Zero Trust Hardware Access

Zero Trust Hardware Use Case

A large corporate bank identified a suspicious transaction within the enterprise. Upon further investigation, it was discovered that the palm-vein scanner used for biometric authentication had been compromised and was subsequently granting unauthorized access. As a result of the compromise, the bank's Zero Trust (ZT) model was at risk of being circumvented, because that model relies on identity-based access control.

Zero Trust is a network security model based on the principle of "never trust, always verify". By acknowledging that threats originate not only outside the organization's perimeter but also within it, ZT eliminates the trust that was once automatically given to internal users and devices. Every user and device, internal or external, must be authenticated and authorized before being granted access to an enterprise's resources and data.

To implement ZT, micro-segmentation splits the network into smaller, more granular parts, each of which requires separate access authorization. In doing so, micro-segmentation controls east-west network traffic, i.e. lateral movement, as a means to reduce the attack surface. Micro-segmentation is supported by the principle of least privilege, whereby users access only the specific resources required to perform the task at hand. Enforcing least privilege requires identity-based access control, which naturally relies on identifying the user and their role. Users are typically identified through multi-factor authentication, which can rely on three different kinds of factor:

Zero Trust Hardware Access Use Case

The third authentication method is perceived as the most secure, since it is the most difficult to compromise. However, in the bank's case, an attacker used a man-in-the-middle attack to bypass palm-vein authentication, manipulating the Identity and Access Management system on which ZT relies. Once that happens, micro-segmentation becomes ineffective: the attacker gains full access privileges and can move laterally throughout the network.
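The two paragraphs above describe the mechanism at stake: micro-segmentation only reduces lateral movement if every request is authorized against a least-privilege, identity-based policy, and that policy is only as good as the identity it is handed. The following is an added example, not code from the original page or from SRC Cyber Solutions, of a minimal default-deny policy decision point for such a segmented network. The segment names, roles and the `factors_verified` field are hypothetical and chosen for illustration; the point it shows is that a teller identity cannot reach the payments database even with valid authentication, and that a single verified factor is not enough for any segment.

```python
"""Added example (not from the original page): a default-deny policy decision
point for micro-segmented, identity-based access control.

Hypothetical assumptions chosen for illustration:
- the network is split into named segments such as "payments-db";
- each role maps to the smallest set of (segment, action) pairs it needs;
- every request is evaluated on its own; no prior decision is cached as trust.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

Permission = Tuple[str, str]  # (segment, action)

# Least-privilege role definitions: each role lists only what it needs.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "teller": frozenset({("branch-apps", "read"), ("branch-apps", "write")}),
    "fraud-analyst": frozenset({("branch-apps", "read"), ("payments-db", "read")}),
    "dba": frozenset({("payments-db", "read"), ("payments-db", "write")}),
}

# Minimum number of distinct, independently verified authentication factors.
MIN_FACTORS = 2


@dataclass(frozen=True)
class Identity:
    user: str
    roles: FrozenSet[str]
    factors_verified: int  # distinct factors the IAM system reports as verified


@dataclass(frozen=True)
class Request:
    identity: Identity
    segment: str
    action: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def permissions_for(roles: FrozenSet[str]) -> FrozenSet[Permission]:
    """Union of the permissions of all roles; unknown roles grant nothing."""
    granted: set = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(granted)


def evaluate(req: Request) -> Decision:
    """Authorize one request against one segment. Anything not explicitly
    permitted is denied, and the check is repeated for every request."""
    ident = req.identity
    if ident.factors_verified < MIN_FACTORS:
        return Decision(False, "insufficient authentication factors")
    if (req.segment, req.action) in permissions_for(ident.roles):
        return Decision(True, f"{req.segment}:{req.action} permitted by role")
    return Decision(False, f"{req.segment}:{req.action} not granted to {ident.user}")


if __name__ == "__main__":
    # Constructed sample requests: a teller trying to move laterally into the
    # payments segment, a DBA doing legitimate work, and a DBA with one factor.
    teller = Identity("alice", frozenset({"teller"}), factors_verified=2)
    dba = Identity("bob", frozenset({"dba"}), factors_verified=2)
    weak_dba = Identity("bob", frozenset({"dba"}), factors_verified=1)
    for r in (
        Request(teller, "payments-db", "write"),
        Request(teller, "branch-apps", "write"),
        Request(dba, "payments-db", "write"),
        Request(weak_dba, "payments-db", "read"),
    ):
        d = evaluate(r)
        print(f"{r.identity.user:6} {r.segment}:{r.action:6} -> {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
```

Note that `evaluate` trusts whatever `factors_verified` the identity layer supplies; that is exactly the dependency the bank's incident exposed, which is why the integrity of the authenticator feeding the IAM system matters as much as the policy itself.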

© 2024 SRC Cyber Solutions LLP. All Rights Reserved.