CIOReview | 9 JUNE 2022

To understand the central importance of identity for ZTA, it is useful to review how conventional wisdom regarding network design changed in response to both the escalating tactics of adversaries and the need of companies to incorporate mobility into how they operate. The traditional "castle and moat" model of the corporate network has long been declared inadequate against modern threats, replaced in many cases with a lightly segmented network designed to compartmentalize data according to business unit or sensitivity. The meteoric rise and commoditization of cloud services point to a future where the very concept of a centralized corporate network feels antiquated. Additionally, the global pandemic showed that many businesses could function with a largely remote workforce, and it accelerated the transition to "do anything from anywhere on any device," with each individual user becoming a highly mobile micro-perimeter.

The user experience on a pre-Zero Trust Architecture network is akin to shopping in a grocery store. If you meet the basic criteria for admittance, once inside you can see all your purchasing options and put anything into your cart. When you go to check out, you *might* have an ID check if you are buying something that requires additional proof of age. In contrast, Zero Trust Architecture is more like exploring a pitch-dark cave, where you can only see what is right in front of your flashlight. To adapt this model to the grocery store analogy, if I need milk, and am authorized to access and buy milk, then ZTA says I should be able to access milk and nothing else. Getting that milk doesn't entitle me to get some eggs or bread; in fact, I shouldn't even see that those things exist! Even if my identity has been compromised, the bad actor is only getting milk, and maybe not even that.
Under Zero Trust, every identity claim is a remote claim, and validation is continuous; the model removes location as a sufficient criterion for identity validation, and thus for providing any inherent trust or access based on that data point in the identity claim.

Validating remote identity claims effectively is difficult, and as perimeter defenses improved with time, attackers targeted the human element with devastating effect. We've long relied on passwords as a proxy to prove that an individual is who they claim to be. When passwords proved insufficient, we added additional factors like biometrics or tokens for additional proof (and to help guard against password-based attacks). That made sense in the context of a *remote* identity claim; but as more and more services moved outside the corporate network, we lacked a model that would allow us to centralize access governance while also recognizing that there was no longer a concept of being "on the network." To put it another way, every user became remote, and access needed to be controlled at the application layer rather than the network layer.

Organizations must standardize and automate how access is provisioned, including mechanisms that continuously validate access group membership against birthright and role-based access grants. The concept of "always on" administrative accounts is replaced with just-in-time access provisioning. And User and Entity Behavioral Analysis (UEBA) must be integrated with access provisioning so that anomalous activity (such as coming from a new device, or from a new location, or during an unusual time of day) is treated as an additional risk factor that must be met with increasingly rigorous challenges before identity is confirmed.
Only then, after positive authentication is completed, can authorization be granted; both must occur before a session is established between user and resource, and validation is continuous so authorization can be rescinded at any time.

The benefits of ZTA are numerous: it weakens the threat of ransomware by minimizing the possibility of lateral movement; it reduces the impact of a breach by increasing the effort required for large-scale data theft; it standardizes the user experience in accessing resources and hardens the human element against social attacks; and it enables a model where work from anywhere is possible while also effectively managing risk. But ZTA will also expose weaknesses in network and application design, and most of all in identity access governance. While the framework was designed to be deployed on existing infrastructure, it requires a reframing of identity as central to making decisions about access and authorization. Protecting data is still the goal, but businesses must understand that success depends on getting identity and access governance right first.
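As an added illustration (not part of the CIOReview article), the following Python sketch models the decision flow described above: UEBA-style signals (new device, new location, unusual hour) raise the assurance required before authentication is considered complete, authorization is then checked separately against the identity's entitlements (the "milk, not eggs" rule), and a later re-evaluation of the same session can rescind it. The profile fields, risk weights and factor thresholds are constructed assumptions, not a specification from the article.

```python
from dataclasses import dataclass, replace

@dataclass
class Request:
    user: str
    device: str
    location: str
    hour: int            # local hour of day, 0-23
    factors: frozenset   # factors already presented, e.g. {"password", "otp"}
    resource: str        # what the user is asking for

@dataclass
class Profile:
    known_devices: set
    known_locations: set
    usual_hours: range   # hours during which this user normally works
    entitlements: set    # resources this identity is authorized for

# Constructed weights: each anomalous signal raises the assurance required.
RISK_WEIGHTS = {"new_device": 2, "new_location": 2, "unusual_hour": 1}

def risk_signals(req, prof):
    """UEBA-style anomalies relative to the user's established behavior."""
    signals = []
    if req.device not in prof.known_devices:
        signals.append("new_device")
    if req.location not in prof.known_locations:
        signals.append("new_location")
    if req.hour not in prof.usual_hours:
        signals.append("unusual_hour")
    return signals

def factors_required(score):
    """Higher risk -> more rigorous challenge before identity is confirmed."""
    if score == 0:
        return 1
    return 2 if score <= 2 else 3

def decide(req, prof):
    """Authenticate first, then authorize; either failure means no session."""
    score = sum(RISK_WEIGHTS[s] for s in risk_signals(req, prof))
    if len(req.factors) < factors_required(score):
        return "step_up"   # identity not yet confirmed at this risk level
    if req.resource not in prof.entitlements:
        return "deny"      # authenticated, but not authorized for this resource
    return "allow"

def reevaluate(session_req, prof, **changes):
    """Continuous validation: re-decide with the changed context; anything
    other than a fresh 'allow' rescinds the established session."""
    verdict = decide(replace(session_req, **changes), prof)
    return "allow" if verdict == "allow" else "revoked"
```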