In our first article in our series on the newest thinking in cybersecurity, “How to Be a Zero Trust Organization,” we described the Zero Trust environment, and how it is built on a never-trust/always-verify approach to all entities and transactions in the enterprise. Protections must be applied at four levels – user, application, data, and network – and we briefly sketched out the four steps required to achieve Zero Trust security. In this article, we dive into the first step: establishing a repository of trustable identities and authenticated accounts, understanding that all four steps must be integrated and uniformly applied to secure digital assets.
Trustable Identities in a Zero Trust Organization
Digital identities, at different levels of privilege, underpin all digital transactions. In the enterprise, identities are used to log in to the network, access data and applications, and enforce organizational policies.
A repository of trustable identities is a foundational element of Zero Trust security. These identities inform other security measures, including access control, logging and monitoring, threat detection, and other security operations. Digital identity is used to secure privileged access, ensure application security, data protection, network security, and cloud security. In a Zero Trust Organization, where assets must be protected as if each asset was likely to be exposed to the full range of cyber threats, security is achieved by tracing processes and transactions back to a trustable identity and its approved entitlements.
Figure 1 illustrates the importance of identities in protecting applications, data, networks, and the cloud. In the environment pictured, the importance of strong identity governance in establishing a repository that contains and defines the full landscape of identities cannot be overstated.
A Zero Trust Organization must support:
- A repository of trustable identities (trusted for a discrete operation or for a finite amount of time) maintained through strong identity governance
- Infrastructure for multi-factor and risk-based adaptive authentication
Building Trust in Identities Through Identity Governance
Gartner’s perspective on identity governance is that “security and risk management leaders responsible for identity and access management must ensure that only the right people get access to the right resources (e.g., applications and data) at the right times for the right reasons.” Identity governance tools manage digital identity and access rights across multiple systems and applications.
The following four identity governance processes are critical for creating and maintaining identities that can eventually be trusted under certain parameters:
- Identity Lifecycle. Zero Trust Organizations maintain digital identities and their attributes throughout the life of their association with the organization. That includes onboarding, transfers, and offboarding. Strong identity lifecycle processes ensure that the organization’s repository of digital identities is comprehensive (i.e., it covers all employees, contractors, and third parties), is continuously updated with their attributes and access information, and that organizational changes and the movement of people from one role to another do not result in people accumulating more privileges (and therefore access) than they are entitled to.
- Access Requests. A business-friendly process and user interface (UI) through which parties can request access to applications and data is characteristic of efficient, productive, and secure organizations. In a Zero Trust Organization, users are helped to make well-informed requests for privileges. This helps minimize requests (and approvals) for more access than a party requires while reducing the use of IT help desks to reset passwords and unlock logins. This, of course, saves time and expense while improving the user experience.
- Access Certification. Periodic review and certification of access ensure compliance with organizational policies. A Zero Trust Organization’s robust access certification process cleans out stale and unused access periodically and helps enforce the principle of least privilege, in which a user is granted access to what they need to perform their job and no more. (See “How to Be a Zero Trust Organization”)
- Policy and Role Management. In a Zero Trust Organization, the rules that define and control identity security include policies that govern segregation of duties, passwords, and access. Automating those policies helps improve security while enforcing the principle of least privilege.
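The following is an added example, not code from the original article: a small access-certification check that runs over a constructed identity repository and flags the three problems the governance processes above are meant to catch: entitlements accumulated beyond the current role (lifecycle), unused entitlements (certification), and segregation-of-duties conflicts (policy). The role baselines, SoD pairs, staleness window, and identity records are constructed assumptions.

```python
# Added example (not from the article): access certification over a
# constructed identity repository. Baselines, SoD pairs and records are assumptions.
from datetime import date

# Assumed role -> entitlement baseline (what each role is entitled to hold)
ROLE_BASELINE = {
    "accounts_payable": {"erp.read", "erp.pay_invoice"},
    "procurement":      {"erp.read", "erp.create_vendor"},
    "engineer":         {"repo.read", "repo.write"},
}
# Assumed segregation-of-duties policy: pairs no single identity may hold together
SOD_CONFLICTS = [("erp.pay_invoice", "erp.create_vendor")]
STALE_AFTER_DAYS = 90                  # assumed window for "unused" access
CERT_DATE = date(2024, 5, 10)          # constructed date of this certification run

# Constructed identity records; each entitlement carries its last-used date
IDENTITIES = [
    {"id": "alice", "type": "employee", "role": "accounts_payable",
     "entitlements": {"erp.read": date(2024, 5, 1),
                      "erp.pay_invoice": date(2024, 5, 2),
                      # leftover from alice's previous procurement role
                      "erp.create_vendor": date(2023, 11, 9)}},
    {"id": "bob", "type": "contractor", "role": "engineer",
     "entitlements": {"repo.read": date(2024, 4, 30),
                      "repo.write": date(2024, 1, 3)}},
]

def certify(identity, today):
    """Return certification findings for one identity as (kind, detail) tuples."""
    findings = []
    baseline = ROLE_BASELINE.get(identity["role"], set())
    held = identity["entitlements"]
    for ent in sorted(set(held) - baseline):
        findings.append(("excess", ent))        # accumulated beyond current role
    for ent, last_used in sorted(held.items()):
        if (today - last_used).days > STALE_AFTER_DAYS:
            findings.append(("stale", ent))     # unused; candidate for removal
    for a, b in SOD_CONFLICTS:
        if a in held and b in held:
            findings.append(("sod", f"{a}+{b}"))  # toxic combination
    return findings

def run_certification(identities, today):
    """Map each identity id to its findings; an empty list means it certifies clean."""
    return {i["id"]: certify(i, today) for i in identities}

if __name__ == "__main__":
    for ident, found in run_certification(IDENTITIES, CERT_DATE).items():
        print(ident, found or "clean")
```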
Among other benefits, strong identity governance builds trust in an organization’s digital identities and the access accorded them. Zero Trust security requires confidence that the organization knows who a person is, his or her role, and what they should be able to access by virtue of that role. Investments in identity governance are well worth the time and cost.
The Critical Role of Risk-Based Adaptive Authentication
Gartner defines user authentication as the real-time corroboration of a person's digital identity, with an implied level of trust. Authentication ensures that access is granted only to trustable identities. Fine-grained authorization ensures that the principle of least privilege is definitively and consistently implemented.
A dynamic work environment and a constantly evolving threat landscape mean that authentication requirements must be adjusted in real time. Zero Trust Organizations apply multi-factor and risk-based adaptive authentication to their sensitive and business-critical applications, using location, time, and other contextual information to modify authentication requirements as appropriate. For example, an account that can access a critical data repository from corporate headquarters should not be able to access that same repository from another place at an unusual time of the day – or from an untrusted device – without additional challenges. These can include security questions, a token, a one-time password, or biometric validation. Adaptive authentication is particularly relevant when access is requested from untrusted mobile devices or to cloud applications.
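The risk-based decision described in this paragraph, as an added example that is not code from the original article: each access request is scored against the user's usual location and hours, the device's trust state, and the sensitivity of the resource, and the result is allow, step-up (an additional challenge), or deny. The risk weights, thresholds, and the per-user baseline are constructed assumptions for illustration.

```python
# Added example (not from the article): risk-based adaptive authentication
# decision for one access request. Weights, thresholds and baseline are assumptions.
from dataclasses import dataclass

@dataclass
class Request:
    user: str
    resource: str            # e.g. "critical_data_repo"
    location: str            # network/geo label as seen by the access broker
    hour: int                # local hour, 0-23
    device_trusted: bool     # managed, attested device?
    mobile: bool = False

# Assumed per-user baseline learned from prior sign-ins (constructed)
BASELINE = {"alice": {"locations": {"hq"}, "hours": range(7, 20)}}
CRITICAL = {"critical_data_repo"}       # assumed set of business-critical resources
STEP_UP_AT, DENY_AT = 30, 80            # assumed thresholds on a 0-100 risk score

def risk_score(req):
    """Sum assumed risk weights for each contextual deviation from the baseline."""
    base = BASELINE.get(req.user, {"locations": set(), "hours": range(0, 24)})
    score, reasons = 0, []
    if req.location not in base["locations"]:
        score += 30; reasons.append("unusual location")
    if req.hour not in base["hours"]:
        score += 20; reasons.append("unusual time")
    if not req.device_trusted:
        score += 40; reasons.append("untrusted device")
    if req.mobile:
        score += 10; reasons.append("mobile device")
    if req.resource in CRITICAL and score > 0:
        score += 10; reasons.append("critical resource")   # any deviation weighs more
    return min(score, 100), reasons

def decide(req, mfa_passed=False):
    """Return (decision, reasons) where decision is allow, step_up, or deny."""
    score, reasons = risk_score(req)
    if score >= DENY_AT:
        return "deny", reasons
    if score >= STEP_UP_AT and not mfa_passed:
        return "step_up", reasons   # challenge: OTP, hardware token, biometric
    return "allow", reasons

if __name__ == "__main__":
    print(decide(Request("alice", "critical_data_repo", "hq", 10, True)))
    print(decide(Request("alice", "critical_data_repo", "hotel_wifi", 2, True)))
```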
In a Zero Trust Organization, single sign-on (SSO) can offer the significant benefits of better security and user experience. The security benefits of SSO include centralized policy enforcement, centralized session management and terminations, fewer passwords to manage (reducing vulnerabilities), and the ability to enforce access control policies on third-party and cloud applications.
SSO also offers measurable business benefits. Internal and external users are freed from the burden of remembering, storing, and managing multiple passwords of varying strength across multiple applications. SSO solutions also can track an employee’s activity, and when SSO is offered to customers, the organization can develop a more detailed profile of their behaviors, allowing for more tailored and attractive services and product offerings.
Identity and authentication are core elements of a Zero Trust security infrastructure and work in concert with other solutions to secure applications, data, the network, and the cloud.
In our next article, we address Privileged Access Management (PAM) in the Zero Trust Organization.