The industry has come a long way from asking what is Zero Trust? Most in the cyber community, thanks to efforts like NIST 800–207, cyber directives from the White House and the industry in general have educated the public on the concept of zero trust. That is, enterprises must be implementing the concept that users, sessions and processes must be re-authorized each step of the cyber process – especially when concerning ‘sensitive data”.
To implement Zero Trust – means we must elevate our identity technology and, just as important, how we are using identity in in the zero trust delivery process. To understand Zero Trust Identity Management – we should we look at the US’s Cybersecurity and Infrastructure Agency (CISA) Zero Trust Maturity Model (ZTMM) 2.0, published in April 2023
The ZTMM list Identity as the first pillar of five domains in the ZTMM, These include: Identity, devices, neworks, applications & workloads and data. Each pillar is equal in importance but identity is seen as the cornerstone to enable the others to function.
The Zero Trust Maturity Journey
To understand Zero Trust Identity Management – we must understand the “Zero Trust Maturity Journey”. The “maturity journey” acknowledges that enterprises are conducting security and operations in a manner today via a process with the ultimate state of a zero trust architecture with identity and access management as its core principles.
Image 1: CISA has quantified the journey to Zero Trust in (4) Stages
The four states are traditional, initial, advanced and optimal.
Let’s map Zero Trust, and specifically Zero Trust Identity Management, to these 4 stages:
Traditional Identity Management:
“Traditional” is what CISA denotes as the current state of identity management and identity security. It denotes that most processes are manual and static. That is, the tools used are manually operated to create users and to provision rights.
A key concept in all of these states is the principle of least privilege, (NIST CSF 1.1 PR.AC-4). Users should (and must under data guidances like GDPR and CCPR/CCPA) be granted only the minimum amount of privileges to conduct their necessary activities.
In the world of traditional identity management – users are granted least privileged only at the time of provisioning. There generally is no process, manual or automated for “reviewing” the privileges of the users – to ensure the principle of least privilege is enacted.
In addition in the traditional identity management model, policy enforcement is siloed – and not unified across resources: applications, device, data, etc.
Initial Zero Trust Identity Management:
The first stage in the Zero Trust Maturity Model is Initial – and the key word is “automation”. For Zero Trust Identity Management this means:
- Starting Automation of attribute/role assignment
- Starting Automation of policy decisions
- Starting Automation of enforcement
- And Starting Automation of the principle of least privilege
All of the activities require tools to be utilized. These tools fall into the category of IAM (identity and access management) and IGA (identity governance). The modern IAM tools are very good and utilize roles/groups to enforce policy across multiple systems: these tools include Entra ID (was Microsoft Azure AD), Okta, JumpCloud, Ping and others. The IGA tools that are supposed to help enforce the principle of least privilege through automated access reviews fall between the traditional (and expensive) IGA tools like Sayvnt and SailPoint and the more rapidly deployed cloud systems like YouAttest and others.
Advanced Zero Trust Identity Management:
The “Advanced” state of zero trust identity management – means the enterprise has committed to full automation on the identity controls – for provisioning, assignment enforcement and governance.
Key to this level is that the tools mentioned in the initial phase are used to their maximum ability to automate all identity processes. In this way users are quickly provisioning. Role changes are enforced across resources and governance is automated for both static and real time attestation of rights.
The tools in the advanced state should be “building toward an enterprise-wide awareness of risk”. Per CISA. The tools used should feed back into the enterprise identity systems, especially around the concept of the principle of least privilege. For example the user access reviews should be able to revoke privileges to enforce governance on the identity systems
Optimal Zero Trust Identity Management:
At this stage, the enterprise is fully automated on all levels of identity management, provisioning, lifecycle management and governance. In addition automated and observed triggers, dynamic and real-time in nature, enforce key identity security concepts, like the principle of least privilege. That is a change in permissions that is anomalous (and probably malicious) should trigger identity session action such as a step-up authentication or logoff. This requires that the identity tools have technologies such as machine learning that can create a trust score that would be enforced by collaborative identity enforcement tools.
The objective of zero trust is to reduce risk and raise security in our Enterprise architectures. To do this requires both raised awareness of the different components in the identity system and the zero trust maturity state of each component. It also requires a knowledge of new advanced tools, and a rise of expectations on current tools to be more automated and more dynamic in understanding of identity risk and enforcement of dynamic identity policies.
Peter Gailey – CEO of Gailey Solutions LLC
Garret Grajek – CEO of YouAttest