Darran Rolls, CTO, SailPoint, focuses on the rise of the zero trust model in cyber security.
Zero trust is a regular topic of conversation for most CISOs today. While the model has been around for a few years, the zero trust approach has gained popularity as the workplace digitalised, making the security perimeter more vulnerable. At its core, zero trust is based on the principle of maintaining diligent access control for all users of network and systems resources.
In itself, that sounds like nothing new, but with it comes a renewed focus on understanding and managing that access at a much finer level of detail. In a world where over ninety per cent of people will click ‘accept’ to all the terms and conditions by default, security and IT teams have to adjust their approach to keep the organisation safe. Being overly trusting may be part of human nature, but it doesn’t mean that it has to be a ‘weak link’ in the company’s DNA.
Think of how often you’ve shared a login with a colleague, or downloaded data for them to use outside the intended app or software. It’s just one example of how good intentions to help a colleague or provide a smooth and easy experience for customers, partners and contractors can result in a data leak or pose a cyber security concern.
At the centre of any question relating to access control is the critical concept of trusted identity as it applies to each employee and the need to truly understand the access that is being requested, provisioned and used over time. This therefore means having strong authentication, fine-grained authorisation, good lifecycle administration, and excellent audit and control mechanisms. In short, it means getting identity right.
What does it mean to have a zero trust security model?
The first principle of zero trust is removing the assumed protection of the “private network” – you’ll often hear people use the term “assume network compromise” – meaning you accept the fact that you no longer have complete control over your network.
This does not mean opening the door to the bad guys, but accepting the fact that the adversary can and likely will get “network access” to your applications and data. Today’s network perimeter has expanded way beyond the local-area network (LAN) and now includes remote people, applications and cloud services that literally span the globe.
The days are gone when IT managers could simply deploy the best firewall and sleep well. The underlying question today needs to be about access to data and systems across the perimeter – who needs access to what data to do their job well and why? Whether someone is accessing IT from their desk, a coffee shop, or Antarctica, nothing should change as far as trust goes.
The role of identity governance in zero trust
Having a robust identity infrastructure gives organisations the ability to build a more dynamic and identity-aware environment, one which understands not just access patterns but how this relates to the way your organisation operates.
Strong administration processes and accurate governance are the bedrock of identity. These can ensure that essential access policies (from separation of duties to GDPR) are followed and can be audited for compliance purposes.
Providing a centralised view over identity to business data, wherever it resides, can also drive business value by letting IT teams focus their time on more strategic tasks. Having a truly trusted source of controls and oversight is required to ensure that stronger authentication and deeper authorisation are delivered in a timely manner.
The process of ensuring that the right accounts, entitlements and attributes are in place is where identity governance and administration come into play. This allows organisations to control the lifecycle of the very policies and data that now drive this on-going process. Automated access provisioning means that users get the access they need when they need it – but nothing that they don’t – while the overall team productivity rises to help fuel business growth.
Zero trust truly is a way of thinking; an approach, not a specific product or single solution. It is not a definitive answer to all businesses’ cyber security worries, but a way to anticipate emerging threats, strengthen compliance and propel businesses to new heights.
The entire concept strives to challenge every organisation to think differently about how they build applications, networks, and security controls. It means placing identity at the centre of the security architecture and truly understanding who should have access to what and how that access is being used.
Identity governance plays a central role in delivering on that vision, providing a security architecture that is more real-time, more contextual, and able to predict, understand and manage appropriate access in the new world of zero trust.