Identity Is the Only Perimeter for Zero Trust

By 2023, 75 percent of security failures will result from inadequate management of identities and access, and excessive privileges, according to a recent industry report.^Footnote1

A recent study indicates that the average total cost of a data breach has increased by 10 percent in the past two years to $4.24 million—the highest ever recorded.^Footnote2 The use of hybrid and cloud IT environments has become increasingly accepted and more common. Ransomware attacks are also rising steadily. No company or vertical is safe from nefarious hackers. Identity-based attacks skyrocketed last year, meaning that developing a Zero Trust security strategy that governs the right people's access to the right resources at the right time is critical. Discovering all of an organization's human and machine identities and privileges—especially those that are overprivileged—is critical when performing internal identity audits.

The major factors fueling the Identity and Access Management (IAM) market include a rising number of security breaches and escalating cases of identity-related fraud. These two challenges have increased awareness about compliance management and the need for IAM governance.

The spotlight on Zero Trust has resulted in significant traction across all verticals and companies of all sizes, with the identity process playing the most important role. No Zero Trust model can exist without a rock-solid identity process and a security model that assumes a threat can just as easily come from inside the network as from outside the network. The perimeter no longer matters; no user or device is ever fully trusted.

A recent white paper about Zero Trust architecture from the National Institute of Standards and Technology (NIST) states that network administrators must first identify all human and machine identities.^Footnote3 Zero Trust security is based on the notions of "never trust, always verify, assume the breach, and ensure there are means for continuous compliance monitoring." Every user and machine identity is regarded with suspicion until proven safe and must be authenticated.

A successful Identity Zero Trust environment relies on the principle of least privilege, ensuring that all users have the least amount of access to do their jobs successfully. Creating this kind of environment requires security teams to know not only who has access to what but, more importantly, who should have access and under what circumstances. Identity security plays a critical role in the success of any Zero Trust program.

Regulatory compliance drives the Identity Zero Trust model and the business need for it. With many various regulations, such as Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), Personally Identifiable Information (PII), General Data Protection Regulation (GDPR), and California Consumer Privacy Act (CCPA), global organizations are under increased pressure to implement identity governance and administration (IGA) solutions and controls to reduce the expensive consequences of failed audits.

All global organizations, public and private, are audited. Whether an organization has an external or internal auditor, or both, it must demonstrate regulatory compliance and repeatable results—an expensive, resource-intensive, and time-consuming endeavor.

Least-Privileged Access and Zero Trust

Zero Trust is based on three fundamental principles.

1. Trust nothing/verify everything.
2. Control access based on the principle of least privilege.
3. Secure all transactions.

The trust nothing/verify everything principle ensures that identities are continuously analyzed and challenged based on their risk levels. The least-privileged access of Zero Trust, identities, roles, and entitlements are managed through a "least-privileged" access model, an approach that provides a user the minimal privileges needed to complete a task and nothing more. Managing and enforcing least-privileged access has challenges. Information security has widely embraced the Zero Trust mindset; however, there are no universal standards for implementation, but IAM is step one of an effective Zero Trust roadmap.

Moving to a Zero-Trust Model

Thousands of organizations now have employees working remotely from places near and far. Organizations cannot rely on the perimeter security model. Many organizations had to switch to an identity-driven security model, which lets a properly authenticated and verified user or device access the network from anywhere. But if the perimeter is eliminated entirely, then what each user and device can do on the network needs to be tightly monitored and often sharply restricted, which leads to the Zero Trust model. However, required access to perform specific job functions is mandatory.

Without a robust IAM policy and program, organizations cannot have a functional Zero Trust architecture. Once intruders are in the network, they move laterally through it, penetrating new areas and access levels. This is precisely the kind of movement that strong IAM policies and Zero Trust architectures are designed to prevent.

Zero Trust in the Cloud

Cloud computing environments present new challenges for implementing access management policies. Access solutions must be flexible enough to handle the following three things:

• The introduction and adoption of new technology
• The ephemeral nature of cloud infrastructure
• The rapid scaling of enterprises and organizations

Today's workforce can be remote, and employees often use their own devices. Third-party vendors, contractors, and bots also cause data breaches. Cloud security from a cloud service provider (CSP) is something to be aware of. The cloud provider maintains the security of the cloud while the customer maintains security in the cloud. Knowing what to look out for is an important first step in avoiding and correcting cloud errors. Here are some of the most common issues:

Underutilized tools: Utilize tools that are native to the cloud provider. All major cloud providers include settings to implement Privileged Access Management (PAM) and IAM policies. These may include role-based access controls (RBAC), multi-factor authentication (MFA), or specific PAM solutions. Use built-in tools to ensure that the provider follows the access policies organizations require.

Misconfigured identities: Admins may set access controls to the most permissive settings to ease access. Too much access also opens the door to problems, as an over-provisioned user can do a lot of damage. So, implementing cloud-based identities following the principle of least privilege is a critical component of IAM policies.

Excessive access to storage: Ensure that cloud storage is not publicly accessible. Keep track of where data is and who needs access to it and restrict access to what is needed only.

Conclusion

Correcting cloud and multi-cloud configuration shortcomings will help ensure that user data, organizational data, and infrastructure elements are protected. Transitioning to an IAM framework involves looking at information technology, governance, and compliance in a new way. Identity authentication and a Zero Trust security approach should be at the center of organizational security initiatives instead of network security and the security perimeter.

Higher education deals with security, operational, and compliance challenges every day. Cybercriminals are constantly lurking and attempting to target organizations and their assets. When a data breach occurs in higher education, the entire operation is impacted. This leads to reputational damage. In addition, higher education institutions are required to comply with breach notification laws—an expensive proposition.

It is recommended that higher education start the process of instituting a Zero Trust identity platform to help maintain compliance. Mission-critical assets such as student records, education systems, employee identity information, research, intellectual property, and IT systems—the "crown jewels" of a higher education organization—are of great value. Compromising these assets would cause a major disruption to business operations, damage the reputation of the institution, and lead to regulatory fines.

Notes

1. Managing Privileged Access in Cloud Infrastructure, research report, (Stamford, CT: Garner, June 2020). Jump back to footnote 1 in the text.↩
2. Cost of a Data Breach Report, research report, (Armonk, NY: IBM, August 2022) Jump back to footnote 2 in the text.↩
3. Scott Rose, Planning for a Zero Trust Architecture: A Planning Guide for Federal Administrators, white paper (Gaithersburg, MD: National Institute of Standards and Technology, May 6, 2022). Jump back to footnote 3 in the text.↩

Chuck Donnelly is Vice President of Field Operations at Fischer Identity.