Implementing Zero Trust may seem daunting, but the good news is that you are probably farther along than you think. In this blog series, we’ll look at the key factors to consider when implementing a Zero Trust framework.
Zero Trust is not a new concept. When the first mainframes were developed 60-70 years ago, they had the structure for Zero Trust (“never trust, always verify”) built into them. They came to you completely shut down and you granted access to open them up. Today, if you buy Microsoft Windows, it comes to you wide open, and it is up to you to shut down access.
Over the years, access has evolved. In the ‘80s, access was all about “single sign-on”: I bring you in and you can access everything seamlessly. Today, security teams need to protect fast-growing numbers of endpoints as companies embrace cloud and edge computing. Zero Trust enables organizations to meet rapidly changing business needs while maintaining secure control over critical assets.
In the Zero Trust industry discussions, we see so much focus on the authentication piece but very little on the authorization. Access is authorization. At every step, as the user touches something different, you need to ask, “Who are you?” Also, “what’s your role? Why are you asking for this data? Do you really need this data? Should I give it to you? Or can I give you access to a managed device during an annual operational planning event?”
Identity verification should be both authentication and authorization.
Close Gaps in Your Identity Fabric
At the recent Gartner Identity & Access Management Conference, we were often asked, “What can I do to implement Zero Trust?” The good news is that you have probably already completed most of your implementation. You just need to figure out where there are gaps in your identity fabric and fill them in.
An identity fabric is a comprehensive set of identity services. Modern applications and modern environments have stretched the systems in this fabric so that there are now gaps. When gaps exist, you lose Zero Trust. Hybrid and multi-cloud architectures, combined with distributed workforce operations, create a perfect storm of identity verification challenges that put sensitive data at risk. Federated identity fabric platforms, with MFA in place, can help control authentication. The next piece of the puzzle is adding granular authorization. You need to enhance or modernize current systems to handle the pieces that they’re not doing today.
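The sequence of questions from the earlier paragraph (who are you, what is your role, why do you need this data, are you on a managed device, is there a business event that justifies the request) and the “MFA for authentication, then granular authorization” split described here can be written as a small policy decision point. The code below is an added example, not Broadcom Software code or any vendor’s API; the request fields, the policy table, the event calendar and the function names are assumptions chosen for illustration. Authentication is checked first but grants nothing on its own, and every authorization question is a separate check that ends in a deny-by-default.

```python
"""Policy decision point that asks the authentication and authorization
questions separately and denies by default.

Added example, not Broadcom code: the request fields, the policy table, the
event calendar and the function names are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    authenticated: bool    # "who are you?" answered by a primary credential
    mfa_passed: bool       # second factor completed for this session
    role: str              # "what's your role?"
    resource: str          # what is being touched
    purpose: str           # "why are you asking for this data?"
    device_managed: bool   # is the request coming from a device we control?
    requested_on: str      # ISO date "YYYY-MM-DD"; ISO strings compare correctly


# Constructed policy table (assumption): per resource, the roles allowed, the
# purposes accepted and whether a managed device is mandatory.
POLICY = {
    "hr-salary-data": {
        "roles": {"hr-analyst", "finance-lead"},
        "purposes": {"payroll-review", "annual-planning"},
        "managed_device_required": True,
    },
    "public-wiki": {
        "roles": {"*"},
        "purposes": {"*"},
        "managed_device_required": False,
    },
}

# Constructed event calendar (assumption): a purpose tied to a business event
# is only acceptable inside that event's window.
EVENT_WINDOWS = {
    "annual-planning": ("2024-10-01", "2024-10-31"),
}


def evaluate(req, policy=POLICY, events=EVENT_WINDOWS):
    """Return (allowed, reasons). Each question is a separate check, and the
    first failed check ends the evaluation with a denial."""
    # Authentication comes first, but passing it grants nothing by itself.
    if not (req.authenticated and req.mfa_passed):
        return False, ["authentication incomplete: MFA required"]
    rule = policy.get(req.resource)
    if rule is None:
        return False, [f"no policy for {req.resource}: default deny"]
    # Authorization, question by question.
    if "*" not in rule["roles"] and req.role not in rule["roles"]:
        return False, [f"role {req.role} not permitted on {req.resource}"]
    if "*" not in rule["purposes"] and req.purpose not in rule["purposes"]:
        return False, [f"purpose {req.purpose} not accepted for {req.resource}"]
    reasons = []
    if req.purpose in events:
        start, end = events[req.purpose]
        if not (start <= req.requested_on <= end):
            return False, [f"purpose {req.purpose} is outside its event window"]
        reasons.append(f"purpose {req.purpose} is inside its event window")
    if rule["managed_device_required"] and not req.device_managed:
        return False, [f"{req.resource} requires a managed device"]
    reasons.append("authentication and all authorization checks passed")
    return True, reasons


if __name__ == "__main__":
    # Constructed request: a finance lead reading salary data during planning season.
    req = AccessRequest("dana", True, True, "finance-lead", "hr-salary-data",
                        "annual-planning", True, "2024-10-15")
    print(evaluate(req))
```

The point of returning the reason alongside the decision is that a denial tells you which part of the fabric is missing: a request that fails on device posture or purpose is a gap in authorization, not in authentication, and that is where the modernization effort belongs.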
A comprehensive identity, credential, and access management (ICAM) policy emphasizes the value of a cohesive Identity Fabric and a single, unified identity for every user that spans across on-premises and cloud applications.
Manage Cloud Challenges
Most organizations began their Zero Trust journey with their on-prem assets, but now have rapidly integrated resources to cloud and multi-cloud environments. While federated identity structures have helped ease this expansion to the cloud, this change is not without its challenges. When you’re spinning up new environments, it’s hard to get those federations built rapidly. Hybrid and multi-cloud ecosystems add a new layer of complexity to identity and access management.
When expanding to the cloud, consider, “How can we manage these cloud assets and apply controls to gain visibility and governance over them?” This challenge is even more difficult in a hybrid environment because organizations are trying to maintain old control frameworks. It’s a good time to evaluate these controls and ask, “Is this control still relevant? And if it’s still relevant, is it designed correctly, or do we need to redesign it?” Redesigning controls is necessary to unlock the benefits of the cloud. The paradigm of enterprise computing is undergoing a sea change and you need to be agile and able to adjust to it.
Monitor Roles in Verification
Take a step back and think about Zero Trust as a journey. If you have a unified identity across all services, you are far along even if you are not yet doing continuous monitoring. Continuous monitoring is critical for identity verification and access control. It helps verify user identity not just by asking the user to keep authenticating, but by watching user behavior to see if it is normal or anomalous.
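To make the “watch behavior rather than keep re-prompting” idea concrete, the following added example (not Broadcom Software code) builds a per-user baseline from a handful of constructed access events and scores a new event against it. The event fields (hour, country, device identifier), the point weights, the 60-minute re-verification age and the allow / step-up / deny thresholds are all assumptions made for illustration; a real deployment would tune them from its own telemetry.

```python
"""Continuous identity verification from observed behavior.

Added example with constructed events; the field names, weights and
thresholds are assumptions, not a vendor's detection logic.
"""
from collections import Counter, defaultdict

# Constructed history: (user, hour of day 0-23, country, device id).
HISTORY = [
    ("alice", 9, "US", "dev-a1"),
    ("alice", 10, "US", "dev-a1"),
    ("alice", 14, "US", "dev-a1"),
    ("alice", 16, "US", "dev-a2"),
    ("alice", 11, "US", "dev-a1"),
    ("bob", 22, "DE", "dev-b1"),
    ("bob", 23, "DE", "dev-b1"),
    ("bob", 21, "DE", "dev-b1"),
]


def build_baseline(events):
    """Per-user profile: countries and devices seen, plus a histogram of active hours."""
    profile = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": Counter()})
    for user, hour, country, device in events:
        p = profile[user]
        p["countries"].add(country)
        p["devices"].add(device)
        p["hours"][hour] += 1
    return dict(profile)


def score_event(profile, user, hour, country, device, minutes_since_verify):
    """Return (score, signals). A higher score means less confidence that the
    session is still driven by the person who authenticated."""
    p = profile.get(user)
    if p is None:
        # No baseline at all: nothing to compare against, so treat as maximal risk.
        return 100, ["no behavioral baseline for user"]
    score, signals = 0, []
    if country not in p["countries"]:
        score += 40
        signals.append(f"new country {country}")
    if device not in p["devices"]:
        score += 30
        signals.append(f"unseen device {device}")
    # Off-hours: neither this hour nor an adjacent one has ever been active.
    if not any(h in p["hours"] for h in (hour - 1, hour, hour + 1)):
        score += 20
        signals.append(f"unusual hour {hour:02d}:00")
    if minutes_since_verify > 60:
        score += 10
        signals.append("session verification older than 60 minutes")
    return score, signals


def decide(score):
    """Map a risk score to an access decision; step-up means re-verify, not deny."""
    if score >= 70:
        return "deny"
    if score >= 30:
        return "step-up"
    return "allow"


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    # Constructed new event: alice at 03:00 from a new country on an unseen device.
    score, signals = score_event(baseline, "alice", 3, "BR", "dev-x", 120)
    print(decide(score), score, signals)
```

The step-up band is the part that matters for Zero Trust: a single unfamiliar device does not end the session, it triggers fresh verification, while several signals at once do deny. Feeding the scorer from an event stream rather than from a static list is the difference between point-of-entry checks and continuous monitoring.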
Organizations should take a unified approach to identity management to support Zero Trust and enable continuous identity verification. They can do this by investing in solutions that verify users’ true identities rather than simply verifying their credentials for an individual point of entry into the network.
When it comes to identity verification and authorization for Zero Trust implementation, there is no finish line. There will always be a new platform or new environment that creates another challenge. Zero Trust is not about relying on a list of capabilities on a piece of marketing literature. Instead, it always comes down to investing in the right policy and solutions for your evolving environment.
Let Broadcom Software be a trusted software partner to help you navigate throughout the Zero Trust process.
We encourage you to share your thoughts on your favorite social platform.