Roughly ten years ago, a man named John Kindervag came up with a new security strategy in response to data breaches: Zero Trust. At that time, most IT professionals scoffed at the idea. The culture was (and mostly still is) to protect the network and put your valuables inside it - because whatever’s on the local network is trusted and safe. With every ransomware attack we see, this has been proven to be a very poor assumption. Over the last couple of years, many have come to the conclusion that a Zero Trust architecture is the best way to move forward. It is the official recommendation by NIST. Zero Trust Architecture NIST. Microsoft has gone all-in as well.
In short, Zero Trust says that security should be built from the inside out and not the other way around. Microsoft summarizes Zero Trust into three actions: Verify Explicitly, Use Least Privilege Access, and Assume Breach.
This means that we use everything available to the Identity service to verify the person and/or the device. Is it a device I know about? Is it in an IP range that I know about? Has the user passed a local verification check (fingerprint, retina, face, etc.) on the device? Did they use Multi-Factor authentication like a dongle or a phone? Is it normal business hours for this user? Was this request made in a location that is close enough to travel to since the last request? The answer to these questions create a risk score and the ability to access critical resources may be limited by a lower score. Using just a username and password in Epicor (or any other system) cannot give you this kind of verification.
Use Least Privilege
Once authenticated, what can you do? From where? For how long? What resources are available. This mapping is a LOT of work but it’s infinitely better than the current trust practice. John has a quote, “Honey, who is the man taking beer from our refrigerator? I don’t know but since he’s in the house, it must be OK.”
Honestly, there really is little difference between our internal networks and the Internet. We should treat all of our networks as if they are open to the Internet because during a breach, they essentially are. How can we limit the blast area during a breach? Did we segment our network? Do we have honey pots set up to detect breaches and automatically react to them? Watch the news. It will happen to every company and if it’s already happened, it will happen again. So plan for it.
As for Epicor, the Rich client is no more secure than the browser IMHO. Both are susceptible to key logging, both can be attacked by supply chain methods (3rd party libraries), and neither is a source of safety to input - the server should do all checking after all.
Finally, passwords are a disaster and we’re starting to see proposals to eliminate them. If you enable Azure AD login, passwordless authentication would be available to your Epicor system in the cloud or on-prem.
Here’s a video of John Kindervag at a conference talking about the Zero Trust journy of one of his clients. Implementing Best Practices for Zero Trust You can find many other videos about Zero Trust from many other companies on YouTube as well.
If you’re a Microsoft shop, here’s a list of the new Security Certifications available:
Introducing Microsoft’s New Security Certifications - Microsoft Tech Community