You want to begin implementing zero trust security at your organization, but where do you start?
Fortunately, because zero trust security isn’t provided by a single solution or product but is instead an ongoing methodology, your organization may already have some of the pieces in place to adopt a zero-trust stance. And if not, there are clear stages detailed in this article to build a zero-trust framework that serves as the roadmap for your organization’s journey to better security and greater efficiency.
It all starts with identity.
Stage 0: Fragmented Identity
Most organizations exist in this pre-zero trust stage not because they’ve ignored security concerns but because Microsoft’s Active Directory has been the default enterprise directory service for the past two decades, used by administrators everywhere to manage permissions and access to network resources.
This kind of directory worked exceptionally well in an enterprise that uses a traditional perimeter-based security system, with a wall around a local network where employees are at their desks, log into their workstation, and subsequently have access to all the files, applications and data they need on the network. In that kind of system, the assumption is that you’re trusted if you have the password and are inside the network.
Today, however, we use cloud-based applications and data storage with their own logins. Users access resources from a wide variety of endpoints, whether they’re working remotely or simply using a mobile device as part of their work. Malicious actors have developed sophisticated methods that render traditional password protection ineffective. Password fatigue across applications and a lack of employee security awareness have led to people using easy-to-crack passwords, reusing the same password across multiple accounts, and emailing co-workers the password to access a resource or application.
Today’s environment lends itself to the rise of the zero trust model. It assumes that external and internal threats exist at all times and that simply being local on the network isn’t enough to trust that user or device. So, zero trust relies on identity, and continuous verification of that identity, for permissions and access across all network resources. Identity management and continuous verification require a unified user directory across all applications.
Stage 1: Unified Identity and Access Management
If you have a unified identity and access management (IAM) system in place, then you already have the foundation on which to build a zero-trust environment. When we talk about identity as the foundation for zero trust, we’re talking about three key pieces of knowledge: Who are your users? What do your users access? What are they doing with that access?
IAM reduces potential attack points for malicious actors by consolidating all users into a central directory. Now you know every user who has access to the system, what they have access to and when they’re using it. A unified system with a single sign-on (SSO) also eliminates the issue of users having different logins for Active Directory and applications like SalesForce, Trello, BambooHR, and other cloud-based applications. Signing in once and having all appropriate access available not only makes managing security easier, but it’s a relief for users and makes it easier for them to do their jobs.
Another common occurrence ameliorated by a unified IAM is mergers and acquisitions. When companies merge, the IT department is suddenly faced with two separate directories, which can become an unwieldy organizational barrier to security and general operations alike. Integrating into a single directory takes a lot of time, and managing two domains can become a black hole for your IT team. With a unified IAM, you have multiple options on how to manage this scenario while keeping in place the security needed to protect your assets.
Finally, your IAM system will allow you to deploy multi-factor authentication (MFA). Whether you choose to use push notification, SMS notification, a one-time phone call, or another option, you can add this extra layer of authentication whenever the system flags an access request or action.
Stage 2: Contextual Access and Automated Provisioning
Policies that track behavior and detect changes that call for MFA are the next stage of building a zero-trust environment. For instance, a user based in Chicago logs in from Los Angeles. In a traditional perimeter-based system, this wouldn’t matter, and the login would continue unabated. But with a zero-trust system, the change in context is something that would be covered by a policy created specifically to meet your organizational needs.
If this is a user who regularly travels for work, maybe you have a policy that doesn’t trigger MFA for this scenario. Or you can choose to have that extra authentication, to be doubly sure. Velocity matters, too. If that user logged in from Chicago that morning, but the login from Los Angeles only happens a few hours later, that can be flagged as suspicious and require MFA.
Related to this contextual access is automated provisioning and de-provisioning, made possible through your unified IAM and the policies you create. If a user account is created for a new hire in the sales department, your system can provide the least privileged access needed for their first day on the job — their email account, appropriate files and folders, and applications shared by members of that department.
If the user moves to another department, that change will deprovision their access to the sales folders and applications and add the appropriate access to their new department. Finally, an employee who leaves the organization can have all access revoked without losing the important data and history attached to that account.
Stage 3: Adaptive Workforce
Although considered the final stage of zero trust, it’s important to remember that zero trust is not a goal that, once achieved, exists in perpetuity. Zero trust is an ongoing methodology. New efficiencies, like passwordless authentication, become available often as technology advances. With a solid foundation in place, your zero trust architecture can adapt and evolve to incorporate any new technology. And with your foundation set, risk-based access policies and continuous, adaptive authentication can be implemented.
Say a user logs into their ADP account at 11 o’clock at night. That may be a usual occurrence and something your policy identifies as a low-risk factor. But if that same user is trying to access a financial app late at night from outside the office, your risk-based policies can set up your system to trigger MFA or block access completely.
The adaptive part here is that the system continues to monitor the user’s behavior and context. Based on a set level of risk tolerance, another authentication request can be triggered based on changes in one of those signals — whether accessing a certain folder, application, a change in location, and so forth. Reauthentication can again be required based on changing behaviors and context even if a user logs in and passes an MFA check.
While this sounds limiting, with a smart system and well-defined policies in place, zero trust can actually simplify the user experience. Having the policies and monitoring properly deployed and constantly running behind the scenes means that users will have fewer passwords to manage and gain a more customized security experience built on how they work most effectively.
Stronger and Simpler
Zero trust is quickly becoming the default security stance because of our increasingly interconnected world, where remote work, multiple devices and cloud-based applications and resources are all far more common than before. Yet, in striving to find a better security framework, zero trust has actually created a way to simplify security for your organization, simplify your users’ experience, and ultimately boost efficiency across organizations.
