Beyond perimeter protection: Identity and access management in the zero trust model
The term "Zero Trust" was coined in 2010 by Forrester Research analyst John Kindervag. Alongside thorough asset management and established analytical capabilities, identity and access management (IAM) plays a key role in putting it into practice.
Zero trust is neither a technology nor a project with a finish line. Rather, it is a guiding principle for the overall cybersecurity direction of an organization. True to the motto "Do not trust anyone", the name says it all. A company's assets worth protecting, above all its data, must of course be available to employees as they create value, but at the same time they must be protected against unauthorized access.
The usual answer to this problem is nested protective walls: firewalls, intrusion detection and prevention systems, network segmentation and much more. Yet there are always weak points in such a security architecture, and in the end the security of the company, its assets and its data still rests on trusting people. In a perfect zero trust environment, this susceptibility to error and malicious intent would not exist.
In reality, that final state is hardly achievable; the IT infrastructures of large companies are far too complex for that. Perimeter protection that relies on securing network access and end devices is nevertheless no longer up to date, as more and more attacks also originate inside the company. Turnover in external staff, the use of public clouds, countless machine accounts and IoT devices, and the partial or full use of private end devices (keyword "bring your own device") make it ever harder to guarantee sufficient security through perimeter protection alone. The concept is therefore approached with well thought-out technologies and processes, such as an IAM and thorough security information and event management (SIEM).
In a 2020 report, Forrester breaks zero trust down into five dimensions: users, devices, workloads, networks and data. The main focus is on users and data. Users should be able to access the data they need in the company; which device, application and network they use, and in which context, is of secondary importance. Securing every context point (devices, networks, applications) exhaustively cannot, as described above, deliver sufficient security on its own. Instead, the focus should be on strong, secure authentication to grant the right users access on the one hand, and on a clear classification of the criticality of the data on the other.
At this point, a well thought-out and consistently implemented IAM plays an important role. To ensure that only authorized employees have access to valuable company resources, clear processes are required for assigning and withdrawing rights. The "need-to-know" principle familiar from IAM (closely related to least privilege) holds that every employee should receive only the minimum set of authorizations needed to perform their tasks. In addition, regular controls are critical to success, because "Trust is bad, control is better" is another guiding principle of the zero trust model.
To improve security in IAM, companies should also adopt newer authentication technologies. A large share of security incidents in companies trace back to internal user accounts whose passwords have been exposed, so a correctly entered password alone is no longer sufficient proof of identity. Methods such as multi-factor authentication, biometrics and certificates strengthen authentication considerably. Single sign-on (SSO) does not add a factor by itself, but it concentrates authentication at one point where those stronger methods can be enforced consistently and reduces the number of passwords in circulation.
Clear asset management is required to get an overview of the data worth protecting in the company. Classifying all data into criticality levels enables extended, context-based management of access. Attribute-based authorizations can then be assigned in the IAM which, for example, restrict write access to important files if the user has not logged in via the company network. Integrating this context information enables an evolution of the IT security architecture: the intensive protection of networks and devices takes a back seat, and strong authentication takes on the role of gatekeeper. This allows users to work from home or on their own devices without opening additional security gaps.
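The following Python snippet is an added example, not code from the article or from any IAM product, showing how a context-based (attribute-based) access decision of the kind described above can be expressed. The classification levels, role names, resource names and the policy thresholds (MFA for anything above public data, corporate network required to write confidential data, managed device plus corporate network for restricted data) are assumptions chosen for the illustration; the sample resources and sessions are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Tuple


class Classification(IntEnum):
    """Data criticality levels; a higher value means more sensitive data."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Resource:
    name: str
    classification: Classification
    need_to_know: FrozenSet[str]  # roles entitled to this resource at all


@dataclass(frozen=True)
class Context:
    """Signals about the requesting session; the user name alone decides nothing."""
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool
    corporate_network: bool
    managed_device: bool


def decide(ctx: Context, res: Resource, action: str) -> Tuple[str, str]:
    """Return (decision, reason), where decision is 'allow' or 'deny'.

    Deny by default: each rule only narrows what the static entitlement grants.
    The thresholds below are a hypothetical policy chosen for this example.
    """
    if action not in ("read", "write"):
        return "deny", "unknown action"
    # 1. Static entitlement (need-to-know): no role match, no access at all.
    if not (ctx.roles & res.need_to_know):
        return "deny", "no entitlement for " + res.name
    # 2. Strong authentication is the gatekeeper for anything beyond public data.
    if res.classification >= Classification.INTERNAL and not ctx.mfa_verified:
        return "deny", "MFA required for " + res.classification.name + " data"
    # 3. Context narrows the permission further the more critical the data is.
    if res.classification == Classification.RESTRICTED and not (
        ctx.managed_device and ctx.corporate_network
    ):
        return "deny", "RESTRICTED data only from a managed device on the corporate network"
    if (
        res.classification == Classification.CONFIDENTIAL
        and action == "write"
        and not ctx.corporate_network
    ):
        # The article's example: off-network sessions keep read access but may not write.
        return "deny", "write to CONFIDENTIAL data requires the corporate network"
    return "allow", "entitled and context requirements met"


# Constructed sample data for the demonstration (not from any real system).
PAYROLL = Resource("payroll-2021.xlsx", Classification.CONFIDENTIAL, frozenset({"finance"}))
HR_FILES = Resource("hr-investigations/", Classification.RESTRICTED, frozenset({"hr"}))
INTRANET = Resource("intranet-news", Classification.PUBLIC, frozenset({"finance", "hr", "staff"}))

HOME_OFFICE = Context("alice", frozenset({"finance"}), mfa_verified=True,
                      corporate_network=False, managed_device=True)
IN_OFFICE = Context("alice", frozenset({"finance"}), mfa_verified=True,
                    corporate_network=True, managed_device=True)
NO_MFA = Context("alice", frozenset({"finance"}), mfa_verified=False,
                 corporate_network=True, managed_device=True)
BYOD_HR = Context("bob", frozenset({"hr"}), mfa_verified=True,
                  corporate_network=True, managed_device=False)


if __name__ == "__main__":
    for ctx, res, action in [
        (HOME_OFFICE, PAYROLL, "read"), (HOME_OFFICE, PAYROLL, "write"),
        (IN_OFFICE, PAYROLL, "write"), (NO_MFA, PAYROLL, "read"),
        (BYOD_HR, HR_FILES, "read"), (HOME_OFFICE, HR_FILES, "read"),
        (BYOD_HR, INTRANET, "read"),
    ]:
        print(ctx.user, action, res.name, "->", decide(ctx, res, action))
```

The ordering of the rules is the point: the static entitlement (who has a need-to-know) is checked first, then strong authentication, and only then do device and network act as additional constraints. Network location never grants access by itself; it can only take a permission away that the identity already holds.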
Last but not least, access, login attempts, data access and changes should continue to be monitored. A connection to a SIEM system helps to evaluate unusual contexts, such as a user who first logs in from the company network and shortly afterwards from a network on the other side of the globe. Despite close-knit security measures there are always exceptions, and these need to be recorded and monitored very carefully.
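As an added example (not part of the article, and not the logic of any particular SIEM product), the following Python code implements the "impossible travel" check just described: consecutive logins of the same user are compared, and a pair is flagged when the implied travel speed between the two geolocations exceeds what an aircraft could manage. The log lines, IP addresses and coordinates are constructed; in practice the coordinates would come from a GeoIP lookup on the source address. The 900 km/h speed limit and the 50 km floor that ignores geolocation jitter are assumed thresholds.

```python
import math
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample log (not real data): timestamp, user, source IP, latitude, longitude.
# alice: Berlin at 08:02, then Sydney 39 minutes later.  bob: Berlin, then Paris 4h20 later.
SAMPLE_LOG = """\
2021-03-02T08:02:11Z alice 10.20.30.40 52.52 13.41
2021-03-02T08:40:55Z alice 203.0.113.7 -33.87 151.21
2021-03-02T09:10:00Z bob 10.20.30.41 52.52 13.41
2021-03-02T13:30:00Z bob 198.51.100.9 48.86 2.35
"""


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_log(text: str) -> List[Dict]:
    """Parse whitespace-separated login events; timestamps are UTC with a trailing Z."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, lat, lon = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user,
            "ip": ip,
            "lat": float(lat),
            "lon": float(lon),
        })
    return events


def impossible_travel(events: List[Dict], max_speed_kmh: float = 900.0,
                      min_distance_km: float = 50.0) -> List[Dict]:
    """Flag consecutive logins per user whose implied speed exceeds max_speed_kmh.

    Pairs closer than min_distance_km are ignored so that GeoIP jitter inside one
    city does not raise alerts. Two distant logins at the same instant get an
    infinite speed and are flagged rather than dividing by zero.
    """
    by_user: Dict[str, List[Dict]] = {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < min_distance_km:
                continue
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
            speed = float("inf") if hours <= 0 else dist / hours
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from_ip": prev["ip"],
                    "to_ip": cur["ip"],
                    "distance_km": round(dist),
                    "minutes": round(hours * 60),
                    "speed_kmh": speed,
                })
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(parse_log(SAMPLE_LOG)):
        print("impossible travel:", alert)
```

Only alice is reported: Berlin to Sydney in 39 minutes cannot be travel, while bob's Berlin to Paris pair works out to roughly 200 km/h and passes. A real SIEM rule would also exclude known VPN egress points and corporate proxies, since those legitimately place a user on the other side of the globe in an instant.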
IAM remains a critical topic in cybersecurity and makes an extensive contribution to protecting valuable company resources. With emerging developments in quantum computing and artificial intelligence as well as the increase in working from home, IAM will remain one of the most important levers for corporate cybersecurity in the future.