Covid-19 destroyed the last vestiges of the traditional security perimeter. Increasing insider threats and attacks targeting remote workers have forced a paradigm shift already in the making. As a result, this shift has organizations around the world rethinking their security perimeter. The "castle" model that once reigned supreme — with firewalls acting as the de facto security perimeter — is no longer enough to keep IT infrastructure safe from outside threats. In its place, a new security model has emerged that transcends boundaries and embraces the more abstract concept known as "trust", specifically Zero Trust.
What is zero trust?
Before the pandemic, companies were already experiencing an uptick in cloud adoption and remote work. Still, many organizations continued clinging to traditional security models. When Covid-19 hit, the pandemic tossed the business world into chaos as organizations scrambled to accelerate their cloud migrations and rapidly expanded remote workforces desperate to ensure business continuity. The models that relied on firewalls, physical security, and ACLs to prevent bad actors' intrusion crumbled. It became impossible to safeguard systems as the existing boundaries eroded, and workers retreated to their homes.
Insider threat data has shown for years that security teams cannot trust anyone. And in a world that has gone remote, it becomes harder to prevent attacks and limit vulnerabilities. People with privileged access can become disgruntled or unknowing pawns. Highjackers can access credentials, employees aren't immune to malicious motivations, and even well-meaning employees can accidentally disclose sensitive data or expose the organization to risk.
The Zero Trust approach takes the "fortress" model and completely re-imagines it. It's no longer about only distrusting outsiders. Zero Trust Models assume you can't trust everything and everyone — locking down all privileged resources by default. Access to resources is granted strictly by request, only after careful vetting of both the requestor and the access level to verify that the access falls within the organization's risk tolerance. Each attempt to access privileged data is assessed, logged, and time-limited. Under the Zero Trust Model, once an access request gets processed, the information is noted to allow pattern tracking and flagging for anomalies.
Why take the journey
Moving to a Zero Trust Model is a journey. The process doesn't happen overnight. Although it takes time and a security paradigm shift, Zero Trusts Models offer the benefits of advancing security and compliance programs to a more mature and modern state.
By its nature, Zero Trust delivers better visibility into how an organization's data is being utilized and accessed by different identities. In-depth visibility allows organizations to generate better contextual information about access patterns throughout the IT ecosystem. This transparency improves future access request decision making while providing consistent access records — and proving continuous compliance throughout the review period.
Undertaking the Zero Trust journey decreases risk significantly while reducing both the impact and scope of damage should an incident occur. By removing administrator access and other permanent privileges, there is no longer a golden key account that, if compromised, offers up all the data.
Moving toward a Zero Trust Model demands a shift in the mindset of an organization's security architect. At its core, identity must be the new security perimeter. All identities — including and beyond human users — must be addressed. Identity and Access Management must incorporate Identity Governance & Administration (IGA) in a meaningful way. There must also be a recognition that zero standing privilege is the path to a real Zero Trust Model.
The Foundation is identity
The principle of Zero Trust relies on the foundation of identity. Gaining access requires a risk-based analysis. Instead of viewing identity as a part of a group, contextual identity information (such as average peer usage and the requestor's roles, permissions, and prior access requests) gets evaluated to determine if granting access at the specified level is appropriate. Included in the analysis should be device information, user behavior, and peer analytics that are native to the Identity platform or ingested from integrated security applications.
Zero trust vs zero standing privilege
Part of the shift in moving to a Zero Trust Model is the use of Zero Standing Privilege. Zero Standing privilege in and of itself is not Zero Trust. Instead, it's the application of the principles of Zero Trust to privileged access management. Zero standing privilege eliminates the abstract concept of an administrative account that has permanent access to privileged data. Access rights get determined on an as-needed basis. So no identity has a default access level. This forces privileged access to be requested, evaluated, granted, or denied — then logged and monitored.
Meaningful identity governance
Organizations also need a complete picture of where critical and sensitive data resides and what privileged access is currently available. Part of starting the process is identifying what items require privileged access and which items pose no danger. Undertaking the move to Zero Trust requires more than just having an identity solution in place. Achieving Zero Trust requires an identity platform to meet specific capabilities. Primarily, it needs to be the authoritative source for granting access. However, identity solutions must incorporate IGA in a meaningful manner and apply zero standing privileges to make true Zero Trust a reality.
Incorporating IGA in pursuit of Zero Trust demands a risk-based identity solution. Risk-based systems gather data throughout an organization's IT ecosystem and utilize it to determine an access request's validity. Leveraging this contextual identity information requires in-depth visibility across all platforms and applications within the organization's ecosystem — whether cloud or on-premises. This information is fed to the access control software at the onset and forms the basis for access requests in the future.
A modern identity solution also merges IGA, granular application access, cloud security, and privileged access into a SaaS solution, providing frictionless access and just-in-time elevated access. This framework enables Zero Trust programs to secure business, without becoming burdensome, and monitor every application's privileged activity.
Understanding relevant governance regulations are critical for implementing compliance controls that matter. Identity solutions apply these controls for risk-based evaluation of access requests. Without these rules driving the process, you cannot build a Zero Trust environment.
Fully configured risk and compliance controls govern how to grant access. These rules ensure that access meets compliance regulations, including SOX, HIPAA, and PCI. An identity system needs to have robust logging for requests and access to ensure continuous compliance remains upheld. Logging provides auditors evidence that they meet compliance. It also allows for in-depth tracking of what privileged access, to which identities, was granted. Feeding this information back into the access decision-making process helps to flag when an identity requests access in an abnormal manner such as after hours, in constant succession, or on assets outside their purview.
It Takes a village
Migrating from a "fortress" mentality to a Zero Trust Model demands collaboration between business and IT from inception to implementation. Each brings perspectives to design processes and rules by which identity and access management will operate. In the process, business and IT help the organization secure critical assets and ensure continuous compliance.
A rewarding journey
Moving to a Zero Trust model is not a journey for the faint of heart. But like many challenging experiences, it comes with great rewards. Zero Trust allows an organization to mature from a "good vs. bad guys" mindset to a complete understanding of how its resources get utilized both on-premises and in the cloud. Zero Trust streamlines the audit process, reduces the burden of compliance, decreases risk, and lowers security TCO. It leads to greater agility — allowing businesses to undertake new initiatives, efficiently maintain operations, and rapidly react to market shifts.
Yash Prakash, Chief Operating Officer, Saviynt