Paranoid or pertinent? Why the time is right to take a zero trust approach to security
- 18 November, 2019 14:57
Zero trust is a regular topic of conversation for most CSOs today. At its core, zero trust is based on the principle of maintaining diligent access control for all users of network and systems resources. In itself, that sounds like nothing new, but with it comes a renewed focus on understanding and managing that access at a much finer level of detail.
At the centre of any question relating to access control is the critical concept of trusted identity and the need to truly understand the access that is being requested, provisioned, and used over time. This, therefore, means having strong authentication, fine-grained authorisation, good lifecycle administration, and excellent audit and control mechanisms. In short, it means getting IAM, right!
What does it mean to have a zero trust security model?
The first principle of zero trust is removing the assumed protection of the “private network" – you'll often hear people use the term "assume network compromise”, meaning accept the fact that you no longer have complete control over your network. This does not mean opening the door to the bad guys, but accepting the fact that the adversary can and likely will get “network access” to your applications and data. Today’s network perimeter has expanded way beyond the LAN and now includes remote people, applications, and cloud services that span the globe. This means whether someone is accessing IT from their desk, a coffee shop, or Antarctica, nothing should change as far as trust goes.
The role of identity governance in zero trust
Having a robust identity infrastructure gives organisations the ability to build a more dynamic and identity-aware environment. Robust administration processes and accurate governance are the bedrock of identity and access management. Having a truly trusted source of controls and oversight is required to ensure that stronger authentication and deeper authorisation are delivered promptly. The process of ensuring that the right accounts, entitlements, and attributes are in place is where identity governance and administration come into play. This allows organisations to control the lifecycle of the very policies and data that now drive this ongoing process.
Zero trust truly is a way of thinking, an approach not a specific product or single solution. The entire concept strives to challenge every organisations to think differently about how they build applications, networks, and security controls. It means placing identity at the centre of the security architecture and truly understanding who should have access to what and how that access is being used. Identity governance plays a central role in delivering on that vision, providing a security architecture that is more real-time, more contextual, and able to predict, understand and manage appropriate access in the new world of zero trust.