Mobile and cloud have rendered the ‘castle and moat’ security model obsolete. Rather than trusting everything that happens on the inside of the perimeter, we should now adopt a policy of ‘never trust, always verify’. And as the author of this long read, Carlo Schupp, argues, ‘Zero Implicit Trust’ would be a better name. Implementing Zero Trust is no walk in the park and requires a certain level of digital maturity from an organization. In fact, the different steps in the zero trust journey can be closely linked to the Digital Maturity Model that TrustBuilder developed.
Historically, enterprises depended on a ‘castle and moat’ security model, with the enterprise network and datacenter on the inside, and firewalls guarding the perimeter. Anything located on the outside was considered untrusted. Conversely, anything on the inside was considered trusted. However, trust based on network location breaks down when users are mobile, when using cloud and when external partners require access. It creates excessive implicit trust. It is this implicit trust that attackers abuse: once the perimeter is breached, they have access to everything on the privileged intranet. For example, if VPNs are used to extend the enterprise network to remote workers, an attacker need only steal a user’s credentials to gain access to the enterprise network.
The adoption of mobile and cloud means that we can no longer have a network perimeter-centric view of security; instead, we need to securely enable access for the various users (employees, partners, contractors, etc.) regardless of their location, device or network. A Zero Implicit Trust security model responds to this trend and removes the split between a ‘trusted’ internal network and an ‘untrusted’ external network. Identity and access management (IAM) is core technology for achieving Zero Implicit Trust security.
Implementing the Zero Implicit Trust security model is not a trivial exercise. As customers implemented Zero Implicit Trust architectures, we’ve seen several stages of maturity emerge, alongside our Digital Maturity model. Our maturity model classifies organizations as Digital Developers, Experience Experts, Connected Companies, Ecosystem Extenders or Monetizing Masters.
Many organizations begin their Zero Implicit Trust journey with on-premise directories like Active Directory and with cloud applications that are not integrated with on-premise applications. As a result, IT is forced to manage disparate identities across a number of systems as well as the many applications and services used outside IT’s control. For the user, this also means numerous passwords and other credentials. Without visibility and ownership over these fragmented identities, IT and security teams are left with potentially large windows for attackers to exploit access into individual systems.
The first step to resolving the security gaps left open by many fragmented identities is consolidating under one IAM system, across on-premises and cloud. This consolidation, via single sign-on (SSO), is critical to managing access and shouldn’t be limited to solely employees. It should also apply to any user that needs access to a service, including the full extended enterprise of contractors and partners. Layering a second factor of authentication to that centralized identity access point further helps to mitigate attacks targeting credentials. Additionally, unifying identities across servers is key to bringing access policies together into one secure, manageable place for IT.
Many enterprises already use TrustBuilder to unify their user identities. TrustBuilder ID Hub and TrustBuilder.io can serve as a single source of truth for IT organizations. They also serve as an integration point to multiple directory services. TrustBuilder ID Hub and TrustBuilder.io make managing and securing the extended enterprise simpler for IT departments and eliminate the password proliferation that currently plagues users.
Once IT has unified IAM, the next stage in Zero Implicit Trust security is layering in context-based access policies. This means gathering rich signals about the user’s context (e.g. Who are they? Are they in a risky user group?), application context (e.g. which application the user is trying to access), device context, location and network, and applying access policies based on that information.
For example, a policy could be set to allow seamless access to managed devices from the corporate network, while an unmanaged BYOD device logging in from a new location would be prompted for multi-factor authentication (MFA). Or privileged access to critical systems would require authentication using hard tokens and a cryptographic handshake. Furthermore, if users leave or change roles within an organization, automated provisioning can ensure that they have access only to the tools they are authorized for.
Many organizations today are already using TrustBuilder’s Adaptive Authentication. By processing a variety of contextual insights about a user, device, location, network and the application or browser a resource is accessed from, the TrustBuilder policy engine serves up a contextual response. This response is based on an organization’s risk tolerance, which acts as the first line of defense in keeping an organization secure.
The Connected Company of Stage 3 also opens up its applications to customers and third parties via APIs. TrustBuilder Adaptive Authentication enables secure access to APIs whereby a user’s identity may come from a partner’s identity system or a public source.
This stage refers to Forrester’s Zero Trust eXtended Ecosystem model. It extends an enterprise’s focus on authenticating and authorizing access to its ecosystem of partners and third-party platforms. This means that authentication and authorization occur not just at the front gate of the ecosystem (the first party in the journey) but continually throughout the user’s journey within the ecosystem.
A party in the ecosystem can now set risk tolerance and allow the risk scoring based on contextual signals to determine the riskiness of a particular access attempt. Trust is no longer absolute: Adaptive Authentication and Dynamic Authorization are constantly re-evaluated. Any change in one of the risk signals may lead to different authorization decisions and may prompt re-authentication of the end-user.
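The context-based policies described above (managed device on the corporate network passes, unmanaged device from a new location gets MFA, critical systems require a hard token) and the continuous re-evaluation described in this section can both be sketched as a small policy engine. The following Python is an added illustration, not TrustBuilder’s policy engine or any code from the original article; the signal names, the point values per signal and the risk tolerance threshold are arbitrary assumptions chosen to make the decisions visible.

```python
from dataclasses import dataclass, replace

# Constructed access context: the signals a policy engine would gather
# about one access attempt (names and fields are assumptions, not a real schema).
@dataclass(frozen=True)
class AccessContext:
    user_id: str
    user_group: str            # "staff", "privileged" or "contractor"
    device_managed: bool       # enrolled in device management or BYOD
    network: str               # "corporate" or "external"
    location: str              # country code of the request
    known_locations: frozenset # locations previously seen for this user
    application: str
    app_sensitivity: str       # "standard" or "critical"
    mfa_completed: bool = False
    hard_token_completed: bool = False

# Assumed weights per risk signal; a real deployment tunes these to its own risk tolerance.
def risk_score(ctx: AccessContext) -> int:
    score = 0
    if not ctx.device_managed:
        score += 30        # unmanaged BYOD device
    if ctx.network != "corporate":
        score += 20        # off-network access
    if ctx.location not in ctx.known_locations:
        score += 30        # new location for this user
    if ctx.user_group == "contractor":
        score += 10        # extended-enterprise user group treated as riskier
    return score

def decide(ctx: AccessContext, risk_tolerance: int = 40) -> str:
    """Return "allow", "require_mfa", "require_hard_token" or "deny"."""
    # Privileged access to critical systems: step-up to a hard token regardless of score.
    if ctx.app_sensitivity == "critical":
        return "allow" if ctx.hard_token_completed else "require_hard_token"
    score = risk_score(ctx)
    if score <= risk_tolerance:
        return "allow"                      # seamless access within tolerance
    if score <= 80:
        return "allow" if ctx.mfa_completed else "require_mfa"
    return "deny"                           # beyond what MFA is allowed to compensate for

def reevaluate(previous_decision: str, new_ctx: AccessContext) -> tuple:
    """Continuous evaluation: re-run the policy on changed signals mid-session.
    Returns (new_decision, reauth_needed)."""
    new_decision = decide(new_ctx)
    reauth_needed = previous_decision == "allow" and new_decision != "allow"
    return new_decision, reauth_needed

# Constructed sample contexts for the cases the text describes.
MANAGED_CORP = AccessContext("alice", "staff", True, "corporate", "BE",
                             frozenset({"BE"}), "intranet", "standard")
BYOD_NEW_LOCATION = AccessContext("bob", "staff", False, "external", "ES",
                                  frozenset({"BE"}), "crm", "standard")
PRIVILEGED_CRITICAL = AccessContext("carol", "privileged", True, "corporate", "BE",
                                    frozenset({"BE"}), "core-banking", "critical")

def session_drift_example() -> tuple:
    """Alice is allowed, then her signals change while the session is open."""
    first = decide(MANAGED_CORP)
    moved = replace(MANAGED_CORP, location="FR")                 # new location only
    moved_and_offnet = replace(moved, network="external")        # plus off-network
    return first, reevaluate(first, moved), reevaluate(first, moved_and_offnet)

if __name__ == "__main__":
    print(decide(MANAGED_CORP))                                  # allow
    print(decide(BYOD_NEW_LOCATION))                             # require_mfa
    print(decide(replace(BYOD_NEW_LOCATION, mfa_completed=True)))  # allow
    print(decide(PRIVILEGED_CRITICAL))                           # require_hard_token
    print(session_drift_example())
```

The point of `reevaluate` is the one the text makes: an "allow" is not a one-time gate but a decision that is recomputed whenever a signal changes, and a drift beyond the tolerance turns into a re-authentication prompt rather than silently continuing the session.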
Conversely, when a user has an account with Verified Assertions, the risk level is low, and they can automatically be granted access to the APIs of a partner in the ecosystem without bothering them with re-authentication or re-registration.
TrustBuilder allows administrators to use policies to transform the authentication experience, and to completely remove passwords from the authentication flow. Replacing passwords with an alternate parameter as the primary factor for authentication enhances the user experience. So, while security is increased with smart, risk-based access control, the experience for the end-user is ultimately simplified. The experience is frictionless and, in cases where IT has set a policy to allow for it, passwordless.
The stages of digital ecosystem maturity in combination with implementing Zero Implicit Trust security using TrustBuilder can be depicted as follows:
Organizations that embark on this Zero Trust journey will benefit from undertaking it step by step, while evaluating their strategy and the related security risks at every step. This is not a journey that you should necessarily walk alone. Why not benefit from the experience of a trusted guide? Before setting out, we would also recommend you make an assessment of where you stand, for instance by taking a Maturity Assessment.
Are you ready to implement Zero Trust? Contact us to ensure you make this journey safely.