A Zero Risk Binary Strategy From A Trusted Source
I was at once pleasantly surprised, a little shocked and curious when I stumbled upon a binary options strategy on the SeekingAlpha website. SeekingAlpha is a large and respectable blog for investment and trading in the stock, options, commodities and currency markets. The mere fact that the article was hosted on such a site adds a little prestige, if not reliability, to the strategy. SeekingAlpha is not a place I would expect to find affiliate marketing shenanigans.

One thing that stood out as a possible warning flag was the claims of “Zero Risk” and guaranteed returns. This is not an automatic thumbs-down for the strategy but does raise concern. Undoubtedly there are many strategies that can guarantee returns; I know my own trading keeps me in the green. The claims of zero risk are more troubling. All strategies and trading systems come with risk. It is the reduction and control of that risk that marks a great trader from a good one.
The author immediately tried to allay my fears once I began to dig into the strategy. It is an aggressive strategy, meant to double an account every ten days, but does so using small incremental gains. This impressive feat is accomplished with a small 10% gain each day, which leads me to believe there is an element of risk control in the strategy. The strategy is based on four basic questions: Up or down? What is the trend? Are there chances of a trend reversal? And finally, what is the expiry? The strategy itself does not rely on any of “that technical crap”, in the author's own words, so it should be pretty easy to employ. The thing is, after reading down for about two pages there just isn't much mention of what the strategy really is, just endless reasons why you should trust it to work for you.
So What’s Up With The Zero Risk Strategy?
It turns out, to my dismay, to be a wolf in sheep's clothing. This is a gross and shameless attempt at affiliate marketing and not likely in your best interest. In order to participate in the strategy you have to sign up with their broker, the reason being that there is a special feature only available with this broker that allows the system to work. Trust me, this is nothing but malarkey. The article is nothing but a broker review and not something I would expect to find on a site like SeekingAlpha. Too bad for them that Rajat98 has used them for his own devious SEO purposes. Good thing for us I got onto his trail.
The “strategy” is more of an instruction on how to use and trade binary options. In order to find out more about the so-called “Magic Step” you have to go to yet another blog, and guess what I found there: a blog devoted to the Zero Risk strategy. Only there was zero information on it. It only has two pages: the home page, which is the exact same SEO/review page as the SeekingAlpha article, and a contact page with an ID-less email address linked to the website. Aside from the ads, the only other thing that could be of any value is a PayPal link. Value to the website operators, that is. This is so you can buy the Zero Risk Strategy, only I am still not sure what the hell it is. I guess Mr. Rajat Kapoor, owner and writer of the blog, thinks we're all pretty stupid.
What Is The Point
The point is that Mr. Kapoor wants you to sign up with his broker so that he can make some money from your deposits and losses. The more you lose and the more you deposit, the more money he will make, so I would not put much faith in any strategy he will provide if you do choose to join him. It is not uncommon for an affiliate scam site like this, even though it is a poor wannabe, to be directly associated with a less than savory broker, so I was curious to see what I would find. If there is a connection between the website and the broker it would take the scam to a whole new level. The recommended broker is Betonmarkets, now known as Binary.com. This is a licensed and regulated broker, on the Isle of Man by the GSC (Gambling Supervision Commission). If you are not familiar with this designation, it means that Betonmarkets, Binary.com, is a casino and regulated as such. To them, binary options are games of chance, not financial investments, and are operated differently from typical binary options. At this time there is no indication of any connection between this strategy and the casino other than Mr. Kapoor's desire to separate you from some of your money. So at least Binary.com has that going for them.
As far as regulated brokers go, I would stay away from this one. If you are in the EU or UK and want to seriously trade binary there are much, much better choices for you. That being said, there are some interesting things on the website. For one, the asset index is quite extensive and includes more indices and commodities than most other brokers. Another is expiry, which is unlike what you will find with ordinary brokers. You can pick expiry in seconds, minutes, days or weeks, and then choose the number of each. For example, if you choose seconds your expiry can be as many seconds away as you want, with a minimum of 15. This means you can choose just about whatever expiry you want. One negative is that payouts are different as well. All options pay out $100, just like 0-100 options, but are purchased like spot binary. Once you choose your asset, option and expiry, the platform will give you prices for bearish and bullish positions to choose from. Prices will be under $100 and your profit will be the difference.
Scams and Blacklist
Scams are unfortunately all too common in the field of binary options. Dishonest brokers and reviews, or rigged robots and other auto trading services – the scams can come in many forms. So we feel it’s necessary to create this blacklist and list all known frauds and dishonest techniques in one place. We also go through the steps you can take to identify a potential scam and how to deal with the situation after the fact if you’re already a victim. If you know or suspect something is a scam, and we’re missing it on our blacklist, please let us know and we will look into it!
Why Are Stories of Scams So Common?
When any new financial instrument or form of trading first emerges, a whole range of businesses tend to get involved. It’s a fact of life that some of those product providers are going to be more trustworthy than others. This is certainly true of binary options. It is, after all, an accessible and popular method for individuals to trade the markets. What’s more, at least in their early days, binary options trading platforms tended to operate under the radar of the regulators and from any country over the internet – so it’s hardly surprising that unscrupulous operators seek to take advantage. Thanks to better regulation, a strong online trader community and honest reviews, it’s now a lot easier to tell a scam from a legitimate broker. But as with any international online marketplace, there are still some shady outfits who will leave you with less than you bargained for. So what are red flags to look out for? Here are the points to consider as you go about choosing your binary broker.
MyChargeBack.com are a company who specialise in helping binary fraud victims recover their money. They liaise with bank or credit card firms in order to get charge backs made to reclaim deposits. They will tell you if you have a valid claim via a free consultation.
Are Binary Options A Scam?
The term “scam” covers a wide range of behaviour, from providing misleading information to lure you in, through to vanishing account balances – and even dishonest trading advice. Likewise, a particular broker might not be technically fraudulent in its behaviour; it’s just that the service available on the platform (such as highly unreliable uptime or failure to reimburse funds in a timely manner) means that this is a broker that really ought to be avoided.
In all of these cases, the problem isn’t with binary options as a concept, it’s with the broker.
So it’s a matter of doing your homework before you commit to any particular platform. User reviews can be helpful (if they are genuine), but always treat such reviews with scepticism – and never make a decision on the basis of testimonials published on the broker’s website. Even trader forums can be problematic – look closely and you’ll often find that the forum is an offshoot of a particular broker’s website. Independent, thorough and comparative reviews are the safest way to ‘scam-check’ a broker. Ideally, focus on review sites that allow and encourage real-life users to get in contact and report any problems with particular brokers, so you can be sure that what you are reading is up to date.
The UK’s Financial Conduct Authority (FCA) does now regulate binary options. They have already created a list of unauthorised firms. While they are not calling them scams, they are making it clear that these firms are breaking the law by trading with UK visitors – so they are best avoided. The full list can be found here: FCA Unauthorised List
By contrast, the USA, along with most EU countries, does regard binary options as financial products. Depending on where they are based, many platforms will, therefore, be subject to oversight from a regulatory body. Examples include the CFTC in the US and CySec in Cyprus. A platform’s regulatory status can be a highly valuable trust-indicator for traders seeking to avoid scams. It shows that the broker has to abide by certain minimum standards when it comes to service and transparency.
Marketing “Too Good To Be True”
Taken in isolation, the act of placing a trade should be a straightforward one; and indeed, the usability of a platform tends to be a big selling point for brokers. Although this aspect of binary options is “easy”, it’s something quite different to claim that profits are guaranteed. Realising a profit through regular trading requires knowledge of how markets behave, the ability to read market conditions and an understanding of strategy. If the risks are downplayed – or outright false assertions are made (along the lines of “95% of trades are successful”) – these are false assurances. It’s a sign that the broker may be less than scrupulous in other important areas and that the platform ought to be given a wide berth.
Terms and conditions
Transparency is essential. Read the small print, and be especially wary of needlessly convoluted procedures for withdrawal of funds. Terms regarding your initial deposit can be another source of contention; for instance, if you are denied access to the deposit until a certain number of trades are made – so your money is tied to the platform from the moment it is handed over. This deposit retention is often part of wider terms associated with a ‘bonus’. CySec have sought to ban these sorts of terms by stopping the use of ‘deposit match’ bonuses. Non-CySec brands are still free to use them, however, so T&Cs must always be checked.
Cold calls tend to fall into two categories. The first is where you are called out of the blue and invited to sign up to a particular platform. The second occurs where you are already tied to the platform and you receive a call (or email) from a “senior broker” pointing you in the direction of particular trades. Reputable brokers do not need to make cold calls. Bear in mind “cold calls” might include emails too – any form of unsolicited approach should be considered a “cold” contact and be treated with extreme suspicion.
You should always be clear about who you are dealing with. In some situations, you might visit what appears to be an actual broker’s site, click the link to sign up only to be redirected to another broker. Alternatively a trading “service” may dictate that you use only their recommended broker. These “funnel” sites are sometimes used as a front by brokers with a poor reputation, or are working alongside them to dupe visitors (often using the misleading marketing mentioned above). A good broker will be upfront about its identity from the outset.
It’s one thing for a broker to give you access to the data and analysis tools to work out your own strategies (in fact, this is one of the signs of a great platform). It’s quite another for that broker to also offer trading advice. After all, with ‘over the counter’ binary options brokers, you are betting against the house; if the ‘house’ is making the trading decisions for you, it’s hardly likely that those decisions will be in your best interests. This form of “upselling” is often the most lucrative for the broker, and is usually where traders lose the most. Encouraged by an “account manager”, traders are advised to deposit beyond their means and to over trade. On occasion large accounts will be wiped out in hours. The “advice” goes against any sound money management, and increases risk hugely. Always take responsibility for your own trades. Never allow a broker to make trading decisions for you.
There has to be a fair and transparent benchmark against which the broker sets its prices. This benchmark should be what’s happening in the real world; i.e. real-time market prices. If the broker reserves the right to set its own prices, you can assume that those figures will be skewed against you; in other words, a loaded deck.
Scam Brokers and Not Recommended Operators
The brokers listed below have generated a lot of complaints both directly and on the forum. The disputes vary from upselling and encouraging traders to over trade, to non-payment of withdrawals and price manipulation. There is little recourse for traders to raise a dispute with unregulated brokers, so it is generally advised that you look for trusted binary options brokers – preferably regulated in your own country where possible. “Scam” has become widely used as a term to refer to any form of poor service, but it should be noted that many of these brokers may have done nothing dishonest or illegal, but have attracted higher than normal levels of complaints. If in doubt, trade elsewhere. There are plenty of honest brokers out there.
Robot And Signal Scams
These signal providers, or robot services, are either scams or not recommended for other important reasons.
Instagram And Facebook
Beware of scams operating on social media. Again, binaries are not a get rich quick scheme. There are a huge number of accounts promising to trade on your behalf and turn $2k into $8k in a week. If these claims were true, the people behind them would not need to be running ads or signing people up – they would simply trade themselves.
Screenshots of successful trades are exceptionally easy to get – even genuinely. But these operators are unlikely to even bother trading – once you send them money, it is gone and you will not hear from them again (unless they think they can get you to deposit more). Always select your own broker, and always take responsibility for your own trades – don't let someone else trade on your behalf. If you do not understand binary options, or do not have time to trade – then do not trade at all. These scams often prey on people who lack experience.
What To Do If You’ve Been Scammed
Do you think you’ve fallen prey to a binary options scam? Read on to find out what you can do if you’ve been scammed. There are many ways to help ensure that you don’t fall prey to a scam, but the reality is that even if you follow all those tips there is still a possibility you will be scammed. If that happens, what do you do? Do you sit back and take it? Do you give up on trading? No, you need to stand tall and look out for yourself. Trading is good, it is rewarding and can lead to a life in which you don’t have to go to a job and punch a clock. You can’t let the actions of one broker, signal service, robot or guru dissuade you from that path. This article is a look at what you can do if you think you’ve been scammed. It’s likely that once an issue arises you won’t be able to get your profits; it is possible to get back your initial deposit, but it might take some work.
MyChargeBack.com are a firm specialising in helping victims of binary options fraud. They help claimants to explain the incident to the bank or credit card company, so that they fully understand what has happened. Some banks are unaware of binary trading and are unwilling to listen to claims. MyChargeBack help in this situation. They have a solid record of recovery from genuine claims.
If you are not yet looking for third party help, here are some steps you can take yourself:
- Document everything. The very first thing to do is to make records of everything you can. This includes the broker’s, or SSP’s (signal service provider’s), terms and conditions, copies of any emails/Skype/live-chat you have had with them, confirmation of your deposit, turnover requirements for bonuses and your trading history. No matter what you do next, this information will be required in order to get satisfaction. What you do next will depend on the type of scam you have fallen prey to.
- Try to withdraw. If the broker won’t let you withdraw, contact them and try to find out why. The most usual reason is that you’ve not sent in the right ID documentation, a know-your-customer requirement brokers must satisfy under anti-money-laundering rules, and this is an issue that is easy to fix. The next most pressing reason why withdrawals are not allowed is bonus terms and turnover requirements. If you haven’t met the conditions you will not be allowed to make any form of withdrawal, which is why you want to keep track of all your trading volume and turnover. If you didn’t accept a bonus in the first place, your documentation will help you prove it. A good broker will try to solve your issues; a shady one will give you the run-around.
- Make your voice heard. If your broker keeps giving you the run-around and won’t address your issues, the next best avenue for satisfaction is to let the community know what is going on. After all, it is the squeaky wheel that gets the grease. You can do this by posting complaints, with details, in forums like the one here at Binaryoptions.net. When you do this be sure to let the broker know and send them a link. They may not care, a sign of a shady broker, but reliable brokers will want to address your problems to avoid poor publicity. When posting complaints give as much detail as possible; just saying that a broker scammed you is not enough, proof of fraud is what gets results.
- Contact their payments provider. If the broker won’t help, the chances that you have been scammed, and are not just suffering from miscommunication, are quite high. If you can’t get satisfaction from the broker you will have to take more drastic measures. If you deposited by credit card this may mean calling the card company and requesting a charge-back. For best results, let them know the initial charge was fraudulent and that the company in question is not returning your contact requests. The Times Of Israel reported that a victim of fraud was able to get a full refund of his deposit after contacting the financial institution that processed the broker’s payments. They withheld payments until the broker satisfied the claims.
- Contact the regulator. Time to call out the big guns. The great thing about expanding binary options regulation is that there is an alternative for many traders who think they’ve been scammed: you can contact the regulator. In some cases this can be a challenge, as many brokers are located off-shore and hidden behind holding companies and virtual offices, so be sure to do your homework. If the broker is regulated, contact the agency overseeing them; if they are not regulated, contact the agency which oversees financial regulation in your country. If the broker is regulated they will have to address your issue, to the satisfaction of all parties, in order to remain compliant. If they are not regulated, you can at least be assured that they will have a harder time scamming any more people from your country. At best, cooperation between regulators could result in the broker being shut down for fraud.
- Be persistent. Shady brokers like to hire people who are good at deflecting questions and complaints; don’t accept what they are telling you. It may take time, but eventually you will talk to the right person, or persons, and your case will be addressed. What is most likely to happen is that the combination of your contact requests, forum complaints and charges with regulators will add up to one thing: the broker giving you your money back to avoid a much bigger hassle.
How to Spot a Trading Strategy Scam
The internet is loaded with ads, articles, companies and individuals trying to provide you with the next big trading strategy that will make you rich overnight. Take pause my friend, here are tips to help you spot the scam.
A System or Only a Strategy?
First and foremost, trading strategies aren’t really going to help you become a good trader. What you actually need is an entire system. When you make a trading plan it needs to cover how you will enter markets, exit markets and how you will manage your money. It also needs to tell you under what market conditions you do all these things. That is a system, it tells you everything you need to know about how you will trade. A strategy on the other hand only tells you when to enter and exit, and may not tell you under what conditions it works best or poorly. It also may not provide guidance on position size or whether you can trade multiple assets at the same time – issues which are very important to address. In other words, a strategy may have missing pieces of information you need to be successful. We need a complete trading system…but marketers are smart, so they can easily just call the product they are selling a “system” to make it sound more complete. But is it? Here are several things to watch for which could tip you off the product is probably a waste of money:
A boxed system is one where you don’t get to know how the strategy works – it’s an opaque “black box”. For example, the product may just be a series of indicators or a service that tells you when to trade, but not why. This isn’t going to make you a better trader, because you don’t know what is happening behind the scenes. If a product or signal service stops operating you are left with nothing. Even if you made money with the product/service you have to start from scratch all over again. Make sure if you buy something it explains how it works, so that eventually you don’t have to rely on the product/service.
Extremely High Win Rates
Is it possible to have a 90% win rate? Absolutely, yet it is also possible to lose money with a 90% win rate: if the one loss in ten is bigger than the nine wins combined, the system loses. Stats are easily manipulated to tell partial truths or fabricate lies. Other popular tactics are saying things like “Made $500 in one day!” So what? That doesn’t actually tell you anything. If that was on a $1,000,000 account then making $500 isn’t so grand. And if they lost $3000 the day before, then making only $500 today and bragging about it is rather paltry. Read between the lines. What isn’t being said? To understand performance you need several bits of information: account size (capital), percentage return, amount at risk on each trade, amount of profit per trade, win/loss ratio, biggest winner, biggest loser, average winner, average loser, number of trades and the period over which the strategy was tested/profitable.
There are also some other metrics that could help you out, but if you ask the company for these bits of information, and they can’t or won’t give them to you, be suspicious. You can usually get a sense of what vulnerabilities and tendencies a system has by looking at the above stats. One of the main things is that the strategy should be tested over a long period of time, and in all market conditions – up trends, down trends, ranges, volatile and sedate conditions. It doesn’t necessarily have to be profitable in each of these environments, but it should have at least been traded through them all so you know that the system is profitable overall. Often marketers will only publish results for a period where the strategy did very well. But this doesn’t give you a real idea of how the strategy or system works over the long term.
- Related to stats, there is something else you need to consider. If a system is profitable, that result is based on all the trades. If you buy the product or the service, are you going to trade them all? One issue many traders face when subscribing to a signal service is that they don’t trade all the signals. If you don’t trade all the signals then your personal results could be dramatically different from the typical results of the service.
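The three points above (a high win rate that still loses money, the cherry-picked reporting period, and the subscriber who only takes some of the signals) can all be checked from a full trade log. The script below is an added example, not code from the original article or from any vendor it mentions: the trade log it uses is constructed, and `summarize`, `best_window` and `every_nth_signal` are names chosen here. Given a real log it computes the figures the text says a vendor should be able to supply.

```python
"""Added example (not from the original article): the performance numbers you
should demand from a strategy or signal vendor, computed from a trade log.

The log below is constructed to show the point made above: a 95% win rate with
small winners and one large loser has negative expectancy, and the best-looking
stretch of it is what a marketer would publish.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass
class Trade:
    pnl: float  # realised profit (+) or loss (-) in account currency


def summarize(trades, starting_capital):
    """Return the metrics listed in the text for a complete trade log."""
    wins = [t.pnl for t in trades if t.pnl > 0]
    losses = [t.pnl for t in trades if t.pnl <= 0]
    n = len(trades)
    net = sum(t.pnl for t in trades)
    gross_profit = sum(wins)
    gross_loss = -sum(losses)
    return {
        "trades": n,
        "win_rate": len(wins) / n,
        "net_pnl": net,
        "return_pct": 100.0 * net / starting_capital,
        "expectancy": net / n,  # average P&L per trade; negative means a losing system
        "profit_factor": gross_profit / gross_loss if gross_loss else float("inf"),
        "avg_winner": mean(wins) if wins else 0.0,
        "avg_loser": mean(losses) if losses else 0.0,
        "biggest_winner": max(wins, default=0.0),
        "biggest_loser": min(losses, default=0.0),
    }


def best_window(trades, length):
    """Find the most profitable run of `length` consecutive trades.

    This is the cherry-picked period a marketer advertises; compare it with
    summarize() over the whole log.
    """
    best_start, best_net = 0, float("-inf")
    for start in range(len(trades) - length + 1):
        net = sum(t.pnl for t in trades[start:start + length])
        if net > best_net:
            best_start, best_net = start, net
    return best_start, best_net


def every_nth_signal(trades, n):
    """Results of a subscriber who only takes every n-th signal."""
    return trades[::n]


# Constructed trade log: $50 stakes paying 80% on a win, then one oversized
# "recovery" trade that loses $900.
TRADES = [Trade(40.0)] * 10 + [Trade(-900.0)] + [Trade(40.0)] * 9

if __name__ == "__main__":
    full = summarize(TRADES, starting_capital=1000.0)
    print(f"win rate {full['win_rate']:.0%}, net {full['net_pnl']:+.0f}, "
          f"expectancy {full['expectancy']:+.2f}/trade, "
          f"profit factor {full['profit_factor']:.2f}")
    start, net = best_window(TRADES, 10)
    print(f"best 10-trade window starts at trade {start} and nets {net:+.0f}")
    partial = summarize(every_nth_signal(TRADES, 2), 1000.0)
    print(f"taking every other signal: net {partial['net_pnl']:+.0f}")
```

On the constructed log the whole-history figures are a 95% win rate, a net loss of $140 and an expectancy of -$7 per trade, while the best ten-trade window shows a clean +$400; a subscriber who takes every other signal ends at -$540, and one who takes the other half at +$400. Ask for every column, and for the full period, before believing any of them.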
Only One Direction
Avoid a system that only trades in one direction, for example only buys assets but won’t short sell them. Markets rise and fall, you want to participate in both trends.
No Trial Period
You should be able to test a product and be able to cancel without a fuss if the service isn’t for you. Usually a quick trading forum search on Google will reveal what others have shared about a product or service. No trial, no deal. Don’t trust anyone; test things out for yourself. If they won’t let you, then be wary.
Final Words on Identifying Scams
A product or service shouldn’t make you reliant on it. It should show you behind the scenes so that eventually you can trade on your own. Good products will always have customers, since there are people who don’t want to do the work themselves, and there are always new traders. There is no reason to make every customer totally dependent. Be wary of stats that are thrown out. Ask yourself what the stats aren’t telling you. Also, if the stats they provide are legitimate, then you’ll need to trade all the signals to take advantage and get results typical of the service. Of course, remember that past performance is not indicative of future results. That is why it pays to do some homework, and make sure the strategy/system/service/product is based on a long history, and has proven itself profitable over all types of market conditions. Test out a product/system/service before buying it. If they won’t let you try, be suspicious.
Case Study – JV Affiliate Marketers
In this section we will look at how you can avoid being scammed by Binary Options JV Affiliate Marketers. It's not so hard, but it requires you to let go of your emotions and examine things in a logical manner, as many of the scammers use emotional greed/fear tactics to get your money. Once you understand this you can quickly and simply save your time and money with these unscrupulous dolts. Some scams are simply comical in how stupid they are, while others can be very well done con jobs that lure you in with seemingly genuine people/systems/reviews which later you find are the exact opposite, as you look at your $0 balance wondering “Where did my money go!?”.
As you will see in the numerous scam videos, all you have to do is “NOT DEPOSIT” and these scams no longer work. So next time you see videos of a similar nature, just know they are supporting scam systems/marketers. Understand that if they require a deposit they are fly-by-night, and even if they were not, they are supporting the scammers by the nature of requiring you to deposit with a new broker. So just refuse to deposit and they go away. Note the same kind of stories and promises over and over, all to get you to sign up to their “free” system/bots… They are not free: you have to deposit, and they get paid on those deposits… So remember: limited time / fast money / can’t lose! / just fund your account = don’t do it!
The image that accompanied this section in the original post (not reproduced here) showed that many of the scam systems are connected to each other, most often hosted on the same servers. These JV marketers have tons of these turnkey scams, as they are very low maintenance. The reason you see so many of them is that after a few weeks the new story line wears off and becomes boring, so they start production on another one and keep it all fresh and new, thus avoiding the wrath of their old scams being complained about and those complaints shared with others. If they keep it new they avoid this, along with the fact that most newbies jump from one scam to another hoping one of these will work, which none of them do, because trading is a learned skill/job… So again, understand their stories and how they work, and don’t deposit.
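The shared-server observation above is checkable. The script below is an added example, not the author's own tooling: it groups promotional domains that resolve to the same address or use the same non-generic name server. The domain names, addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and name servers are all constructed for the example; in a real run the RECORDS table would be filled from DNS lookups of the domains you collected from the videos and landing pages.

```python
"""Added example (not from the original article): grouping promotional sites by
shared hosting, the check behind the claim above that scam systems sit on the
same servers.

All domains, addresses and name servers below are constructed; a real run would
populate RECORDS from A-record and NS lookups instead.
"""
from collections import defaultdict

# Constructed lookup results: domain -> (A record, authoritative name server)
RECORDS = {
    "fastcash-bot.example": ("203.0.113.10", "ns1.turnkey-hosting.example"),
    "zero-risk-signals.example": ("203.0.113.10", "ns1.turnkey-hosting.example"),
    "magic-step-method.example": ("203.0.113.11", "ns1.turnkey-hosting.example"),
    "honest-review-site.example": ("198.51.100.7", "ns1.bigshared-host.example"),
    "another-review-site.example": ("198.51.100.9", "ns1.bigshared-host.example"),
}

# Name servers of large shared hosters: two sites using one of these proves
# nothing, so they are not used as a link.
COMMON_NS = {"ns1.bigshared-host.example"}


def cluster_by_shared_infra(records, common_ns=COMMON_NS):
    """Return groups of domains linked by a shared IP or a shared
    (non-generic) name server, largest group first."""
    parent = {domain: domain for domain in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    by_ip = defaultdict(list)
    by_ns = defaultdict(list)
    for domain, (ip, ns) in records.items():
        by_ip[ip].append(domain)
        if ns not in common_ns:
            by_ns[ns].append(domain)

    # Every domain that shares an IP or a private name server is linked.
    for group in list(by_ip.values()) + list(by_ns.values()):
        for other in group[1:]:
            union(group[0], other)

    clusters = defaultdict(set)
    for domain in records:
        clusters[find(domain)].add(domain)
    return sorted(clusters.values(), key=lambda s: (-len(s), min(s)))


if __name__ == "__main__":
    for group in cluster_by_shared_infra(RECORDS):
        print(len(group), sorted(group))
```

On the constructed data the three "system" sites fall into one cluster (two share an address, the third shares their private name server), while the two sites that only have a large shared hoster's name server in common stay separate. Shared hosting is circumstantial, not proof, which is why generic name servers are excluded from the linking.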
Case Study – Scams on Social Media
Social media is a “perfect” platform for scammers and can be even more insidious and convincing, and unlike the JV marketers these people will talk to you directly, but only to a point. Once they figure they can’t get any more from you or you no longer have value to them, they will un-friend you in a heart beat. The one thing they are all after is your money, so be on the look out for them asking for deposits or sign-ups telling you about amazing profits and opportunities, which will have you end up with empty pockets. Videos such as those used with both “The Green Room” and “FB Wealth Group” will pretend to be traders/friends, while they are really just out to get your money through either signups or even trying to have you pay them directly.
Also – if you see them mention anything MLM (Multi Level Marketing) related, they are trained to lure you in, so run the other way. These people don’t play around and will say whatever is needed to get you to sign up and invest. There is a 45-minute-long interview of a person that was scammed by both “The Green Room” and “FB Wealth Group”. We named it Binary Options Horror Story because that is exactly what it is, in all its gory details. If you are new to binary options, read and absorb the above warning signs fully to see how they scammed people out of their money so it does not happen to you. Notice also how they worked with the brokers directly, which implies that the brokers can be directly involved as well.
Scammers will repeat the common element of wanting you to deposit or even asking for money directly and from there you can tell them “no thanks” and make sure to unfriend them.
What is Zero Trust Privilege?
Zero Trust Privilege redefines legacy Privileged Access Management (PAM) for the modern enterprise IT threatscape. Organizations must discard the old model of “trust but verify”, which relied on well-defined boundaries. Zero Trust mandates a “never trust, always verify, enforce least privilege” approach to privileged access, from inside or outside the network.
Zero Trust Privilege requires granting least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. By implementing least privilege access, organizations minimize the attack surface, improve audit and compliance visibility, and reduce risk, complexity and costs for the modern, hybrid enterprise.
Legacy PAM Is Not Enough for the Expanded Threatscape
Legacy PAM has been around for decades and was designed back in the day when ALL your privileged access was constrained to systems and resources INSIDE your network. The environment was systems admins with a shared “root” account that they would check out of a password vault, typically to access a server, a database or network device. Legacy PAM served its purpose.
However, today’s environment is different, privileged access not only covers infrastructure, databases and network devices, but is extended to cloud environments. It also includes big data projects, it must be automated for DevOps, and it now needs to cover hundreds of containers or microservices to represent what used to be a single server.
On top of this, we now all live in a world of Advanced Persistent Threats (APTs) that create a growing and changing risk to organizations’ financial assets, intellectual property and reputations. Expanding access and obtaining credentials is an essential part of most APTs, with privileged access being the crown jewels. Forrester (see Forrester Wave: Privileged Identity Management: Q3 2020) stated that “80% of security breaches involve privilege credentials.”
Cloud-ready Zero Trust Privilege is designed to handle requesters that are not only human but also machines, services and APIs. There will still be shared accounts, but for increased assurance, best practices now recommend individual identities, not shared accounts, where least privilege can be applied. All controls must be dynamic and risk-aware, which requires modern machine learning and user behavior analytics. Now PAM must integrate and interoperate with a much broader ecosystem including IaaS providers like AWS and Azure, with DevOps CI/CD Pipeline tools such as HashiCorp and Ansible, and with Container solutions such as Docker, Kubernetes and CoreOS.
The Six Tenets of Zero Trust Privilege
A Zero Trust Privilege approach helps enterprises grant least privilege access based on verifying who is requesting access, the context of the request and the risk of the access environment. By implementing least privilege access, Zero Trust Privilege minimizes the attack surface, improves audit and compliance visibility, and reduces risk, complexity and costs for the modern, hybrid enterprise. Zero Trust Privilege is built on six tenets, which are covered in detail below:
Verify Who
Today, identities include not just people but workloads, services and machines. Properly verifying WHO means leveraging enterprise directory identities, eliminating local accounts and decreasing the overall number of accounts and passwords, which reduces the attack surface. Many large organizations have standardized on Microsoft’s Active Directory, but with Zero Trust Privilege you don’t have to standardize on any particular directory. In fact, you can keep different populations of identities in different directories. The important part is to establish identity for users via HR-vetted enterprise directory identities, meaning these identities are automatically disabled when the person’s employment is terminated. The last thing you want is a database administrator (DBA) who leaves but still retains their privileged access rights.
A best practice for privileged access is to establish unique accounts for each administrator to use for admin purposes. Microsoft suggests that these be “Alternate Admin Accounts” (commonly referred to as “dash a” due to the typical “-A” appended to the user’s account) that are associated with the admin user but are separate from the admin’s end user identity, which is typically a publicly-known account with an email address. This way, if the public email account gets compromised, it does not expose their Alternate Admin Account.
To verify who, we must also apply Multi-Factor Authentication (MFA) everywhere: during login, upon password checkout, at privilege elevation — anytime there is a new request. With privileged access we must know with certainty who is on the other end before granting access. MFA is a must-have; passwords are not good enough. Let’s face it, 10% of you probably have the word “admin” as your password – that’s not going to cut it. The good news is MFA is way easier than before, when you used to have to wait for 120 seconds for a new 6-digit code to come up and type it in. Now users just get a push notification to their phone and/or just touch their FIDO key.
When implementing MFA, it is critical to enforce National Institute of Standards and Technology (NIST) Authenticator Assurance Level 2 (AAL2) at a minimum for admin functions. This means a dual challenge: something you know, and something you have. A good example is a password combined with a push notification to your phone, or an OTP generated by your phone. For the most critical assets it is recommended to increase even further to NIST AAL3, where possible. This means two-factor authentication with a password in addition to a hardware-based cryptographic token, such as a smart card or FIDO key. Google claims they have not had a single successful phishing attack since they implemented FIDO keys for all users.
Contextualize Request
First, we need to start with why it is important to have a “request and approve” access process. It makes sense that a database administrator (DBA) should not have default rights to access all databases, only the ones they need to work on that day. That way, if that DBA’s credentials are compromised, we have limited the attack surface. For each request, it is important to know WHY somebody, or something, is performing privileged activity. To do this, we must understand the context behind the request for access, and review and approve the request based on the context provided.
The concept of least privilege is to only provide the needed level of privilege to perform a certain task and only for the amount of time necessary to perform that task. To execute least privilege, the granter of access must understand the context to be able to make the appropriate access decision.
Recording the request context typically includes associating the request with a specific trouble ticket and providing a reason, as well as what is being requested and for how long. Once the request is contextualized, it must be routed for approval; this workflow can be as simple or as complex as you would like to make it. For larger companies, achieving this step is likely to involve integrating the PAM solution with an enterprise-grade ITSM (IT Service Management) solution like ServiceNow or an IGA (Identity Governance and Administration) platform like SailPoint Technologies.
Secure Admin Environment
When accessing privileged resources, it is critical that we neither give malware a path to servers nor introduce infections during our connection to them. To achieve this, we need to make sure access is only achieved through a clean source. Zero Trust Privilege means preventing direct access from user workstations that also have access to the Internet and email, which are too easily infected with malware. Access should only be granted through approved Privileged Admin Consoles, which can be achieved in many ways, including web-based access to sensitive systems via an administrative jump box, such as the Centrify Zero Trust Privilege Services with its Connectors.
Modern cloud jump boxes with distributed connectors are a great way to achieve a secure admin environment for distributed organizations. In the past you only had to secure access from inside your network. But the beauty of a properly designed Zero Trust Privilege Admin Environment is it not only allows remote staff to access resources 24×7, but it is well-suited for outsourced IT or outsourced development users because it alleviates the need for a Virtual Private Network (VPN) and handles all the transport security between the secure client and distributed connectors.
Distributed jump hosts or “connectors” serve the dual purpose of load balancing within the same network and of supporting multiple, different private networks. These connectors go where the resources are located, such as a DMZ, IaaS, or a Virtual Private Network, using private, mutually authenticated connections. These secure connections allow web-based SSH or RDP that works from any location. For outsourced, third-party users it includes federated inbound authentication, meaning authentication can depend on a partner’s directory of authorized employees, providing much higher identity assurance.
Grant Least Privilege
Least privilege as a concept is more common than you realize. Think of physical access control at your office: different levels of users have different access rights, and to get access to certain areas you must request and be approved. This is all very well recognized in the physical security space, and the same logic applies for logical security. It applies when granting granular role-based access to privileged resources.
Another objective of granting least privilege is to limit lateral movement across the network. This is the primary way attackers get access to sensitive data: they start in one location and move laterally until they find what they are looking for. If we zone off what they have access to, then we can stop lateral movement. Just as nobody should have a single key/badge that accesses everything, you really don’t want to use the root account on a server, as it gives too much access and has no attribution to the actual user, who we’ll call “Bob.” Instead, Bob should log in directly to the target system with his alternate admin entitlements, which give him access to restart only a particular set of servers. If he needs to change the configuration or access a different target system, then he must request access for a specified period of time through something like ServiceNow and may be asked for Multi-Factor Authentication (MFA). Once complete, Bob’s entitlements reduce back to just what is needed.
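The request-and-approve workflow and the Bob example above, modelled in code as an added illustration (this is not Centrify’s code or API): a broker that refuses elevation without an approved ticket, a reason and an in-policy duration, challenges for MFA, grants a time-boxed entitlement that expires on its own, and attributes every allowed or denied action to the individual’s alternate admin account. Hostnames, ticket ids and the four-hour cap are constructed.

```python
"""Just-in-time least privilege with request context and attributed audit (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_ELEVATION = timedelta(hours=4)   # constructed policy cap on any single elevation


@dataclass(frozen=True)
class Entitlement:
    action: str         # e.g. "restart" or "configure"
    targets: frozenset  # hostnames the action may touch


@dataclass
class Grant:
    entitlement: Entitlement
    ticket: str
    reason: str
    expires_at: datetime


@dataclass
class AdminIdentity:
    user: str            # HR-vetted directory identity, e.g. "bob"
    admin_account: str   # alternate admin ("dash a") account, e.g. "bob-a"
    standing: list = field(default_factory=list)  # always-on, narrowly scoped entitlements
    grants: list = field(default_factory=list)    # temporary, approved elevations
    enabled: bool = True                          # False once HR terminates the person


class AccessRequestError(Exception):
    pass


class PrivilegeBroker:
    """Evaluates elevation requests, expires grants on time, writes an attributed audit trail."""

    def __init__(self, approved_tickets, mfa_verifier):
        self.approved_tickets = set(approved_tickets)  # approver sign-off (stand-in for ITSM)
        self.mfa_verifier = mfa_verifier              # callable(user) -> bool (push or FIDO)
        self.audit = []

    def _log(self, identity, event, **fields):
        # Every record names the individual and their admin account, never a shared root.
        self.audit.append({"user": identity.user, "account": identity.admin_account,
                           "event": event, **fields})

    def request_elevation(self, identity, action, targets, ticket, reason, duration, now):
        """Request-and-approve: ticket, reason, scope and duration must check out, then MFA."""
        if not identity.enabled:
            raise AccessRequestError("identity disabled by HR-driven deprovisioning")
        if not reason.strip():
            raise AccessRequestError("a reason is required for every privileged request")
        if ticket not in self.approved_tickets:
            raise AccessRequestError(f"ticket {ticket} is not approved")
        if duration > MAX_ELEVATION:
            raise AccessRequestError("requested duration exceeds the policy cap")
        if not self.mfa_verifier(identity.user):
            self._log(identity, "mfa_failed", ticket=ticket)
            raise AccessRequestError("MFA challenge failed")
        grant = Grant(Entitlement(action, frozenset(targets)), ticket, reason, now + duration)
        identity.grants.append(grant)
        self._log(identity, "elevation_granted", ticket=ticket, action=action,
                  targets=sorted(targets), expires_at=grant.expires_at.isoformat())
        return grant

    def is_authorized(self, identity, action, target, now):
        """Standing entitlements first, then any grant whose window is still open."""
        if not identity.enabled:
            return False
        # Expired grants fall away automatically: rights shrink back to what is needed.
        identity.grants = [g for g in identity.grants if g.expires_at > now]
        live = identity.standing + [g.entitlement for g in identity.grants]
        return any(e.action == action and target in e.targets for e in live)

    def perform(self, identity, action, target, now):
        """Attempt a privileged action; allowed or denied, it lands in the audit trail."""
        allowed = self.is_authorized(identity, action, target, now)
        self._log(identity, "action_allowed" if allowed else "action_denied",
                  action=action, target=target, at=now.isoformat())
        return allowed


def demo():
    """Bob may restart two web servers; configuring one needs an approved, time-boxed grant."""
    t0 = datetime(2020, 6, 1, 9, 0)
    bob = AdminIdentity("bob", "bob-a",
                        standing=[Entitlement("restart", frozenset({"web01", "web02"}))])
    broker = PrivilegeBroker(approved_tickets={"CHG0041"}, mfa_verifier=lambda user: True)
    results = {"standing_restart": broker.perform(bob, "restart", "web01", t0),
               "configure_before": broker.perform(bob, "configure", "web01", t0)}
    broker.request_elevation(bob, "configure", {"web01"}, "CHG0041",
                             "apply approved TLS change", timedelta(hours=2), t0)
    one_hour, three_hours = t0 + timedelta(hours=1), t0 + timedelta(hours=3)
    results["configure_during"] = broker.perform(bob, "configure", "web01", one_hour)
    results["configure_other_host"] = broker.perform(bob, "configure", "db01", one_hour)
    results["configure_after"] = broker.perform(bob, "configure", "web01", three_hours)
    results["audit_events"] = [entry["event"] for entry in broker.audit]
    try:  # a ticket nobody approved is refused before any MFA prompt or grant
        broker.request_elevation(bob, "configure", {"db01"}, "CHG9999", "hotfix",
                                 timedelta(hours=1), t0)
    except AccessRequestError as err:
        results["unapproved_ticket"] = str(err)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```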
Audit Everything
For privileged sessions, it is of course best practice to audit everything. With a documented record of all actions performed, audit logs can be used not only in forensic analysis to pinpoint the issue, but also to attribute the actions taken to a specific user. Because these sessions are so critical, it is also best practice to keep a video recording of the session that can be reviewed or used as evidence for your most critical assets or in highly regulated industries. There are multiple regulations, including PCI-DSS for payment card data, that specifically require this level of auditing.
Monitoring and session recording can be achieved through a gateway-based technique, a host-based technique, or both. Host-based recording ensures that sessions cannot be bypassed and also provides process-launch and file-system-change auditing, which is highly desirable for your most critical resources.
If you have a security department, a good practice is to integrate this audit data with your existing Security Information and Event Management (SIEM) system or Cloud Access Security Broker (CASB) service for automated mining where risky activities can be identified and alerts raised.
Adaptive Control
Zero Trust Privilege controls need to be adaptive to the risk context. Gartner promotes CARTA – Continuous, Adaptive, Risk and Trust Assessment – and it is absolutely required for privileged access too. Zero Trust Privilege means that even if a user has entered the right credentials, a request that comes in from a potentially risky location requires stronger verification before access is permitted. Modern machine learning algorithms are now used to analyze a privileged user’s behavior, identify “anomalous” or “non-normal” (and therefore risky) activities, and alert or notify security.
Adaptive control means not only notifying of risky activity in real time, but also being able to actively respond to incidents by cutting off sessions, adding additional monitoring or flagging for forensic follow up.
Machine learning allows companies to pore through millions of events and scan for that needle in the haystack on an ongoing and continuous basis, which would never be achievable by manual forensics. Even more valuable is performing machine learning-based analytics inline and in real time and thus being able to enforce truly adaptive preventive controls and not just after-the-fact detective controls.
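As an added illustration of the adaptive control described above (constructed example, not Centrify’s analytics): a per-user behavioural baseline stands in for the machine-learning model, each request is scored against it, and the score maps to allow, step-up MFA, or deny with session termination and an alert. Verified behaviour is folded back into the profile so legitimate change stops generating step-ups; the users, countries and device ids are constructed.

```python
"""Risk-aware, adaptive privileged-access decisions over a behavioural baseline (constructed)."""
from collections import Counter
from dataclasses import dataclass

ALLOW, STEP_UP_MFA, DENY_AND_ALERT = "allow", "step_up_mfa", "deny_and_alert"

# Inline responses per decision: step-ups add monitoring, denials cut the session and alert.
RESPONSES = {
    ALLOW: (),
    STEP_UP_MFA: ("challenge_mfa", "enhanced_session_monitoring"),
    DENY_AND_ALERT: ("terminate_session", "alert_soc", "flag_for_forensics"),
}


@dataclass(frozen=True)
class AccessEvent:
    user: str
    country: str
    hour: int          # local hour (0-23) at which the request arrived
    device_id: str
    action: str        # "login", "checkout" or "elevate"


class Baseline:
    """Per-user profile built from past events (a simple stand-in for ML/UBA)."""

    def __init__(self, history):
        self.countries, self.hours, self.devices, self.total = Counter(), Counter(), set(), 0
        for event in history:
            self.observe(event)

    def observe(self, event):
        self.countries[event.country] += 1
        self.hours[event.hour] += 1
        self.devices.add(event.device_id)
        self.total += 1

    def risk_score(self, event):
        """0 means the request looks like past behaviour; each unfamiliar factor adds risk."""
        if self.total == 0:
            return 2                                    # no history at all: moderate risk
        score = 0
        if self.countries[event.country] / self.total < 0.05:
            score += 2                                  # country rarely or never seen
        if self.hours[event.hour] == 0:
            score += 1                                  # never active at this hour
        if event.device_id not in self.devices:
            score += 1                                  # unknown device
        return score


def evaluate(baseline, event, mfa_passed=False):
    """Return (decision, score). Correct credentials alone never settle a risky request."""
    score = baseline.risk_score(event)
    if score >= 3:
        return DENY_AND_ALERT, score      # everything is anomalous: MFA does not rescue it
    if score >= 1 and not mfa_passed:
        return STEP_UP_MFA, score         # stronger verification before access
    baseline.observe(event)               # verified behaviour becomes part of the profile
    return ALLOW, score


def demo_adaptive():
    """Forty normal office-hours events for 'bob', then four constructed requests."""
    history = [AccessEvent("bob", "US", 9 + i % 9, "laptop-1", "login") for i in range(40)]
    baseline = Baseline(history)
    normal = AccessEvent("bob", "US", 10, "laptop-1", "checkout")
    odd_hour = AccessEvent("bob", "US", 23, "laptop-1", "checkout")
    foreign = AccessEvent("bob", "RO", 3, "unknown-device", "elevate")
    results = {"normal": evaluate(baseline, normal)[0],
               "odd_hour": evaluate(baseline, odd_hour)[0],
               "odd_hour_after_mfa": evaluate(baseline, odd_hour, mfa_passed=True)[0],
               "odd_hour_again": evaluate(baseline, odd_hour)[0]}
    decision, score = evaluate(baseline, foreign)
    results["foreign_unknown_device"], results["foreign_score"] = decision, score
    results["foreign_unknown_device_with_mfa"] = evaluate(baseline, foreign, mfa_passed=True)[0]
    results["foreign_response"] = RESPONSES[decision]
    return results


if __name__ == "__main__":
    for key, value in demo_adaptive().items():
        print(f"{key}: {value}")
```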
To deliver Zero Trust, today’s Privileged Access Management (PAM) solutions cannot rely on simply vaulting away shared accounts. They must cover, in detail, both Privileged Account and Session Management as well as Privilege Elevation and Delegation Management. But clearly that is not enough. To sufficiently verify who (or what) a requester is, today’s cloud-ready Privileged Access Management (PAM) must include Privileged Identity and Access Management, Multi-Factor Authentication as well as Privilege Threat Analytics.
Legacy Privileged Access Management (PAM) did a great job of serving yesterday’s threatscape, but in a modern enterprise IT world, to protect yourself, your company, your customers, and your investors, a Zero Trust Privilege approach should be applied.
Debunked: 5 Myths About Zero Trust Security
Debunked: 5 Myths About Zero Trust Privilege
In 2020, Zero Trust Security gained popularity due to its simplicity and effectiveness. Yet despite a rise in awareness, many organizations still don’t know where to start or are slow to adopt a Zero Trust approach.
Natasha: Hello everybody. On behalf of Centrify, I’d like to welcome you to today’s webinar titled Debunked: 5 Myths About Zero Trust Security. Before we go into our session, I wanted to go over a few housekeeping items. Today’s webinar is an interactive session. We’ve put together a few poll questions to get your input, and we’ll share those as we go through the hour. Please submit your questions, if you have any, via the chat box throughout the webinar. We’ll try to answer questions as they come. Then we’ll also save some time at the end of the webinar.
Natasha: Also, as some of you know, the first 20 registrants who are in attendance today will receive a free Echo Dot. Congratulations. I will be reaching out to each one of you to get your shipping address throughout the webinar. Now let’s get started.
Natasha: In 2020, zero trust security gained a lot of popularity as more organizations recognize that zero trust is the only approach to securing networks. That’s the good news. The bad news is that when it comes to implementing a zero trust security model in their own organizations, many still don’t know where to start. There are several misconceptions surrounding zero trust that further impede adoption.
Natasha: This might explain why, despite the rising awareness about zero trust security, an incredible 66% of companies were still breached last year, with some averaging five or more separate breaches in just 12 months. Given the reality of today’s dynamic threat landscape, zero trust security is the antidote to becoming a statistic. As we kick off 2020, there’s never been a better time to rethink outdated enterprise security strategies and move towards zero trust security.
Natasha: My colleagues Tony Goulding and Torsten George will review with you the five myths about zero trust security and illustrate best practices on how to execute the security in organizations independent of size and industry. Welcome to both of you. Torsten, why don’t you give us a quick rundown of zero trust security and create the foundation for today’s discussion.
Torsten George: Sure. Thanks, Natasha. According to Gartner, organizations have stepped up their efforts to prevent cyber attacks, investing an estimated $114 billion in IT security this past year. This is up $10 billion compared to 2020. That’s a huge investment. However, every morning I’m getting up at 4:30 to check on the news and every morning I read about the next data breach. As a matter of fact, as Natasha mentioned, about two-thirds of companies are still getting breached. Worse, of those that are getting breached, they’re getting breached not once but an average of five or more times in a 12-month period.
Torsten George: That makes me really start scratching my head. We’re spending $114 billion in security, but that doesn’t seem to deter the hackers at all. Something is wrong with this picture here. Before we move on to the next slide, we wanted to really get your views on this with our first poll question. Please take a few seconds to tell us what you think the leading cause of data breaches today is. Okay, let’s take a look. Privilege abuse and bad actors inside a company are tied for the number one spot. Congratulations. That’s a great result.
Torsten George: We conducted studies, and there are a lot of other studies out there from just last year, and they showed a completely different picture. At that point in time, a lot of people still believed it’s malware, it’s anything other than the human. But, fortunately, things have changed. Thanks for submitting your opinion. Let’s move on.
Torsten George: You would hope that with $114 billion in your pocket our industry would be catching up with the cyber adversaries. Unfortunately, though, things are not getting easier for security practitioners like you. In fact, the enterprise landscape has gotten much more complicated in the last decade. Systems and data were inside the network perimeter. Now 90% of organizations are moving workflows through the cloud. They’re automating processes with that, storing data in huge data stores, terabytes of them, and what used to be a single server is now spread across hundreds of containers or microservices.
Torsten George: With this extended attack surface, we all know that the risk of breaches has increased. You can read about it every day. What can be done? What do all of these breaches have in common that could assist us in defining a more effective defense strategy?
Torsten George: When you do a fact check and look at postmortem analysis of data breaches, you will find out that 80% of today’s hacking-related data breaches involve compromised privileged credentials. 80%. That’s an absolute stunning number.
Torsten George: If we apply these facts, one thing really becomes obvious. Organizations need to recognize that perimeter security, which focuses on securing endpoints, firewalls, and networks, provides no protection against identity and credential-based threats. Until we start implementing identity-centric security measures, account-compromise attacks will continue to provide a perfect camouflage for data breaches. That’s why it’s important to rethink your enterprise security strategy and move towards zero trust security.
Torsten George: Based on the realities of today’s dynamic threat landscape, we have nowadays to assume that untrusted actors already exist both inside and outside the network. If we can’t necessarily trust any longer that the system administrator is really who he claims to be, we have to remove trust entirely from the equation.
Torsten George: In the old days, we’re following the mantra “always trust and verify”. However, today this is no longer sufficient. That brings us to zero trust. We have to apply this concept to any of our access decisions.
Torsten George: Now zero trust security is not something that Centrify came up with, or a security model that just recently emerged. But it was conceived by Forrester in collaboration with the US-based National Institute for Standards and Technologies in 2020. So quite a few years back. Meanwhile, companies like Google have adopted the security strategy as part of their security admission.
Torsten George: The zero trust core principles are very simple. First, you have to assure that all resources are accessed securely, regardless of their location. In other words, there’s no longer a trusted zone. Secondly, you have to apply a least privilege approach and strictly enforce access control. Of course, in a zero trust world, all users are initially untrusted.
Torsten George: Then the third step is really inspecting and logging all traffic and access requests. Even if traffic originates in your LAN, you have to assume that you can’t trust it. You have to analyze it. The implication of zero trust is never trust, always verify. It does not matter if you’re in the networking or outside the network. All access, regardless of user type, be it a privileged user, be it your contractors, be it your outsourced IT, all of them, and regardless of the infrastructure that you access, must be verified as far as your trust.
Torsten George: Natasha mentioned at the beginning that we have seen quite a bit of momentum for zero trust. Since its inception, the early benefits have evolved dramatically. Nowadays, zero trust has become a mindset that drives businesses’ strategic security initiatives to allow decision-makers and security leaders to move toward pragmatic implementations.
Torsten George: The entire security industry is talking about zero trust. Numerous thought leaders, Centrify is an example, Cisco, Symantec, Palo Alto, you name them, have embraced it and now use it to market and position their capabilities as well as guide their future outcomes. Even some recent M&A activities are tied back to the desire to incorporate zero trust capabilities into the acquirer’s technology portfolio. Example is Cisco acquiring Duo Security or Okta acquiring ScaleFT.
Torsten George: While not all analysts agree on zero trust as a common nomenclature, analyst firms like Gartner, which uses the term CARTA, or 451 Research, and Cooper-General Corp have embraced the zero trust model as a needed concept to tackle today’s threatscape. When zero trust was initially introduced to the market, it was just a concept. However, today it has grown into a security framework that is being used by a growing number of businesses and government agencies.
Torsten George: What you see in this slide is really the result of an IDG 2020 security priorities survey, whereby 71% of security-focused IT decision-makers are aware of the zero trust model, with 8% already actively using it in their organization and 10% at least piloting it. Following in the footsteps of your peers will definitely yield tremendous benefits, as zero trust security is proven to minimize the attack surface, improve audit and compliance visibility, and reduce risk, complexity and cost for the modern hybrid enterprise.
Torsten George: We talked about it, and we want to make this interactive. It’s time for another quick poll. Where are you in implementing zero trust security in your organization? Oh, wow! All of you researching. That’s why you’re on this call. That’s great. Tony, let’s start really talking about the myths that often hold us back also.
Tony Goulding: All right. Let’s do that. Thanks a lot, Torsten. Hi, folks. This is Tony. I’m going to talk about these five myths. It’s the title of this webinar. Torsten gave you a pretty good introduction, actually a great introduction, to zero trust security and really why this model is shaping up to be the definitive approach to security, especially today in the digital age.
Tony Goulding: Now both Torsten and I, we do a lot of traveling. We’re on the road a lot. We evangelize the concept of zero trust security wherever we go. We end up speaking with a lot of folks about this paradigm shift, and we’re frequently getting their insight, which helps us shape our message even further.
Tony Goulding: But, unfortunately, there are a number of misconceptions surrounding the topic of zero trust security and zero trust privilege in particular. That has tended to slow down adoption: questions about its total functionality, its applicability across different-sized organizations, and what kind of steps or how you would go about implementing this, let’s say a phase one through a phase three. For our audience’s benefit, what we’re going to do now is look at the top five myths and, hopefully, debunk them. Torsten?
Torsten George: Okay. Sure. Let’s talk about myth number one, which deals with the fact that many believe that zero trust security is really something that should start with data integrity. Of course, ultimately hackers are after data, correct? So is this really the case? Tony, why don’t you address this myth in a little bit more detail?
Tony Goulding: All right. Thanks, Torsten. In the earlier slides that Torsten presented, he mentioned that 80% of today’s breaches are caused by the abuse of privileged credentials. It only really takes one compromised privileged credential to impact potentially millions. Now millions can be in the form of users, it could be dollars, it can be lost opportunity due to intellectual property theft. But until organizations start implementing identity-centric security measures, account-compromised attacks will continue to provide a perfect camouflage for data breaches. The path to zero trust should always start with identity.
Tony Goulding: Now for its part, Gartner recommends putting privileged access management on top of an organization’s list of security projects. That should come first and foremost. Let’s stop here and let’s take another poll. We’ll see how many of you with privileged access management are only using a password vault. If you’re only using a vault, click on the ‘Yes’ button. Otherwise, click on the ‘No’. We’ll just give it a few seconds to populate.
Tony Goulding: All right, let’s see what we have. We have about 40% only using a password vault and the remaining 60% of the audience are using something in addition to that. Hopefully, especially for those that answered yes, as we continue down this path, you’ll get a sense of why a vault alone is not enough and how zero trust security or zero trust privilege can really help us better protect ourselves and mitigate the risks of just using a vault alone. All right. Let’s move on then. Let’s take a look at privileged access management and let’s determine how it can contribute to achieving zero trust security.
Tony Goulding: Now this diagram basically starts with legacy PAM. Legacy PAM solutions have been around for decades. Legacy PAM was designed way back in the day when all of your assets, all of your privileged access was pretty much controllable. IT was in control and everything was within a fixed boundary.
Tony Goulding: This is not a new message. We’re all familiar with the analogy of the fort and the moat surrounding the fort, but all of your systems and resources reside pretty much inside a network that you could control.
Tony Goulding: Now the environment basically consisted of administrators, system admins accessing predominantly servers. They typically used the shared local account available on the systems that they manage, which would be a shared root account on Linux and UNIX or a shared administrator account on Windows.
Tony Goulding: Typically, they would check out one of those privileged accounts so that they could use it on those systems, and they’d use a vault in order to do that. They would access servers, databases, network, devices, et cetera. For that purpose alone and in that type of dynamic, legacy PAM definitely served its purpose.
Tony Goulding: However, in today’s environment, we see quite a different look. We see that privileged access not only is involved with helping us administer access to infrastructure, database, and network devices, but now we’re extending to the cloud. Now we have to consider other environments as well, cloud environments. That might include big data, Hadoop type of projects where we need to protect access to the various clusters and the hundreds of thousands of nodes that those clusters consist of.
Tony Goulding: It’s also got to consider automation. DevOps is now coming into play where we’re doing lots of automation for scale and for speed and rapid development. Also, we’ve got a lot of our customers now who are taking their old monolithic applications and spreading them across containers. It could be hundreds of containers that now represent the application that used to be a single app on a single server, as well as microservices.
Tony Goulding: With this expanded threatscape, a legacy PAM solution simply won’t suffice. We need a cloud-ready zero trust privilege solution, and that has to emerge as being our direction. Now that doesn’t mean we no longer use the legacy PAM as we see in this diagram. It’s really a combination of both, because the majority of organizations are hybrid in nature.
Tony Goulding: Cloud-ready zero trust privilege is designed to handle requesters that are not only human. We’ve also got a lot more machine-to-machine, application-to-application, service-to-service using APIs, et cetera. The requesters are very, very much different.
Tony Goulding: Now we still have shared accounts. We’ll always strive to get rid of shared accounts, especially local accounts, but that’s not always possible. But for increased assurance, our best practices recommend using individual identities where we can apply a least privilege model. An example of that would be, instead of logging in as a fully loaded administrative account that’s shared, we log in as ourselves with minimum privilege. Then we can apply privilege elevation.
Tony Goulding: Now all controls that we have, they need to be dynamic and they need to be risk-aware, so we’re not just basically saying yes or no based on a static rule. That requires more modern technologies, machine learning, behavioral analytics. PAM needs to integrate and interoperate with a much broader ecosystem, including infrastructure-as-a-service providers like AWS and Azure, and with DevOps tools like HashiCorp, Ansible, Jenkins, other tools like that in the CI/CD pipeline, as well as container-based solutions such as Docker and CoreOS. This modern threatscape can’t be served with an appliance-based vault alone.
Tony Goulding: Moving on to this next slide, we’ll take a look at our model here for zero trust and really our approach towards it. To achieve this zero trust, organizations, they need to discard the old model, as Torsten mentioned, a “trust and verify”, and that relied on very, very well-defined boundaries.
Tony Goulding: Zero trust mandates a “never trust, always verify” and enforced least privilege approach to privileged access. It’s from the inside or outside the network. Basically, our attackers are already inside the network. But without a well-defined boundary, then our network is just massive.
Tony Goulding: Now zero trust privilege requires granting least privilege access. We have to base that on verifying who is requesting that access. As we see on the slide here on the left, verify who. We need to know who that individual or who that application or service is.
Tony Goulding: The context of the request is also equally important. We need to make sure that we understand the context in which that request is being requested. Also, the risk of the access environment itself. If we implement least privilege access, then organizations or customers are able to minimize the attack surface. We can improve our auditing and compliance visibility. We can reduce risk, we can reduce complexity, and costs for the modern hybrid enterprise that has a mix of on-premises as well as cloud-based infrastructure.
Tony Goulding: Starting with verify who, it’s really about today’s identity as we saw in the previous slide, including not just people but also services and applications and workflows in the cloud. We really need to verify who by means of leveraging enterprise directories. A lot of our customers have multiple directories. We may have users in LDAP and AD, and cloud directories.
Tony Goulding: We want to eliminate local accounts. By doing so, we can decrease the overall number of accounts and passwords and reduce the attack surface. In terms of contextualizing the request, again, we want to include context within that decision-making process. That might be in the form of a valid trouble ticket that is causing an administrator to actually perform a privileged task.
Tony Goulding: We want to provide a reason as well as to what’s being requested and for why, so when we make an access request that goes through an approver, they have all the context they need to say yes or no. Now once this request is contextualized, then it has to be routed for that kind of approval. Again, we can include other contextual factors such as IP address, location, date and time, et cetera.
Tony Goulding: Now securing the administrative environment. When we’re accessing privileged resources, it’s very critical that we don’t enable or spread malware to the endpoint, to the service that we’re trying to access. We don’t want to introduce infections during our connections to servers. To achieve this, we need to make sure that access is only achievable through a clean source.
Tony Goulding: Now zero trust privilege means preventing direct access. If I’m on a user workstation, I need to have remote access to a server. I’m not going to be granted direct access to that server. If my access is approved, if I have the right roles in order to achieve that, then I will be going through some kind of intermediary that ensures any malware on my system does not spread to the target systems. That is securing the administrative environment.
Tony Goulding: Now granting this privilege, that’s a big part of what we’re talking about here, which is granting just enough privilege just in time both on that server as well as just for accessing resources and assets on that server, as well as preventing lateral movement. If I’m an attacker and I compromise an account, if that account has the least amount of privilege, then I will be, hopefully, prevented from moving laterally to try and get access to a more privileged account or additional resources.
Tony Goulding: Now just-enough privilege is what we’re talking about to get the job done. Just-in-time privilege is based on temporary access. We want a simple request process that we can use to request legitimate access, giving that approver the context they need to make an informed decision, and then basically I get back only the rights I need to do the task at hand. Once that task is completed, those rights are taken away.
Tony Goulding: If you look at a graph of a risk profile, instead of it being constantly high, as would be the case if I’m given a shared privilege account like root or administrator, it only gets high for those times when I need that elevation to do a legitimate task, no more.
Tony Goulding: Now auditing everything, obviously from a compliance perspective, we need to audit everything. We need a documented record of all privileged access that has been performed. Now, audit logs can not only be used in forensic analysis to find an issue and resolve an issue, but also to attribute those actions taken back to an individual user. With shared privileged accounts that are vaulted, root, administrator, oracle, sa, these are all anonymous accounts. We need to be able to tie activities back to an individual.
Tony Goulding: Now because these sessions are so critical, it’s also best practice to keep a video recording of the session that can be reviewed or used as evidence when things are compromised, especially in highly regulated industries. Now there’s multiple regulations, including PCI DSS, the payment kind of data, that specifically requires this level of auditing.
Tony Goulding: Finally, we come to adaptive control. Adaptive control is leveraging modern technologies that, quite frankly, legacy PAM doesn’t have. That is using things like machine learning and adaptive MFA to add that additional security layer and to detect abuse, privileged access abuse, before it turns into a data breach. We’re talking real-time alerting at the point of access.
Tony Goulding: That doesn’t just mean logging into a vault. There are multiple points of access that an administrator will touch. It could be vault login, it could be password checkout, it could be requesting a remote session, or it could be on the server itself when you’re requesting privilege elevation. All of those are access control decision points, and they require this rigor to be applied at those levels as well. After this discussion, I guess, let’s see how the audience feels about whether vaulting alone is sufficient.
Torsten George: Before we go there, I wanted to inject a question that came in as it relates to the secure admin environment. Wade was asking if securing the admin environment is dependent on the request and therefore integrated into the controlled workflow.
Tony Goulding: Yes, it is. Securing the admin environment is really all about trusting the user as well as trusting the device that they’re coming from. As we’ve mentioned, if you’re remote, we can’t always trust that device.
Tony Goulding: But the infrastructure, the design of our solution, has what we call a scalable connected model. Basically, what we want to do is ensure that these, especially remote users where we have no control over their device and we don’t know whether they’re infected or not, it’s really that intermediary that is the trusted clean source. That is the lockdown source of establishing connections to the endpoint.
Tony Goulding: As an example, as a remote user, I may access, let’s say, the Centrify vault through a browser-based session. That alone doesn’t attach me to a target network if I’m coming in through a browser. I’m not coming in through a VPN, so it’s kind of secure VPN-less remote access. But it’s the actual connected layer that we introduce that has the SSH or the RDP session to the downstream server.
Tony Goulding: By doing that, we have total control over how the endpoint is accessed, and we isolate that user’s desktop from the equation. If they do have malware, it’s not going to spread to the target server.
Torsten George: Another question is in the context of contextualizing requests. Scotty is asking, “How much support to the help desk does zero trust have?”
Tony Goulding: How much support to help desk does zero trust give us? As far as a help desk user is concerned, I mean very often we find that in a help desk scenario, let’s say I’m on a system and we want to actually implement or install additional software, then a help desk person may need to work on that server or on that desktop with elevated privileges in order to perform an administrative task. Often that involves having to logout the original user that’s there and then login as an administrator in order to do that.
Tony Goulding: But with our host-based privileged access solution, we have the ability to run as another user. As a help desk individual, I could access the application, I could run as a privileged user. The credentials I’m using to login are not exposed to the original user, and so then I’m able to perform that administrative task and get the job done.
Tony Goulding: But very often help desk is more associated with end users, a desktop type of scenario. What we’re really focusing more on here is administrative use of servers and infrastructure, which doesn’t usually involve a help desk type of scenario. Hopefully that answered the question.
Torsten George: Okay. Any other outstanding questions we will address at the end. Let’s move on then. As Tony mentioned, we were interested, after what he laid out here, if you have changed your mind when it comes to whether vaulting alone is sufficient or not. Click ‘Yes’ if you still believe so. If you have reservations, again, click on ‘No’.
Tony Goulding: All right, we’ll give that a few seconds to populate before we move on.
Torsten George: Oh, you did a great job, Tony.
Tony Goulding: Well, I can’t say I’m surprised, but it’s nice to have 100%. We do have a lot of people attending the webinar, so it’s not like two people. That’s pretty good. All right, let’s move on to myth number two.
Tony Goulding: Torsten, you’ve mentioned earlier that Google was one of the first organizations that adopted the zero trust security model as part of their BeyondCorp initiative. Now obviously by using this tech giant as an example, many of our listeners, especially when we’re out on the road, they fell for the same myth as many others and believed that zero trust security, zero trust privilege is only applicable to large organizations. What’s the reality here, Torsten?
Torsten George: Okay. Quite frankly, the reality is that nobody is safe from falling victim to credential-based cyber attacks. I mean we all read or heard about major breaches at Equifax, Uber, Under Armour that really impact millions of consumers and have really large financial consequences. The latest research by Ponemon Institute estimates that the average cost of a data breach nowadays is $3.86 million. That’s a huge number. There’s always focus in the media on these big consumer data breaches, but, in reality, government agencies are also under severe attack. Senate phishing attacks and the OPM breach are just a couple of examples.
Torsten George: What many may not know is that it’s not just large, well-known brands. It affects us all. 61% of small businesses were breached in 2020. SMBs don’t have access to the same resources as their counterparts. It’s unfortunate that 90% of small businesses even go out of business within six months of an attack. As a small business owner, your funding situation is obviously not comparable with the likes of Google. However, driving towards zero trust security doesn’t need to break the bank.
Torsten George: I had recently a get-together with some friends, and one of my friends runs a small business. He knows what I’m doing, and he was asking, “Hey, is there a beer budget that I can apply?” Yes, there are. We will talk about the steps that you can take. You don’t have to implement everything at once. Nobody expects you to mimic what Google has done. But it really can be achieved, it’s affordable. Thus, company size or budget should not be a deterrent to give up on pursuing the zero trust security strategies. Let’s look at another myth that was born by looking at the BeyondCorp example.
Torsten George: When Google established their zero trust security architecture, they decided to rebuild their entire network from ground up. That’s why many observers believe zero trust security always requires a rip and replace of the existing network. Let’s find out if this is really true. Tony?
Tony Goulding: All right. Thanks, Torsten. Yes, Google, BeyondCorp, I guess, unfortunately, it is a bad example. It tends to represent more of the exception than the rule. The reality is that implementing a zero trust architecture is really an augmentation of the current security controls that you have. It’s not necessarily a rip and replace.
Tony Goulding: Now it does help if the vendor that you’re choosing has control over all of those products and services and applications, and they’re built organically so that they fully integrate. But you can describe this process as a journey towards zero trust security, which is reflected by the maturity model that you see or the journey that you see on the screen here, and it really can be step-by-step.
Tony Goulding: The idea here is that a lot of our customers find themselves in the danger zone that you see there. Too many passwords, too many accounts, and too much privilege. What we’re trying to do is move away from that danger zone. Best practices recommend to start by establishing identity assurance.
Tony Goulding: Now this could be done, for example, by deploying MFA everywhere, which is a common first step. It gives you tremendous value. MFA is not as complex as it’s been in the past. If it can be applied everywhere, I mentioned earlier about the multiple access control decision points. If you can apply MFA optionally at each one of those decision points for additional identity assurance, you can really pull down that attack surface dramatically.
Tony Goulding: Now in the next step, it’s recommended to take action to limit lateral movement, and we mentioned that earlier. It’s easier to limit lateral movement if an account that gets compromised, let’s say, by an attacker has the least privilege. If that account that’s being used consistently by IT for routine login and maintenance is a fully privileged account, if that gets compromised, it can be easily used to move laterally.
Tony Goulding: We can do that also. I mentioned earlier about remote access, if we can use VPN-less remote access, where the remote user, let’s say, an outsourced IT, a third party, or even internal IT that’s working remotely, if they’re not using a VPN to gain access to your internal resources, then we can protect them from network access in a broader sense and we can also surgically place them on that target server instead of perhaps giving them exposure to other servers within the network.
Tony Goulding: Ideally, the next step on the journey then is to enforce that least privilege by, for example, enforcing just-in-time privilege. We mentioned access request and control. If I have the least amount of privilege as an administrator on a box, but I need to restart the web server or install some software, then having the ability to get those additional entitlements to achieve that particular task by requesting just in time but just enough privilege, no more, then that helps control that attack surface as well.
Tony Goulding: Now ultimately you want to be in a position of auditing everything, as we mentioned, but the reality is that every organization is different, not just related to the ecosystem but also from a risk appetite and a risk tolerance perspective. This maturity model can be adjusted to meet individual needs, but it does represent, broadly speaking, all of the different touch points that should be a consideration for you in trying to increase your maturity and reduce your overall risk. Okay, next slide then.
Tony Goulding: When we look at the steps that are specific to zero trust privilege, it doesn’t have to be complicated, but there are some proven best practices. The last diagram was like a maturity model of things you can do. This diagram is really a little bit more prescriptive in terms of a phase one, two, and three, what a lot of our customers have actually done in terms of adopting the best practices necessary to achieve zero trust privilege. You’ll find that Gartner recommends a very similar three-step approach as well.
Tony Goulding: But the first phase gives you some quick and effective wins. I mean let’s face it, privileged access management can be a complicated beast. Getting simple, quick wins early on is always a boon to such a project. But the first phase gives you some of those. It puts some basic controls in place.
Tony Goulding: Those basic wins could be discovery. You can’t manage what you don’t understand or you don’t know. Discovery is a great way of getting all of your privileged accounts and resources in place, vaulting away those privileged credentials, especially when you can’t get rid of local accounts, vaulting them away so that they’re properly managed. But again we’ve already spoken ad nauseam about how the vault is not enough. You can’t simply stop there, with just vaulting what you discovered.
Tony Goulding: Phase two involves reducing that attack surface. The principal way we do that is consolidating identities. Like many of our customers in the danger zone, they’ve got identities everywhere. An administrator may have 10, 20, 50 different accounts spread throughout multiple systems.
Tony Goulding: Identity consolidation is all about eliminating local accounts as far as humanly possible. Then giving those users or administrators a single identity. Then we’re managing a single identity, we can better control what they’re allowed to do on those various endpoints by doing that. We’re also implementing both privileged elevation controls as well as workflow for that just-in-time privileged access, the request approval mechanism we mentioned earlier.
Tony Goulding: Now one of the lowest hanging fruits in this particular phase is MFA for all privileged users. Nobody should be allowing an administrator to log in to a business-critical server without prompting for second-factor authentication. Now, of course, if you have more advanced tools like privilege analytics, you can put context into play there so that it’s not binary, on or off; you’re actually only prompting for that second factor if the context suggests that the risk is too high to just let them in.
Tony Goulding: That final phase involves hardening the environment by air gapping administrative accounts, following things like Microsoft best practices, so Microsoft’s enhanced security administration environment, the ESAE, is one such set of best practices. Shutting down dangerous workarounds by putting host-based monitoring, using advanced behavioral analytics, as I just mentioned, and finally adding assurance level three.
Tony Goulding: NIST is very, very popular. It’s tracked and adhered to by a lot of our customers, not only in the federal government but also non-governmental customers. They’re looking for those extra assurance levels. NIST assurance level three, for example, is not just about a second factor, but it’s about the use of a physical second factor. Working up to that assurance level three gives you that more mature stance. It gives you additional risk mitigation, especially for those ultra-sensitive servers where, for example, PII lives, credit card information, or healthcare information.
Tony Goulding: None of these has to be complicated. It sounds complicated, but it doesn’t have to be. Centrify and the partners that we work with, we’ve got many years of experience putting together these types of solutions in some of the world’s largest and most complex environments.
Tony Goulding: I guess that brings us to our next poll question. Please take a moment to share where you are in terms of implementing zero trust privilege, zero trust security within your organization. Give that a few seconds to populate before we move on to our fourth myth.
Tony Goulding: Okay. We have some results in here. It looks as though about a quarter of the audience is doing discovery and vaulting, which is no real surprise based on the earlier answers from people using a vault. Identity consolidation is interesting with least access privilege. Maybe we could have separated those two out. But identity consolidation is great, least access privilege is awesome.
Tony Goulding: The high assurance hardening is zero. We don’t have anybody taking that extra step of doing a lot more host-based auditing and session recording, perhaps with behavior analytics and contextual-based access controls. We have about a quarter of the audience who have really not started on any of this, which is scary, but, hey, that’s why we’re all here, is to learn and discover what’s possible and what’s achievable. All right. Thank you for that. Let’s move on to the fourth myth.
Tony Goulding: Most organizations that we’ve spoken to, they look at zero trust as something that is exclusive to on-premises, something that can’t be applied to the public cloud, especially in hybrid environments. The infrastructure in the public cloud is basically not under their control. Let’s get some insights from Torsten on myth number four.
Torsten George: Sure. We all know that it’s really impossible to stop the cloud migration movement. All the stats you can find from leading research firms confirm that businesses of all sizes have started and continue to outsource their IT environment into the cloud. By doing so, all their sensitive data now resides outside their traditional network perimeter.
Torsten George: Hackers have missed that trend and are nowadays including hosted environments in the tech cloud. I don’t know if you’ve heard about last year there was a big attack on Tesla, whereby compromised credentials were used to gain access to their AWS DevOps environment, and it served the hackers as their own cryptomining operations center. They didn’t have to pay for it, Tesla did. Just one example.
Torsten George: It’s really important to adopt zero trust security not only in your own infrastructure, but extend the security model to your cloud environments. At the end of the day, you’re applying the same zero trust security best practices and tools to the cloud. The rules haven’t changed, only the location of your data. Zero trust can easily be extended into the cloud as you’re treating this outsourced infrastructure like you would with any of your internal data centers.
Torsten George: To round things off, myth number five. We hear about this a lot in the field. As Zero trust security was conceived as a response to the new threat landscape, many believe that its benefits are primarily focused on minimizing an organization’s risk exposure. Is this really the only benefit that zero trust security delivers? Tony, please enlighten us.
Tony Goulding: Yeah. Thanks, Torsten. Yeah, clearly, that is . We’re leading the witness here. That’s clearly not the case. We’ve worked with a number of analysts. We’ve done our own research, but certainly we’ve worked with Forrester, and they conducted multiple studies to look at the advantages and the benefits of zero trust security.
Tony Goulding: As expected, the results prove that organizations can reduce their risk exposure. Certainly during the initial rollout, that risk exposure reduction can be dramatic. It can be 50% or more, to be more precise. But in addition, organizations that they’ve interviewed experienced an average of $5 million in cost-savings related to breaches, which is not insignificant.
Tony Goulding: Now interestingly, the most mature organizations preferred an integrated platform approach instead of points or custom one-off solutions. By taking that strategic approach, that led to an estimated 40% reduction in IAM, identity and access management, and privileged access management technology costs as a percentage of their IT budget. Those are massive savings.
Tony Goulding: But as Torsten was alluding to, it’s not all hard benefits that you gain. Zero trust privilege, it also contributes to a business confidence that’s required in the form of enhancing customer and partner experiences. If they feel as though they’re then secure, that they’re applying modern security to protect their best interests, then you get better partner experiences and customer experiences. Also, more and more about daily life is mobile. Empowering your mobile workforce is another benefit that you can get from implementing this type of solution.
Tony Goulding: Also, Dev and DevOps, I mean let’s not forget Dev and DevOps. A lot of our customers are aggressively moving to the cloud and using containers and microservices. Their developers are frantically working to create very scalable applications and services in the cloud, and so they become the focus of many attacks. Securing what they do, being able to vault away passwords and secrets that they use routinely within their pipeline, as well as securing their access to assets, what they’re allowed to login to and what they’re allowed to do. Should the Devs be able to access the production systems or the QA systems, et cetera? These are all important benefits that we get as well from using privileged security in this manner.
Torsten George: That’s real great information, Tony. Thank you. Let me quickly summarize our discussion for our audience. It was a lot of information to digest. We’re able to debunk the top five myths about zero trust security and learned that, number one, the path towards zero trust security starts with privileged access management as far as zero trust privilege, and not like many believe with data integrity.
Torsten George: The second thing is that, in addition, zero trust is universal, meaning it applies to organizations of all sizes and industries. Furthermore, it’s affordable. Think about the beer budget next time you sit at the bar.
Torsten George: We also learned that zero trust security doesn’t require a rip and replace, but rather augments existing security controls and can be implemented step-by-step over time. Importantly, it was also discussed that zero trust concept expands beyond traditional network perimeter and covers the ever-expanding attack surface, including public cloud environments.
Torsten George: Last but not least, zero trust security offers a broad range of benefits, from risk and cost reduction to increased confidence levels and empowering your modern enterprise projects. As we wrap things up, before we start with further questions, let’s take a look at our last poll. We really would love to hear from you on what other topics you’re interested in for future webinars. Please take a few seconds to review and respond.
Torsten George: Oh, it looks like people really want to drill more into the zero trust security concepts and how zero trust privilege can help their organizations. We will definitely take that into account. Let’s see what other questions came in here. While we’re looking through the questions, you can also . If you need to contact, you already have our contact information. Please join us for future webinars, events. You can find all the links there. Then also if you’re really interested to get your fingers onto the solution, we offer a 30-day free trial. With that said, let’s see.
Torsten George: There is a question here from Steve, asking, “We’re currently using a password vault. But based on your presentation, it appears that approach doesn’t meet the full zero trust requirements. Can you elaborate on this a little bit?”
Tony Goulding: Yeah. I think you figured out that part of our message here is that password vaults are not enough. We find a lot of customers are using just a vault, and that might be just because they got an audit finding that said, “Hey, you’ve got too many shared privileged accounts in the hands of the admins, and it’s insecure.” They get a ding and it’s like, “Well, password vault is an easy way of basically reconciling that.”
Tony Goulding: But from an overall enterprise security perspective, just having that vault and continuing to perpetuate the use of shared privilege accounts and local accounts especially is simply not enough. Going back to some of the slides that we had on the maturity model, if all you’re doing is the vault, then you really are leaving yourself exposed.
Tony Goulding: We have a lot of customers actually who’ve implemented the vault. If I’m an attacker, I’m going to bypass that vault. I’m not going to necessarily say, “Oh, look, they’ve got a vault.” I’m going to try and compromise infrastructure by going through the vault, which is if all you have is a vault, that’s the single point of failure as well, because it’s typically where your policies are applied. A lot of vault vendors do their command filtering there, they do their session recording there. If an attacker gets onto your network and goes laterally to different servers, then you’re bypassing that vault completely and you don’t have any session recording on what’s going on.
Tony Goulding: Augmenting a vault, a vault has its place, but augmenting it with a host-enforced privileged access management solution is . Oh, have we gone to mute? Sorry. We might have muted there. Augmenting the vault with a privileged access management solution that’s at the host level can mitigate those risks. It also provides the more fine-grained authorization necessary on the host. You can only see so much of what’s going on if you’re a proxy at the vault and you’re trying to filter commands.
Tony Goulding: On the host level, we get fine-grained session recording and auditing, including process-level auditing, which can go quite deep. We can figure out if attackers are trying to hide privileged activity inside a script file or behind an alias. We can do constant monitoring at that level and alerting, which you can’t very easily do up at the vault level.
Tony Goulding: Also, we get the ability to basically consolidate those identities in a much more efficient fashion. What we want to do is get rid of those local accounts, give everybody, for example, a single active directory identity that they can then use to login to their resources wherever they happen to be.
Tony Goulding: Certainly, as it comes to more modern approaches like in the cloud, if I stand up an instance, let’s say, of Linux in the cloud, I want to be able to login to that instance with my own AD account without having to replicate AD infrastructure into the cloud. These are some of the benefits that we get, certainly with the Centrify solution that’s fairly unique, is the ability to support authentication and login to those instances without replicating that infrastructure into the cloud. I might have wobbled a little bit there, but hopefully that addressed part of that question.
Torsten George: Okay. A question from Kevin from our audience, “What tools and approaches are available for database access? It seems that a lot of the conversation has focused on server access. What about database administrators? We know we need to mature and not let engineers connect directly to databases.”
Tony Goulding: Yeah. There’s a couple of things there. I mean, for example, our vault is not unlike many vaults, isn’t it? It’s not just a password vault. It stores generic secrets as well. But it can also store database accounts. Let me give you a use case.
Tony Goulding: Maybe I’m a database administrator. I login to the Centrify vault, the privileged access service, and, based on my role, maybe I have the ability to login to a database or to checkout a database password. Maybe I have to request that. But ultimately we do have the ability of managing those database accounts within the password vault infrastructure.
Tony Goulding: Then, further, you may use intermediary applications like Toad. What you want to do is access a database through that intermediary service. We have the ability of enabling that from within the vault infrastructure as a secure remote session, but governing whether or not that user really should have the ability to do that. Hopefully that answered the question.
Torsten George: Okay. Then we’ve got a question that is focused on MFA. Vernat is asking, “We’re using Google Authenticator in a limited scope. Are there any other such alternatives you would suggest?” It’s more about the MFA methodologies that you should apply for login, for privilege elevation, and talking about the assurance levels, basically.
Tony Goulding: Yeah. I mean we’re big proponents of MFA. Obviously, it’s a means of mitigating risk through additional identity assurance. Certainly if you’re a bot or a piece of malware that’s running there, then they don’t have the fingers necessary to open up and authenticate on a phone and respond to that. It’s great in that respect.
Tony Goulding: But to answer your question, yeah, we have built-in MFA support. We like to give our customers a bit of a leg up. Most of our customers do already use third-party tokens for multi-factor authentication, and we support the bulk of the common ones out of the box, whether it’s RSA SecurID, RADIUS-based, host-based OTP, OAuth, SAML, all of these different types of mechanisms. We support those. I guess we’re unlike a lot of the vaults out there that focus more exclusively on storing stuff.
Tony Goulding: We also have a built-in authentication framework. We can generate these tokens within our own service without relying on third parties. That becomes really useful for when a lot of our competitors, let’s say, the service-to-service or application-to-application password management, when an application needs to authenticate to another one, it’s all about having programmatically the ability to check a password out of the vault in order to login.
Tony Goulding: But passwords are inherently insecure. By talking to our service, they could actually use a stronger token that’s not long-lived like a password. They could use a SAML token or an OAuth token in order to do that authentication, which is much, much stronger, and they are ephemeral tokens that will only last for the duration of that session.
Tony Goulding: From an MFA perspective, yeah. We’ve got that down in spades. We do it at vault login, checkout, remote connections to the servers and on the server itself, not just on server login but also on privilege elevation. Nobody else does that using a single unified framework. That’s part of our benefit is organic . We’ve built all this stuff ourselves. We haven’t OEM’ed it, we haven’t acquired it, we haven’t tried to Frankenstein it together. It all works in a unified way.
Torsten George: Okay. Thanks so much, Tony. I think these were all the questions we can take in today’s webinar. Natasha, why don’t you take us off?
Natasha: Great. Thank you all for joining us. I will be sending the slides and the recording in the next 24 hours, so keep an eye out for that. We hope to see you at our next webinar. Thank you all. Thank you, Torsten and Tony.
Torsten George: Thanks, everybody.