As IT enterprises have engaged in digital transformation, traditional methods of securing corporate resources have evolved. Agile, cloud-based applications, data and truly mobile workforces have driven organizations to re-think traditional perimeter-based security models. Zero Trust Architecture answers many of these challenges by providing a superior conceptual approach to securing corporate resources on today’s networks.
Zero Trust Architecture is an integrated security approach for users, applications, data and networks built around tight adherence to the principle of “least privilege.” In a Zero Trust world, every requested transaction is evaluated for risk before it is permitted to be fulfilled. Trust is explicitly calculated from a host of independent characteristics based upon the identity of the requestor and the context of the request itself.
Zero Trust Architecture depends upon identity in some novel ways. This dependency reinforces the importance of good identity and access management (IAM) practices as an essential building block for effective security.
How identity supports Zero Trust
Legacy “flat” networks utilize static binary (permit/deny) policies on fixed gateways to determine whether to pass or block traffic. Traffic originating from hosts on the “private” network is automatically trusted unless governed by a statically defined rule. Higher-risk resources, such as servers that communicate with the Internet, are isolated into “semi-private” or “demilitarized” zones (DMZs), where traffic passing to them can be subjected to a higher level of scrutiny.
Zero Trust Architecture more effectively implements the principles of least privilege by scrutinizing each individual transaction including user, source and destination machines, and context of the transaction itself. Completion of the transaction is allowed only if its evaluated risk score falls below an established threshold.
This risk score is calculated from the point-in-time trustworthiness of each user and machine involved in the transaction. This information exists within the enterprise’s identity management systems. Zero Trust cannot exist without effective identity management systems, meaning such systems are a critical foundational building block on the journey to Zero Trust.
What is needed?
From an IAM perspective, organizations interested in Zero Trust should focus on maturing their identity infrastructure toward providing a broad range of functionality. Several traditional functions of an IAM foundation are critical in this effort.
- Ability to verify who is requesting access: Validation of the user behind an electronic identity is a critical step. Misappropriation or misuse of credentials is a common cause of breaches. Technologies such as Single Sign-On (SSO) and Multi-factor Authentication (MFA) implement controls to strengthen an organization’s authentication posture.
- Manage privileged access: Privileged access management (PAM) puts in place a set of controls to ensure that users are given only the right amount of access to complete their jobs and to track use of escalated credentials. Such controls can range from vaulting of administrative credentials to blocking escalation of privileges on systems.
- Role-Based Access Control (RBAC): These are access controls placed upon enterprise resources that limit access only to users assigned certain roles. Functions include alignment of roles to business requirements, authorization of functionality based upon roles and authorization of permissions. Like PAM, RBAC serves Zero Trust principles by using controls to ensure least privilege.
- Comprehensive logging and auditing: An organization’s identity management infrastructure can provide a wealth of information for detailed analysis. When combined with telemetry from other sources, this logging is a foundational element for the advanced visibility Zero Trust provides.
- Lifecycle and governance of electronic identities: Organizations need effective processes and policies to ensure the accuracy of the digital identities used for authentication and authorization. These include processes and technologies for scoping and aligning digital identities with the requirements of the business, as well as defining and managing the provisioning, modification and de-provisioning of digital identities.
In addition to these traditional IAM functions, enterprises will need additional information.
Device verification (including identity and hygiene)
Device verification forms a critical component of risk scores in Zero Trust. In some organizations, a device must be known in order to meet a risk score threshold. For these, precise inventories and device identification methods must form a critical component of their identity strategy.
Organizations that prefer to allow users to connect to enterprise assets using personal devices (known as a BYOD or “bring your own device” strategy) need to develop protocols for evaluating the risk of those devices. In either case, device hygiene, meaning freedom from malware and known vulnerabilities, should also be considered as part of the risk evaluation.
User and device contextual information
Zero Trust-ready identity infrastructure must be capable of calculating risk scores from a broad variety of information sources beyond user identity and source machine. Factors such as device ownership, whether this user commonly uses this machine to make a request, location of the requesting device, time of day and other historical, associational or behavioral factors can affect the riskiness of allowing the transaction.
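The risk-scoring approach described above (a transaction allowed only when its score falls below a threshold, with the score built from user, device and contextual signals) as a small policy engine. This is an added illustration, not code from the original article or from WWT; the factor names, weights and threshold are constructed assumptions, and a real deployment would source each signal from the IAM, device inventory and endpoint telemetry systems the article describes.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed threshold: a request is allowed only if its score is strictly below it.
RISK_THRESHOLD = 50


@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool               # "ability to verify who is requesting access"
    device_id: str
    device_known: bool             # present in the enterprise device inventory
    device_corporate_owned: bool   # False for BYOD
    device_clean: bool             # endpoint telemetry reports no malware / critical vulns
    user_usual_devices: frozenset  # devices this user has historically used
    country: str
    user_usual_countries: frozenset
    request_time: datetime


# Each factor: (name, predicate that is True when the signal raises risk, points added).
# Weights are constructed for illustration; tune them to the organisation's own policy.
RISK_FACTORS = [
    ("no_mfa",            lambda r: not r.mfa_passed,                        50),
    ("unhealthy_device",  lambda r: not r.device_clean,                      35),
    ("unknown_device",    lambda r: not r.device_known,                      30),
    ("unusual_location",  lambda r: r.country not in r.user_usual_countries, 20),
    ("personal_device",   lambda r: not r.device_corporate_owned,            15),
    ("unfamiliar_device", lambda r: r.device_id not in r.user_usual_devices, 15),
    ("off_hours",         lambda r: not 7 <= r.request_time.hour < 20,       10),
]


def score_request(req: AccessRequest) -> tuple[int, list[str]]:
    """Return the point-in-time risk score and the factors that contributed to it."""
    score, reasons = 0, []
    for name, raises_risk, points in RISK_FACTORS:
        if raises_risk(req):
            score += points
            reasons.append(name)
    return score, reasons


def evaluate(req: AccessRequest) -> str:
    """Per-transaction decision: ALLOW only when risk is below the threshold."""
    score, _ = score_request(req)
    return "ALLOW" if score < RISK_THRESHOLD else "DENY"
```

Because the decision is made per request, the same user can be allowed from a managed workstation during business hours and denied minutes later from an unknown device abroad, without any change to a static network rule.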
Authentication of non-human actors
Zero Trust covers transaction requests made by users, as well as those made autonomously by processes or applications. Comprehensive management of the tokens and API keys required to secure such authentications needs to be considered in identity management supporting Zero Trust Architecture.
Certificate services and encryption
Digital certificates can form a critical component of the evaluation of risk presented by a specific user or host. For example, a certificate is often used to indicate association of a user with the organization or ownership of a device.
Encryption protects the session itself. Both depend on a public key infrastructure for the management, care and feeding of private keys and certificates. Organizations should carefully plan their certificate authorities and thoroughly understand how their private keys are protected.
Bringing IAM and Zero Trust together
Zero Trust Architecture is a worthy security objective that promises organizations the ability to provide least privilege security for their digital transformation objectives. Achievement of this promise requires planning and an incremental approach to maturity that begins with foundational elements in IAM.
WWT offers a range of consultative products designed to help our customers accelerate their maturity on the way to reaching true Zero Trust Architecture. This includes a range of IAM offerings including workshops, assessments, product expertise, advisory consulting and more. Contact us to start the discussion today.