​Zero Trust Approach: Elevating Secure Identity and Access Management

In a digital landscape where the term “Zero Trust” (ZT) seems both everywhere and elusive, it can be difficult to separate the wheat from the chaff. CSA’s Zero Trust Training (ZTT) series provides clarity and gives you the knowledge and skills necessary to implement and execute a strategy for ZT. Here, we'll cover the intersection of two important concepts in cloud security: Zero Trust and Identity and Access Management (IAM).

What is Zero Trust?

ZT is a strategic mindset that is highly useful for organizations to adopt as part of digital transformation and other efforts to increase their security and resilience. ZT is easily misunderstood and over-complicated because of the conflicting messaging within the security industry, and from the lack of established standards. In fact, ZT is based on long-standing principles that have become more critical because of changes in the way we work and live; remote workers, increased reliance on third parties, and the adoption of the cloud to name a few.

ZT principles and practices are designed to reduce cyber risk in today’s dynamic IT environments. As a security model, ZT requires strict authentication and verification for each person, device, or service trying to access an IT resource, regardless of whether it is inside or outside the physical network perimeter.

A key thing to understand about ZT is that it is not a prescriptive architecture or a single product. It is a strategy and a series of guiding principles that inform architectural and procurement decisions. This enables organizations to design from the inside-out, based on their specific business requirements, assets, risks, and priorities.

How Does Zero Trust Apply to IAM?

Authentication and authorization are pivotal to understanding IAM within the context of ZT. These two steps are sequential and dependent on each other, along with other factors. Authentication is when an entity (human, animal, object, device, network, application, database, process, service, etc.,) proves that it is who it claims to be. You can think of this as a security guard checking your ID. If two forms of identification were needed, the security guard would then prompt you to produce your passport or birth certificate. This is roughly the same concept as multi-factor authentication (MFA). By using MFA, authentication is strengthened by introducing additional security barriers and is, therefore, harder to compromise.

The next step after an entity passes authentication is authorization. This is the step where access to the requested resources will either be granted or denied, and it’s exactly where ZT comes in. ZT is based on the concept of “never trust, always verify”. Just like MFA strengthens authentication, ZT strengthens authorization by adding context awareness to the attributes that enable authorization to take place. In ZT, an access request is not assumed to be trustworthy based on its location, network, or asset ownership. Instead, it’s explicitly verified using multiple factors (the entity making the request, behavior, biometrics, cryptographic signature verification, location, device health, and operating system health), with each factor (ideally) understood to a known level of confidence.

ZT is a technology-agnostic guidance framework to bring controls (policy enforcement points) closer to the asset being protected (the protect surface). From an IAM perspective, it offers the increased capability of risk-based decisions to grant access, instead of granting access based purely on the binary trust of a single access control method.

Use Case Examples

Remote Access

Remote access is the new normal way of working. Remote access users include (but are not limited to) employees, contractors, temporary staff, suppliers, etc. Remote access also opens the possibilities for lateral movement via compromised access controls. Using ZT, administrators can define policies such that remote workers only access the applications and resources they are authorized for. This reduces the attack surface that is available to remote workers.

The attack surface can also be reduced with device authentication before granting access to users. Device authentication relates to ZT’s “verification before granting access.” Administrators may also integrate opportunistic MFA with their ZT controls for behavior analysis and geofencing.

Third-Party Service Providers with Remote Access

Administrators can leverage ZT policies to authenticate third-party users and their devices to determine the required access privileges for resources while hiding all other assets to prevent any lateral movement. This helps reduce the attack surface for any supply chain risk materialization.

Staff Access to Assets in Hybrid Environments

Staff access to root accounts for cloud services such as AWS and Azure should be tightly controlled. Lack of awareness or speed to market may make staff miss out on controls like configuring MFA for such resources. Administrators can configure ZT policies for these accounts and subscriptions, thus ensuring that the same policies are applied to all accounts. In addition, these accounts and subscriptions remain hidden behind the policies, reducing visibility in the public domain and reducing the attack surface.

Conclusion

The traditional strong perimeter model is no longer sufficient to effectively secure resources or manage access. With Zero Trust, the paradigm shifts from a binary trust to an adaptive authentication and authorization model. ZT principles, when applied, can provide a robust protection plan that is dynamic and agile. Furthermore, by utilizing these principles, organizations can reduce their attack surface, minimize the risk of breaches, and enable a more productive and flexible workforce.

Thoroughly explore all Zero Trust principles by taking CSA’s self-paced Zero Trust Training (ZTT) and earning your Certificate of Competence in Zero Trust (CCZT).