Virtual shields around the globe showing zero trust architecture and identity and access management

Back to School: An Introduction to Zero Trust Architecture and Identity and Access Management

Zero Trust architecture (ZTA), also known as perimiterless security, has quickly become one of the hottest new trends in enterprise cyber security. A recent Microsoft report found that 90% of security decision-makers are now familiar with Zero Trust, while just one year ago, only 20% were aware of the concept.

The notion of Zero Trust was first presented in 2009 by John Kindervag, a former Principal Analyst at Forrester Research. In a nutshell, the term refers to eliminating the reliance on trust when managing access to sensitive data within the network, using a “never trust, always verify” approach, in order to prevent successful data breaches.

Kindervag developed this concept after noting that in many cyber-attacks, the point of entry was not the target location. Instead, hackers typically identified a vulnerability in one area and moved laterally through a network until reaching their target. Implementing Zero Trust architecture prevents this type of attack by forcing users to verify their identity at multiple points within a network before they are granted access.

Though the concept isn’t new, the Zero Trust model’s recent increase in popularity has – like many other digital transformation initiatives – no doubt been catalyzed by the pandemic. To support remote working and lower IT costs, the vast majority of organizations have now migrated at least some applications to the cloud. As a result, data is increasingly stored off-premises in environments administered by vendors or partners – a serious potential security risk if not managed properly.  At the same time, it’s now standard practice for employees to access sensitive data from a range of devices, locations and geographies.

All this means that the traditional perimeter-centric security model is no longer fit for purpose. In many cases, Zero Trust architecture is the logical replacement. Though every organization is unique, here’s how implementation typically works.

Implementing Zero Trust architecture

When building Zero Trust network architecture, organizations must first identify their so-called “protect surface” – made up of the most important data, assets, applications and services. Once decision-makers have decided what their protect surface should include, they must gain an in-depth understanding of how users interact with it, and decide who should be allowed to cross it, in what ways, and when. This is known as developing a “Zero Trust Policy”.

Once this planning phase is concluded, decision-makers must decide how best to defend their organization’s protect surface. It’s important to note that there’s no one-size-fits-all model for this, but it typically involves the following considerations:

  • Identities: Verifying and securing identities using solutions including multifactor authentication (MFA), segmentation gateways, and enterprise single sign on (SSO).
  • Endpoints: Gaining comprehensive visibility of the devices accessing a network.
  • Apps: Implementing rigorous access controls for virtual, mobile, web, SaaS and cloud applications.
  • Data: Limiting data access and data-sharing, as well as encrypting sensitive files.
  • Infrastructure: Ensuring all deployed infrastructure meets relevant security and compliance requirements.

Developing an identity and access management strategy

Successfully managing digital identities is the single most effective way to prevent a successful data breach. This is the cornerstone of Zero Trust architecture.  As such, forward-looking organizations should develop a unified, efficient strategy for managing identities across their entire complex ecosystem.

The requirements of this strategy will likely differ depending on your organization’s size, the industry you operate in, and myriad other factors. However, the below considerations are usually a good place to start:

  • Governance and administration: Before designing your identity and access management (IAM) strategy, it’s important to identify the standards with which you’ll need to comply, including any reporting and audit requirements. Once your strategy has been implemented, it’s equally important to continue using data to adjust privileges across functions as needed.
  • Identity management: Specify your sources of truth for users (this often requires collaboration between HR and IT) and plan how user accounts will be created, updated, and deleted. Identity directories (containing key user details such as roles, accounts, and privileges) should serve as your organization’s authoritative identity store. An effective IAM strategy should integrate seamlessly with your organization’s diverse identities.
  • Authorization: Developing robust, considered policies and access rules is the backbone of your IAM strategy. These rules govern which data and applications can be accessed by users according to their roles, rights, and responsibilities. This can be particularly challenging in certain sectors, like healthcare, where clinicians may take on different roles that change from shift to shift. For example, a practitioner could be working in a ward as a nurse one day, and as an educator training new recruits on the next.
  • Authentication and access management: This is where you finally execute your IAM strategy! Once it’s in place, users will be authenticated on a day-to-day basis, using modern multifactor authentication methods, and can be granted access to on-premises, cloud, and mobile applications using SSO.

A closer look at authentication and access management tools

There is a huge range of tools (and an even larger range of vendors!) that IT and security decision-makers can use when implementing their IAM strategy. Here are some of the most useful:

  • Enterprise single sign-on: SSO enables employees to access all apps, websites, and data using a single set of credentials. It offers greatly improved usability by removing repetitive manual logins and complex passwords. SSO also maximizes security by preventing credential-sharing and enforcing safer password practices.
  • Multifactor authentication: There are a variety of MFA methods available, including SMS, biometric, mobile app-based, and RFID authentication. MFA helps to ensure a user is who they say they are, adding an important layer of security to ward off cybercriminals and protect user access to sensitive data.
  • Automated provisioning: Provisioning and de-provisioning involves coordinating the creation and deletion of user accounts, as well as lifecycle management as roles evolve. By automating this process, organizations can save time, ensure all employees have secure day one access to systems and applications, and guarantee that no one retains access which they should no longer have.

Looking forward, we can expect organizations’ IT environments to continue growing in both size and complexity. As such, IT and security leaders will no doubt face an uphill battle to ensure the confidentiality, integrity, and availability of data and IT services. Zero Trust architecture and effective IAM represent just one part of an all-encompassing security strategy – but they are an essential one.