As long as I can remember, IT’s security strategy has been to create layers of protection. And while firewalls are still a de facto IT security practice, the reality is that many of the digital services consumed today are no longer within the safety of the corporate intranet. While some cloud-based services offer VPNs, they are typically accessed by users from a variety of locations, not just the office. Because we’ve reached a point where virtually all of our information is kept in a digital format, the stakes are higher today for all of us, users and organizations alike, than at any time before.
Introducing Zero Trust
This new paradigm of digital access is leading organizations to a Zero Trust model. Zero Trust is based on the idea that no access request should be automatically trusted but rather that the user requesting it should be verified. Of course, not all resources require the same level of identity verification. Someone accessing the cafeteria menu or general operational information doesn’t pose the same level of risk to the organization as someone accessing their customer, financial, or other types of sensitive information. So before Zero Trust can truly be pervasive or ubiquitous across an organization’s digital landscape, there has to be some level of intelligence controlling its applicability. Imposing a myriad of authentication requests is no more a solution than applying a static single sign-on layer across the entire environment. The former approach is unusable, while the latter increases exposure from hacked user accounts.
In the context of applying the right authentication type before responding to an access request, it’s important to point out that Zero Trust does not involve eliminating firewalls or any other kind of perimeter demarcation point. Instead, it leverages access control capabilities built into network segmentation and resource endpoints. This means that IT needs to think in terms of a new paradigm of security layers placed as close as possible to the protected resources. The big shift is that historically, those inside the firewall were subject to a lower level of identity verification than those on the outside, meaning that, to a certain extent, inside users were treated as privileged users or endpoints. Using a building analogy, Zero Trust is like putting a security guard at every door, hallway, and elevator, and even at each office entry. It’s under this archetype that static authentication falls down.
Making Zero Trust Livable
Once IT decides to adopt a Zero Trust model, the next to-do item is to develop an authentication strategy and shape how it’s implemented. If done without balance, Zero Trust will be a fast track to raised corporate risk, end-user dissatisfaction with repeated authentication requests, or both. But a well-planned approach will not only increase security but also maintain or even improve the user experience. To achieve this, IT needs to create a map of authentication levels to its network segments and service endpoints, defining where simple authentication is good enough, where multi-factor authentication needs to be brought in and, especially important, what authentication type to invoke. In this webinar on Advanced Authentication, Andras Cser, a principal analyst at Forrester, points out that Zero Trust places new authentication requirements on organizations, where the imposed friction needs to be as low as possible. In short, to be successful, Zero Trust requires single sign-on across the board, with low-friction multi-factor authentication inserted at the higher-risk points within the environment.
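As an added illustration of that mapping (example code, not from the post, NetIQ or Forrester), the following Python sketch assigns each service endpoint a required assurance level, treats single sign-on as the baseline, and steps up only with the lowest-friction method the user has enrolled; the paths, tiers and method ordering are constructed for the example.

```python
"""Added example: a minimal Zero Trust step-up policy.

Each endpoint is mapped to a required assurance level; a session that
already meets it passes straight through (SSO), otherwise the least
intrusive enrolled authenticator that closes the gap is requested.
"""
from dataclasses import dataclass, field

# Assurance levels carried by a session: 0 = unauthenticated,
# 1 = single factor established through SSO, 2 = multi-factor.
SSO_ONLY, MFA = 1, 2

# Constructed resource map: endpoint prefix -> required assurance level.
RESOURCE_TIERS = {
    "/cafeteria/": SSO_ONLY,        # low-risk operational information
    "/intranet/news/": SSO_ONLY,
    "/crm/customers/": MFA,         # customer data
    "/finance/": MFA,               # financial data
}

# Constructed authenticator list, ordered from least to most user friction,
# each with the assurance level it grants. FIDO2 comes first (passwordless).
METHODS = [("fido2", MFA), ("push_otp", MFA), ("totp", MFA), ("sms_otp", MFA)]

@dataclass
class Session:
    user: str
    assurance: int                                 # level already established
    enrolled: set = field(default_factory=set)     # authenticators available

def required_level(path: str) -> int:
    """Longest-prefix match against the resource map; unmapped paths fail closed."""
    matches = [p for p in RESOURCE_TIERS if path.startswith(p)]
    return RESOURCE_TIERS[max(matches, key=len)] if matches else MFA

def decide(session: Session, path: str, from_intranet: bool) -> str:
    """Return 'allow', 'step_up:<method>' or 'deny'.

    `from_intranet` is accepted but deliberately never consulted: under Zero
    Trust a request from inside the perimeter earns no lower verification bar.
    """
    need = required_level(path)
    if session.assurance >= need:
        return "allow"                             # SSO already suffices
    for method, grants in METHODS:                 # lowest friction first
        if grants >= need and method in session.enrolled:
            return f"step_up:{method}"
    return "deny"                                  # nothing enrolled can close the gap

if __name__ == "__main__":
    alice = Session("alice", SSO_ONLY, {"fido2", "totp"})
    print(decide(alice, "/cafeteria/menu", False))      # allow
    print(decide(alice, "/finance/ledger", True))       # step_up:fido2
```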
When looking at the variety of methods, of course, I’m going to recommend taking a standards-based perspective. FIDO2 is a great way to move away from passwords into a passive or low-touch model, and NetIQ Advanced Authentication is a great standards-based framework to plug them into. Beyond its extensive list of integrations, its robust framework has proven itself in a wide range of environments. Using a corporate-wide authentication framework provides compelling advantages over the typically siloed architectures that are so commonplace:
- It allows a single, ubiquitous set of policies for all authentication. This does more than just drive down administration overhead; it increases security by eliminating the uneven policies rampant in siloed implementations.
- Its standards-based open architecture gives organizations the freedom to implement authentication methods that best fit their environment and user requirements.
- It avoids vendor lock-in. Unlike proprietary implementations, Advanced Authentication’s framework helps organizations avoid dead-end solutions and sunk costs held hostage by a single vendor.
The foundation of Zero Trust – Identity and Access Management
With today’s sophisticated threats, thoughtful implementation of Zero Trust has the potential to make life much more complicated for criminals and other outsiders. Since identity is a core foundation of security, identity and access management plays a massive role in that endeavor.