The process of digital transformation is continuing apace, presenting companies with ever-new challenges when it comes to cyber security and data protection. Digital transformation often brings about a scenario where company resources can be accessed from everywhere, which in turn increases the number of data access points, roles and user accounts. In such a complex IT ecosystem, effectively managing and controlling identities and their access can be challenging, which is why identities are a key factor in Zero Trust 2.0. We want to take a closer look at this in the second part of our blog series.
Our five-part blog series shows you specific approaches to the practical implementation of Zero Trust 2.0 based on the five pillars of «Identity», «Devices», «Networks» «Applications & Workloads» and «Data». Check out first part for our tips for readying your device security!
Identity and access management (IAM) as a key element in Zero Trust 2.0
Identities are a core aspect of defence in the ever-evolving cyber-security landscape. Controlling which identities have access to which resources in your digital realm is fundamental. In this part of our blog series, we look at identity management – a central pillar of Zero Trust 2.0 that acts as a gatekeeper to guard your «fortress».
Effective identity and access management (IAM) is the basis of a zero-trust architecture. Companies can progress this pillar with the following measures:
- Implementing two factor for all user accounts to create an additional layer of security.
- Deploying just-in-time and just-enough access controls to limit unnecessary access to resources.
- Using identity and access management platforms to effectively manage user identities, roles and authorisations.
We’re well aware that you won’t be starting from scratch, which is why this article will take a detailed look at the critical elements of this pillar and outline specific measures for tailoring your IAM strategy to Zero Trust 2.0 while utilising existing technologies.
Multi-factor authentication (MFA) for enhanced security
At the heart of IAM is the verification of user identities and ensuring that users can only access authorised resources. While passwords previously served as gatekeepers, their vulnerability to breaches and theft has led to the introduction of multi-factor authentication (MFA). MFA for all accounts should therefore be part of any progressive IAM strategy.
MFA is a system for verifying digital identities that requires multiple authentication checks. It is similar to password-free authentication in that it also uses biometric or proprietary factors, among others. User names and passwords are still used, but not exclusively. In today’s context, MFA is therefore an important «good practice» measure – regardless of any zero trust benefits!
Identity federation and single sign-on (SSO)
Managing numerous passwords across different systems is not only laborious, but also harbours security risks. Identity federation and single sign-on (SSO) are therefore integral components of an extended IAM.
Identity federation allows accounts to access multiple systems with a single set of credentials (centralised identity management). SSO, on the other hand, allows users to log in just once and then access all resources without the need for repeat authentication. This not only improves user-friendliness, but also reduces the attack surface by centralising authentication.
Just-in-time and just-enough access controls
We’re sure you also agree that the days of granting blanket access to resources are over. Your IAM strategy must also take this aspect into account, so it needs to be based on the principles of just-in-time and just-enough access control.
Just-in-time access ensures that users only have access to resources when they actually need them, which significantly reduces the window of opportunity for potential cyber attackers. Just-enough access ensures that accounts only receive those authorisations that are absolutely necessary to perform their specific tasks. This minimises the risk of attacks that seek to expand authorisations.
The role of identity and access management platforms
But that’s not the end of the story. IAM goes much further – and can be a complex matter, as it also includes the management of user identities, roles and authorisations for a large number of resources. This is where identity and access management platforms come into play as they simplify this process considerably. These platforms centralise the provisioning and the (equally important) deprovisioning of users as well as access control.
Our recommendation: integrate IAM platforms into your IAM strategy to optimise identity management and ensure that users always have the right level of access. User authentication, limiting access times and resources and the corresponding management via the IAM platform mean that you’re optimally positioned for zero trust.
Our specific implementation tip for identities based on zero trust
Secure configuration and utilisation of the existing functions of the deployed components (ZTNA or on-premise) is an essential part of the more comprehensive zero-trust framework. As operators of such components, we’re required to understand these technologies and integrate them into our networks. This is the only way to ensure that they meet the requirements of today’s constantly changing threat landscape.
A fundamental step within a zero-trust strategy is the continuous analysis of data traffic so that applications can bed identified precisely. The manufacturer-specific designations are irrelevant here because the approach is independent of the platforms used.
- Applications can be precisely identified by continuously analysing the data traffic. Regardless of platforms or ports, data streams are permanently assigned to the corresponding applications.
This classification groups the products based on their intended use and risk value.
Increased transparency of data traffic also enables precise control and management of these applications at firewall level, significantly reducing the attack surface and allowing access to authorised applications only.
- Enabling HTTP on port 80 only allows HTTP traffic while blocking other services such as RDP, file sharing etc.
- Precise control and management of applications at firewall level significantly reduce the attack surface.
The authentication of users and the use of group memberships additionally ensures that access is only granted to authenticated persons and groups. Identifying this data traffic enables differentiated control of the data traffic.
• The authentication of users and their group membership serves to ensure secure data transfers.
• This enables not only the control of data traffic based on users and groups, but also comprehensive reporting
and forensic analysis.
DNS security is another key aspect. The increasing number of DNS-based threats such as data exfiltration, C2 traffic, phishing and ransomware mean that securing DNS traffic is all the more important. Analysing this traffic enables such threats to be detected and provides mechanisms for blocking them.
- Potential threats can be blocked and identified by redirecting C2 servers into a sinkhole.
«Advanced» and «optimal» maturity-level zero-trust frameworks revolutionise network security by combining persistent traffic analysis, precise application mapping, user authentication and DNS security, allowing networks to be raised to a higher security level.
Zero trust – the next step
In summary, IAM is the cornerstone for the defence of your digital realm and as such a central pillar of Zero Trust 2.0. Companies can strengthen their IAM strategy in the long term by implementing MFA, utilising IAM platforms, introducing just-in-time and just-enough access controls and rolling out identity federation and SSO. This creates an optimal basis for zero trust.
The next part of the blog series will look at how you can integrate Zero Trust 2.0 into your network. We’ll also show you key measures and approaches for effectively shoring up your network perimeter.
Don't miss the third part of the zero-trust blog series!
Subscribe to our blog updates now and receive the latest articles delivered conveniently to your inbox! Register now!