Zero Trust, Windows Application Security, and GO-Global
The term “Zero Trust” was coined in 2010 by Forrester™ Research analyst John Kindervag to describe a new, considerably stricter approach to user access controls and cybersecurity posture than what was then in general practice. The term derives from a Russian proverb “trust, but verify”, which was adopted and often repeated by Ronald Reagan during his presidency.
The zero trust security model is an approach to the strategy, design, and implementation of IT systems. Like the proverb, the basis for the zero trust is that users and devices should not be trusted by default, regardless of location or previous trusted relationships.
While the term was first used in 2010, it took a decade for zero trust computing architectures to prevail over traditional cybersecurity and user access practices. Traditionally, once a user or device gains access to a network, they are usually granted significant trust and given broad access privileges.
However, with the rise of cloud computing, the proliferation of mobile devices, increase in network types, and the work-from-anywhere user scenarios that became ubiquitous during the pandemic, that traditional approach proved sadly insufficient against today's’ advanced threats.
Windows® ISVs that deliver their applications from the cloud to customers located anywhere have been operating with this scenario for years. However, as attacks have become more sophisticated and widespread, it’s become super-critical for Windows ISVs to secure their applications, customer data,and application delivery infrastructure. Here at GO-Global, we have seen a significant uptick in Windows ISVs including GO-Global® as part of a zero trust initiative for Windows application security.
What’s included in a zero trust initiative, and how can GO-Global help?
Principles of Zero Trust
Perimeter security was once the focus of a comprehensive IT security plan. However, zero trust identifies 5 principles that IT needs to adopt as part of its strategy.
Consists of all users, devices, applications, data, services, and the network on which sensitive company data is transported. Due to the pandemic, users are now far more dispersed, so an organization’s protect surface extends far beyond the corporate LAN.
Cybersecurity tools in this category include those that go beyond the network edge to get as close to apps, data, and devices as possible, so security teams can identify and prioritize the apps, data, devices, and users that need to be secured. Additionally, security architects need to understand the location of critical resources and who should have access to them to implement the most appropriate solution.
Current cybersecurity controls:
After mapping the protect surface, the security and IT teams need to identify controls that are already in place. Are they deployed in the most appropriate location? Should they be redeployed, repurposed, or replaced?
Modernize architecture and leverage new cybersecurity tools:
After identifying the updated protect surface and the current set of cybersecurity tools, what does an organization need to apply to fill in the gaps or replace outdated tools?
Examples of tools being used as part of a zero trust modernization include network microsegmentation, and secure access controls for apps and data using single sign-on and multifactor authentication. To identify emerging threats, new advanced threat protection tools, many supported by AI, can push security policies to where they are needed across the protect service.
Apply detailed zero trust policy:
After putting the necessary technologies into place, security admins need to create a strict set of standards based on “least privilege” that allows access only when absolutely necessary. These least privilege policies describe exactly which users and devices should have access to which applications and services, which applications should have access to which data, and when that access is permitted.
After these policies are built, admins can configure devices and tools to adhere to the proscribed policies.
Continual monitoring and alerts:
Even with a zero trust framework in place, nothing is completely secure. IT security teams must employ monitoring and alerting tools to ascertain whether policies are working and if the existing security framework has developed cracks that are at risk of being exploited.
When malicious activity happens, the team must immediately stop the activity and conduct root cause analysis to identify the cause and fix the flaws that created the vulnerability. Modern security tools like network detection and response can automate much of this activity, reducing the time and personnel investment needed.
Challenges to Achieving Zero Trust
While a zero trust security model can deliver significant ROI, it’s difficult to fully implement. According to Gartner®, while many organizations have implemented a zero trust security model as part of their cybersecurity strategy, “only 1% of organizations currently have a mature program that meets the definition of zero trust.”
The critical challenges to achieving full implementation of a zero trust architecture as defined by Gartner include:
- Even a slight flaw in system architecture can invalidate the zero trust model.
