Zero Trust Security for Identity and Access Management

Sundaramoorthy | December 8, 2021

As the IT industry moves its infrastructure towards hybrid, cloud and multi-cloud models, securing that infrastructure is the biggest challenge. Let us look at how combining Zero Trust with Identity and Access Management improves the security of these networks.

What is Zero Trust Security?

Zero Trust is a model first introduced by Forrester Research. Although the idea was not entirely new, it has earned its place in the rapidly growing IT industry for the results it delivers in network security and architecture.

Zero Trust is a network security model based on strict identity verification. Under this framework, only authenticated and authorized users and devices can access applications and data, regardless of which network the request comes from.

Why Zero Trust?

As growing business networks become targets for attackers, global businesses need an up-to-date security model that adapts to the complexity of the modern environment, embraces the hybrid workplace, and protects people, devices, apps, data, and networks wherever they are located.

Below are a few reasons to adopt Zero Trust:

  • Productivity

Empowers users to work with enhanced security anywhere, anytime, on any device.

  • Cloud Transition

Enables digital transformation with security intelligence across complex environments such as hybrid and multi-cloud.

  • Minimal Risk

Closes security gaps and reduces the risk of lateral movement.

Key Principles of Zero Trust

Verify Explicitly

Authentication and authorization must be based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies, rather than on the network the request arrives from.

Ensure Least Privileged Access

User access must be limited with just-in-time and just-enough access (JIT/JEA), risk-based adaptive policies, and data protection, to secure both data and productivity.

Assume Breach

Minimize the blast radius by segmenting access. Verify end-to-end encryption, and use analytics to gain visibility, drive threat detection, and improve defenses.
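The JIT/JEA part of the least-privilege principle, written out as an added example in Python (this is not code from the post or from any product). Standing permissions are empty; a user obtains a time-boxed grant for one role, the role carries exactly the actions it needs, and authorization fails as soon as the grant expires or is revoked. The role names, the permission sets, the one-hour cap and the timestamps are assumptions chosen for illustration.

```python
"""Just-in-time, just-enough access (JIT/JEA) for a privileged role.

Added example, not from the original post. Role names, permission sets
and the one-hour cap are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Standing permissions are empty; privilege exists only inside an active grant.
# Each role lists exactly the actions it needs and nothing more (JEA).
ROLE_PERMISSIONS = {
    "db-reader": frozenset({"db:select"}),
    "db-operator": frozenset({"db:select", "db:backup", "db:restore"}),
}
MAX_GRANT = timedelta(hours=1)  # assumed cap; longer requests are trimmed to it


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    reason: str            # ticket or justification, kept for audit
    expires_at: datetime

    def active(self, now: datetime) -> bool:
        return now < self.expires_at


class GrantStore:
    def __init__(self) -> None:
        self._grants: list[Grant] = []

    def request(self, user: str, role: str, reason: str,
                duration: timedelta, now: datetime) -> Grant:
        """Issue a time-boxed grant (JIT). Unknown roles and empty reasons are refused."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        if not reason.strip():
            raise ValueError("a justification is required")
        grant = Grant(user, role, reason, now + min(duration, MAX_GRANT))
        self._grants.append(grant)
        return grant

    def revoke(self, user: str, role: str) -> None:
        """Pull a grant early, e.g. when the incident it was issued for is closed."""
        self._grants = [g for g in self._grants
                        if not (g.user == user and g.role == role)]

    def is_authorized(self, user: str, action: str, now: datetime) -> bool:
        """True only if an unexpired grant exists whose role covers the action."""
        return any(
            g.user == user and g.active(now) and action in ROLE_PERMISSIONS[g.role]
            for g in self._grants
        )


def demo() -> dict[str, bool]:
    """Walk a grant through its life cycle; returns each decision for inspection."""
    store = GrantStore()
    t0 = datetime(2021, 12, 8, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    in_window = t0 + timedelta(minutes=30)
    # Bob asks for eight hours but the cap trims the grant to one hour.
    store.request("bob", "db-reader", "INC-1234 investigate slow query",
                  timedelta(hours=8), now=t0)
    results = {}
    results["select_during_grant"] = store.is_authorized("bob", "db:select", in_window)
    results["restore_during_grant"] = store.is_authorized("bob", "db:restore", in_window)
    results["select_after_expiry"] = store.is_authorized("bob", "db:select", t0 + timedelta(hours=2))
    store.revoke("bob", "db-reader")  # incident closed early
    results["select_after_revoke"] = store.is_authorized("bob", "db:select", in_window)
    results["select_with_no_grant"] = store.is_authorized("carol", "db:select", t0)
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:22} -> {'allowed' if allowed else 'denied'}")
```

Note that `is_authorized` never consults a standing role membership: if no grant is active at the moment of the request, the answer is no, which is what keeps a compromised account from carrying privilege around permanently.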

Zero Trust Key Targets

Below are the key defense areas of the Zero Trust security model in complex networks:

  • Identities
  • Data
  • Infrastructure
  • Network
  • Applications
  • Endpoints

Zero Trust Security on Identity and Access Management

Identity and Access Management is the first step of the Zero Trust security model, since identity is the core element that Zero Trust verifies explicitly. Implementing Zero Trust unifies the Identity and Access Management environment across cloud and on-premises applications and resources.

When applications, data, infrastructure, machines, and users are all reachable from the open internet, Zero Trust moves us from the traditional model of implicit trust to one of explicit verification:

  • Verify the identity of the user explicitly, instead of trusting it because of the network the user is on
  • Verify the device explicitly, instead of assuming the user has a valid machine because it is on the network
  • Classify and encrypt data explicitly, instead of allowing access to file shares because the user is on the network

Identity Centric Security

As we progress, more processes and data are moving to the internet. When a user accesses cloud-hosted email from a device outside the secured network, every element of that activity falls outside the secured network: the device, the network, and the application (code and hardware) are not under your direct control.

With the many networks, devices, and applications used in daily business, the only common denominator is the identity of the user, which is why we say “identity is the control plane”. Establishing who the user is becomes the core of trust for every other transaction: if the identity of the user is not known, no other access control or security measure is enough. Once we are sure who the user is, we can explicitly verify every other element of the access, whether our resources are on-premises, in cloud-hosted servers, or managed by a third-party SaaS provider.

A robust Zero Trust strategy considers the full context of the session to determine its overall risk: the identity of the user, the state of their device, the application being accessed, and the sensitivity of the data involved. From this context, administrators derive policies that block the session, allow it, or control it by requiring additional authentication such as MFA, restricting functionality such as downloads, or applying compliance controls such as terms of use. With such controls in place it becomes much harder for an attacker to gain access to the network. The strategy not only protects against external threats but also creates guardrails so that well-meaning employees use organizational resources responsibly.

A framework of controls such as additional authentication factors, terms of use, limited access, and other session semantics regulates every access. This is what makes us “secure at access” in a Zero Trust approach.

Vulnerable Scenario

Let’s discuss a simple example of a vulnerable scenario. Consider a building access card that a user loses. If the card is not blocked in time and a threat actor picks it up, the card alone opens the door: that is the gap. This is where Zero Trust must be enforced: possession of the card is not proof of identity, so whoever presents it must prove their identity explicitly, through a second factor, before access is granted. The lost card then no longer grants access by itself, and the exposure is contained.
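The session-risk evaluation described under Identity Centric Security, together with the lost-card scenario just above, as an added example in Python (this is not code from the post or from any identity product): a small policy decision point that scores the session from device state and anomalies, never from the source network, and returns allow, step-up MFA, read-only, or block. The signal names, risk weights and thresholds are assumptions chosen for illustration, and the scenarios are constructed rather than taken from real events.

```python
"""Context-aware access decision for a Zero Trust policy enforcement point.

Added example, not code from the original post. Signal names, risk weights
and thresholds are assumptions for illustration, not values from any product.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"          # step-up: prove the identity explicitly
    ALLOW_READ_ONLY = "allow_read_only"  # restrict functionality, e.g. no downloads
    BLOCK = "block"


@dataclass(frozen=True)
class AccessContext:
    """Signals gathered for one access request.

    Note what is absent: the source network. Being on the corporate LAN or
    VPN is not an input, so it can never be the reason access is granted.
    """
    user: str
    authenticated_with_mfa: bool   # a second factor was completed this session
    device_managed: bool           # enrolled (MDM) and known to the directory
    device_compliant: bool         # passes health checks: encryption, patches, EDR
    country: str                   # geolocation of the request
    usual_countries: frozenset[str]
    impossible_travel: bool        # sign-in too far from the previous one, too soon
    credential_revoked: bool       # the credential was reported lost or disabled
    data_sensitivity: str          # "public", "internal" or "confidential"


# Risk weights are assumptions for this example.
RISK_UNMANAGED_DEVICE = 30
RISK_NONCOMPLIANT_DEVICE = 20
RISK_UNUSUAL_LOCATION = 20
RISK_IMPOSSIBLE_TRAVEL = 40
BLOCK_THRESHOLD = 60


def session_risk(ctx: AccessContext) -> int:
    """Score the session from device state and anomalies (verify explicitly)."""
    score = 0
    if not ctx.device_managed:
        score += RISK_UNMANAGED_DEVICE
    elif not ctx.device_compliant:
        score += RISK_NONCOMPLIANT_DEVICE
    if ctx.country not in ctx.usual_countries:
        score += RISK_UNUSUAL_LOCATION
    if ctx.impossible_travel:
        score += RISK_IMPOSSIBLE_TRAVEL
    return score


def evaluate(ctx: AccessContext) -> Decision:
    """Policy decision point: combine identity, device, anomaly and data signals."""
    # Assume breach: a revoked credential is never honoured, whatever else
    # looks normal about the session.
    if ctx.credential_revoked:
        return Decision.BLOCK
    risk = session_risk(ctx)
    if risk >= BLOCK_THRESHOLD:
        return Decision.BLOCK
    if ctx.data_sensitivity == "confidential":
        # Confidential data always needs a verified identity and a healthy device.
        if not ctx.authenticated_with_mfa:
            return Decision.REQUIRE_MFA
        if not (ctx.device_managed and ctx.device_compliant):
            # Least privilege: browse in the web client, but no downloads to a
            # device whose state we cannot vouch for.
            return Decision.ALLOW_READ_ONLY
        return Decision.ALLOW
    # Less sensitive data: any anomaly at all turns into a step-up prompt.
    if risk > 0 and not ctx.authenticated_with_mfa:
        return Decision.REQUIRE_MFA
    return Decision.ALLOW


# Constructed scenarios (not real users or events). Field order:
# user, mfa, managed, compliant, country, usual, impossible_travel, revoked, sensitivity
USUAL = frozenset({"IN"})
ROUTINE = AccessContext("alice", False, True, True, "IN", USUAL, False, False, "internal")
TRAVELLING = AccessContext("alice", False, True, True, "DE", USUAL, False, False, "internal")
# The lost card after it was reported: disabled, so it is refused outright.
LOST_CARD_REVOKED = AccessContext("alice", False, False, False, "IN", USUAL, False, True, "internal")
# The lost card before anyone noticed: used from an unknown device, so the
# holder must prove the identity with a second factor.
LOST_CARD_UNREPORTED = AccessContext("alice", False, False, False, "IN", USUAL, False, False, "internal")
# Unknown device plus impossible travel: too risky even to prompt for MFA.
ANOMALOUS = AccessContext("alice", True, False, False, "US", USUAL, True, False, "internal")
# MFA done, but the managed laptop fails its health check, confidential data.
UNHEALTHY_DEVICE = AccessContext("alice", True, True, False, "IN", USUAL, False, False, "confidential")

if __name__ == "__main__":
    for name, ctx in [("routine", ROUTINE), ("travelling", TRAVELLING),
                      ("lost card, revoked", LOST_CARD_REVOKED),
                      ("lost card, unreported", LOST_CARD_UNREPORTED),
                      ("anomalous", ANOMALOUS), ("unhealthy device", UNHEALTHY_DEVICE)]:
        print(f"{name:24} risk={session_risk(ctx):3} -> {evaluate(ctx).value}")
```

The two lost-card scenarios are the point of the example: once the card is reported, revocation wins over everything else, and before it is reported, the unfamiliar device alone is enough to demand proof of identity, so the card by itself never opens the door.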

Checklist for securing the Identity Infrastructure

This checklist helps you quickly deploy the critical recommended actions to protect your organization:

  • Strengthen your credentials
  • Reduce your attack surface area
  • Automate threat response
  • Utilize cloud intelligence
  • Enable end-user self-service

A successful Zero Trust strategy requires seamless and flexible access to applications, systems, and data while maintaining security for both users and the resources they need to do their jobs. It requires being cloud-ready, starting with identity, and then working through the checklist above to secure every area of your environment.

About the Author –

Aravindh S

Sundaramoorthy

Sundar has more than 13 years of experience in IT, IT security, IDAM, PAM and MDM projects and products. He is interested in developing innovative mobile applications that save time and money. He is also a travel enthusiast.
