How Identity and Context Underpin Zero Trust Security


In the digital age, it’s all too easy to pass yourself off as a machine.

Hackers use this tactic to breach corporate network perimeter defenses and gain access to the systems behind the firewall. Once inside, they move laterally from system to system, masquerading as a trusted entity connecting from a trusted device. In a ransomware attack, hackers seize and encrypt data, then extort money to decrypt it. Others steal corporate assets to sell them to the highest bidder on the dark web. Many do both.

The firewall isn’t the only vulnerability to blame. The legacy architecture itself is also at fault. When corporate network security is inextricably tied to a device, the network is simply not secure. All it takes is a guessed password, an employee clicking a link in a phishing email, or a spoofed IP address, and the hacker is there… and everywhere.

A zero trust architecture (ZTA) secures a cloud-based, device-independent way of working that works from anywhere. Identity serves as the new basis for conditional access, and it is something that every organization’s board of directors must understand and evangelize. Identity underpins zero trust and is the best way to manage secure connectivity to applications, destinations, and resources to protect the modern enterprise workplace.

Conditional access management with identity and context

In a ZTA, there is no longer the concept of a corporate network, nor the burden of its expensive, inefficient, and insecure infrastructure. Connectivity is direct and ephemeral: employees connect only to the applications or resources they need to do their jobs.

A ZTA is based on company-defined policies for conditional access to resources. Identity becomes the basis for allowing this access. But identity is only the first facet of zero-trust authentication and the business policies associated with access. Identity links a user to context, which contributes new layers of validation for precise identification. When establishing security and access, IT managers can consider multiple types of context, including user, role, group, department, location, device, device state (for example, managed or unmanaged, recognized or unrecognized, company-issued or employee-provided, etc.), and many more.

Context provides the breadth and depth necessary for identity-based access. An employee in a sales department, for example, may have access to the cloud and internal resources specific to performing business tasks, such as Salesforce or an enterprise quota-tracking app. Likewise, an engineer can have access to development tools like GitHub or Jira. But neither the salesperson nor the engineer would have access to each other’s systems, and the separate systems would not be connected or accessible to each other in any way.

A ZTA solution uses context to signal a compromise. If an identified employee acts outside of expected norms, a ZTA solution can report the unexpected behavior and take corrective action. Such out-of-context behavior can include an employee accessing systems not necessary for their job, trying to log in from a new device, or attempting to move proprietary digital assets to an external location.

In a ZTA environment, context governs connectivity. Context also limits the potential “blast radius.” If a hacker compromises an individual device in the ZTA environment, they cannot move laterally to adjacent systems because none are connected. Any subsequent access request would be out of context and rejected. Compare this with traditional security architectures: if hackers break into a legacy network environment, they can deftly move along a network path from one system to another.

Business policies define security (rather than the other way around)

The US National Institute of Standards and Technology (NIST) ZTA standard states that identity is “the key element of policy creation,” with access to resources based on the professional privileges assigned to a specific person. Company-defined policies govern access. For example, this particular salesperson can access resources A, B, and C; that particular engineering employee can access resources D, E, and F; and so on.
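The policy model described in the two sections above (identity plus context deciding access, out-of-context requests rejected and reported, lateral movement cut off because no role reaches another role’s resources) can be expressed as a small policy decision point. The following is an added example written for this page; it is not Zscaler’s or NIST’s code, and every user, resource, role and device identifier in it is constructed for illustration.

```python
"""Toy zero-trust policy decision point.

Added example (not from the original post): identity plus context decides
each access request. A request is allowed only when the resource is in the
user's role policy AND the device is both recognized and managed; anything
else is denied and the reasons are surfaced for reporting. All names below
are constructed.
"""
from dataclasses import dataclass, field

# Business policy: which resources each role may reach (the page's
# "salesperson gets A, B, C; engineer gets D, E, F"). Roles never overlap,
# so a compromised sales identity cannot reach engineering systems.
ROLE_POLICY = {
    "sales": {"salesforce", "quota-tracker"},
    "engineering": {"github", "jira"},
}


@dataclass
class Identity:
    user: str
    role: str
    known_devices: set = field(default_factory=set)  # recognized device ids


@dataclass
class AccessRequest:
    identity: Identity
    resource: str
    device_id: str
    device_managed: bool  # True for company-managed devices


@dataclass
class Decision:
    allowed: bool
    reasons: list  # empty when allowed; context violations otherwise


def evaluate(req: AccessRequest) -> Decision:
    """Apply identity-based policy, then layer device context on top."""
    reasons = []
    allowed_resources = ROLE_POLICY.get(req.identity.role, set())
    if req.resource not in allowed_resources:
        reasons.append("resource-outside-role")
    if req.device_id not in req.identity.known_devices:
        reasons.append("unrecognized-device")
    if not req.device_managed:
        reasons.append("unmanaged-device")
    # Default deny: any violated context condition blocks the request.
    return Decision(allowed=not reasons, reasons=reasons)


def evaluate_all(requests):
    """Evaluate a batch and return (decisions, alert lines for the SOC)."""
    decisions = [evaluate(r) for r in requests]
    alerts = [
        f"ALERT user={r.identity.user} resource={r.resource} "
        f"device={r.device_id} reasons={','.join(d.reasons)}"
        for r, d in zip(requests, decisions)
        if not d.allowed
    ]
    return decisions, alerts


if __name__ == "__main__":
    alice = Identity("alice", "sales", {"laptop-1"})
    bob = Identity("bob", "engineering", {"laptop-2"})
    batch = [
        AccessRequest(alice, "salesforce", "laptop-1", True),   # in context
        AccessRequest(alice, "github", "laptop-1", True),       # wrong role
        AccessRequest(alice, "salesforce", "phone-9", False),   # new, unmanaged
        AccessRequest(bob, "jira", "laptop-2", True),           # in context
    ]
    decisions, alerts = evaluate_all(batch)
    for req, dec in zip(batch, decisions):
        print(req.identity.user, req.resource, "ALLOW" if dec.allowed else "DENY", dec.reasons)
    print("\n".join(alerts))
```

The point to notice is the default-deny shape of `evaluate`: identity selects a policy, but every context signal (device recognition, management state) must also pass, and the reasons for a denial are kept so the out-of-context event can be reported rather than silently dropped. A real deployment would draw these signals from an IAM provider and a device-posture service instead of in-memory sets.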

Such validation requires Identity and Access Management (IAM) services, ideally delivered through a cloud-based solution. IAM solutions, available from vendors such as CA, Microsoft, Google, IBM, Okta, and more, provide a scalable way to authenticate user access to resources outside the edge of legacy corporate networks.

Why is context-based security important?

A ZTA provides an access model suited to the modern way of working: out of the office, beyond the data center, and into the cloud. Security and policy follow the user and the user’s data, wherever that user is, wherever that data may reside, whatever destination the user may go to, and on any device the user happens to be using.

ZTA context-based access enhances a legacy network access model through:

  • Identity-based context, multi-factor authentication, and behavioral analysis that give IT managers greater control, visibility, and ultimately governance over access to corporate resources.
  • Authorization Required: Users cannot access resources or destinations without authorization.
  • Contextual access solutions that easily scale to support governed access to resources in the cloud, hosted in the data center, and on-premises.
  • The ability to define business policy at a macro or micro level, with resource access rules defined for both a group and an individual employee.
  • User-specific, not machine-specific access, meaning that employees (and administrators) enjoy the same level of security regardless of the device used to access corporate resources.
  • Work From Anywhere Features: Users have the same access (and administrators provide the same security) whether they are working at headquarters, in a branch office, or at home.

Boards of directors and technology decision-makers have the opportunity to move organizations from legacy device-based security to zero trust context-based access. Understanding the importance of identity is the first step towards this goal.

Learn more about Zero Trust and how Zscaler helps organizations establish a ZTA.
