The process of digital transformation is continuing apace, presenting companies with ever-new challenges when it comes to cyber security and data protection. Digital transformation often brings about a scenario where company resources can be accessed from everywhere, which in turn increases the number of data access points, roles and user accounts. In such a complex IT ecosystem, effectively managing and controlling identities and their access can be challenging, which is why identities are a key factor in Zero Trust 2.0. We want to take a closer look at this in the second part of our blog series.
Our five-part blog series shows you specific approaches to the practical implementation of Zero Trust 2.0 based on the five pillars of «Identity», «Devices», «Networks», «Applications & Workloads» and «Data». Check out the first part for our tips on readying your device security!
Identities are a core aspect of defence in the ever-evolving cyber-security landscape. Controlling which identities have access to which resources in your digital realm is fundamental. In this part of our blog series, we look at identity management – a central pillar of Zero Trust 2.0 that acts as a gatekeeper to guard your «fortress».
Effective identity and access management (IAM) is the basis of a zero-trust architecture. Companies can progress this pillar with the measures outlined below.
We’re well aware that you won’t be starting from scratch, which is why this article will take a detailed look at the critical elements of this pillar and outline specific measures for tailoring your IAM strategy to Zero Trust 2.0 while utilising existing technologies.
At the heart of IAM is the verification of user identities and ensuring that users can only access authorised resources. While passwords previously served as gatekeepers, their vulnerability to breaches and theft has led to the introduction of multi-factor authentication (MFA). MFA for all accounts should therefore be part of any progressive IAM strategy.
MFA is a system for verifying digital identities that requires multiple independent authentication checks. It is similar to password-free authentication in that it also uses biometric or possession-based factors (something you have), among others. User names and passwords are still used, but no longer on their own. In today’s context, MFA is therefore an important «good practice» measure – regardless of any zero trust benefits!
Managing numerous passwords across different systems is not only laborious, but also harbours security risks. Identity federation and single sign-on (SSO) are therefore integral components of an extended IAM.
Identity federation allows accounts to access multiple systems with a single set of credentials (centralised identity management). SSO, on the other hand, allows users to log in just once and then access all resources without the need for repeat authentication. This not only improves user-friendliness, but also reduces the attack surface by centralising authentication.
We’re sure you also agree that the days of granting blanket access to resources are over. Your IAM strategy must also take this aspect into account, so it needs to be based on the principles of just-in-time and just-enough access control.
Just-in-time access ensures that users only have access to resources when they actually need them, which significantly reduces the window of opportunity for potential cyber attackers. Just-enough access ensures that accounts only receive those authorisations that are absolutely necessary to perform their specific tasks. This minimises the risk of attacks that seek to expand authorisations.
But that’s not the end of the story. IAM goes much further – and can be a complex matter, as it also includes the management of user identities, roles and authorisations for a large number of resources. This is where identity and access management platforms come into play as they simplify this process considerably. These platforms centralise the provisioning and the (equally important) deprovisioning of users as well as access control.
Our recommendation: integrate IAM platforms into your IAM strategy to optimise identity management and ensure that users always have the right level of access. User authentication, limiting access times and resources and the corresponding management via the IAM platform mean that you’re optimally positioned for zero trust.
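To make the just-in-time / just-enough principle and the deprovisioning step concrete, here is a small access broker written as an added example (not InfoGuard's code or any vendor's API). It assumes a hypothetical task catalogue that maps each task to the minimum permission set it needs; a grant is only valid for a short window, expired grants disappear on the next check, and deprovisioning a user revokes everything at once.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, FrozenSet, List, Optional

# Hypothetical task catalogue (constructed for this example): each task lists
# only the permissions strictly needed to carry it out (just-enough access).
TASK_PERMISSIONS = {
    "rotate-db-password": {"db:read-config", "db:write-secret"},
    "read-audit-logs": {"logs:read"},
}


@dataclass(frozen=True)
class Grant:
    user: str
    permissions: FrozenSet[str]
    expires_at: datetime


class JitAccessBroker:
    """Issues short-lived, task-scoped grants instead of standing privileges."""

    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        self.grants: List[Grant] = []
        # Injectable clock so the expiry behaviour can be exercised deterministically.
        self._now = now or (lambda: datetime.now(timezone.utc))

    def request(self, user: str, task: str, minutes: int = 30) -> Grant:
        perms = TASK_PERMISSIONS.get(task)
        if perms is None:
            raise ValueError(f"unknown task {task!r}")  # nothing outside the catalogue is grantable
        grant = Grant(user, frozenset(perms), self._now() + timedelta(minutes=minutes))
        self.grants.append(grant)
        return grant

    def is_allowed(self, user: str, permission: str) -> bool:
        now = self._now()
        # Expired grants are pruned on every check, so the access window closes by itself
        # even if nobody remembers to revoke it.
        self.grants = [g for g in self.grants if g.expires_at > now]
        return any(g.user == user and permission in g.permissions for g in self.grants)

    def deprovision(self, user: str) -> int:
        """Revoke every grant of a leaver; returns how many were removed."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.user != user]
        return before - len(self.grants)


if __name__ == "__main__":
    broker = JitAccessBroker()
    broker.request("alice", "rotate-db-password", minutes=15)
    print(broker.is_allowed("alice", "db:write-secret"), broker.is_allowed("alice", "logs:read"))
```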
Secure configuration and utilisation of the existing functions of the deployed components (ZTNA or on-premise) is an essential part of the more comprehensive zero-trust framework. As operators of such components, we’re required to understand these technologies and integrate them into our networks. This is the only way to ensure that they meet the requirements of today’s constantly changing threat landscape.
A fundamental step within a zero-trust strategy is the continuous analysis of data traffic so that applications can be identified precisely. The manufacturer-specific designations are irrelevant here because the approach is independent of the platforms used.
This classification groups applications based on their intended use and risk value.
Increased transparency of data traffic also enables precise control and management of these applications at firewall level, significantly reducing the attack surface and allowing access to authorised applications only.
The authentication of users and the use of group memberships additionally ensure that access is only granted to authenticated persons and groups. Identifying this data traffic enables it to be controlled in a differentiated way:
• The authentication of users and their group membership serves to ensure secure data transfers.
• This enables not only the control of data traffic based on users and groups, but also comprehensive reporting and forensic analysis.
DNS security is another key aspect. The increasing number of DNS-based threats such as data exfiltration, C2 traffic, phishing and ransomware means that securing DNS traffic is all the more important. Analysing this traffic enables such threats to be detected and provides mechanisms for blocking them.
«Advanced» and «optimal» maturity-level zero-trust frameworks revolutionise network security by combining persistent traffic analysis, precise application mapping, user authentication and DNS security, allowing networks to be raised to a higher security level.
In summary, IAM is the cornerstone for the defence of your digital realm and as such a central pillar of Zero Trust 2.0. Companies can strengthen their IAM strategy in the long term by implementing MFA, utilising IAM platforms, introducing just-in-time and just-enough access controls and rolling out identity federation and SSO. This creates an optimal basis for zero trust.
The next part of the blog series will look at how you can integrate Zero Trust 2.0 into your network. We’ll also show you key measures and approaches for effectively shoring up your network perimeter.
Our blog series "Zero Trust 2.0 - Implemented in 5 steps" gives you a complete 360° perspective:
Part 1: Device security
Part 2: Identity management
Part 3: Network security
Part 4: Data security
Part 5: Analytics and automation
We wish you an inspiring read.