Seems Zero Trust Security is having a moment! It took a long time for this important security concept to get people’s attention, however along with this upsurge in attention has been an upsurge in hype and a rush to reposition every product and solution as a key component of Zero Trust. In many cases this is a stretch. In some cases we’re talking Slinky Dog stretchy. In the case of Identity Governance and Administration (IGA) however, it’s actually spot on.
Zero Trust Security is an approach to information security that demands organizations use strict identity verification for all users or devices attempting access from inside or outside of their security perimeter. This is a dramatic shift from previous security models such as defense in depth which focused primarily on preventing attacks from outside the firewall. This approach left organizations vulnerable to insider threats and also provided attackers with free reign if they were able to penetrate the perimeter.
In addition, that security perimeter that was the focus of previous security models no longer exists! Today’s organizations have applications and data deployed on premise and across multiple cloud services, they have user populations that demand access to information from any location and any device, and they face more sophisticated and numerous attacks. This means that the new security perimeter is Identity and IGA has emerged as the key to a successful Zero Trust approach.
A robust IGA program provides the foundation for zero trust and makes it possible to implement a Zero Trust security model without increasing the burden on your already over-worked IT support team. Perhaps even more importantly it can reduce the impact to your business that can be caused by tightened security policies.
One of the key benefits of an IGA program is that it allows you to engage business users in access decisions and governance processes. This is important to zero trust for a few reasons. One is that IGA is able to provide the critical Identity information and business context needed to make accurate and effective decisions in a zero trust model. This includes who users are, what their relationship is to the organization, what access they should be allowed to hold, and what access they actually hold. This provides the ability for zero trust components to verify that users are who they say they are and to identify exceptional or privileged access which demands higher scrutiny or stepped up authentication.
IGA can also reduce the impact of zero trust on your users by balancing stricter security controls with the ability to engage users when their access or their employee’s access is disrupted. A good zero trust implementation is great for detecting and stopping malicious activity. It can detect unusual access patterns and take immediate action to deny access and disable accounts before it’s too late. That’s great! But what if the user’s access is valid but their account was compromised? The user still needs access. How does that user get their access restored? What if the user really was acting maliciously? How do you ensure that their other access rights are terminated or at least disabled? One way is to trigger a remediation action in your IGA solution when an incident occurs. This can include sending a simple notification to the user’s supervisor, triggering de-provisioning actions, or starting a micro-certification. A micro-certification is a targeted review of a user’s access which gives their supervisor or other designated person the ability to review and correct any access discrepancies.
I’ve recorded a couple of videos to demonstrate how Micro Focus IGA engages business users and balances zero trust security as discussed above. The first video shows our Decision Support features:
The second demonstrates our Continuous Compliance capability.
In summary, you could say that IGA provides the “business brain” for zero trust security. So implementing zero trust without IGA might be a real no-brainer. If you are considering a zero trust security model make a smarter choice and also consider the benefits that the industry leading Identity Governance and Administration solution from Micro Focus can provide to your organization.
Identity & Access Mgmt