For many organisations, zero trust has reached the top of the CISO agenda. While the zero-trust model has been around for a few years, it has rapidly gained momentum in recent times. Its popularity is driven by the digitalisation of the workplace which has made the network perimeter more porous. In addition, businesses across industries are responding to the demand to be more agile and efficient by embracing new ways of working. This brings an increase in both the number, and the type, of identities that need to be managed in their networks. At its core, zero trust is based on the principle of maintaining diligent access control for all users of network and systems resources. Therefore, it is a model with the capability to scale and evolve as the number of digital identities interacting in the organisation grows.
In itself, that sounds like nothing new, but the zero-trust model comes with a renewed focus on understanding and managing that access at a much finer level of detail. That is something we can all probably agree is needed in a world where over ninety per cent of people will click accept to all the terms and conditions by default. Just as users are likely to be overly trusting and open themselves up to cyberattack as a result, organisations can be too trusting as well. Think of how often you share a login with a colleague or download data for them to use outside the intended app or software. Have you ever shared banking or personal details with a member of the finance team you’ve never heard of before? This may even be the norm within your organisation, where often our good intentions to provide a smooth and easy experience for customers, partners and contractors can lead us to share access unwisely.
At the centre of any question relating to access control is the critical concept of trusted identity and the need to truly understand the access that is being requested, provided and used over time. This therefore means having strong authentication, fine-grained authorisation, good lifecycle administration, and excellent audit and control mechanisms. In short, it means getting IAM right, taking ‘management’ to the next level and truly ‘governing’ the identities within your organisation as they mature and evolve over time.
What does it mean to have a zero-trust security model?
The first principle of zero-trust is removing the assumed protection of the “private network” – you’ll often hear people use the term “assume network compromise”— meaning accept the fact that you no longer have complete control over your network. This does not mean opening the door to the bad guys, but accepting the fact that the adversary can and likely will get “network access” to your applications and data. If recent data breach headlines have proven anything – it’s no longer a case of if but WHEN a breach will happen.
Today’s network perimeter has expanded way beyond the LAN and now includes remote people, applications and cloud services that literally span the globe. This means that the former ‘castle and moat’ metaphor no longer works; the zero-trust model acknowledges that no matter how deep your moat, if you have a drawbridge then there’s a chance you have an invader in your midst. The days are gone where IT managers could lock the door to the office or data centre at the end of the day and sleep easy. However, the underlying concerns about access remain – who is accessing what data and why? Therefore, whether someone is accessing IT from their desk, a coffee shop, or Antarctica nothing should change as far as trust goes.
The role of identity governance in zero trust
Having a robust identity infrastructure gives organisations the ability to build a more dynamic and identity-aware environment, one which understands not just access patterns but how this relates to the way your organisation operates. Building a virtual map of connections between identities in your organisation to better understand how identity infrastructure truly operates can help highlight outliers. These could be identities with high levels of access rights or an above-average number of collaborators, who might be at a higher risk of being targeted by cyberattacks. Having identified outliers, IT teams can focus their efforts on activities such as retraining employees in cybersecurity awareness and weeding out excess access permissions.
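As an added illustration (not code from the article or from any vendor product), the sketch below builds such a map from access grants and flags identities whose entitlement count or collaborator count is unusually high. The grant data and all names are constructed, and the median-plus-MAD cutoff is an assumed choice of outlier test.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: (identity, resource) access grants.
GRANTS = [
    ("alice", "crm"), ("alice", "wiki"),
    ("bob", "wiki"), ("bob", "git"),
    ("carol", "git"), ("carol", "ci"),
    ("dave", "crm"), ("dave", "wiki"), ("dave", "git"),
    ("dave", "ci"), ("dave", "payroll"), ("dave", "hr-db"),
    ("erin", "payroll"),
    ("frank", "hr-db"),
]

def build_map(grants):
    """Index grants both ways: identity -> resources, resource -> identities."""
    by_identity, by_resource = defaultdict(set), defaultdict(set)
    for identity, resource in grants:
        by_identity[identity].add(resource)
        by_resource[resource].add(identity)
    return by_identity, by_resource

def collaborators(by_identity, by_resource):
    """Two identities collaborate if they hold access to a common resource."""
    return {
        ident: set().union(*(by_resource[r] for r in resources)) - {ident}
        for ident, resources in by_identity.items()
    }

def robust_outliers(values, k=2.0):
    """Keys whose value exceeds median + k * MAD (assumed threshold rule)."""
    med = median(values.values())
    mad = median(abs(v - med) for v in values.values())
    # Floor the spread at 1 so a near-uniform population is not over-flagged.
    cutoff = med + k * max(mad, 1)
    return {key for key, v in values.items() if v > cutoff}

def find_outliers(grants, k=2.0):
    by_identity, by_resource = build_map(grants)
    access = {i: len(r) for i, r in by_identity.items()}
    collab = {i: len(c)
              for i, c in collaborators(by_identity, by_resource).items()}
    return {"access": robust_outliers(access, k),
            "collaborators": robust_outliers(collab, k)}

if __name__ == "__main__":
    print(find_outliers(GRANTS))
```

The flagged identities are candidates for an access review, not findings in themselves; a service owner may legitimately hold broad access.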
Strong administration processes and accurate governance are also the bedrock of improving compliance. These can ensure that essential access policies (from separation of duties to GDPR) are followed and can be audited for compliance purposes. Providing a centralised view over identity to business data, wherever it resides, can also drive business value by letting IT teams focus their time on more strategic tasks.
Having a truly trusted source of controls and oversight is required to ensure that stronger authentication and deeper authorisation are delivered in a timely manner. The process of ensuring that the right accounts, entitlements and attributes are in place is where identity governance and administration come into play. This allows organisations to control the lifecycle of the very policies and data that now drive this on-going process. Instead of hampering the productivity of your team, it can reduce the friction caused by a traditional ticketing system: quick, automated access provisioning lets users get the access they need when they need it – but nothing that they don’t.
Zero trust is a way of thinking: an approach, not a specific product or single solution. Nor is it a final answer to all businesses’ cybersecurity worries, but more a method for evolving strategies and being prepared as new threats emerge and new business requirements come into play. The entire concept strives to challenge every organisation to think differently about how they build applications, networks, and security controls. It means placing identity at the centre of the security architecture and truly understanding who should have access to what and how that access is being used. Identity governance plays a central role in delivering on that vision, providing a security architecture that is more real-time, more contextual, and able to predict, understand and govern appropriate access in the new world of zero trust.
Darran Rolls, CTO, SailPoint