In a world where employees routinely access resources and services spread across a multi-cloud IT environment, often from BYOD equipment, corporate firewalls and VPNs are no longer enough to provide robust network security. The zero trust security model continues to gain traction as an answer to this perimeterless landscape. This article briefly reviews the zero trust model and highlights the central role identity and access management (IAM) plays in supporting it.
The traditional perimeter approach to security attempts to build a wall between internal trusted resources on your local network and external untrusted resources on the Internet. The implementation of a perimeter approach typically involves establishing network zones with resources classed as privileged, trusted, demilitarized, or on the Internet. Within the demilitarized zone, companies place their riskier external-facing IT resources, such as VPN gateways and web servers.
The speed at which network perimeters have dissolved at most organizations calls for a new approach, though. Hosts on the internal "trusted" network now communicate directly with untrusted hosts, and a single weak point (one phished credential or one compromised endpoint) is enough to breach the perimeter. Once inside, attackers can move laterally through the trusted network with little resistance until they reach the data they want.
The zero trust model has a simple message: trust nothing on the network and always verify access requests. It doesn’t matter if an individual or device requesting access to resources is inside or outside the network—nothing is ever trusted by default.
The idea behind zero trust dates back as far as April 1994. However, Forrester analyst John Kindervag popularized the approach and outlined it in a 2010 paper entitled "No More Chewy Centers: Introducing The Zero Trust Model Of Information Security".
A primary outcome of zero trust is that even in cases where a user or device becomes compromised, it’ll be difficult for hackers to move through the network and gain access to sensitive information because they’ll need to prove who they are at every step rather than receiving automatic trust. In this sense, zero trust provides damage containment.
When building a zero trust architecture, you attempt to shift from trusting users and devices by default to requiring explicit verification continuously. The common factor across all access requests to corporate resources, including data and applications, is the user requesting the access.
User identity data is key to ensuring the right people get the right level of access and that this access is continuously monitored. Well-defined policies must intelligently define when to grant or restrict access. In fact, many cybersecurity analysts now regard identity as the new perimeter.
With user identity at the center of a zero trust model, it’s clear that IAM controls and policies are crucial in providing access while maintaining a robust level of security on your network. Zero trust models must depend on contextual risk scores that use all relevant information available to allow or block access. This context needs to include the identity of the user, the user’s normal patterns of access, and the sensitivity of the information being requested.
Importantly, the zero trust model must be implemented in a way that minimizes friction for end-users. If users have to re-enter passwords every single time they try to do something, frustration quickly ensues and you have a serious user experience problem on your hands. Single Sign-On (SSO), which lets users authenticate to multiple apps and services with a single set of credentials, seems to conflict heavily with the continuous authentication a zero trust architecture needs.
Modern IAM solutions can provide a level of contextual information to help navigate the obstacle of implementing zero trust without ruining user experience. Real-time behavioral and contextual data about a user, their device, or location can be fed from IAM systems into a zero trust risk engine. When the risk changes, there should be another authentication request.
The highest maturity phase in the zero trust model has adaptive and continuous authentication and authorization at its heart while also providing frictionless access. Risk-based access policies implemented with the aid of IAM solutions can help get you there.
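The following is an added example of the risk-based policy described above; it is not Tuebora code and the weights, thresholds and field names are illustrative assumptions. It scores each request from identity, device, location, behavioral and data-sensitivity context, reuses an existing SSO session only while that session's assurance still covers the current risk, prompts again when the risk changes, and refuses outright above a ceiling.

```python
"""Contextual, risk-based access decisions for a zero trust policy engine.

Added example, not Tuebora's implementation.  Signal weights, thresholds and
the request/baseline/session shapes are assumptions chosen for illustration;
a real deployment tunes them from its own IAM data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"                # existing SSO session is sufficient, no prompt
    AUTHENTICATE = "authenticate"  # prompt again, with MFA when required_assurance() is 2
    DENY = "deny"                  # risk too high to grant even with MFA


@dataclass(frozen=True)
class Baseline:
    """The user's normal access pattern as learned by the IAM system (assumed shape)."""
    usual_countries: frozenset
    usual_hours: range          # local hours during which the user normally works
    known_devices: frozenset    # device identifiers previously seen for this user


@dataclass(frozen=True)
class Request:
    """Context of one access request (constructed fields, not a real schema)."""
    user: str
    device_id: str
    device_managed: bool        # enrolled in device management with compliant posture
    country: str
    hour: int
    sensitivity: int            # 1 = public, 2 = internal, 3 = restricted
    recent_failures: int        # failed logins for this user in the last hour


@dataclass
class Session:
    """SSO session state carried between requests."""
    assurance: int              # 1 = password only, 2 = MFA completed
    risk_at_auth: int           # risk score at the time the user last authenticated


DENY_AT = 70      # score at or above which access is refused outright
MFA_AT = 30       # score at or above which MFA (assurance 2) is required
RISK_JUMP = 20    # rise in score since last authentication that forces a fresh prompt


def risk_score(req: Request, base: Baseline) -> int:
    """Combine identity, behaviour and data-sensitivity signals into a 0..100 score."""
    score = 0
    if req.device_id not in base.known_devices:
        score += 20                                   # never-seen device
    if not req.device_managed:
        score += 25                                   # BYOD / unknown posture
    if req.country not in base.usual_countries:
        score += 25                                   # unusual location
    if req.hour not in base.usual_hours:
        score += 10                                   # unusual time of day
    score += 10 * (req.sensitivity - 1)               # 0 / 10 / 20 for the data asked for
    score += min(req.recent_failures, 3) * 10         # brute-force signal, capped at 30
    return min(score, 100)


def required_assurance(score: int) -> int:
    """Assurance level the current risk demands: 1 = password/SSO, 2 = MFA."""
    return 2 if score >= MFA_AT else 1


def decide(req: Request, base: Baseline, session: Optional[Session]) -> Decision:
    """Allow on the existing SSO session only while its assurance covers the
    current risk; re-prompt when risk rises materially; deny above the ceiling."""
    score = risk_score(req, base)
    if score >= DENY_AT:
        return Decision.DENY
    if session is None:
        return Decision.AUTHENTICATE          # no session: authenticate at required level
    if session.assurance < required_assurance(score):
        return Decision.AUTHENTICATE          # session too weak for this risk: step up
    if score - session.risk_at_auth >= RISK_JUMP:
        return Decision.AUTHENTICATE          # risk changed since last auth: prompt again
    return Decision.ALLOW                     # frictionless SSO


# Constructed baseline for a hypothetical user.
BASELINE = Baseline(frozenset({"DE"}), range(7, 20), frozenset({"laptop-0421"}))

if __name__ == "__main__":
    office = Request("alice", "laptop-0421", True, "DE", 10, 1, 0)
    abroad = Request("alice", "laptop-0421", True, "BR", 10, 2, 0)
    unknown = Request("alice", "tablet-9", False, "BR", 10, 1, 0)
    print(decide(office, BASELINE, Session(1, 0)))    # ALLOW: SSO session reused
    print(decide(abroad, BASELINE, Session(1, 0)))    # AUTHENTICATE: MFA now required
    print(decide(abroad, BASELINE, Session(2, 35)))   # ALLOW: MFA already done at this risk
    print(decide(unknown, BASELINE, Session(2, 0)))   # DENY: unknown BYOD device abroad
```

The point of the session's `risk_at_auth` field is that SSO and continuous verification stop conflicting: the user is prompted when the context they were last verified in no longer matches, not on every click.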
Organizations need to use strong multi-factor authentication to verify users. This authentication method strengthens security by requiring users to present two or more pieces of evidence from distinct categories (something they know, something they have, something they are) to get access to services or applications. IAM solutions can provide support for implementing multi-factor authentication.
To minimize user friction, organizations can plan for an eventual shift to biometric and "passive" factors, such as fingerprint, iris or face recognition, as the second factor when step-up authentication is required.
The need for identity lifecycle management in the context of zero trust is critical. If your IAM solution can help with de-provisioning accounts when they’re no longer needed, you’ll reduce any information security risks that stem from orphaned accounts.
Additionally, proper identity governance from an IAM solution ensures you can effectively and securely manage a user’s access through role-based access controls. With such controls, users should only gain access to the resources strictly needed to perform their daily tasks. Limiting access in this way is referred to as the least privilege principle, and it’s a governance policy that is central to the successful implementation of zero trust.
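The following is an added example of the lifecycle and governance checks just described, written for this article rather than taken from Tuebora's product. On constructed sample data it flags accounts whose owner is no longer on the active roster (candidates for de-provisioning), accounts that have gone unused, and entitlements that exceed what the owner's role needs under least privilege.

```python
"""Access review for identity lifecycle and least privilege.

Added example, not Tuebora code.  The roster, role model and account records
are constructed sample data; the 90-day staleness window is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Account:
    name: str
    owner: str                  # HR person id; "" for an account with no recorded owner
    last_login_days: int        # days since last successful login
    entitlements: FrozenSet[str]


# Role-based access control model: what each role legitimately needs (assumed).
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "engineer": frozenset({"git:read", "git:write", "ci:run"}),
    "support": frozenset({"crm:read", "tickets:write"}),
    "finance": frozenset({"erp:read", "erp:approve"}),
}

STALE_DAYS = 90   # unused for longer than this: review or disable


def excess_entitlements(account: Account, role: str,
                        role_map: Dict[str, FrozenSet[str]] = ROLE_ENTITLEMENTS) -> FrozenSet[str]:
    """Entitlements the account holds beyond what its owner's role allows."""
    return account.entitlements - role_map.get(role, frozenset())


def review(accounts: List[Account], roster: Dict[str, str]) -> dict:
    """roster maps active person id -> role.  Returns accounts to de-provision,
    entitlements to revoke, and accounts that have gone unused."""
    findings: dict = {"deprovision": [], "revoke": {}, "stale": []}
    for acct in accounts:
        if acct.owner not in roster:
            findings["deprovision"].append(acct.name)     # orphaned: owner left or unknown
        else:
            extra = excess_entitlements(acct, roster[acct.owner])
            if extra:
                findings["revoke"][acct.name] = sorted(extra)   # violates least privilege
        if acct.last_login_days > STALE_DAYS:
            findings["stale"].append(acct.name)
    return findings


# Constructed HR feed (active staff only) and directory export.
ROSTER = {"e100": "engineer", "e200": "support"}
ACCOUNTS = [
    Account("alice", "e100", 1, frozenset({"git:read", "git:write", "ci:run"})),
    Account("bob", "e200", 3, frozenset({"crm:read", "tickets:write", "erp:approve"})),
    Account("carol", "e300", 45, frozenset({"erp:read"})),          # e300 has left
    Account("svc-backup", "", 200, frozenset({"git:read"})),        # no owner, unused
]

if __name__ == "__main__":
    for key, value in review(ACCOUNTS, ROSTER).items():
        print(f"{key}: {value}")
```

Running this over a real directory export and HR feed is the minimum a periodic access review should do: the first list feeds de-provisioning, the second removes privilege creep, and the third catches accounts nobody is using but an attacker still could.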
Tuebora’s machine learning and analytics solution creates metrics-based IAM decisions to support your zero trust efforts automatically and at scale. We make identity data available via REST APIs so that you can refine your access control policies, governance, and lifecycle management to support a robust zero trust implementation. Tuebora Pass provides full multi-factor authentication support.
Contact us today for a demo of our IAM platform.