Identity and access management are the cornerstones of Zero Trust – both require continuous development
Zero Trust is a new, holistic approach to building an organization’s information security. Identity and access management play a key role in the implementation of the new concept. By developing both of them hand in hand, information security and user experience can be constantly improved.
Conventionally, the information security of a company has been thought of as a secret and beautiful garden in a castle, with outer borders protected by thick walls. In today’s world, this approach does not work. Hybrid work takes place in a multi-cloud environment that combines the company’s own computer room with third-party services. This kind of working environment makes it difficult to maintain a high level of security with conventional methods.
The concept of Zero Trust offers a novel solution. Instead of conventional firewalls, borders are now created with the help of identity and access management. People are trusted, but their devices are not. Thus, they are verified every time before being granted access to a service, application or system. Access rights are only granted to the extent required by the person for their duties.
Zero Trust can often be built on top of the current IT infrastructure – as long as it is in good shape
The Zero Trust concept cannot be purchased directly from the shelf; it is a long-term transformation carried out iteratively one section at a time. The company may already have the technology required. In this case, the organization’s Zero Trust journey may begin without investment in technology.
On the other hand, the company’s IT infrastructure has to be in good shape in order to allow a pleasant journey. The company must know who uses its systems, with what devices and access rights, and which systems they need to access. In many organizations, it is difficult to answer these questions. In addition, the situation evolves constantly as new users, devices and systems are added while others are removed.
Identity and access management play a central role
One of the main principles of the Zero Trust concept is that identity is always verified and access rights checked in near-real time when a person tries to access a system. Identity and access management are the core of this process; without them, the functionalities and the entire concept of Zero Trust are practically impossible to build.
The company may already have competent solutions for identity and access management. However, when it comes to Zero Trust, their maturity level often has room for improvement. Even if the technology is ready, its correct use requires skill.
5 pillars of building Zero Trust with identity and access management
Identity and access management offer several key building blocks for implementing Zero Trust. Here are the most important ones:
1. Authentication
In the concept of Zero Trust, the user is identified every time they enter a new application, system, or location. This ensures that the user is who they claim to be and verifies whether they should have access. There are different ways to identify the user. Access to basic systems should be straightforward, but more sensitive information may require additional authentication. The suitable method may also depend on the device or network used.
2. Identity
Identity is not the same as user authentication: while identity determines who the user is and what attributes they have, authentication verifies this. Identity is the basis for defining access rights which are granted to the user after they have been identified.
3. Catalog of access right objects
Different access rights are modeled systematically. To make access rights more understandable, they are compiled into packages based on different roles.
4. Modeling authorizations
Authorizations are modelled and kept up to date through defined processes and automation. A supervisor or the main user of a system, for example, may assign a role to a user according to the process. This is how the user is granted the access rights pertaining to the role. Depending on the risk level, the end user can also gain access to systems and applications as a self-service.
In an automated process, the system can grant the access rights pertaining to a role automatically. The rights can also be modelled programmatically. This means, for example, that all employees in a certain office are granted the same basic rights. Role mining is another method where similarities within access data are identified and roles are built accordingly.
5. Audits for authorization
In the Zero Trust concept, it is essential to keep data up to date. The shorter the period that any inaccuracies exist, the better the level of information security and user experience. Thus, the information needs to be checked periodically. In a recertification, the system or data owners are instructed to inspect the users and access right objects and to update any inaccurate information.
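The five pillars above, worked through as a small policy model. This is an added example, not code from the article or from Epical: the role catalog, the "Helsinki office gets the basic package" rule, the 90-day recertification interval and the step-up rule are all constructed assumptions chosen to illustrate the concepts.

```python
from dataclasses import dataclass, field
from datetime import date
from itertools import combinations

# Pillar 3: access-right objects packaged into roles (constructed sample catalog).
ROLE_CATALOG = {
    "employee_basic": {"mail", "intranet"},
    "finance_analyst": {"mail", "intranet", "erp_read"},
    "finance_admin": {"mail", "intranet", "erp_read", "erp_write"},
}
SENSITIVE = {"erp_write"}  # rights that need step-up authentication (pillar 1)
RECERT_DAYS = 90           # recertification interval assumed for this example (pillar 5)

@dataclass
class Identity:  # pillar 2: who the user is and which attributes they carry
    user: str
    office: str
    roles: set = field(default_factory=set)
    last_certified: date = date(2022, 1, 1)

def assign_roles(idn: Identity) -> set:
    """Pillar 4, programmatic modelling: everyone in the Helsinki office gets the basic package."""
    if idn.office == "Helsinki":
        idn.roles.add("employee_basic")
    return idn.roles

def effective_rights(idn: Identity) -> set:
    """Union of the access-right objects of all the user's roles."""
    return set().union(*(ROLE_CATALOG[r] for r in idn.roles))

def decide(idn: Identity, right: str, mfa_done: bool, device_managed: bool, today: date) -> str:
    """Pillars 1 and 5: verify every request. Overdue certification or a missing role denies;
    a sensitive right steps up to MFA on a managed device, since the device is not trusted."""
    if (today - idn.last_certified).days > RECERT_DAYS:
        return "deny: recertification overdue"
    if right not in effective_rights(idn):
        return "deny: not in role"
    if right in SENSITIVE and not (mfa_done and device_managed):
        return "step-up: mfa on a managed device required"
    return "allow"

def mine_roles(grants: dict, min_users: int = 2) -> set:
    """Pillar 4, role mining: right sets shared by at least min_users users become candidate roles."""
    candidates = set()
    for a, b in combinations(grants, 2):
        common = frozenset(grants[a] & grants[b])
        holders = sum(1 for g in grants.values() if common <= g)
        if len(common) >= 2 and holders >= min_users:
            candidates.add(common)
    return candidates
```

`mine_roles` takes a mapping of user name to currently held rights and returns the shared right sets that are candidates for new roles in the catalog.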
Identity and access management and Zero Trust resemble each other: they are all developed step by step towards a shifting goal. Although the world will never be ready for any of these concepts, we can keep making it a little better every day.
Do you need expertise in identity and access management solutions supporting Zero Trust? Get to know our services.
Author: Mika Käck works as Principal Consultant at Epical's Digital Trust team in Finland, building new Digital Identity services for our customers.
The article has been published for the first time on the Tivi magazine on November 9, 2022. (In Finnish.)