Zero Trust is being invoked frequently by security professionals, almost as a cure-all for all those things that keep them up at night. In fact, the number of organizations using Zero Trust initiatives has more than tripled, from 16% three years ago to 60% today.
But Zero Trust security can be a headache for the staff in charge of your network infrastructure, and even create vulnerabilities, as your users try to finesse their own ways around those pain points in their workday.
A better form for security would apply the same concept of Zero Trust — never assuming the user is who they say they are — to user identity, instead of to system resources. Let’s explore this further.
The Zero Trust Model
Zero Trust security is typically implemented at the network level, to prevent a hacker from using a compromised account to move laterally within the environment or spread malware. It works by breaking down the network into smaller segments and authenticating users by checking their identity and access privileges before they enter each one.
The security benefits of this network approach are clear, however it requires a lot of work on the network infrastructure to control access to every segment. Upon initial implementation, the entire network infrastructure has to be rebuilt for this segmentation. Since most enterprises have complex information infrastructures, including on-premise and cloud-based resources, there’s a lot of work involved in deploying Zero Trust network security.
Since network-based Zero Trust is built on the premise of keeping attackers from entering a network segment, if attackers manage to bypass a particular segment’s security controls they are free to move laterally and access any resource within it. An approach that secures each single resource rather than just the segment’s gateway would better align with the concept of defense-in-depth and will be a much better choice.
Identity-Based Zero Trust
Enter identity-based Zero-Trust security, which focuses security on the identity layer, instead of the network layer. This architecture applies authentication to the very identity of the user, instead of the user’s connection, as in network-based Zero Trust. According to the National Institute of Standards and Technology (NIST), which recently published its own Zero Trust bible, identity-based Zero Trust is a good approach for enterprises that use cloud-based apps and services which don’t allow customers to bring their own security tools.
For example, in network-based Zero Trust, an authenticated VPN user is trusted and intrinsically allowed to access resources such as file servers or databases in the environment. In an identity-based approach, an authenticated VPN user is not automatically “trusted” and must authenticate every time they try to access a resource. It’s like the bartender checking your ID every time you order a drink, after you already showed ID to get into the club.
Identity-based Zero Trust continuously monitors all access requests made by all users to any resource in the system, whether on-premise or on the cloud, and builds a thorough audit trail for compliance and policy enforcement. Every time an individual user – human or machine – tries to access a resource, a risk analysis is performed based on the user’s behavior during the session and other contextual parameters.
Based on this assessment, an identity-based Zero Trust architecture enforces the organization’s access policy in real time, either requiring some form of additional multi-factor authentication before allowing access, or simply denying user access.
For example, if a user attempts to access a SaaS app, they are normally vetted by the cloud provider’s identity and access management (IAM) system, and allowed access to all the company’s SaaS apps. Identity-based Zero Trust validates users every time they attempt to access a new app on that cloud, continuing the audit trail.
Identity-based Zero Trust provides several advantages that ease implementation and management, and increase security. There is no need to rebuild and replace anything in your system’s infrastructure. This means no downtime and lower costs.
Once deployed, identity-based Zero Trust provides greater visibility into risk, by performing risk analysis at every resource access attempt, rather than at the network segment level. And most importantly, by carrying out security checks at every resource access, it improves the detection of anomalies and threats, improving the organization’s security posture.
Partial Zero Trust is not Zero Trust. To provide effective protection, a Zero Trust architecture needs to span all resources both on-premises and in the cloud, as well as all access requests by machine and human accounts. Applying Zero Trust to identities makes this possible.