User Activity Monitoring (UAM) Emerges as a Key Enabler for Zero Trust Security

What does UAM have to do with Zero Trust? 

At a high-level, Zero Trust is an approach to risk management. It advocates that users and devices on an organization’s network should not be entitled to access—or use—resources without explicit and continuous verification and validation. “Never trust, always verify,” the mantra of Zero Trust, places the burden of access and usage verification on security organizations.  

People often think that Zero Trust is mostly an issue of confirming people’s identity. However, that’s just the beginning. Verifying who people are or what they are entitled to access isn’t enough to determine the risk because role-based access policies seldom change. Even when the context such as time of day, geographical location and device used (managed or personal), etc. are used to calculate risk, the approach falls short of identifying whether a user’s credentials are compromised, or the user has malicious intent.  

Consider the following scenario: a pharma researcher who has legitimate access to intellectual property is working from home:

• He connects via company VPN and accesses highly confidential data on a company-managed device 
• He uses the device to access personal websites and ends up being a victim of a malware attack. We can argue that deploying technologies like secure web gateways would prevent such a scenario. However, with VPN split tunneling, any internet traffic to a personal website will not get inspected.  
• Next, the managed device starts beaconing to an external site/ device. The bot installed on the machine begins to call home.
• The researcher accesses confidential data using the machine. He still has legitimate access to the data. 

On its own, the researcher's access to the confidential data is verified even when the additional context is put in place. True Zero Trust systems need to control access and usage. Understanding user behavior thus becomes key to identifying and mitigating risk. Knowing when the device is beaconing to an external site is indicative of a compromised user, and at that point, data access should be limited. This approach would also exonerate the user from malicious intent.  

Considerations for using UAM in Zero Trust 

For a successful UAM deployment, organizations need to have a comprehensive approach that takes their culture and values into account, complies with regulations, and furthers user education.  —

• Start by involving key stakeholders, including worker advocates, HR, and legal departments. The security and IT teams should implement controls and aid in the investigations but should not be involved in any decisions. 
• Clearly document the program's goals with a focus on identifying the security risk versus employee performance.
• Communicate the goals and high-level approach with employees. The level of transparency may depend on business and policies.
• Limit access to monitored data and ensure that the watchers are also watched to remove any human bias and errors. Examples of such controls may be disassociating the users’ names from the risk data, applying the principle of least privilege, and designing a workflow that ensures approval from stakeholders for investigations. 

Done right, UAM programs will be compliant with regulations, protect user and data privacy while driving Zero Trust security to identify and mitigate risky user behavior. 

Interested to learn more about Forcepoint’s approach to Zero Trust security? There’s still time to register for our Cyber Voices Zero Trust Summit happening next week. Expect to hear discussion from cybersecurity leaders at organizations such as Accenture, Amazon Web Services, Forrester and Microsoft and more like the session below: