Blog
Reading time 2 min
17 July 2024

Identity Management essential to any Zero Trust architecture

FuseLogic

Zero Trust is a modern approach to security based on the guiding principle “never trust, always verify”. But how can you implement Zero Trust, and what is the role of Identity Management in your future Zero Trust architecture? Our colleagues Joost Koiter and Richard Voorintholt took a ‘deep dive’ into the subject and wrote an article about it.

What is Zero Trust?

Zero Trust is a strategy rather than a solution or a technology. It means moving away from perimeter-based security, towards knowing exactly what needs protecting within your organization - and protecting that from the inside out. The concept of Zero Trust was introduced back in 2009 by John Kindervag. It was based on the idea that ‘trust’ should never implicitly follow from a particular network traffic zone alone. Any request to access any resource should always be verified.

Implementing a Zero Trust Architecture

Before looking at any technology, solution or architecture to implement Zero Trust, it is essential to first understand which of your organization’s assets need protection. Once identified, you will need to formulate a policy: who needs access, under what conditions, and with what security requirements. It is important to realize that this is an iterative process. It is not necessary to have every detail of your optimal policy available before you start your Zero Trust journey, but you will need at least a basic idea and starting point regarding your assets and access policies.

The next step is to start looking at how your IT infrastructure can move towards a Zero Trust architecture. To help with this, the US National Institute of Standards and Technology (NIST) drafted a reference architecture that consists of the following logical components:

Zero Trust core components

At the core of this logical architecture the enterprise resource (asset) is protected by a Policy Enforcement Point (PEP). The PEP manages and monitors the connection between the subject requesting access and the resource. It enforces the access decision made by the Policy Decision Point (PDP), which determines whether to allow or deny the subject access to the resource, and it should ideally be placed as close to the resource as possible. To make the access decision, the PDP considers the configured policies and leverages input from a number of other logical components that provide additional context: for example, identity information, information on the current state of the resource, threat intelligence, endpoint security, or activity logs.

Components of the Zero Trust architecture

Logical components in this architecture do not need to be unique systems. Some may be implemented in one single system while others may be implemented by combining multiple hardware and software components. Identity & Access Management (IAM) in combination with Identity Governance & Administration (IGA) typically implements part of the Policy Decision and Policy Enforcement as well as the ID Management, but can also provide Continuous Diagnostics and Mitigation (CDM), Threat Intelligence and Activity Logs inputs.

Identity is a key success factor for Zero Trust

Getting identity right is essential to any Zero Trust architecture. To enforce policies in Zero Trust, the Policy Engine needs to at least understand the identity of the subject requesting access to the resource, as well as which resources this identity is allowed to access. This is what IAM and IGA provide, which makes them key success factors in any Zero Trust journey. Zero Trust then builds upon the identity foundation by adding additional context to the access decisions.

For example: the identity of the subject can be known and the resource could be allowed for that subject, but if that subject starts downloading gigabytes of data all of a sudden, you would likely want to deny that access. So Zero Trust is more than just identity, but if you want your organization to be successful in its Zero Trust strategy, you will need to get identity done right!
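As an added illustration (this is not FuseLogic's code or the NIST reference implementation), the following Python sketch wires together the components described above: entitlements from IGA form the identity foundation, the PDP layers context signals (endpoint compliance, threat intelligence, activity-log volume) on top, and the PEP applies the verdict in front of the resource. The class and function names, the sample entitlements and the download threshold are assumptions made for the example.

```python
"""Minimal Zero Trust policy decision point (PDP) and policy enforcement point (PEP).

Added example, not the article's or FuseLogic's code. Names, sample data and the
bulk-download threshold are assumptions for illustration only.
"""
from dataclasses import dataclass, field

# Entitlements would normally be provisioned by IGA; constructed sample data here.
ENTITLEMENTS = {"alice": {"crm-db"}, "bob": {"crm-db", "hr-files"}}
BULK_DOWNLOAD_LIMIT_MB = 1024  # assumed anomaly threshold derived from activity logs


@dataclass
class Request:
    subject: str            # identity asserted by the IAM system
    authenticated: bool     # was the subject verified (e.g. MFA) for this session
    resource: str
    context: dict = field(default_factory=dict)  # CDM, threat intel, activity-log input


def decide(req: Request) -> tuple[str, str]:
    """Policy Decision Point: returns ('allow' | 'deny', reason)."""
    # 1. Identity foundation: who is asking, and may they reach this resource at all?
    if not req.authenticated:
        return "deny", "subject not verified"
    if req.resource not in ENTITLEMENTS.get(req.subject, set()):
        return "deny", "no entitlement for resource"
    # 2. Additional context narrows the decision further (never trust, always verify).
    if not req.context.get("device_compliant", False):
        return "deny", "endpoint not compliant (CDM)"
    if req.context.get("subject_flagged", False):
        return "deny", "threat intelligence flag on subject"
    if req.context.get("session_downloaded_mb", 0) > BULK_DOWNLOAD_LIMIT_MB:
        return "deny", "anomalous bulk download (activity logs)"
    return "allow", "policy satisfied"


def enforce(req: Request) -> dict:
    """Policy Enforcement Point: sits in front of the resource and applies the PDP verdict."""
    verdict, reason = decide(req)
    return {"subject": req.subject, "resource": req.resource, "verdict": verdict, "reason": reason}


if __name__ == "__main__":
    ok_ctx = {"device_compliant": True, "session_downloaded_mb": 12}
    # Same known identity and entitled resource; only the activity-log context differs.
    print(enforce(Request("alice", True, "crm-db", ok_ctx)))
    print(enforce(Request("alice", True, "crm-db", {**ok_ctx, "session_downloaded_mb": 4096})))
```

The second call is the article's scenario: the identity is known and entitled, yet the sudden multi-gigabyte download flips the verdict to deny.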

Learn more

Are you looking to get your identity done right and move towards a modern Zero Trust architecture? Contact us to learn how we can help you!

FuseLogic
Based on more than 15 years of experience, we have developed best practices to accelerate Identity Management projects. We deliver Identity Management solutions, but faster, easier and cheaper. This puts you quickly ‘in control’, with Identity Management following the speed of the business instead of the other way round.