Like many security professionals who have been in the industry for a while, my interactions with zero-trust style computing started long before it was called “zero-trust”. Back in 2004 we published a research paper regarding our work on making smart cards autonomous peers on the mainstream computer network. This paper (“Secure Network Card: Implementation of a Standard Network Stack in a Smart Card”, ISBN 978-1-4020-8147-7) enabled end-to-end secure communication between applications running on a smart card and any remote server on the Internet. One reason we developed this model of communication was to remove the “stitching point” inside the PC the smart card was connected to. Why? Because we did not trust the computer. The goal was to allow the smart card to talk to a remote server without anyone else listening to the communication, not even the PC that belonged to the user. Several applications were developed using this model.
The current zero-trust model focuses on the same principle of trusting no one, but also adds frequent checks at the point of data or application access. These checks are repeated at each interaction, or as often as the business model defines.
On this theme, we (Thales) recently worked with Ping and BeyondTrust to demonstrate a zero-trust integration, which was presented at the IDSA master-sessions in Identiverse 2018. The title was “Delegation of access management and trust elevation for privileged access”.
- Thales (Access Management, 2FA)
- Ping (Single Sign-On)
- BeyondTrust (Privileged Access Management)
Details regarding this zero-trust integration are as follows:
PingFederate provides single sign-on (SSO) capability so users can log in to service providers (SPs), and it has a well-defined method to delegate two-factor authentication (2FA) to third parties. This 2FA delegation is done through adapters, integration kits, or simple configuration from the admin console.
Thales has two products. SafeNet Authentication Service (SAS) supports a wide range of 2FA options (such as hardware OTP tokens, GrIDSure, mobile OTP, push OTP, SMS, etc.), while the SafeNet Trusted Access (STA) product provides SSO and access management (AM) capabilities.
BeyondTrust provides a privileged access management (PAM) solution through the PowerBroker platform, which can control admin/root access on Windows and Linux servers.
All these products use open standards (e.g. SAML, OIDC, RADIUS, etc.) and can therefore interface with other third-party products. In this demo/integration we demonstrate the following capabilities. Connection to SPs and SSO is handled by PingFederate, PAM is handled by BeyondTrust, while AM and 2FA are handled by Thales via STA and SAS respectively. This integration demonstrates how different components from different IDSA member companies can work together to offer an SSO→AM→2FA→PAM chain of service to customers.
Scenario 1: A user goes to a service provider (e.g. Salesforce) which relies on Ping for SSO. Behind the scenes, AM and 2FA are provided by Thales. Conversely, service providers that rely on Thales can now instead point to Ping for SSO, while still maintaining AM and 2FA services from Thales. Additional permutations are possible, but they are outside the scope of this integration.
Scenario 2: An admin goes to a BeyondTrust app to start a VM image. The initial authorization to launch the VM image is done by using PingFederate for SSO, STA (Thales) for AM, and SAS (Thales) for 2FA. The admin then issues an elevated command within the VM console that requires additional privilege or re-authentication. The BeyondTrust command shell intercepts the elevation condition and sends a 2FA request to Thales to perform step-up authentication. Once step-up authentication is done (e.g. by sending a push notification to the admin’s phone), the privileged command is executed.
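To make the control flow of Scenario 2 concrete, here is an added toy model of the SSO→AM→2FA→PAM chain. It is example code written for this post, not code from Thales, Ping or BeyondTrust, and it does not speak SAML, OIDC or RADIUS: the identity provider, access-policy and push-notification steps are simulated by booleans and a callback. The privileged-command prefixes, the 60-second freshness window for a step-up result, and the function names are all assumptions. What the model shows is the ordering of the checks, that a PAM shell only honours a step-up that happened recently, and that a missing or failed step-up denies the command rather than falling back to the initial login.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Assumed policy values for this illustration (not product defaults).
STEP_UP_MAX_AGE_S = 60.0  # a step-up 2FA result is reused only within this window
PRIVILEGED_PREFIXES = ("sudo ", "systemctl ", "useradd ", "passwd ")


@dataclass
class Session:
    """State the PAM shell keeps for one admin session (simulated)."""
    user: str
    sso_ok: bool = False                # SSO step (PingFederate role) succeeded
    am_ok: bool = False                 # access-management policy (STA role) allowed the app
    mfa_at: Optional[float] = None      # time of the initial 2FA (SAS role), None if not done
    step_up_at: Optional[float] = None  # time of the last successful step-up 2FA
    audit: List[Tuple] = field(default_factory=list)


def initial_access(session: Session, sso_ok: bool, am_ok: bool, mfa_ok: bool, now: float) -> bool:
    """First half of Scenario 2: SSO, then AM policy, then 2FA, each gating the next.
    Returns True when the admin may open the VM console."""
    session.sso_ok = sso_ok
    if not sso_ok:
        session.audit.append(("deny", "console", "sso"))
        return False
    session.am_ok = am_ok
    if not am_ok:
        session.audit.append(("deny", "console", "am"))
        return False
    if not mfa_ok:
        session.audit.append(("deny", "console", "2fa"))
        return False
    session.mfa_at = now
    session.audit.append(("allow", "console", "sso+am+2fa"))
    return True


def requires_elevation(command: str) -> bool:
    """Simulated PAM rule: commands with these prefixes need step-up authentication."""
    return command.startswith(PRIVILEGED_PREFIXES)


def run_command(session: Session, command: str,
                push_approval: Callable[[str, str], bool], now: float) -> str:
    """Second half of Scenario 2: the PAM shell intercepts privileged commands and
    asks the 2FA provider (here a push-approval callback) for a step-up.
    A step-up younger than STEP_UP_MAX_AGE_S is reused; anything older is re-challenged."""
    if not (session.sso_ok and session.am_ok and session.mfa_at is not None):
        session.audit.append(("deny", command, "no-authenticated-session"))
        return "denied: no authenticated session"
    if not requires_elevation(command):
        session.audit.append(("allow", command, "unprivileged"))
        return "executed"
    fresh = session.step_up_at is not None and (now - session.step_up_at) <= STEP_UP_MAX_AGE_S
    if not fresh:
        # Step-up is a separate decision from the initial login; the initial 2FA is not enough.
        if not push_approval(session.user, command):
            session.audit.append(("deny", command, "step-up-failed"))
            return "denied: step-up authentication failed"
        session.step_up_at = now
    session.audit.append(("allow", command, "step-up"))
    return "executed (elevated)"


if __name__ == "__main__":
    # Constructed walk-through: approve the push once, then watch the window expire.
    s = Session("admin@example.test")
    initial_access(s, sso_ok=True, am_ok=True, mfa_ok=True, now=0.0)
    print(run_command(s, "ls /var/log", lambda u, c: False, now=1.0))
    print(run_command(s, "sudo systemctl restart sshd", lambda u, c: True, now=2.0))
    print(run_command(s, "sudo reboot", lambda u, c: False, now=30.0))   # reuses step-up
    print(run_command(s, "sudo reboot", lambda u, c: False, now=100.0))  # window expired
    for entry in s.audit:
        print(entry)
```

The audit list is the part a defender cares about: every allow and deny carries the reason (which link of the chain decided), which is what you would forward to a SIEM to verify that privileged commands were only executed behind a fresh step-up.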