- There is no one-size-fits-all product that enables zero trust; rather, every organization needs to determine the combination of solutions and practices that work with its IT infrastructure and architecture to achieve zero trust.
- Organizations relying on legacy enterprise systems and technology cannot adapt a zero trust model due to outdated infrastructure.
- Adopting zero trust requires an immediate increase in the applications, users, and devices that must be monitored, meticulous adherence to software and hardware updates and maintenance, and regular audits; many organizations do not have the staff, expertise, or budget required for full implementation.
- As noted above, an organization can’t simply implement zero trust and “call it good”. To implement zero trust, IT must follow a continuous process model that cycles through the principles listed above, then start over again—requiring relentless focus that’s difficult to sustain over time.
- The zero trust model must continually evolve to accommodate how threats, technology, and business goals and practices change over time. As an example of how quickly the model can change, note that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released their first Zero Trust Maturity Model reference document in August 2021, published a revision in March 2022, and published a second revision in April 2023.
For many organizations, full implementation of zero trust architecture as defined by Gartner borders on impossible due to the cost, effort, and upheaval required to achieve it. For example, an enterprise organization may depend on one or more business-critical legacy applications, systems, or technologies to help run the business and be unable to continue to function without that legacy investment. A Windows ISV may not have the time, bandwidth, or personnel to ensure Windows application security by rewriting that application as a web-based application to enable SSO, or be reluctant to potentially alienate customers that love and depend on the application as is by replacing it with a web app.
However, it is absolutely possible to attain a significant percentage of compliance with the zero trust model. Go-Global can help.
How GO-Global Supports the Zero Trust Model
Windows ISVs can leverage GO-Global to align with the zero trust model in several areas:
GO-Global Session Protocol:
The foundation for GO-Global is a proprietary, low-bandwidth protocol for connectivity over serial lines called RapidX Protocol (RXP). RXP is adaptive, uses multiple layers of compression, and is optimized to ensure the lowest possible bandwidth utilization. Because RXP is closed source, it offers additional defense against attackers, compared to open-source protocols such as Microsoft® RDP, where security weaknesses have been found and exploited.
Client Session Encryption:
By default, GO-Global encrypts sessions using DES (DataEncryption Standard) with 56-bit key strength for all client session connections to protect against basic packet sniffers and clients intercepting raw data communications. It is fast, reliable, and offers an immediate level of security for LAN-based connections via GO-Global.
For internet communications, GO-Global offers TLS-based transport with the following encryption algorithms: 128-bit RC4, 168-bit 3DES and 256-bit AES. These higher encryption algorithms require that the administrator applies a signed TLS Certificate on the host, which can be generated using any standard Certificate Authority. Administrators can also generate trusted TLS certificates for GO-Global Hosts through the Security tab of the Host Options dialog in the Admin Console, where the GO-Global Host has a publicly registered DNS address. This allows administrators to enable strong encryption and TLS security without purchasing a certificate from a third-party Certificate Authority.
Proxy Server Tunneling:
GO-Global supports Proxy Server Tunneling, also known as HTTP Connect. This allows a user who accesses the internet via a web proxy server to connect to GO-Global Hosts on the internet. When using a proxy server keep in mind that, by default, all traffic is denied on all host ports, so the GO-Global Host should be configured to accept connections on port 443 only.
Integrated Windows Authentication:
Administrators can enhance GO-Global end users’ network security by disabling Standard authentication (prompt for user name and password) and enabling Integrated Windows authentication on the Authentication tab of the Host Options dialog in the Admin Console. With this configuration, all non-Windows clients are denied access to GO-Global Hosts, so GO-Global end users must log on to their Windows client operating systems with an Active Directory account that the GO-Global Host trusts. Additionally, user accounts local to the GO-Global Host are not allowed access. The user is authenticated asa member of the NETWORK group and access to network resources from the GO-Global Host are restricted.
