The Role of Identity and Access Management (IAM) in a Zero Trust World
By John J. Masserini
Senior Research Analyst, TAG Cyber
This is the second of a series of five blog posts by analysts from TAG Cyber, a trusted cybersecurity research analyst firm, providing unbiased industry insights and recommendations to security solution providers and Fortune 100 enterprises.
Integrated IAM practices should be considered a key element of any strategic risk mitigation practice.
Without question, one of the most frequently referenced terms being used in the industry lately is zero trust. Whether it’s part of a sales pitch or a strategic part of a CISO’s plan, it seems that everyone is hopping on the ZT bandwagon, including identity and access management (IAM) solution providers.
Unfortunately, while many believe ZT will solve all our collective security problems, the reality is that it is only as good as the foundation it’s built upon. A significant part of that foundation is identity management, an oft-overlooked practice that addresses many of the risks faced by most enterprises today. Similarly, access management is often relegated to what Active Directory group a user is part of.
Sadly, account management, user access and provisioning are all practices that are typically relegated to a first-tier help desk technician, whose job is strictly measured by ticket resolution time. That approach can be short-sighted—not to mention dangerous—when it comes to securing your applications and resources across the enterprise. Instead, integrated IAM practices should be considered a key element of any strategic risk mitigation program. This becomes especially true when implementing a ZT architecture, where both continual and contextual authentication are needed.
When you begin looking at how a ZT architecture will fundamentally change your approach to risk mitigation, you quickly realize how crucial a solid, well-planned IAM program is to the success of your ZT initiative. By having a very high level of trust in your IAM environment, you can develop your ZT architecture knowing you have a strong base to build upon. A key factor in developing a strategic IAM solution is recognizing that it is about far more than just user access. A modern IAM solution supports full integration of all platforms, as well as assigned roles—birthright, departmental, and job function, for example—along with user risk modeling and certification practices with full contextual evaluation and automation across all on-premises and cloud infrastructures.
Conceptually, the idea behind a ZT architecture is that every operation—whether it be a financial transaction, running a report, or just accessing a website—is authenticated and authorized every time. Unlike the typical legacy infrastructure where you are authorized at the time of authentication and remain authorized until you log out, in a ZT world, every click of the mouse is re-authorized. If you imagine a modern web application trying to reauthorize millions of transactions daily, you can understand the benefits of having a single source of truth for authenticating access to your resources and applications, wherever they reside, be it local or cloud.
Another key aspect of ZT access management is not just who is performing the operation, but contextually, should they be. Many contributing factors should be evaluated when determining when access should be granted and at what level; factors such as location, time and device are just a few indicators that can be used.
For example, the company CFO is on vacation and has an urgent transaction to approve on the financial platform. Are they using their corporate laptop or the shared device in the hotel’s business center? Did they previously sign on from a location that would be impossible to travel from since the last login? Has someone been trying to use the account surreptitiously between the last valid login and this one?
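As an added illustration (not part of the original post), the following Python sketch shows what the per-request, contextual re-authorization described above looks like in code: every request is evaluated afresh against device, location, time and recent account activity, rather than being trusted because an earlier login succeeded. The login history, coordinates, speed threshold, failure threshold and the allow/step-up/deny policy are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed policy thresholds (not from the article).
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # faster than this between logins => "impossible travel"
MAX_FAILED_ATTEMPTS = 3          # more failures since the last good login => suspicious
SENSITIVE_ACTIONS = {"approve_payment", "change_bank_details"}  # assumed sensitive operations


@dataclass
class LoginEvent:
    when: datetime
    lat: float
    lon: float
    success: bool


@dataclass
class Request:
    user: str
    action: str
    when: datetime
    lat: float
    lon: float
    device_managed: bool   # corporate laptop (True) vs. shared hotel PC (False)
    history: list          # prior LoginEvents for this user, oldest first


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(req):
    """True if reaching the request location from the last successful login needs implausible speed."""
    successes = [e for e in req.history if e.success]
    if not successes:
        return False
    last = successes[-1]
    km = haversine_km(last.lat, last.lon, req.lat, req.lon)
    hours = (req.when - last.when).total_seconds() / 3600.0
    if hours <= 0:
        return km > 0
    return km / hours > MAX_PLAUSIBLE_SPEED_KMH


def failed_attempts_since_last_success(req):
    """Count login failures recorded after the most recent successful login."""
    count = 0
    for e in reversed(req.history):
        if e.success:
            break
        count += 1
    return count


def authorize(req):
    """Re-evaluate one request; returns (decision, reasons) with decision in allow/step_up/deny."""
    reasons = []
    if impossible_travel(req):
        reasons.append("impossible_travel")
    if failed_attempts_since_last_success(req) > MAX_FAILED_ATTEMPTS:
        reasons.append("failed_attempts_since_last_login")
    if not req.device_managed:
        reasons.append("unmanaged_device")
    if req.action in SENSITIVE_ACTIONS:
        reasons.append("sensitive_action")

    if "impossible_travel" in reasons:
        return "deny", reasons          # location cannot be genuine; refuse outright
    if reasons:
        return "step_up", reasons       # require fresh MFA before proceeding
    return "allow", reasons


def cfo_request(action, hours_since_login, device_managed, failures=0):
    """Constructed scenario: CFO last logged in from New York, now requesting from Paris."""
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    last_login = now - timedelta(hours=hours_since_login)
    history = [LoginEvent(last_login, 40.7128, -74.0060, True)]
    for i in range(failures):
        history.append(LoginEvent(last_login + timedelta(minutes=i + 1), 40.7128, -74.0060, False))
    return Request("cfo", action, now, 48.8566, 2.3522, device_managed, history)


if __name__ == "__main__":
    for scenario in (
        cfo_request("view_report", 24, True),          # managed laptop, plausible travel
        cfo_request("approve_payment", 24, True),      # sensitive action => MFA
        cfo_request("view_report", 24, False),         # hotel business-center PC => MFA
        cfo_request("approve_payment", 24, True, 5),   # failed attempts since last login => MFA
        cfo_request("view_report", 2, True),           # New York to Paris in 2 hours => deny
    ):
        print(scenario.action, authorize(scenario))
```

The point of the structure is that `authorize` is called on every operation, not once at login, and that the decision is a function of context (device, elapsed time and distance, intervening failures, sensitivity of the action) rather than group membership alone.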
While the benefits of having an integrated, mature IAM process are obvious on many levels, getting there is not an effort to be taken lightly. In many cases, core infrastructure components such as Active Directory, the human resource information system (HRIS) and the corporate enterprise resource planning (ERP) systems can easily be integrated into an IAM platform. Ensuring, however, that business applications, network devices, Linux/Windows servers and cloud infrastructures are as tightly connected will be no small task. Layering on the complexity of determining which access indicators are crucial will take time and effort—but will have a significant upside in the long run.
While there continues to be significant hype around AI-based solutions, it is more important to get the basics right first. This will have a more significant impact on your security than complicated technologies. AI technologies have substantial promise in evaluating contextual indicators, and in this light such indicators are remarkably well-suited to machine learning. However, without first managing the fundamentals properly, you are still building on a poor foundation.
Make no mistake, deploying a sound IAM solution is as “business transformational” as you can get, especially to the business of IT. However, if your enterprise is serious about moving towards a ZT architecture, the effort to build a true IAM infrastructure is well worth it. Even if there are no plans for ZT, your compliance, audit and regulatory reporting efforts—not to mention your overall risk mitigation practices—will benefit significantly.