Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.

Achieving Zero Trust Without Driving Your Users Crazy

Micro Focus Expert
Micro Focus Expert
5 0 2,182

As long as I can remember, IT’s security strategy has been to create layers of protection. And while firewalls are still a de facto IT security practice, the reality is that many of the digital services consumed today are no longer within the safety of their intranet. While some cloud-based services offer VPNs, they are typically accessed by users from a variety of locations, not just the office. Because we’ve reached a point where virtually all of our information is kept in a digital format, the stakes are higher today for all of us, users and organizations alike, than any time before. 

Introducing Zero Trust

Achieving Zero Trust.pngThis new paradigm of digital access is leading organizations to a Zero Trust model. Zero Trust is based on the idea that no access request should be automatically trusted but rather that the user requesting it should be verified. Of course, not all resources require the same level of identity verification. Someone accessing the cafeteria menu or general operational information doesn’t pose the same level of risk to the organization as someone accessing their customer, financial, or other types of sensitive information. So before Zero Trust can truly be pervasive or ubiquitous across an organization’s digital landscape, there has to be some level of intelligence controlling its applicability. Imposing a myriad of authentication requests is no more a solution than applying a static single sign-on layer across the entire environment. The former approach is unusable, while the latter increases exposure from hacked user accounts.

In the context of applying the right authentication type before responding to an access request, it’s important to point out that Zero Trust does not involve eliminating firewalls or any other kind of perimeter demarcation point. Instead, it leverages access control capabilities built into network segmentation and resource endpoints. This means that IT needs to think in terms of a new paradigm of security layers placed as close as possible to the protected resources. The big shift is that historically, those inside the firewall were subject to a lower level of identity verification compared to those on the outside. Meaning, that to a certain extent, inside users are treated as privileged users or endpoints. Using a building analogy, Zero Trust is like putting a security guard at every door, hallway, and elevator. And even at each office entry. It’s under this archetype that static authentication falls down.

Making Zero Trust Livable

Once IT decides to adopt a Zero Trust model, the next to-do item is to develop an authentication strategy and shape how it’s implemented. If done without balance, Zero Trust will serve as either a fast track to raising corporate risk, end-user dissatisfaction with repeated authentication requests, or both. But a well-planned approach will not only increase security but also maintains or even improve their user’s experience. To achieve this experience, IT needs to create a map of authentication levels to their network segments and service endpoints, defining where a simple authentication good enough, where multi-factor authentication needs to be brought in and especially important what authentication type to invoke. In this webinar on Advanced Authentication with Andras Cser, a principal analyst at Forrester, he points out that Zero Trust places new authentication requirements on organizations where imposed friction needs to be as low as possible. In short, to be successful Zero Trust requires single sign-on across the board with low friction multi-factor authentication inserted at the higher risk points within their environment. 

When looking at the variety of methods, of course, I’m going to recommend taking a standards-based perspective. FIDO2 is a great way to move away from passwords into a passive or low touch model, and NetIQ Advanced Authentication is a great a standards-based framework to plug them in to. Beyond its extensive list of integrations, its robust framework has proven itself in a wide range of environments. Using a corporate-wide authentication framework provides compelling advantages over the typically siloed architectures that are so commonplace:

  • It allows a ubiquitous set of policies for all their authentication. This does more than just drive down administration overhead, it increases security by eliminating uneven policies rampant in siloed implementations.
  • Its standards-based open architecture gives organizations the freedom to implement authentication methods that best fit their environment and user requirements.
  • Avoid vendor lock-in. Unlike proprietary implementations, Advanced Authentication’s framework helps organizations avoid dead-end solutions and sunk costs held hostage by vendor lock-in solutions.

The foundation of Zero Trust – Identity and Access Management

With today’s sophisticated threats, thoughtful implementation of Zero Trust has the potential to make life much more complicated for criminals and other outsiders. In that identities is a core foundation to security, Identity and access management plays a massive role in that endeavor. 

About the Author
25 years experience in Identity and Access Management (before the term was coined). During that time, I've worked in a variety of capacities ranging from making it all work (technical services) to managing the production of various IAM products and services (product management) to writing about how identity/access solves today's business problems (marketing).
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.