Everybody talks a good game about zero trust, but without a trusted identity, it’s impossible to implement in today’s hybrid, multi-cloud environments. Since zero trust treats every user as a potential adversary and every device that connects to the network as a potential attack vector, identities and access policies need to be more fine-grained and continuously assessed.
Consider legacy identity systems, which were designed for trusted networks. With the advent of hybrid and multi-cloud environments, implementing zero trust principles demands more layered identity and access management (IAM) using multi-factor authentication, identity proofing and threat intelligence.
Many of these features are built into today’s cloud environments, but not into legacy identity systems. As a result, enforcing zero trust principles in a hybrid world requires identity that can bridge the old and the new. For example, in a legacy identity system, signing in to an app running on-premise meant signing in to a corporate server that was self-contained with its own rules and policies.
But now, if you’re signing in through a cloud provider such as Microsoft Azure, it will check your device, run its own threat intelligence rules and enforce access policies. Extending these capabilities to legacy identity systems would require rewriting each application inside your network.
Many zero trust-based cloud identity systems verify a user’s identity over more than one channel (browser, mobile device, tokens, etc.) when it appears the identity may have been compromised, and they use continuous authentication to confirm that it has not been. When we thought we could trust everything, we just authenticated everybody once and provided single sign-on for all authorized apps.
This is no longer the case. One of the first tenets of zero trust security is to harden that first login with additional security layers, such as multi-factor authentication. This includes tracking user activity to verify that the user is still on the same device and browser, for example. You’re not just checking users at the front door and letting them roam around the network unchecked. You have opportunities to say: “Hey, let’s make sure you’re still who you say you are.”
That’s why zero trust demands more advanced IAM. You need to be able to take what have become core security functions used in cloud identity and extend them to on-premise applications that have no way of asking for or interpreting things like MFA, continuous authentication, threat intelligence and risk scores. Old identity systems send very simple HTTP headers and user data to indicate that the user has been authenticated. By bridging the gap between modern identity systems and on-premise apps, it’s possible to implement very granular policy enforcement, such as controlling access to parts of the application and its data, as well as the actions users can perform inside the app, rather than just letting someone sign in or not.
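To make the bridging idea concrete, here is an added example (not code from the article or from any product it mentions) of the policy core of an identity-aware proxy: it takes the claims of a token issued by a modern identity provider, evaluates a per-path, per-method policy that can demand MFA, a compliant device and a risk ceiling, and only then emits the two plain HTTP headers a legacy application understands. The claim names (`amr`, `risk_score`, `device_compliant`), header names and policy rules are constructed for illustration; real providers name these differently.

```python
"""Identity-aware bridge between a modern IdP token and a legacy app.

Added example, not from the original article. Assumptions (constructed):
the IdP token carries a `sub`, a `groups` list, an `amr` list that includes
"mfa" after a second factor, a `risk_score` in [0, 1] and a boolean
`device_compliant`; the legacy app trusts only X-Remote-User/X-Remote-Groups.
"""
from dataclasses import dataclass

# Constructed: the only identity signal the legacy app can interpret.
LEGACY_USER_HEADER = "X-Remote-User"
LEGACY_GROUPS_HEADER = "X-Remote-Groups"
LEGACY_HEADERS = {LEGACY_USER_HEADER.lower(), LEGACY_GROUPS_HEADER.lower()}


@dataclass(frozen=True)
class Rule:
    path_prefix: str
    methods: frozenset
    require_mfa: bool = False
    max_risk: float = 1.0
    require_compliant_device: bool = False
    groups: frozenset = frozenset()  # empty = any authenticated user


# Constructed policy: reads of reports are open to any authenticated user,
# finance reads need MFA and group membership, finance writes additionally
# need a compliant device and a very low risk score.
POLICY = [
    Rule("/reports/", frozenset({"GET"})),
    Rule("/finance/", frozenset({"GET"}), require_mfa=True, max_risk=0.5,
         groups=frozenset({"finance"})),
    Rule("/finance/", frozenset({"POST", "PUT", "DELETE"}), require_mfa=True,
         max_risk=0.2, require_compliant_device=True, groups=frozenset({"finance"})),
]


def match_rule(method, path):
    """Most specific (longest prefix) rule that lists this method, or None."""
    candidates = [r for r in POLICY
                  if path.startswith(r.path_prefix) and method in r.methods]
    return max(candidates, key=lambda r: len(r.path_prefix)) if candidates else None


def decide(claims, method, path):
    """Return (allowed, reason, headers). Default deny; "step_up_mfa" tells the
    proxy to send the user back to the IdP rather than flatly refuse."""
    rule = match_rule(method, path)
    if rule is None:
        return False, "no_matching_rule", {}
    if rule.groups and not rule.groups & set(claims.get("groups", [])):
        return False, "group_required", {}
    if rule.require_mfa and "mfa" not in claims.get("amr", []):
        return False, "step_up_mfa", {}
    if rule.require_compliant_device and not claims.get("device_compliant", False):
        return False, "device_not_compliant", {}
    if claims.get("risk_score", 1.0) > rule.max_risk:  # missing score = worst case
        return False, "risk_too_high", {}
    headers = {
        LEGACY_USER_HEADER: claims["sub"],
        LEGACY_GROUPS_HEADER: ",".join(sorted(claims.get("groups", []))),
    }
    return True, "ok", headers


def sanitize_inbound(headers):
    """Drop any client-supplied copies of the legacy identity headers, so the
    only values the app ever sees are the ones the proxy sets after `decide`."""
    return {k: v for k, v in headers.items() if k.lower() not in LEGACY_HEADERS}


# Constructed sample claims for two users.
ALICE = {"sub": "alice", "groups": ["finance", "staff"], "amr": ["pwd", "mfa"],
         "risk_score": 0.1, "device_compliant": True}
BOB = {"sub": "bob", "groups": ["staff"], "amr": ["pwd"],
       "risk_score": 0.3, "device_compliant": False}

if __name__ == "__main__":
    for who, method, path in [(ALICE, "POST", "/finance/journal"),
                              (BOB, "GET", "/reports/q1"),
                              (BOB, "GET", "/finance/ledger")]:
        print(who["sub"], method, path, "->", decide(who, method, path)[:2])
```

The proxy must set the legacy headers itself only after `decide` allows the request and must strip any inbound copies first (`sanitize_inbound`); otherwise the plain header the old app trusts becomes the weakest link in the chain.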
Take SaaS platforms, for example. They deal in data, very rich data, and are a very attractive target for attackers. As phishing schemes increased in sophistication, SaaS platforms had to become really, really good at defending against them. They didn’t set out to explicitly become zero trust environments, but the risks associated with users accessing SaaS apps over the public Internet made them that way organically. Applying these same zero trust principles to your on-premise environment is increasingly important since the traditional security perimeter has become a thing of the past.
Consider how SaaS apps use behavior profiling to identify patterns and leverage them for authentication. Behavior profiling used to be specialized technology that was exclusively used in early adopter verticals like financial and banking platforms. Enforcing zero trust is making the need for them ubiquitous; now everybody has to use behavior profiling. For example, identity systems are paying attention to whether each login was like the last one and the 300 before: Was the identity using the same device, browser, plugins and extensions, location, IP address? Are any of those things different? What does that mean?
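The comparison the paragraph describes, each login against the ones before it, can be written down as a small scoring routine. The following is an added example, not code from the article or from any identity product: a user's past logins form a per-attribute baseline, a new login is scored by how much of it has never been seen for that user, weighted by how unusual a change in that attribute is, and the score maps to allow, step-up (ask for MFA again) or block. The attribute set is the one the paragraph names; the weights, thresholds and sample logins are constructed for illustration, not tuned on real data.

```python
"""Login-fingerprint deviation scoring (added example, not from the article).

Assumption (constructed): every login is summarised as a dict with the keys
device, browser, plugins (a sorted tuple of extension names), country and ip.
"""
from collections import Counter

# Constructed weights: a new device is more surprising than a new IP address.
WEIGHTS = {"device": 0.35, "browser": 0.20, "plugins": 0.15, "country": 0.20, "ip": 0.10}
STEP_UP = 0.3  # at or above: re-authenticate with a second factor
BLOCK = 0.7    # at or above: refuse and raise an alert


def build_baseline(history):
    """Per-attribute frequency of every value seen in the user's past logins."""
    baseline = {attr: Counter() for attr in WEIGHTS}
    for login in history:
        for attr in WEIGHTS:
            baseline[attr][login[attr]] += 1
    return baseline


def update_baseline(baseline, login):
    """Fold a login that passed authentication into the baseline."""
    for attr in WEIGHTS:
        baseline[attr][login[attr]] += 1


def deviation_score(baseline, login):
    """0.0 = exactly the user's usual pattern, 1.0 = nothing has been seen before.
    Each attribute contributes its weight times the share of past logins
    that did NOT carry this login's value for it."""
    n = sum(baseline["device"].values())  # every attribute has one entry per login
    if n == 0:
        return 1.0
    score = sum(w * (1 - baseline[attr][login[attr]] / n) for attr, w in WEIGHTS.items())
    return round(score, 3)


def decide(baseline, login):
    """Return (action, score) where action is allow, step_up or block."""
    if not any(baseline[attr] for attr in WEIGHTS):
        return "step_up", 1.0  # first login ever: verify, then start the baseline
    score = deviation_score(baseline, login)
    if score >= BLOCK:
        return "block", score
    if score >= STEP_UP:
        return "step_up", score
    return "allow", score


# Constructed history: five logins from one laptop in one country, two IPs.
HISTORY = [
    {"device": "laptop-A", "browser": "Firefox 120", "plugins": ("ublock",),
     "country": "DE", "ip": "203.0.113.10"} for _ in range(4)
] + [
    {"device": "laptop-A", "browser": "Firefox 120", "plugins": ("ublock",),
     "country": "DE", "ip": "203.0.113.11"},
]
BASELINE = build_baseline(HISTORY)

USUAL = dict(HISTORY[0])
TRAVEL = dict(USUAL, browser="Safari 17", country="FR", ip="198.51.100.7")
TAKEOVER = {"device": "phone-Z", "browser": "Chrome 118", "plugins": (),
            "country": "BR", "ip": "192.0.2.44"}

if __name__ == "__main__":
    for name, login in [("usual", USUAL), ("travel", TRAVEL), ("takeover", TAKEOVER)]:
        print(name, "->", decide(BASELINE, login))
```

In practice the baseline would be bounded (the article's "300 before" is a reasonable window) and only updated after a login actually succeeds, so that an attacker who is challenged and fails never teaches the profile a new device.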
The cloud has essentially reduced the traditional enterprise perimeter down to individual identities. So enforcing zero trust no longer depends on keeping users in or out. Instead, we need to keep track of user behavior and recognize patterns, as well as deviations from normal activity. And that’s really different from how enterprise security worked in the past. It’s interesting that cloud platforms, which were initially considered less secure than on-premise environments, have leapfrogged their data center brethren.