Identity is the lynchpin of zero trust and the center of the new software-defined security perimeter in zero trust network access (ZTNA). It allows for successful authentication, validation to prove that a user is who they say they are, and authorization to dictate the resources a user or service sees in a zero trust environment. But without a modernized and automated identity management environment, your shiny, new ZTNA tools may not be much better than your old VPN.
I've met with many IT admins over the years and they've always struggled with getting the business on board for technology initiatives coming from IT. A zero trust transformation is no different. It is inherently IT-initiated, but the importance of getting it right lies in the business’ appetite for investment in their identity capabilities.
Many enterprises today rely on manually controlled directory groups (e.g, AD, Azure AD, etc.) to provide users with access to company resources, with a very small amount of "birthright" access used to automatically give day-one company-wide or department-wide access. User type (employee, contractor, etc.) and sometimes department (HR, Finance, IT, etc.) are the common attributes used to provide birthright access.
Anything outside of that initial access is typically requested and provisioned manually, which reduces productivity at the start of an employee’s tenure and increases data management risks as they change roles or simply no longer require access to the data.
Manually managing application and data authorization limits advances like Bring Your Own Identity (BYOI) programs for third parties and increases risk with business-enabling technologies like data catalogs and enterprise search.
Overcoming the challenges of manual identity access management (IAM) starts with the source of truth: the Enterprise Resource Planning (ERP) platform. The ERP will maintain (among other things) a database of users, roles, and their attributes and synchronize that with the enterprise's IAM platform. The company’s HR department is typically charged with managing the “people” content within the ERP and part of HR’s performance should be measured against a correct, complete, and normalized data set across the company. Ideally, the ERP is a single system with no additional instances or systems overlapping with data or responsibility.
From here, the business determines the extent of how the IAM system governs access, typically through role-based access (RBAC), attribute-based access (ABAC), or a combination of the two. Advanced IAM implementations may integrate with the enterprise MDM (master data management) platform to help define access policies. If done successfully, the employee information and associated role gathered with the job application will be used to dictate resource access without any manual intervention upon employment.
One of my large customers was going to the extreme to provide automated, secure data access by documenting every action and task performed by each role (person or machine) in the enterprise. Those were then mapped to "personas" while defining access to perform those actions by roles and user attributes. A broad inventory of user information was being gathered, going as far as education and industry certifications to be able to define granular, auditable access policies. Each application and data owner had the responsibility to ensure that all resources were protected by the appropriate personas and allowed actions by each. This massive undertaking could only have been driven by the business, not by IT alone.
The IAM platform consumes the roles and user attributes fed down from the ERP. As the user authenticates to an application, IAM functions determine if the user matches the required persona. The Zero Trust platform comes into the picture via the presentation of the application using the same roles and attributes rules. It establishes trust based upon the user identity and context—such as the user’s location, the security posture of the device, and the app or service being requested—with policy serving as the gatekeeper every step of the way. If there is a match, the user can access it, otherwise, the application is invisible, hidden by the authentication and authorization perimeter.
It is important to note that there’s still a use case for manual provisioning, but only at the role level to support third-party BYOI type access. That role assignment should be time-based, with an attestation process to ensure that access is not kept past its required purpose.
Having a centralized and automated authorization entitlement platform dramatically reduces risk to the enterprise and simplifies auditing procedures.
- Ensures only the right people and services have access to data
- Removes the risk of stale resource access as employees change roles and responsibilities
- Reduces the risk of conflicts of interest
- Enables advanced governance capabilities such as using machine learning to alert for abnormally wide access or atypical roles and attribute holders
Implementing, let alone retrofitting an enterprise identity and access management, must be a business-sponsored program and it takes significant cross-departmental commitment and cooperation. Leaving this for “IT to fix” is doomed to fail.
Zero trust network access provides secure services for people and services. Your customers, contractors, their devices plus your IOT and OT endpoints will number in the billions. Consider how your current IAM strategy will cope with those numbers and turn to as much automation as possible.
What to read next
Identity-Based Microsegmentation is Foundational to Cloud Security: Don’t Get Spoofed