Don’t miss this crucial element in your Zero Trust strategy 

Zero Trust Strategy and Active Directory

Zero Trust is a hot topic these days, but there’s one critical aspect to building a strategy that’s often overlooked. 

That’s the need to include a disaster recovery plan for Active Directory (AD). 

Active Directory controls who can get into your systems.  If it’s not part of your Zero Trust strategy, it’s like building a fortress and leaving the keys under the welcome mat. 

According to Gartner, more than half of cyberattacks through 2026 will be aimed at areas that Zero Trust controls don’t cover. The impact on your business can be disastrous. 

Let’s take a closer look at how a Zero Trust approach to Active Directory can help protect you from the fallout of an attack. 

Why is Zero Trust a big deal now? 

The idea behind Zero Trust is simple.  Essentially, it says that you shouldn’t trust anyone (or any device), even if they’re already inside your network. 

This mindset has shifted because of a fundamental change in our operating environments.  In the past, we focused on protecting the perimeter around our systems.  If someone had permission to come in, they were considered safe. 

Now, that perimeter no longer exists.  It’s been erased by the rise of remote work and hybrid environments as well as the sheer velocity of traffic. At the same time, the hackers have found more sophisticated ways of breaking in. 

That’s why Zero Trust is transforming the way we do security.  It’s such a big deal that U.S. President Biden issued an executive order highlighting compliance with Zero Trust security requirements as a must for the success of federal agencies. 

Getting started with Zero Trust 

Zero Trust is based on three principles: 

  • Verify explicitly.  Everyone must prove who they are and their permission levels.  As part of your Identity and Access Management system, this should go beyond the traditional ID and password approach to employ techniques like multi-factor authentication. 
  • Use least privileged access.  For example, employees should be given access only to the applications they need to do their jobs and no more. 
  • Assume breach.  If you’re prepared for a large-scale compromise, you’ll be in the best position to minimize the damage and make a quick recovery. 

It sounds straightforward, but here’s the thing.  Zero Trust is easier said than done.  There’s no silver bullet or single technology to take care of it for you. Every organization must develop its own security blueprint. 

Where to begin?  I suggest you start with the third principle: prepare for the worst.  Assume there’s a breach and implement risk mitigation strategies for your most critical assets.  Given the potential consequences of an attack, Active Directory should be high on that list.   

Implementing Zero Trust for Active Directory 

Guidelines by NIST provide advice on how to develop a Zero Trust architecture. To meet the NIST standards, it’s essential to develop resilience against cyberattacks.  That’s why AD backups should always be treated separately from other systems.  Storing them in a highly secure location, inaccessible from your current environment, can keep them safe, even from insider threats. 

The NIST approach also stresses that you should ensure that any communications related to Active Directory recovery are securely encrypted, regardless of the network’s location.

Similarly, make sure that access to AD recovery tools is tightly controlled according to Zero Trust principles.  Administrators must be fully authenticated, preferably using multi-factor authentication, before they can gain access.  

And finally, you need to test your ability to recover Active Directory on a regular basis to continually monitor and improve your security posture. 

There’s an easier way 

At Itergy, we can take care of it for you with a turnkey Active Directory Proactive Recovery Solution.  The service guarantees that we’ll restore your AD forest in less than four hours. That kind of resilience is at the heart of Zero Trust. 

Contact us today to implement Zero Trust for AD 

Baha Bechikh is a Security Analyst with Itergy. 



