Zero-Trust endpoint security 🔐
A guide to implementing zero-trust login security in 2022
Data breaches
The risk of a data breach is something that every business owner fears.
Stolen or hacked user credentials are easily the biggest threat to your company's information assets and one you can't afford to ignore!
Implementing zero-trust login security in your corporate environment can sometimes seem like an uphill battle. Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. At the same time, the friction introduced by changes to login security can cause significant user dissatisfaction.
But it needn't be this way.
In this article, which is essentially a case study, we'll describe how we helped one of our clients almost entirely eliminate the threat of breached credentials while increasing user satisfaction.
The entire solution took less than 2 months to implement, test and roll out. From a user's point of view, the solution is essentially self-documenting. Very little formal communication with users was required, so there was very little disruption.
What is Zero-Trust security?
Trust is a funny thing. In some areas of our lives, we’re incredibly trusting. We let strangers drive us around in cars, we fly in planes operated by people we’ve never met, and we share our most intimate thoughts with therapists we may have only just met. But in other areas of our lives, we are much less trusting. We lock our doors at night, we don’t give out our passwords, and we are careful about who we let into our personal space.
So what is zero-trust security? In a nutshell, it’s a security model that assumes that everyone is untrustworthy until they have proven themselves otherwise. Instead of trusting that people inside the network are safe, or that people outside the network are dangerous, all users are treated the same. This means that everyone must authenticate and authorise themselves and their device before they can access any resources.
While this may sound like a lot of work, it can actually simplify security in many ways. By treating all users the same, you no longer have to worry about insider threats or differentiated access levels. And because authentication is required for every action, it becomes much harder for attackers to move laterally within the network.
The IT landscape
We are focused on Windows 10 and mobile endpoints (laptops and mobile phones), since these are the most prevalent operating systems and devices in corporate environments. However, the same model can be applied for increased security across most other platforms and applications.
It also, of course, applies just as well to desktop devices as to laptops.
In this case, the client was using a combination of commonly used business devices and applications:
- Windows 10
- Google Chrome & Microsoft Edge browsers
- Microsoft 365 (office suite)
- Google Workspace (GSuite)
- Android and iPhone devices
The approach we took to secure the whole IT environment used 5 key elements of modern authentication:
Single sign-on (SSO)
SSO allows users to access multiple business systems using a single login, reducing the burden of setting up and remembering multiple sets of credentials.
Multi-factor authentication (MFA/2FA)
MFA requires users to have access to multiple sources (factors) before successfully logging in. This significantly reduces the risk associated with a single factor like a password.
Biometric login
Biometric login uses physical characteristics such as fingerprints, facial recognition and iris scans to identify users. It reduces the number of times a user is required to enter their password and allows users to sign in much faster.
Passwordless login
As the name suggests, passwordless login allows users to access their accounts without needing to enter a password. Users get a push notification to their mobile device and verify identity with biometrics or a PIN.
Conditional access
Conditional access uses behavioural characteristics such as geolocation, device verification & MFA to grant or deny access to company resources.
Combining these 5 technologies enabled us to increase security across the board while reducing reliance on passwords, leading to increased user satisfaction.
Here's how we did it.
To simplify the solution we used a combination of technologies that are already available in many corporate Windows environments.
MFA is known to be one of the most effective mechanisms to secure login.
- Phishing attacks *: 86%, up from 72% (an increase of 14%)
- Rate of compromise of accounts using MFA **
So this is the sensible place to start. Whilst it's common to use security questions or security codes delivered by email, SMS or mobile apps, these all involve compromises, ranging from decreased security to lower user satisfaction. Our client needed a solution that was secure and simple to use, so we decided to use passwordless MFA.
We had previously implemented a Mobile Device Management (MDM) solution as part of the client IT setup. MDM enables us to monitor and configure mobile and Windows devices. A key element of the MDM solution was the ability to push apps to users' devices, which is how we used it in this case. However, MDM certainly isn't a prerequisite to implementing MFA.
We would always recommend the use of password managers to increase password security. However, many clients don't want to roll out a dedicated password manager app. There can be a relatively steep learning curve and they are also not always 100% reliable, which can cause challenges, especially among less technically-minded users. Microsoft Authenticator is primarily used for MFA but has seen some really useful developments over the last 12 months enabling it to also be used as a password manager. Whilst this functionality isn't as fully featured as many off-the-shelf solutions, it more than compensates in simplicity, avoiding the additional friction of using multiple applications.
The second element to put in place was SSO. As mentioned, single sign-on centralises login to multiple systems. We wanted users to be able to access multiple systems using the same authentication system.
The mechanism we used to link login to Google Workspace with the Windows login involved linking Azure Active Directory to Google Workspace using SAML. This had other significant benefits. The first was that it allowed automatic provisioning/de-provisioning of users. The second benefit was centralising user setup for both Azure AD and Google Workspace within Azure AD. Finally, it allowed granting only particular users access to Google Workspace.
It's worth mentioning that this doesn't only apply to Google Workspace; there are thousands of other SSO integrations enabled using SAML SSO.
Also, if you haven't yet migrated your user directory to the cloud and your Active Directory is currently on-premises, you can still use SSO via Azure Active Directory Domain Services (Azure AD DS) to link your on-premises AD implementation to the cloud. This provides you with the same integration options as Azure AD.
We intended to use biometrics for authentication on both Windows laptops and (Android and iPhone) mobile devices when logging into and verifying identity in the Microsoft Authenticator app.
On laptops, we used Windows Hello for Business, which uses PINs or biometrics such as facial recognition depending on user preference. Fingerprint recognition could just as easily be used if corporate devices have fingerprint readers, as many do these days.
This means that users can (if they choose) unlock their laptops just by looking at them - a significant improvement over having to remember a password.
It was really important in this case to cause as little disruption to users as possible. Passwordless login not only offset the risk of a data breach by removing the need for users to enter a password; it also allowed us to provide a more convenient login experience.
As well as all the other security features described above, conditional access adds yet another layer of security to authentication and authorisation flows. Conditional access rules can be tweaked to meet the needs of a particular organisation.
In this case, we used conditional access with the following rules:
Mandating MFA for all users
All users must go through the MFA process when they log on to use any of the corporate applications. This doesn't mean users are challenged every time they want to use an app; they are only challenged when appropriate, for instance when a particular risk is detected, as described in the next rule.
Security risk-based access
The risk-based access policy tracks user behaviour and can either block access or require MFA when a login is detected that falls outside of normal usage patterns. This can be very useful if your users' usage patterns are usually relatively predictable. For example, if they don't do a lot of international travel (obviously pretty common these days), or if they don't commonly use anonymous or malicious IP addresses.
Require compliant devices
Our client's mobile devices (laptops, desktops and phones) are set up to use mobile device management (MDM), which validates that devices are in compliance with various security rules and settings.
If access isn't from a compliant device it won't be granted.
Block legacy authentication
Some legacy authentication mechanisms are considered insecure or less secure than they should be.
This rule restricts access to only those mechanisms that are considered secure.
Other conditional access policies
As mentioned, conditional access policies can be tweaked according to your organisation's preference and risk profile. Microsoft has recently released a bunch of templates to make this process even simpler.
It's also possible to use any of these policies in the report-only mode which allows you to track how they'd affect user authentication before implementing them.
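The four rules above, expressed as Microsoft Graph conditionalAccessPolicy request bodies in report-only mode, with a small pre-flight lint that a reviewer would run before creating or enforcing them. This is an added example, not code from the original article or the client's tenant; the policy names and the lint rules are assumptions of this example.

```python
REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph 'state' value for report-only
LEGACY_CLIENTS = ["exchangeActiveSync", "other"]   # clientAppTypes used by legacy auth


def policy(name, conditions, grant):
    """Build one Graph-shaped policy covering all cloud apps and all users.

    `conditions` overrides or extends the default conditions block; `grant`
    lists builtInControls such as "mfa", "compliantDevice" or "block".
    """
    cond = {
        "applications": {"includeApplications": ["All"]},
        "users": {"includeUsers": ["All"]},
        "clientAppTypes": ["all"],
    }
    cond.update(conditions)
    return {
        "displayName": name,
        "state": REPORT_ONLY,  # start every policy in report-only mode
        "conditions": cond,
        "grantControls": {"operator": "OR", "builtInControls": grant},
    }


# The four rules from the case study as POST bodies for
# /identity/conditionalAccess/policies (display names are constructed here).
POLICIES = [
    policy("Mandate MFA for all users", {}, ["mfa"]),
    policy("Risk-based access", {"signInRiskLevels": ["high", "medium"]}, ["mfa"]),
    policy("Require compliant devices", {}, ["compliantDevice"]),
    policy("Block legacy authentication", {"clientAppTypes": LEGACY_CLIENTS}, ["block"]),
]


def lint(policies):
    """Pre-flight checks (assumed rules) before policies are created or enforced."""
    issues = []
    for p in policies:
        name, grant = p["displayName"], p["grantControls"]["builtInControls"]
        if p["state"] != REPORT_ONLY:
            issues.append(f"{name}: should be rolled out in report-only mode first")
        if "block" in grant and p["conditions"]["clientAppTypes"] == ["all"]:
            issues.append(f"{name}: a block grant scoped to all client app types locks everyone out")
    return issues


if __name__ == "__main__":
    for problem in lint(POLICIES):
        print("WARNING:", problem)
    print("checked", len(POLICIES), "policies")
```

Once the sign-in logs show the expected impact, the same bodies are re-submitted with `state` set to `enabled`.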
Finally, we pushed a Chrome (and Edge) extension (via MDM), which allows users to access 3rd party cloud applications based on their Windows login.
In this case, it means users can access Google Workspace (or any SSO application) without needing to input their credentials or re-authorise.
- Windows 10 Accounts – Chrome/Edge extension
There are plenty of 3rd party software vendors that offer similar setups, but in this case we started from the point of the OS (Windows 10) and chose to leverage the power of Microsoft's infrastructure rather than incur the cost and complexity of multiple 3rd party solutions to achieve a similar result.
This entire setup involved no extra costs for the client and significantly increased their security while simultaneously improving users' login experience.