Protect Surface/User and Device Access
As noted above, zero trust assumes that internal and external networks are potentially compromised and that no user or device should be automatically trusted. Zero trust dictates that verification, authentication, and authorization of users and their devices must be applied for users to log in and engage with the IT system, applications, and data.
Here’s how each concept is defined in a zero trust architecture.
Verification is the process of confirming the accuracy of a claim—for example, a user’s identity. When a user enters a name and password, the system verifies that that username and password are associated with a particular account.
Authentication is providing proof of identity when accessing a system. Pre zero trust, authentication was usually as basic as a username and password. With zero trust, authentication goes beyond usernames and passwords to include multi-factor authentication (MFA), one time passwords, PINs, smart cards, and biometrics.
Authorization determines a user’s access rights, i.e., what a user or device is allowed to access or do in the system; for example, the applications a user has permission to open and use.
Single sign-on (SSO) and multifactor authentication (MFA) technologies are most commonly applied when enabling user and device access in a zero trust architecture. GO-Global enables both.
GO-Global Two-Factor Authentication is an advanced authentication feature that provides an extra layer of security by optionally requiring users to enter a 6-digit code from smart phone authenticator app (for example, Google Authenticator, Authy, and Microsoft Authenticator), in addition to their username and password. This ensures that even if a user’s password is compromised, the attacker will still not be able to access the host system without access to the user’s unlocked phone. This renders brute force and dictionary password searches useless, which is especially critical remote work with vulnerable remote desktop clients becomes the norm. 2FA also reduces the burden of forcing a complex password policy.
GO-Global+ SSO: GO-Global’s support for OpenID Connect allows Windows ISVs to use modern identity providers like Okta™, OneLogin, Microsoft Active Directory Federated Services (ADFS), and Microsoft Azure® AD Seamless SSO to enable single sign-on into GO-Global® Windows hosts.
GO-Global allows IT to integrate any identity provider that supports OpenID Connect directly into its hosts, allowing them to share Windows hosts among the users they already authenticate for web applications. GO-Global’s support for OpenID Connect eliminates the need for domain controllers on the corporate network, for custom credential providers for strong authentication, and for interactive logins.
Without GO-Global, Windows ISVs that want to add SSO would have to purchase expensive and complex solutions like Citrix NetScaler® Unified Gateway integrated with Citrix Hypervisor®.
Protect Surface/Application Security
GO-Global does not install or maintain its own user or applications database. Instead, it inherits all aspects of user and data security from the Windows Server® operating system. Security settings for the user and application are configured at the Windows® OS level and are passed to GO-Global during the logon process.
Additionally, Windows file, folder, share, printer, and registry permissions are all respected by GO-Global and are central to the security of any Windows system. Unless end users are given Administrator or elevated privileges, they will not be able to access system folders, corrupt or break the server, or otherwise cause security threats.
GO-Global recommends using Windows Group Policies for all system-side security settings, especially in a load balanced server farm, to ensure consistency across all hosts.
Applying Detailed Zero-Trust Policy
Basic Installation and Default Settings: GO-Global is easily installed using a single installer executable on the host that will either install or upgrade the GO-Global software. When installation is complete, the host must be restarted to initialize the registry settings and to enable the GO-Global software and drivers.
By design, all GO-Global configuration options that enable sharing of server or client resources are disabled. Additionally, GO-Global publishes no default applications. GO-Global Host configuration, management, and security-related functions are accessed through the Admin Console under the Host Options menu. Administrators can publish applications, monitor user and host activity, and enable features such as client printing, client clipboard, encryption, and authentication using this menu.
If you are a Windows ISV looking for solutions to enable a zero trust architecture for providing your applications to customers, consider GO-Global and its multi-layered security system, including SSO and MFA.
To see GO-Global’s concurrent user pricing with SSO, and calculate your estimated GO-Global pricing, click here.