Due to the increase in digital business and a distributed workforce, many user, application, and device identities request access to organizational assets from inside and outside the network. These requests raise the complex issue of determining who and what is requesting access to an organization’s resources, whether access should be granted, and how access should be managed.
If access is granted, the organization must navigate access management with granular access policies that provide the least amount of access necessary to perform a specific function or task. The complexity of the issue can be addressed only with a strong identity and access management (IAM) strategy. While an IAM strategy is necessary to maintain a strong security posture, implementing such a strategy becomes even more critical as organizations adopt a Zero Trust approach to security.
The Challenge: Walls Are Falling Down
There’s no longer a continuous line or wall forming a boundary between an organization’s assets and bad actors. With the increase in hybrid work models and a distributed workforce, an organization’s assets can potentially be accessed from anywhere in the world, and, of course, threats continue to escalate.
To meet business demands and protect against escalating threats, organizations recognize the need to shift their mindset around security and are adopting a Zero Trust approach to securing their assets. A Zero Trust approach assumes that no identity is inherently trustworthy. The approach focuses more on who you are than where you are when accessing the organization’s network.
The Evolution of Zero Trust
Security professionals are shifting away from verifying identities once at the perimeter to continual verification of each user, device, and application. Zero Trust, created by John Kindervag, is now more than 10 years old. It has been widely adopted by both private and public sector organizations as a strategy to protect against modern cyberthreats. For organizations working on Zero Trust implementations, it is more apparent than ever, especially with the increased adoption of cloud and remote work, that IAM is necessary to successfully implement a Zero Trust Architecture.
In fact, the January 2022 Office of Management and Budget (OMB) Memorandum, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” states that the Zero Trust strategy places significant emphasis on stronger enterprise identity and access controls, including multi-factor authentication (MFA). It notes that without secure, enterprise-managed identity systems, adversaries can take over user accounts and gain a foothold in an agency to steal data or launch attacks. The OMB Memorandum lends further support to the widely held notion that IAM is necessary to implement a Zero Trust Architecture.
IAM Is the Foundation of a Zero Trust Approach
As the OMB points out, the foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, security professionals must verify anything and everything attempting to establish access. Organizations must be certain of the user or device identity requesting access to their assets. Once an identity is authenticated, that identity determines the level of access granted.
This is why IAM is foundational to a Zero Trust Architecture. It really is the first step necessary to enable a Zero Trust Model. Modern authentication is a key component of secure IAM, and modern authentication includes solutions like MFA and other passwordless authentication methods used to establish trust between parties.
Considerations for Secure IAM
Evolving business needs around cloud applications and mobile devices, combined with rising threats and the need to reduce costs, require organizations to consider flexible IAM solutions that are automated, cost-effective, meet their current business demands, and offer future-forward scalability. So, organizations must not only implement a Zero Trust Architecture to mitigate risks posed by modern threats, but must also give due consideration to investments in the tools and solutions that will drive the implementation of their IAM policy and achieve secure identities. This might include solutions like enterprise authentication to support secure remote access for a mobile workforce, a secure virtual private network (VPN), secure access to virtual desktop infrastructure (VDI), and unified access policies and single sign-on for web-based applications. The way to achieve this is by implementing modern authentication and authorization protocols, policy-based access, and adaptive authentication.
Conclusion
To meet new and changing business demands, and to allow organizations to digitally accelerate and implement a Zero Trust strategy, it is imperative that security professionals develop an IAM strategy with solutions that will set them up for success. IAM forms a critical part of the Zero Trust Architecture. It is, indeed, step one.