Updated on February 10, 2023.
Password security is crucial to preventing cyber attacks. It is important to find a password manager that enables the zero-trust security model to mitigate the risks of data breaches from compromised user accounts.
Here is a breakdown of this security framework and how Keeper helps with zero-trust compliance requirements.
What is the Zero-Trust Security Model?
Zero trust is a cybersecurity framework that asserts that no user or application should be trusted by default. Zero trust assumes every user and device could be compromised and doesn’t automatically trust any users or devices within the organization’s network. Anyone and anything, human or machine, is required to be verified before they gain access to the network.
How the Zero-Trust Approach Strengthens Password Security
Password security is fundamental to zero trust.
According to the 2022 ForgeRock Consumer Identity Breach Report, cyber attacks involving usernames and passwords increased 35% the prior year, leading to more than two billion compromised records in the United States alone. Unauthorized access was once again the most common attack method, making up 50% of reported breaches.
Securing employee logins through the use of a password manager is a step toward implementing a zero-trust model that can prevent and mitigate cyber attacks. Zero trust addresses the top cause of cyber attacks – weak and stolen credentials. In the United States, from 2020 to 2022, the average cost of a breach increased 16% to $9.5 million, making the U.S. the most expensive country in the world to recover from a data breach. Businesses can protect their sensitive data and save money in the long run by implementing zero trust.
The Importance of Zero Trust
The zero-trust framework enhances compliance and prevents cyber attacks caused by compromised user accounts and stolen devices. Organizations are able to prevent cyber attacks by taking the necessary steps to verify every user and device before allowing them access to the network.
According to the Zero-Trust Adoption Report from Microsoft, 96% of security decision-makers state that zero trust is crucial to their organization’s success. The model has been heavily adopted in recent years and continues to grow. Reasons that organizations choose zero trust include:
- Increased security and compliance agility
- Speed of cyber threat detection and remediation
- Simplicity and availability of security analytics
What are the Main Zero-Trust Principles?
A zero-trust solution must include several functions to ensure it is effective.
1. Monitoring and Validation
“Never Trust, Always Verify” is a common phrase used to describe zero-trust security. The zero-trust model assumes that a breach already exists and treats everything and everyone as untrusted, resulting in continuous monitoring and verification. It is crucial to regularly log activity and record anything suspicious or malicious in order for the model to work.
By continuously monitoring systems and implementing the proper tools, IT and security administrators can more easily recognize the difference between a legitimate employee login and a compromised account.
2. Principle of Least Privilege (PoLP)
The Principle of Least Privilege (PoLP) is a cybersecurity best practice, especially when configuring privileged access to confidential information and assets. Under this principle, admins restrict users to the minimum levels of access and permissions required to perform their job functions.
For example, a company may only give access to specific drives and information to the appropriate teams. Under the principle of least privilege, only the:
- Accounting team would have access to company financial statements
- Marketing team would have login details to company social media accounts
- Human resources team would have access to employee files and details
Instead of giving every employee complete access to the organization’s network, each employee only has access to what is necessary to them. If an individual employee’s account becomes compromised, the cybercriminal would only be able to access what that specific user has access to.
3. Multi-Factor Authentication (MFA)
Multi-factor authentication is an authentication practice in which a user is granted access to websites, applications and services only after providing at least one additional verification factor to validate who they are. MFA is typically set up after a user has made an account with a site or application. In addition to logging into the account, the account holder may be required to:
- Use an authenticator app on a registered mobile device to confirm the login
- Submit a 6-digit code delivered to the user’s email address or by text message
- Answer personal security questions specific to the user
The Key Pillars of Zero Trust and How Keeper Addresses Each One
The five pillars of zero trust consist of identity, device, network/environment, application workload and data. Here’s how Keeper covers each one of them:
1. Identity Pillar
Keeper’s solution supports the identity pillar with a zero-knowledge authentication and authorization model. Identities can be entirely managed within Keeper. Our platform is capable of full integration into any existing zero-trust identity provider. Keeper’s security model supports several advanced authentication methods, including continuous validation at the vault, device and record level and real-time machine learning analysis.
2. Device Pillar
Keeper’s solution supports the device pillar with constant device security monitoring, device-based access controls, validation and data access. Keeper works with existing device management tools such as Azure’s conditional access policies. Information stored within our platform is encrypted and decrypted locally on the device. Elliptic Curve (EC) encryption is used at the device level to protect data and support the zero-trust model.
3. Network/Environment Pillar
Keeper’s solution supports the network/environment pillar with fully distributed ingress/egress micro-perimeters, machine-learning-based threat protection, zero-knowledge encryption and record-level access controls. Information is encrypted at rest using 256-bit AES record-level encryption and device-level EC encryption. Network communication between the Keeper Vault on the device and the Keeper cloud is protected with TLS 1.3, plus additional layers of transmission-level encryption to protect against attack vectors such as man-in-the-middle (MITM) attacks, brute force attacks and enumeration.
4. Application Workload Pillar
Keeper’s solution optimizes the application workload pillar where access is continuously authorized and there is strong integration into the application workflow. By default, Keeper can be accessed over the internet without any VPN connection. Administrators can manage user role accessibility through access control policies.
Keeper’s advanced reporting and alerts module (ARAM) capabilities provide agencies with telemetry data covering hundreds of event types that can trigger real-time alerts or other threat-based actions.
5. Data Pillar
Keeper’s solution supports the data pillar with zero-knowledge encryption. Zero knowledge is a framework that ensures the highest levels of privacy and security. Encryption and decryption take place on each user’s device. Combining 256-bit AES and elliptic curve cryptography, Keeper ensures that our users’ information is safe and secure at every level. Visit our documentation portal to read more about our full encryption model.
How Keeper Supports the Zero-Trust Framework and Zero-Knowledge Encryption
Keeper is a zero-knowledge and zero-trust password manager, secrets manager, privileged access manager and remote desktop gateway. All information stored in Keeper is only accessible by the end-user. Its platform provides total control over employee password practices. IT administrators can control password use across an organization and implement role-based access controls.
For company secrets, there is Keeper Secrets Manager — a cloud-based, zero-trust and zero-knowledge solution for securing company secrets such as:
- API keys
- Database passwords
- Access keys
- Certificates
- Any other type of confidential data
Keeper Connection Manager provides DevOps and IT teams with instant zero-trust access to infrastructure. This agentless remote desktop gateway can be installed in any on-premises or cloud environment. Organizations are choosing Keeper Connection Manager because of its:
- User-friendly and intuitive interface
- Responsive customer support
- Quick and seamless installation
KeeperPAM is a next-generation Privileged Access Management (PAM) solution that incorporates enterprise password, secrets and privileged access management, all in a unified zero-knowledge and zero-trust cloud-based platform.