The concept of a zero trust (ZT) architecture has been prevalent since the early 2000s. It has been born out of an industry requirement to define a solution for the fast disappearing security perimeter. With the advent of cloud computing and IOT, the risk of cyber security attacks due to compromised identities, accounts and credentials has increased exponentially. These attacks ultimately lead to a security breach, which often has significant reputational damage and negative financial impact to the organisation.
A traditional “network trust” model assumes that all users logged onto an internal network can be trusted, while a “zero trust” approach builds on the concept of “never trust, always verify”. This is achieved by enforcing risk-based authentication and authorisation policies for all users, regardless of the user identity being within an organisation’s network or from the outside. Many organisations have already realised this and are moving away from the “network trust” (or perimeter-based security model) to a “zero trust” model.
Most IT security vendors are using zero trust to position their technologies, while cyber security specialists are realising that traditional network security is not adequate for the modern-day architecture and are exploring a zero trust architecture. This evolution has propelled identity solutions to the fore and the zero trust architecture has gravitated towards an “Identity Centric Zero Trust” model.
Identity is at the centre
Cyber criminals gain access to enterprise networks and sensitive data by targeting the weakest links that are compromising or stealing credentials that belong to an identity. An identity is defined as an employee, customer or partner who interacts with an organisation’s Web and/or mobile applications. A comprehensive security strategy recognises that identity is at the centre of any zero trust model. If a stolen identity has privileged access to applications, the consequences of the breach will be far reaching. A defence in depth strategy is still required to secure endpoints, firewalls and networks; however, these controls do not provide a comprehensive security solution against identity and credential-based threats. Until organisations start implementing an identity-centric security approach, account compromise attacks will continue to provide a perfect camouflage for data breaches.
Where to start
While implementing zero trust is a journey that may not be achieved overnight, it does not require a complete re-haul of existing network architectures. But where do we start? The use of the Identity Defined Security Alliance (IDSA) methodology is a perfect start to defining this journey.
The initial step in your zero trust strategy should be focused on the identity, by providing:
- Understanding what access each identity has within an organisation.
- Granting access by verifying who is requesting the access and who should approve the respective request.
- Understanding the context of the access request.
- Determining the risk of the access environment.
Separation of duties
- Ensuring that the requested access does not provide an identity a toxic combination of access (for example: an identity can raise a requisition and issue a purchase order for the same request).
This ‘never trust, always verify, enforce least privilege’ approach provides the greatest security for organisations.
How can Puleng Technologies facilitate the zero trust journey?
A zero trust architecture has many merits in this ever-changing landscape and Puleng Technologies is uniquely positioned to assist organisations in demystifying an identity-centric zero trust architecture. Our team is well versed on both the zero trust concepts and the principles of managing an identity that interacts with an organisation. Puleng Technologies has subject matter expertise and years of experience deploying some of the largest identity and access management projects, both locally and internationally.
This hands-on experience and knowledge enable us at Puleng to work closely with our customers to define a strategy that meets their requirements and define an implementation roadmap with achievable milestones to enable an identity-centric zero trust model.