A Path to Achieving Network Security ZEN
Finding a balance between a pleasant user experience and stringent security requirements can be a challenge. User authentication has become increasingly complex over the years, blending usernames and passwords with a second authentication factor such as One Time Passwords (OTP). In many cases users need to re-authenticate many times a day depending on the applications or devices they use. Many users also reuse extremely long and complex passwords across work and personal accounts, which reduces security and increases frustration and confusion. Is it even possible to balance heightened security with an enhanced user experience? Adobe believes it is. We want to share our Zero-Trust framework for achieving this balance, “ZEN.”
The Zero-Trust Enterprise Network (or ZEN) project from Adobe is an initiative based upon numerous best practices and principles from various digital workspaces. Since there is no “off-the-shelf” solution to fully deliver on these principles today, ZEN is pioneering technology and workflows to make the path to a zero-trust network more efficient and attainable. The ZEN initiative strives to accomplish the following:
- Remove the need for VPN and replace usernames/passwords with certificate-based authentication plus multiple options for second factor authentication (2FA). 2FA will only be required as needed, based on security policies.
- Leverage existing device management and network controls combined with machine learning to control access.
- Help prevent unwanted lateral movement within the network during an incident or breach scenario.
- Better automate management of access to internal applications to streamline the overall user experience while also tightening security controls.
- Deploy a “trust score engine” that will better automate access rules based upon real-time data.
How do we enable the initiatives above?
- Through management of the ZEN experience – all machines must be corporate-managed to receive the ZEN experience.
- Use of our existing Mobile Device Management (MDM) solution to help enforce policy and security settings, and to secure the lifecycle of the ZEN certificate (distribution, renewal and revocation).
- Integration with our identity solution, which performs certificate-based authentication seamlessly (improving the authentication experience and reducing the need for employees to use their username/password) and checks device posture.
- We’ve been working closely with VMware and Okta engineers on integrating both platforms to make this happen; you can learn more about the strategic partnership via this blog: https://blogs.vmware.com/euc/2018/05/vmware-okta-journey-digital-workspace.html.
- Network access to on-premises applications – seamless access to on-premises apps will be available via a proxy solution which performs the same certificate-based authentication and posture check. The proxy re-checks posture continuously in the background and will revoke access if the user or device posture changes.
- Through our Trust Score Engine – our security intelligence team leverages machine learning and data science to create trust scores of users and associated devices.
- Device trust is made available to employees via a user-friendly self-service portal.
- Future plans will show employees how to remediate and improve trust scores.
- Restrict access based on pre-defined criteria.
- Today the trust score is a basic function – derived using authentication logs.
- Future plans include capturing network log data and app log data to refine the risk score to determine the posture of user and device and restrict access in real-time.
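To make the access-control flow above concrete (certificate and posture check at the proxy, a trust score derived from authentication logs, step-up 2FA only when policy requires it, and revocation when posture changes), here is an added, self-contained illustration. It is not Adobe's trust score engine or any code from this post: the log fields, the posture attributes (managed, cert_valid, os_patched), the scoring weights and the allow/step-up/deny thresholds are all assumptions chosen for the example, and the log entries are constructed sample data.

```python
"""Illustrative zero-trust access decision (added example, not Adobe's engine).

A trust score is computed from authentication log entries for a (user, device)
pair, combined with MDM-reported device posture, and mapped by a pre-defined
policy to one of: allow, step_up_2fa, deny.
"""
from dataclasses import dataclass

# Constructed sample authentication log (not real data).
# Fields: (user, device_id, outcome, cert_used)
#   cert_used=False means the login fell back to username/password
#   instead of the ZEN client certificate.
AUTH_LOG = [
    ("alice", "mac-0142", "success", True),
    ("alice", "mac-0142", "success", True),
    ("alice", "mac-0142", "success", True),
    ("alice", "win-9911", "failure", False),   # unmanaged box, no cert
    ("alice", "win-9911", "failure", False),
    ("bob",   "mac-2210", "failure", True),
    ("bob",   "mac-2210", "failure", True),
    ("bob",   "mac-2210", "failure", True),
    ("bob",   "mac-2210", "success", True),
]

# Assumed policy: thresholds and penalties are illustrative, not Adobe's.
DEFAULT_POLICY = {
    "allow_threshold": 80,     # score >= 80: no 2FA prompt
    "step_up_threshold": 50,   # 50 <= score < 80: require second factor
    "unpatched_penalty": 10,   # posture signal folded into the score
}


@dataclass(frozen=True)
class DevicePosture:
    """Posture attributes as an MDM would report them (assumed fields)."""
    managed: bool      # enrolled in MDM; unmanaged machines get no ZEN access
    cert_valid: bool   # ZEN client certificate present and not revoked
    os_patched: bool   # example of a posture attribute that lowers the score


def trust_score(log, user, device):
    """Score in [0, 100] for a (user, device) pair, derived from auth logs only.

    Assumed weights: -15 per failed login (max -60), -20 per password
    fallback (max -40), -10 per additional device the user logs in from.
    """
    entries = [e for e in log if e[0] == user and e[1] == device]
    if not entries:
        return 50  # unseen pair: neutral score, which forces step-up below
    failures = sum(1 for e in entries if e[2] == "failure")
    no_cert = sum(1 for e in entries if not e[3])
    devices = {e[1] for e in log if e[0] == user}
    score = 100
    score -= min(failures * 15, 60)
    score -= min(no_cert * 20, 40)
    score -= 10 * (len(devices) - 1)
    return max(0, score)


def access_decision(log, user, device, posture, policy=DEFAULT_POLICY):
    """Return (decision, score, reason) for one access request.

    Hard gates (no ZEN experience without a managed device and a valid cert)
    are checked before the score, so a revoked cert always denies.
    """
    if not posture.managed or not posture.cert_valid:
        return ("deny", 0, "device not managed or certificate invalid/revoked")
    score = trust_score(log, user, device)
    if not posture.os_patched:
        score = max(0, score - policy["unpatched_penalty"])
    if score >= policy["allow_threshold"]:
        return ("allow", score, "trust score meets allow threshold")
    if score >= policy["step_up_threshold"]:
        return ("step_up_2fa", score, "trust score requires second factor")
    return ("deny", score, "trust score below step-up threshold")


if __name__ == "__main__":
    healthy = DevicePosture(managed=True, cert_valid=True, os_patched=True)
    print(access_decision(AUTH_LOG, "alice", "mac-0142", healthy))
    print(access_decision(AUTH_LOG, "bob", "mac-2210", healthy))
    # Posture change mid-session (certificate revoked via MDM): re-evaluating
    # the same request now denies, which is how the proxy would revoke access.
    revoked = DevicePosture(managed=True, cert_valid=False, os_patched=True)
    print(access_decision(AUTH_LOG, "alice", "mac-0142", revoked))
```

The point of the structure is that the cheap, deterministic gates (MDM enrollment, certificate validity) run first and cannot be outweighed by a good score, while the score only decides between a silent allow and a step-up prompt; re-running `access_decision` on every posture change is what turns a one-time login check into continuous enforcement.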
We are looking forward to expanding these initiatives and are eager to continue our journey to the next-level of digital workspaces.
You can learn more about our ZEN initiative from our white paper on Adobe.com or our recent webinar with the Cloud Security Alliance (CSA).
Den Jones
Director, Enterprise Security