Randheer Singh
ServiceNow Employee

The ServiceNow Zero Trust Access product spotlights ServiceNow's commitment to providing a highly secure strategic platform on which to build business workflows and simplify processes. Cybersecurity strategy and data breach prevention are frequent topics at company boardroom meetings. The Zero Trust Security Architecture framework provides guidelines for businesses to operate efficiently with reduced risk and minimal friction. ZTA aims to help customers achieve a better overall security posture and improves user security.

 

The Zero Trust Access security architecture assumes no user or device is trusted by default. This means that all access to applications and data is granted on a least privilege basis only after the user's identity has been verified and the risk of the request has been assessed.

 

Based on the principles recommended in the NIST Zero Trust reference architecture (NIST SP 800-207), these four key capabilities help organizations move towards a zero-trust security architecture.

 

  1. Adaptive Authentication
  2. Multi-factor authentication
  3. Dynamic privilege reduction
  4. Continuous Verification - (Future roadmap)

 

(Image: ZTA image.png)

 

Dynamic privilege reduction using the Zero Trust policy-based session access

This feature allows organizations to dynamically reduce user privilege in a web session based on a variety of factors, including IP address, location, authentication method, and attributes shared by the identity provider (IdP). This can help protect organizations from unauthorized access and data breaches, even when high-privileged users access applications from untrusted devices or locations.

 

Typical Use Case:

A typical use case for dynamic privilege reduction is a high-privileged user logging in to ServiceNow from their personal device. Example: an HR support agent wants to access HR services while on vacation. In this scenario, the organization may want to reduce the user's privilege to basic employee roles, allowing them to access HR services while removing high-privilege roles like ITIL. This ensures that, on the personal device, the HR support agent can only access their own cases and cannot act as a support agent on the HR cases of other users. This helps protect the organization from the risk of a malicious actor obtaining the user's high-privileged credentials and using them to steal data or launch attacks.

 

(Image: ZTA olivia.jpg)

 

How It Works:

Dynamic privilege reduction is implemented using adaptive authentication policies. These policies assess risk using attributes such as device status (managed/unmanaged) and risk score shared by the organization's SAML-based identity provider, together with the IP address, location, and authentication method used for login. After the user's identity has been verified, the ZTA policies are evaluated to assess the risk of the request. Based on the result of this assessment, ZTA then dynamically reduces the user's privilege in the session to the level configured by the security administrator.

 

(Image: ZTA Kathy.jpg)

The ZTA policy configuration offers two actions: Remove Roles or Limit To Roles.

  1. Remove Roles: When the configured user logs in, the roles listed in the Role or Group List are removed for the session.
  2. Limit To Roles: When the configured user logs in, only the selected roles are kept for the user, and all other roles are removed for the session.
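As an added illustration (not ServiceNow's own code or policy-engine API), the following JavaScript models how a session policy's Remove Roles and Limit To Roles actions change a user's effective roles given the login context described above. The policy object shape, the context attribute names, the order in which matching policies are applied, and all role names other than itil are assumptions made for this example.

```javascript
// Added example: a model of ZTA session-policy semantics. The policy shape,
// context attributes and the non-"itil" role names are assumptions.
const policies = [
  {
    name: "Unmanaged device: remove support roles",
    // Every condition must match the login context for the policy to fire.
    when: { deviceManaged: false },
    action: "remove_roles",
    roles: ["itil", "hr_support_agent"], // hypothetical role names
  },
  {
    name: "Password login off the corporate network: basic employee only",
    when: { authMethod: "password", corporateNetwork: false },
    action: "limit_to_roles",
    roles: ["employee", "contractor"], // hypothetical role names
  },
];

// A policy fires only when each attribute it names equals the context value.
function policyMatches(policy, ctx) {
  return Object.entries(policy.when).every(([key, val]) => ctx[key] === val);
}

// Apply one action to the current role list; neither action ever grants a
// role the user did not already hold, which is what makes it a reduction.
function applyPolicy(roles, policy) {
  if (policy.action === "remove_roles") {
    return roles.filter((r) => !policy.roles.includes(r));
  }
  if (policy.action === "limit_to_roles") {
    return roles.filter((r) => policy.roles.includes(r));
  }
  throw new Error(`unknown action: ${policy.action}`);
}

// Evaluate policies in listed order (assumed) against the login context and
// return the effective session roles plus the names of the policies that fired.
function sessionRoles(userRoles, ctx, policyList = policies) {
  let roles = [...userRoles];
  const fired = [];
  for (const p of policyList) {
    if (policyMatches(p, ctx)) {
      roles = applyPolicy(roles, p);
      fired.push(p.name);
    }
  }
  return { roles: roles.sort(), fired };
}
```

Running sessionRoles with the HR agent's roles and an unmanaged-device context shows the agent keeping only the employee role, while a managed device on the corporate network with SAML login leaves all roles intact.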

(Image: ZTA config.png)

Please follow the product documentation for detailed configuration steps. The product video below walks through the configuration steps.

Benefits:

Dynamic privilege reduction offers numerous benefits for organizations, including:

  • Increased security: Dynamic privilege reduction can help to protect organizations from unauthorized access and data breaches.
  • Reduced risk: By reducing the privilege of high-privileged users, organizations can reduce the risk of a malicious actor gaining access to sensitive data or launching attacks.
  • Increased flexibility: Dynamic privilege reduction allows organizations to grant users the appropriate level of access, regardless of their location or device.

 

For more information, please visit: ServiceNow Zero Trust Access.

Additional Useful Links

  1. https://docs.servicenow.com/bundle/vancouver-platform-security/page/integrate/authentication/concept...
  2. https://docs.servicenow.com/bundle/vancouver-platform-security/page/integrate/authentication/concept...
  3. https://nowlearning.servicenow.com/lxp?id=learning_course&course_id=d2f3ec6a97ab59948934b67e6253af25
  4. https://docs.servicenow.com/bundle/vancouver-platform-security/page/integrate/authentication/task/us...
  5. https://docs.servicenow.com/bundle/vancouver-platform-security/page/integrate/authentication/concept...