March 15, 2019

How to Achieve a Zero Trust Architecture

Trust is a precious commodity for businesses. Without trust, it can be hard for a company to close deals or even to get their proverbial foot in the door with clients and customers. However, there’s another group that thrives on trust—one that will seek to leverage the smallest amount of access to steal a company’s most sensitive data or cause the company harm: cybercriminals.

Criminals will try to leverage trusted systems on a business’ network to carry out attacks without being detected—taking sensitive data and sending it to external servers, or downloading malware that can be used to take over network nodes. The most effective way to counter the abuse of a trusted system or resource on a network is to use a “zero trust architecture” that never gives access to other devices and systems on the network without verification.

How can your business achieve a zero trust architecture? There are a few key requirements for building a network that employs zero trust to the fullest:

Creating Strong Network Segmentation

One of the key principles of a zero trust framework is that it should restrict lateral movement in the network as much as possible. In a normal, trust-based cybersecurity architecture, the defenses of the network are focused on the perimeter, with few — if any — security measures to keep those already in the network from moving from one asset to another.

Creating strong network segmentation using internal firewalls and other access restriction methods helps to create a zero trust architecture that keeps attackers from being able to freely move from one database or resource to the next.

Gaining Visibility into All Network Traffic

Another key aspect of a zero trust architecture is that it monitors all traffic on the network—logging the origin points and destinations of every request made. However, gaining this visibility is often easier said than done.

A couple of cybersecurity tools that can help establish more granular visibility into a network are:

  1. Next-gen firewalls that inspect data packets for their contents as well as their origin/destination information.

  2. Security information and event management (SIEM) systems that log activity on the network for later analysis.

These tools help to identify traffic on the network and trace it back to its point of origin—increasing traceability and security for your network.

Enforcing Multifactor Authentication

Many attackers attempt to use stolen account credentials to illicitly access business networks and the sensitive data contained therein. There are two relatively simple ways to apply a zero trust strategy that counters these credential-based attacks:

  1. Use a Policy of Least Privilege for User Accounts. A policy of least privilege (POLP) is a cybersecurity strategy where network administrators restrict each user’s level of access to the bare minimum needed to complete their basic job function. This way, if a user’s account credentials are stolen (or the user chooses to abuse their privileges), the damage is minimized since that user is locked out of any system they didn’t need for their own work.

  2. Use Multifactor Authentication for All Users on the Network. Multifactor authentication combines several identity verification strategies to ensure that unauthorized users cannot access network resources. By combining something the user knows (such as a password), something the user is (biometrics), and/or something the user has (such as a USB authentication key), it becomes much harder for malicious actors to hijack user accounts.

The first of these strategies helps prevent internal attacks from doing damage while the second prevents outside attackers from being able to hijack employee accounts. Remember, a zero trust architecture means that no one is to be trusted—everything must be verified.

Can Kandji for macOS Help You Achieve a Zero Trust Architecture

Kandji can help provide security for Macs and enforce some key security measures needed for a zero trust architecture. For example, with Kandji, you can:

  1. Disable Root Users on Macs. The “root user” is a superuser account that has access privileges that allow for unlimited freedom of action on a macOS device. Disabling root users can greatly enhance security for Macs.

  2. Disable the Ability to Log into Another User’s Active Session. Devices running macOS have a privilege setting that allows any user to unlock someone else’s active session—potentially letting them view sensitive or personal information.

  3. Enforce OCSP and CRL Certificate Checks. Not even certificates should be
    automatically trusted—not until their trust chain has been verified. Using this setting helps ensure a strong, zero trust approach to certificate verification.

  4. Enable Firewalls and Stealth Mode. Kandji provides the ability to enforce the use of per-device firewalls to increase each Mac’s security and enforce network segmentation. Enabling “stealth mode” makes macOS devices unresponsive to unsolicited probes—dropping that traffic automatically. This is a must for a zero trust architecture.

  5. Enable the “Gatekeeper” Whitelisting Control. Gatekeeper is Apple’s application whitelisting solution that keeps downloaded applications from launching if they come from an unverified source. This helps prevent accidentally-loaded malware programs from launching.

These are just a handful of the macOS security controls that are included in Kandji. By leveraging these and other security for Mac settings, you can implement a zero trust architecture that protects your business from attack.

Curious about Kandji? Try it out for free on up to 10 Macs today!

New call-to-action 

Subscribe to the Kandji Blog

kandji badge

Secure Your macOS
Fleet Today

Sign up quickly and easily using your Gmail or Microsoft Office 365 business account or a verifiable business email address.