Azure, leaving you with the know-how to create a gig in Fiverr or Upwork to start your cybersecurity freelancing.

Also available in the Secure Style Store, download the Job Hunting Application Tracker for FREE to keep track of all your job applications.

Check out my latest book Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success published June 1st, 2024 and winner of the 2024 Cybersecurity Excellence Awards.
