To achieve Zero Trust phase 1, Identity and Access Management must be the top priority.
Zero Trust isn’t a new concept, yet with the rise of remote working and the proliferation of data across almost every sector and organisation, it has become a critical framework for enterprises to understand and implement. The major mindset shift with Zero Trust is moving from IT security access decisions built on implicit assumptions to explicitly verifying every element of every access request.
The Zero Trust (ZT) framework incorporates identity and access management (IAM) and requires that every user, application and machine is explicitly verified rather than implicitly trusted. For instance, instead of assuming that a user is on a valid machine simply because they are on the network, that device must be explicitly verified. The same goes for granting access to file shares just because the user is on the network. With ZT, the user must be explicitly verified and the data must be encrypted.
The shift with ZT is to treat everything on the internet as open. This makes it clear that cloud-hosted applications and user devices are usually operating outside the perimeter, external to the network. Because these devices and applications are generally outside the perimeter, the organisation has very little control over them unless identity and access management is in place.
Because of the way users reach networks, devices and applications for work, the only consistent thread is the user, who could be anywhere, on any device, at any time. Under ZT this makes identity the control measure: it is the essential piece of the puzzle that identifies the user at the origin of trust for every other transaction. Once the user is clearly identified, they can be verified explicitly at every access point, whether their resources are in the cloud, managed by a third party or on-premises.
The ZT framework takes a holistic view of the user, looking at the health of their device, the particular applications in use and the sensitivity of the data they want to access. From these signals, automated policies can be defined that take the necessary action, i.e. allowing, blocking, controlling or restricting access. This approach protects against external threats while also setting boundaries so that verified employees can access their resources when they need to, in a responsible fashion.
To ensure a successful ZT implementation, you need flexibility in accessing applications, systems and data whilst simultaneously securing users and the elements they need to complete their tasks. This is why it’s important to prioritise identity first and then take further steps to secure the entire environment from there. You could do this by:
- Building strong credential requirements. Some users have weak passwords, which are a frequent entry point for attacks; supplementing passwords with MFA should be an early consideration.
- Minimising the attack surface to keep attackers out, by reducing the use of less secure protocols and limiting entry points. It’s also important to tighten control over administrative access rights.
- Minimising risk and cost by automating threat responses, which makes it harder for cyber criminals to enter or embed themselves in your environment.
- Auditing and logging security-related events to increase awareness of potential insider attacks or attempts to penetrate the network.
- Empowering users with self-help measures to make the process as easy as possible whilst still ensuring vigilance.
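The holistic policy evaluation described above (device health, application, data sensitivity, MFA, legacy-protocol reduction, administrative controls, automated response and audit logging) can be shown as a small policy engine. The code below is an added illustration written for this page, not code from the original post or from any product it refers to; the request fields, the `LEGACY_PROTOCOLS` set, the sensitivity levels and the decision thresholds are assumptions chosen for the example.

```python
"""Toy Zero Trust access policy engine (added example; not from the original post).

Every request carries identity, device-health, protocol and data-sensitivity
signals; the engine verifies them explicitly and logs each decision.
Field names and thresholds below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"   # step-up: identity not yet strongly verified
    RESTRICT = "restrict"         # e.g. read-only or browser-only session
    BLOCK = "block"


@dataclass
class AccessRequest:
    user: str
    mfa_completed: bool
    device_managed: bool        # enrolled in the organisation's device management
    device_compliant: bool      # disk encrypted, patched, endpoint agent healthy
    protocol: str               # transport/auth protocol the client is using
    admin_role: bool            # request targets administrative rights
    data_sensitivity: str       # "public" | "internal" | "confidential"
    risk_signal: Optional[str] = None  # e.g. "leaked_credentials" from a threat feed


# Protocols that cannot carry modern, explicitly verifiable auth (illustrative set).
LEGACY_PROTOCOLS = {"smb1", "ntlmv1", "imap-basic"}
SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2}

# Audit trail of (user, decision, reason); a real deployment ships this to a SIEM.
AUDIT_LOG: List[Tuple[str, str, str]] = []


def evaluate(req: AccessRequest) -> Tuple[Decision, str]:
    """Return (decision, reason) and record it. Deny rules run first, then step-up, then allow."""
    decision, reason = _decide(req)
    AUDIT_LOG.append((req.user, decision.value, reason))
    return decision, reason


def _decide(req: AccessRequest) -> Tuple[Decision, str]:
    # Unknown sensitivity labels are treated as confidential (fail closed).
    rank = SENSITIVITY_RANK.get(req.data_sensitivity, 2)

    # Automated threat response: an active risk signal ends the session and forces a reset.
    if req.risk_signal:
        return Decision.BLOCK, f"risk signal: {req.risk_signal}; credential reset required"

    # Reduce the attack surface: refuse protocols that cannot be explicitly verified.
    if req.protocol.lower() in LEGACY_PROTOCOLS:
        return Decision.BLOCK, f"legacy protocol {req.protocol} not permitted"

    # Identity is the control measure: no strong verification, no access yet.
    if not req.mfa_completed:
        return Decision.REQUIRE_MFA, "MFA not completed"

    # Administrative rights only from a managed, healthy device.
    if req.admin_role and not (req.device_managed and req.device_compliant):
        return Decision.BLOCK, "admin access requires a managed, compliant device"

    # Data sensitivity decides how much device assurance is needed.
    if rank == 2:
        if not req.device_managed:
            return Decision.BLOCK, "confidential data requires a managed device"
        if not req.device_compliant:
            return Decision.RESTRICT, "confidential data on non-compliant device: read-only"
    elif rank == 1:
        if not (req.device_managed and req.device_compliant):
            return Decision.RESTRICT, "internal data on unverified device: browser-only"

    return Decision.ALLOW, "all signals verified"


if __name__ == "__main__":
    # Constructed sample request: verified user on a managed but unpatched laptop.
    sample = AccessRequest(user="alice", mfa_completed=True, device_managed=True,
                           device_compliant=False, protocol="https",
                           admin_role=False, data_sensitivity="confidential")
    print(evaluate(sample))
    print(AUDIT_LOG)
```

The ordering of the rules is the design point: deny conditions that no amount of user verification can fix (legacy protocol, active risk signal) are checked before the MFA step-up, so a user is never prompted for a second factor on a session that will be refused anyway, and every outcome, including allows, lands in the audit log so the "audit and log" item above has something to feed a detection pipeline.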
Implementing ZT with identity and access management (IAM) can be overwhelming, especially because of the mindset shift required across IT security teams and the organisation at large.
Having a comprehensive yet simple strategy in place can help you get the first phase off the ground. Download this practical guide to Zero Trust for a simple pathway to begin your journey in implementing a Zero Trust framework with IAM factored in.