This post is the fifth in a series examining how Zscaler supports the move to zero trust as defined by CISA.
Identity is core to the implementation of zero trust. The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust maturity model defines “identity” as “an attribute or set of attributes that uniquely describe an agency user or entity.” Being able to do this means being able to ensure and enforce that the right users and entities have the right access to the right resources at the right time.
Identity through context
Many people say that identity is the new perimeter, but that is an oversimplification. In fact, identity is a nexus for context - and context is the new perimeter. More than just tying credentials to a person, zero trust means verifying that the right person is using those credentials. A user can have all the right identity attributes, but still not be authorized for a requested action based on the entire circumstance. The identity pillar of the zero trust framework is about applying context to the credentials trying to access an application or system. With zero trust a number of factors are applied before access is granted. This may include
- Role – What does this person need to see based on their title and position?
- Device – Are they using a device that is associated with them? Managed? Compliant?
- Location – Is this person logging on from a plausible location? Are they logging on from DC one minute and China the next?
This deep look at the user moves zero trust beyond the traditional implementation of least-privileged access based solely on authentication. Additionally, a zero trust approach to identity addresses the complexities that are introduced as agencies migrate services to the cloud. Users now have identities among a variety of providers. For ease of access, these identities need to be integrated with on-premise identities in a way that does not increase the attack surface.
Identity management as a team sport
Zscaler supports zero trust identity management by consuming identity and context from existing Identity Credential Access Management (ICAM) solutions via Security Assertion Markup Language (SAML) and auto-provisioning via System for Cross-domain Identity Management (SCIM).
This approach meets the goals set forth in the Federal Zero Trust Strategy, asking agencies to centralize identity management systems, use strong multifactor authentication (MFA), and combine device and user data in authorizing user access.
Zscaler works seamlessly with identity systems, keeping authorization in those systems. Because Zscaler does not authenticate the users directly, it is not a viable attack surface for attackers seeking to acquire user credentials. Users are able to sign in once but be continually authorized as they access private applications in various locations.
Beyond protecting internal applications from unauthorized access, Zscaler also protects users from potentially malicious content. In-session monitoring allows for outbound traffic to be inspected and any threats intercepted. And identity-based zero trust policies around data protection can ensure that users with access to sensitive data have guardrails around what they can do with that information.
All of these protections are rooted in user identity and context. For IT teams, Zscaler’s rich policy framework enables agencies to get as granular as needed to manage access.