Zero Trust & IGA – It’s About Trust
Updated: Feb 2, 2021
Zero Trust has gained traction with organizations small and large as they go through digital transformation. There are several views on what Zero Trust means and how an organization can quickly adapt to it. We aim to simplify the concept of Zero Trust from the Identity Governance (IGA) and access viewpoint, as both are key to our digital existence today and serve as a foundation for Zero Trust principles. CredenceIA’s all-encompassing tailored solutions, from advisory and implementation to US-based L2/L3 managed services, allow CISOs and their teams to focus where the attention is necessary.
Zero Trust – What is it exactly? The distilled understanding of zero trust is to follow the principle of “trust no one”. When security practitioners modernize a security system or implement a new one, we are designing and implementing a set of technology, processes, and tools that achieve a balance between end-user experience, business objectives and security, and that carries a certain level of trust. Zero trust is about eliminating the distinction between “less trusted” and “more trusted” and treating everyone by the same guiding principle. So, it is about having an effective strategy and a security-focused understanding that allows an organization to function efficiently regardless of who the user is or where they are coming from. IGA and authentication are key for any organization to achieve the zero trust mindset: knowing who the user is and why they are requesting access, providing the right business context to the approver, and monitoring the user to ensure optimal security without many intrusive user annoyances (e.g. forcing frequent re-authentication).
Why is Zero Trust Hot Today? Zero trust is not a new concept. To security practitioners, and to organizational leadership who want to use their investment effectively, zero-trust-based design and approach are well known. Most organizations designed their systems on the understanding that users work from within a physical building, that only a subset are remote or outside the so-called “trusted network” at a given time, and that users use company devices only.
In a non-zero trust approach, the technology, support systems, and processes were designed with an “on-premises mindset”. With COVID, this understanding changed overnight. Organizations were suddenly scrambling to have their entire workforce work remotely, and for an extended period of time. The traditional ways of support, user access approvals, removal of users’ access, and monitoring were stretched to their limits. Before COVID, the non-traditional use case that was also making CISOs think about zero trust was the increased use of non-human IDs and how to bring them under the umbrella of IGA. Identity governance, even in relatively mature organizations, revolves around human IDs, and all non-human IDs (this includes machine IDs, application IDs, bots as a variant of application IDs, digital certificates and more) were mostly an afterthought.
COVID highlighted the fact that our normal assumptions and usual business practices are not always going to be as agile and flexible as we imagine. As organizations move closer to practicing zero trust principles, CISOs and the business alike will have greater flexibility in ensuring business continuity without compromising on, or worrying about, who is working from where and the legitimacy of a user’s identity.
IGA and Zero Trust
Zero trust assumes nothing, verifies a user’s access/authorization at every step, and/or limits the session. Organizations of all sizes and complexities use IGA solutions that manage the user lifecycle. This could be a commercial solution, homegrown tools, or a combination, together with its supporting processes. IGA fits into the zero trust principle by leveraging IGA capabilities and use cases effectively. By no means should the IGA program increase the workload of the teams supporting the program or increase complexity. In fact, if the strategy, design and implementation are well thought out, an organization can benefit greatly from an IGA program, reduce costs, improve efficiency and end-user experience, and still stay true to the principle of zero trust.
Zero Trust makes you think about a user’s access lifecycle, security controls and governance in a much more efficient way
A Zero Trust mindset takes away bad practices such as:
“model after” access requests,
incomplete or non-business-friendly entitlement descriptions,
no access certifications, or even worse, rubber-stamping of access,
no ability to do a “one click” disable or termination of a user,
inability to grant temporary access,
inability to know who has access to what,
data completeness and accuracy challenges.
A well-defined IGA program will address all of the above (and more) critical use cases, and will also allow better use of technology (when supported) for data analytics, role engineering, and better integration with privileged access management solutions, bringing business users in to support IT without degrading the user experience. Audit teams also benefit by getting reports on user access and its governance.
Furthermore, zero trust implies continuous monitoring of users’ access, and user access reviews. The forward-looking benefit of IGA is its ability to incorporate user behavior analytics and integrate with security tools (e.g. UEBA) to monitor malicious activity and take quick, decisive action in the case of a compromise. In a zero trust scenario, organizations think about the “what-ifs” that may happen when a bad actor gets access to a user’s ID, and how fast that user’s access can be removed and recreated.
An IGA program based on zero trust principles allows organizations to reduce friction, makes them more aware of “who has access to what and why”, gives them better regulatory compliance, keeps them agile with changing user, security and oversight needs, and most importantly improves the end-user experience without diluting security controls.
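As an added illustration (not code from the original post or from CredenceIA), a hypothetical in-memory Python model of the IGA capabilities the list above calls for: a required business-friendly description on every grant, time-bound temporary access, a single-step termination that revokes everything, and a “who has access to what” query that excludes expired grants and disabled identities. All class and function names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

@dataclass
class Entitlement:
    name: str
    description: str                       # business-friendly text an approver can act on
    expires_at: Optional[datetime] = None  # None means standing (non-temporary) access

@dataclass
class Identity:
    uid: str
    kind: str                              # "human" or "non-human" (service account, bot, cert)
    enabled: bool = True
    entitlements: List[Entitlement] = field(default_factory=list)

class IGAStore:
    """Hypothetical in-memory IGA model; a real program backs this with a system of record."""
    def __init__(self) -> None:
        self.identities: Dict[str, Identity] = {}

    def add_identity(self, uid: str, kind: str) -> None:
        self.identities[uid] = Identity(uid, kind)

    def grant(self, uid: str, name: str, description: str,
              ttl: Optional[timedelta] = None) -> Entitlement:
        # Reject the "incomplete description" anti-pattern at grant time.
        if not description.strip():
            raise ValueError(f"entitlement {name!r} needs a business-friendly description")
        expires = datetime.now(timezone.utc) + ttl if ttl else None   # ttl => temporary access
        ent = Entitlement(name, description, expires)
        self.identities[uid].entitlements.append(ent)
        return ent

    def active_entitlements(self, uid: str, now: datetime) -> List[str]:
        ident = self.identities[uid]
        if not ident.enabled:              # a disabled identity holds no effective access
            return []
        return [e.name for e in ident.entitlements if e.expires_at is None or e.expires_at > now]

    def terminate(self, uid: str) -> int:
        # "One click" termination: disable and strip every entitlement in a single step.
        ident = self.identities[uid]
        removed = len(ident.entitlements)
        ident.enabled, ident.entitlements = False, []
        return removed

    def who_has(self, name: str, now: datetime) -> List[str]:
        # Answers "who has access to what" for one entitlement; expired grants are excluded.
        return sorted(uid for uid in self.identities if name in self.active_entitlements(uid, now))
```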
Want to discuss further?
We offer customized and streamlined options from planning to building to operations. We help customers with advisory, implementation services, a unique Identity Governance (IGA) and Non-employee/Vendor Access Management (VAM) QuickStart, ERP risk analysis, and managed services.
About CredenceIA Consulting