Zero Trust security throws away the idea that we should have a “trusted” internal network and an “untrusted” external network. The adoption of mobile and cloud means that we can no longer have a network perimeter-centric view of security; instead, we need to securely enable access for the various users (employees, partners, contractors, etc.) regardless of their location, device or network.
There is no silver bullet when it comes to achieving a Zero Trust security architecture, but identity and access management is the core technology that organizations should start with on their Zero Trust journeys.
Here, we’ll explore the shifts in the security landscape that led to the creation of Zero Trust, what the Zero Trust Extended Ecosystem (ZTX) framework looks like today, and how organizations can utilize Okta as the foundation for a successful Zero Trust program now, and in the future.
Challenge: When the Wall Protecting Your Data Vanishes
Traditional security architectures were built with two groups in mind: trusted individuals, able to access everything inside the organization, and untrusted individuals, kept on the outside. Security and IT teams invested in defensive systems that protected the barrier between them, focusing heavily on securing the network perimeter, often with firewalls. While they were successful in building a wall between potential threats and the safety of the corporate ecosystem, this full-trust model is problematic, because when that perimeter is breached, an attacker has relatively easy access to everything on a company’s privileged intranet—not to mention the havoc a rogue insider could wreak without even breaching the perimeter.
With today’s increased adoption of mobile and cloud technologies, where work is increasingly done outside the safety of a corporate network, the network perimeter becomes increasingly difficult to enforce. In this world, there is no longer a wall around a business’ sensitive assets: employees, contractors, partners and suppliers all access data from across the traditional perimeter.
The Next Frontier: The Evolution of Zero Trust
This shift in the security landscape is what led to the birth of Zero Trust. Zero Trust is a security framework, developed by Forrester Research analyst John Kindervag in 2009, that throws away the idea of a trusted internal network versus an untrusted external network; instead, he argued, we should consider all network traffic untrusted. In this initial framework, Kindervag focused on revamping the network perimeter and recommended that organizations inspect all network traffic in real time, which requires a network segmentation gateway. Specifically, the three principles that made up his Zero Trust model were:
- All resources must be accessed in a secure manner, regardless of location
- Access control is on a need-to-know basis and is strictly enforced
- Organizations must inspect and log all traffic to verify users are doing the right thing
Making Identity the Foundation for Zero Trust
Put simply, the core principle of Zero Trust is to “never trust, always verify.” This ensures the right people have the right level of access, to the right resources, in the right context, and that access is assessed continuously—all without adding friction for the user. That Zero Trust nirvana doesn’t happen overnight, and as organizations implement Zero Trust architectures, we’ve seen several stages of infrastructure maturity:
Stage 0: Fragmented Identity
Many organizations begin their Zero Trust journeys with a variety of on-premises and cloud applications that are not integrated with each other or with on-premises directories such as Active Directory. As a result, IT is forced to manage disparate identities across a number of systems, as well as the many applications and services adopted without IT's awareness. For the user, this also means numerous (and, most likely, insecure) passwords. Without visibility into and ownership of these fragmented identities, IT and security teams leave attackers potentially large windows in which to gain access to individual systems.
Stage 1: Unified Identity and Access Management (IAM)
The first step to closing the security gaps left open by many fragmented identities is consolidating them under one IAM system, across on-premises and cloud. This Stage 1 consolidation, via single sign-on (SSO), is critical to managing access and shouldn’t be limited solely to customers; it should cover any user that needs access to a service, including the full extended enterprise of employees, contractors and partners. Layering a second factor of authentication onto that centralized identity access point further helps to mitigate attacks targeting credentials. Additionally, unifying access policies across servers, a critical part of IT infrastructure, as well as applications is key to bringing IAM together into one secure, manageable place for IT.
Stage 2: Contextual Access
Once IT has unified IAM, the next stage in Zero Trust security is layering in context-based access policies. This means gathering rich signals about the user’s context (e.g., who are they? Are they in a risky user group?), the application context (which application the user is trying to access), the device context, location and network, and applying access policies based on that information. For example, a policy could be set to allow seamless access to managed devices on the corporate network, while unmanaged devices logging in from new locations would be prompted for MFA. Organizations can also assign different factors to different user groups, stepping up authentication based on what they know about those authentication attempts.
Stage 3: Adaptive Workforce
The final stage of Zero Trust implementation extends organizations’ focus on authenticating and authorizing access. Authentication no longer occurs just at the front gate, but continuously throughout the user’s session, through an adaptive, risk-based assessment that identifies potential threats. In practice, this begins with adding an intelligent, risk-based engine on top of the contextual responses from Stage 2, going beyond the discrete policies set in the prior stage. IT can now set a risk tolerance and let risk scoring based on those contextual signals determine how risky a particular authentication event is, prompting for a second factor when the score warrants it. Trust is also no longer absolute: the signals behind an adaptive authentication decision are continuously monitored, and the user is re-prompted for authentication and authorization verification should an aspect of their context change.
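To make Stage 2 (discrete contextual policies) and Stage 3 (risk scoring with a configurable tolerance, plus re-evaluation when a signal changes) concrete, here is an added example of a small access-decision engine. It is illustrative code written for this page, not Okta's code and not an Okta API; the signal names, the weights, the thresholds and the sample contexts are all assumptions constructed for the example.

```python
"""Context-aware access decisions: discrete rules, risk scoring, re-evaluation.

Added example for this page. Signals, weights and thresholds are assumed
values chosen for illustration; they are not taken from any real product.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"            # seamless access
    STEP_UP = "step_up_mfa"    # grant only after a second factor
    DENY = "deny"              # block the request outright


@dataclass(frozen=True)
class Context:
    """The signals gathered about one access attempt (assumed field set)."""
    user: str
    risky_group: bool        # user belongs to a group flagged as higher risk
    app_sensitivity: str     # "low" or "high"
    managed_device: bool     # device is enrolled and managed by IT
    network: str             # "corporate" or "external"
    known_location: bool     # location has been seen before for this user


def discrete_policy(ctx: Context) -> Decision:
    """Stage 2: fixed, hand-written rules (assumed rule set)."""
    if ctx.managed_device and ctx.network == "corporate":
        return Decision.ALLOW                      # trusted device on trusted network
    if not ctx.managed_device and not ctx.known_location:
        return Decision.STEP_UP                    # unmanaged device, new location
    if ctx.risky_group and ctx.app_sensitivity == "high":
        return Decision.STEP_UP                    # risky user reaching a sensitive app
    return Decision.ALLOW


def risk_score(ctx: Context) -> int:
    """Stage 3: combine the signals into a single score (assumed weights)."""
    score = 0
    if not ctx.managed_device:
        score += 30
    if ctx.network != "corporate":
        score += 20
    if not ctx.known_location:
        score += 25
    if ctx.risky_group:
        score += 15
    if ctx.app_sensitivity == "high":
        score += 10
    return score


def adaptive_decision(ctx: Context, step_up_at: int = 40, deny_at: int = 80) -> Decision:
    """Stage 3: IT sets the tolerance; the score decides allow / step-up / deny."""
    score = risk_score(ctx)
    if score >= deny_at:
        return Decision.DENY
    if score >= step_up_at:
        return Decision.STEP_UP
    return Decision.ALLOW


class Session:
    """Keeps evaluating trust: any changed signal re-runs the policy and
    invalidates a previously satisfied second factor."""

    def __init__(self, ctx: Context, decide=adaptive_decision):
        self.decide = decide
        self.ctx = ctx
        self.decision = decide(ctx)
        self.mfa_satisfied = False

    def complete_mfa(self) -> None:
        self.mfa_satisfied = True

    def update(self, **changes) -> Decision:
        """Apply a changed signal (e.g. network="external") and re-decide."""
        new_ctx = replace(self.ctx, **changes)
        if new_ctx != self.ctx:
            self.ctx = new_ctx
            self.mfa_satisfied = False     # trust is not absolute: re-verify
            self.decision = self.decide(new_ctx)
        return self.decision

    def access_granted(self) -> bool:
        if self.decision is Decision.ALLOW:
            return True
        if self.decision is Decision.STEP_UP:
            return self.mfa_satisfied
        return False


# Constructed sample contexts (not real users or events).
CORP_MANAGED = Context("alice", False, "low", True, "corporate", True)
UNMANAGED_NEW_LOCATION = Context("bob", False, "low", False, "external", False)

if __name__ == "__main__":
    for ctx in (CORP_MANAGED, UNMANAGED_NEW_LOCATION):
        print(ctx.user, discrete_policy(ctx).value, risk_score(ctx), adaptive_decision(ctx).value)
```

The discrete rules answer the same question as the risk score, but the score lets IT move a single threshold instead of rewriting rules, and `Session.update` shows the continuous part of Stage 3: a satisfied second factor does not survive a change in the signals that earned it.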
What’s Next with Okta and Zero Trust
There’s no silver bullet for Zero Trust. Some technology vendors will claim otherwise, but organizations want to embrace best-of-breed technologies that allow for greater flexibility and productivity. That’s why organizations today look to identity and Okta as the start of their Zero Trust journeys, using the Okta Identity Cloud as the core of their next-generation access strategy—and ensuring that only the right people have access to the right information, at the right time. Never trust, always verify.