Not all identity-based platforms are created equal
Now that identity-based microsegmentation has become the standard for zero-trust security, there are a number of vendors whose platforms are built on firewall technology that are trying to position themselves as identity-based.
For example, here is how this works in one prominent vendor's platform. Every ten seconds, an agent runs netstat, a common tool that enumerates the connections in and out of the server, with its process option (-p on Linux; -o or -b on Windows), which makes a best-effort attempt to identify the process that owns each connection. Because the check is a periodic snapshot rather than continuous monitoring, and because netstat cannot attribute every socket (a socket whose process has already exited, such as one sitting in TIME_WAIT, shows no owner at all), you don't always know which process is associated with which connection. A short-lived, ephemeral process that opens and closes a connection between two polls is never seen, a weakness attackers can exploit.
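The two failure modes described above, as an added example that is not code from the original post or from any vendor: a parser for the Linux `netstat -tnp` row format that flags connections netstat could not tie to a process, and a simulation of a poller sampling at a fixed interval against a constructed connection timeline. The netstat output, PIDs, addresses and flow timings are all constructed for illustration.

```python
"""Added example, not Edgewise's or any vendor's code: parse Linux
`netstat -tnp` output into connections, flag the ones netstat could not
attribute to a process, and simulate a poller that samples every N seconds
against a constructed connection timeline."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the format of `netstat -tnp` (net-tools). A socket in
# TIME_WAIT has no owning process, and without root privileges sockets owned
# by other users show no PID either; both appear as "-".
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:49812          10.0.0.10:389           ESTABLISHED 1234/sssd_be
tcp        0      0 10.0.0.5:49813          10.0.0.10:389           TIME_WAIT   -
tcp        0      0 10.0.0.5:49814          10.0.0.10:389           ESTABLISHED -
tcp        0      0 10.0.0.5:50210          10.0.0.20:443           ESTABLISHED 2201/curl
"""

@dataclass(frozen=True)
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    pid: Optional[int]      # None when netstat printed "-"
    program: Optional[str]

# One TCP row: proto, Recv-Q, Send-Q, local, foreign, state, "PID/Program" or "-"
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<owner>\S+)\s*$"
)

def parse_netstat(text: str) -> list:
    """Parse the TCP rows of `netstat -tnp`; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        owner = m.group("owner")
        if owner == "-":
            pid, prog = None, None
        else:
            pid_s, _, prog = owner.partition("/")
            pid = int(pid_s)
        conns.append(Conn(m.group("proto"), m.group("local"), m.group("remote"),
                          m.group("state"), pid, prog))
    return conns

def unattributed(conns):
    """Connections the tool saw but could not tie to any process."""
    return [c for c in conns if c.pid is None]

@dataclass(frozen=True)
class Flow:
    pid: int
    start: float   # seconds since the poller started
    end: float     # socket closed (or process exited) at this time

# Constructed timeline: one long-lived LDAP session and two 2-second flows
# from processes that exit before the next 10-second poll.
FLOWS = [
    Flow(pid=1234, start=0.0, end=60.0),
    Flow(pid=6666, start=3.0, end=5.0),
    Flow(pid=6667, start=12.5, end=14.5),
]

def flows_seen(flows, interval: float, horizon: float = 60.0):
    """Flows a poller sampling at t = 0, interval, 2*interval, ... observes
    while the owning process still holds the socket."""
    seen = set()
    n = 0
    while n * interval <= horizon:
        t = n * interval
        seen.update(f for f in flows if f.start <= t < f.end)
        n += 1
    return seen

def flows_missed(flows, interval: float):
    """Flows the poller never observes at the given interval."""
    return set(flows) - flows_seen(flows, interval)

if __name__ == "__main__":
    for c in unattributed(parse_netstat(NETSTAT_SAMPLE)):
        print("no owner:", c.local, "->", c.remote, c.state)
    print("missed at 10s:", sorted(f.pid for f in flows_missed(FLOWS, 10.0)))
    print("missed at 1s: ", sorted(f.pid for f in flows_missed(FLOWS, 1.0)))
```

With the constructed data, the ten-second poller sees only the long-lived session and never observes either short flow; a one-second poller catches both, but even continuous polling cannot name the owner of a TIME_WAIT socket, so the two problems are independent. The parser accepts only TCP rows because `-t` restricts netstat to TCP and UDP rows carry no State column.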
The platform then assigns a label to that connection that says a specific process lives at that address, such as the Chrome browser. Labels don’t have to be limited to processes. You could also place geographic labels on a connection, for instance, such as Geo=Boston.
Here is how that plays out. The Local Security Authority Subsystem Service (LSASS) in Microsoft Windows authenticates users logging on to a Windows computer or server, but to do this it needs to communicate with the Active Directory domain controllers, where identities and permissions are stored. The microsegmentation system will set a policy saying, in effect, "This machine at this address runs LSASS, so it is allowed to communicate with the Active Directory server."
There are advantages to this method, because it helps enable firewall orchestration. But it solves none of the security issues associated with using firewalls to enable microsegmentation and zero trust. Once the connection is allowed, it is designated as safe, and any process on that host, including one an attacker has planted there, can use the same path to communicate with Active Directory. That is a huge problem, because an attacker who compromises Active Directory effectively holds the keys to the entire kingdom.
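The difference between the two policy models, as an added example that is not Edgewise's code and does not describe any vendor's implementation: the same connection attempts are evaluated against an address-plus-label rule of the kind learned from netstat, and against a rule keyed on the identity of the executable. Using the SHA-256 of the binary as "software identity" is an assumption made here for illustration; the hosts, addresses, process names and binary contents are constructed.

```python
"""Added example, not Edgewise's code: address-label rule vs software-identity
rule evaluated over the same constructed connection attempts. The SHA-256 of
the executable stands in for software identity (an assumption for
illustration, not a description of any product)."""
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:
    src_ip: str
    dst_ip: str
    dst_port: int
    process_name: str   # the label a firewall-based approach records
    exe_bytes: bytes    # contents of the executable making the connection

# Constructed "binaries": the genuine authentication service and an attacker's
# tool that has simply been renamed to carry the same process name.
REAL_LSASS = b"MZ" + b"constructed stand-in for the genuine lsass image"
FAKE_LSASS = b"MZ" + b"constructed stand-in for an attacker tool renamed lsass.exe"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# (a) Rule learned by observing "host 10.0.0.5 runs lsass.exe and talks to the
# domain controller on 389". Only addresses and the port are checked at
# enforcement time; the process label played no part once the rule exists.
ADDRESS_RULE = {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.10", "dst_port": 389}

def address_policy_allows(a: Attempt) -> bool:
    """Once the address pair is allowed, any process on that host passes."""
    return (a.src_ip, a.dst_ip, a.dst_port) == (
        ADDRESS_RULE["src_ip"], ADDRESS_RULE["dst_ip"], ADDRESS_RULE["dst_port"])

# (b) Rule keyed on what the software is, not where it runs or what it is called.
IDENTITY_RULE = {"exe_sha256": sha256_hex(REAL_LSASS), "dst_port": 389}

def identity_policy_allows(a: Attempt) -> bool:
    """Allowed only if the connecting executable is the one the rule names."""
    return (sha256_hex(a.exe_bytes) == IDENTITY_RULE["exe_sha256"]
            and a.dst_port == IDENTITY_RULE["dst_port"])

# Constructed attempts: the genuine service, a renamed attacker tool, the same
# tool under its own name, and the genuine service on a host the address rule
# has never seen.
ATTEMPTS = [
    Attempt("10.0.0.5", "10.0.0.10", 389, "lsass.exe", REAL_LSASS),
    Attempt("10.0.0.5", "10.0.0.10", 389, "lsass.exe", FAKE_LSASS),
    Attempt("10.0.0.5", "10.0.0.10", 389, "attacker_tool.exe", FAKE_LSASS),
    Attempt("10.0.0.7", "10.0.0.10", 389, "lsass.exe", REAL_LSASS),
]

def evaluate(attempts):
    """Return (process_name, src_ip, address_rule_verdict, identity_rule_verdict)."""
    return [(a.process_name, a.src_ip, address_policy_allows(a),
             identity_policy_allows(a)) for a in attempts]

if __name__ == "__main__":
    for name, src, by_addr, by_id in evaluate(ATTEMPTS):
        print(f"{name:18} from {src:10} address-rule={by_addr!s:5} identity-rule={by_id}")
```

With the constructed attempts, the address rule admits all three connections from the already-trusted host, including the renamed attacker tool, and rejects the genuine service only because it appeared on a new address; the identity rule does the opposite, following the genuine software to the new host and refusing both impostor attempts regardless of their process name.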
Here is an analogy to help illustrate how this method differs from identity. Let's say you are Snow White, and the witch has shown up at your door bearing a basket of apples. Thanks to identity-based zero trust, Edgewise can identify not just that the fruit is an apple, but individual apples down to their basic components. If an apple has been poisoned, Edgewise will recognize it and stop Snow White from eating it. But because poor Snow White is using a label-based system, she sees only an ordinary apple, and she will assume everything else in the basket is safe too.
Identity is a foundational element for creating an effective, resilient zero-trust environment. So dig deeper into vendor claims around identity, and verify whether they still depend on firewalls and network addresses or actually use software and machine identity. Make sure you're using the real thing.
Want to learn more about how Edgewise can enable identity-based zero trust security in seconds with just one click? Contact us!