You don’t want to move ahead with your Zero Trust Security implementation before you learn what’s best (new) on the market. It could be costly in more ways than one. You might think you’ve got it all covered, but you could be buying something imperfect when something much better has just rolled out… The future is here and reassessing your options might be the right move.
Converged IAM Will Be the New Zero Trust Standard
Converged IAM is the next big thing, and it is here now. It’s smart, it is savvy, and will be the choice of over 45% of new customers by 2023. And best of all, it oozes Zero Trust.
Converged IAM is an all-in-one suite that includes two key IAM technologies under one umbrella. It offers both Access Management (AM) and Identity Governance and Administration (IGA), both from a single source code and dashboard.
IAM is the technology around which all Zero Trust initiatives should be built. Here’s why:
What is Zero Trust?
You’ve probably heard the term being thrown around in the last couple of years. Maybe you don’t fully know what it means, or maybe don’t know at all. And even if you’ve studied it thoroughly, there’s information in here that’s new and that you can benefit from.
Zero Trust is a security framework that requires all users, whether inside or outside an organization’s network, to be authenticated, authorized, and continuously validated before being granted or keeping access to applications and data. Traditional security architecture is needed only to protect on-premises resources. It therefore logically followed that securing the network was of prime importance and was the only thing necessary to preventing resource theft or sabotage. But now, with resources being moved to the cloud, this no longer applies. Resources need to be protected in and of themselves, not just as part of a network.
Identity is the New Perimeter
Organizations can no longer count on employees accessing resources from behind corporate firewalls, or from devices administrated by the business. The advent of BYOD (bring your device), remote working (made an everyday occurrence due to the COVID-19 pandemic), and the shift of resources from on-premises to the cloud, all have rendered traditional network security obsolete.
A line of more realistic thinking has evolved that assumes attackers to be present and active on the network regardless if it is on-site or in the cloud. This helps focus attention on the authentication of identities, authorization of access rights, and continual evaluation of posture – all of which will help an organization make better decisions concerning granting and monitoring access to the data, resources, or services.
Identity is the one constant that remains when you take networks out of the equation. It is a person who utilizes a device to gain access through a network or over the internet to a corporate resource. If we can authenticate this person’s identity and provide access to only the resources he or she is authorized for, we can reliably secure corporate resources.
To do this we need a secure authentication methodology, such as multi-factor or adaptive authentication. We also need granular access provisioning and access rights policy enforcement. The first one increases the security of authentication, and the second ensures that people who are authenticated only have access to what they need and nothing more (principle of least privilege).
In Zero Trust, the adage of ‘Trust but Verify’ is replaced with a new one: ‘Never trust, Always Verify’.
This has become a necessity for business IT security today because Identity, not a network, is the new perimeter.
Key Components of Zero Trust
Now that we know what Zero Trust hopes to achieve, let’s look at how it hopes to achieve it.
As discussed, instead of only securing the network perimeter and implicitly trusting any traffic within it, a Zero Trust security architecture would follow this process:
- Authenticate the user (utilizing MFA or Adaptive Authentication for increased security)
- Establish access rights (previously defined within the IGA system)
- Evaluate the appropriateness of the access rights (through a continual process of access review and recertification)
- Act upon the evaluation in 3) (notify overseers of potentially risky access, and possibly block access if defined in the policy engine)
- Provide access
The 1st and 2nd steps are relatively straightforward. The 3rd utilizes a risk policy or engine to establish whether all of a user’s access rights are appropriate. It can check, for instance, if other users with the same role possess the same rights or when last an access right was provided to another employee. And it does this not once but continually.
The 4th step works towards acting on the results of the 3rd step. If an employee possesses dubious access rights, the system will either notify an overseer (admin, manager, or others) or if defined in the risk policy, deny access altogether.
Converged IAM Addresses All This
How Access Management Contributes
In an ideal Zero Trust environment, authentication is secured through MFA or Adaptive Authentication. It should also leverage the power of Single Sign-on (SSO) to increase security by preventing password fatigue and improving user experience. A good SSO solution also forces users to sign on only through the SSO portal, instead of allowing sign-on through application URLs. This enforces Security Assertion Markup Language (SAML), OpenID, or OAuth authentication, which are more secure mechanisms in which credentials are never submitted through a network. Instead, authorization happens with tokens being sent from the Identity Provider (SSO provider) to the Service Provider (SP). SSO is an Access Management technology.
The Need for a Universal Directory
Gone are the days in which Microsoft AD or Lightweight Directory Access Protocol (LDAP) were the two possible choices as the best Single Sources of Truth (SSOT).
These were used in conjunction with an on-premises data center and were protected by company firewalls. These directories were the only ones an organization needed in times when resources and applications were stored on-premises. And users came primarily from Windows domains and devices were all Windows clients or servers. But now, with cloud computing, BYOD, and remote working, the landscape has changed. Active Directory was built to operate in environments with Windows-based PCs on desktops and Windows servers, all connected through a private corporate network. But today’s enterprise consists of laptops moving between networks with ease and smartphones that are rarely connected to corporate WiFi.
This shift demands a new kind of SSOT, one that can integrate with anything and anywhere. Thus, we have proprietary Universal Directories which come part and parcel with good AM products. The advantage is that the SSO solution can be developed, managed, and updated easily when it is built around a predesignated SSOT. We will also see the advantage of an integrated SSOT for IGA.
How IGA Contributes
IGA handles access provisioning and recertification. The continual process of assessing the risk of access and taking appropriate actions also happens through this technology. Thus, IGA is the only technology that can fulfill the Zero Trust mandate of securing access not just to an account or a network, but to the subsequent access of applications and resources.
But wait! Remember when we said that an integrated SSOT benefits IGA? Since the SSOT is the repository of all user attributes, security and functionality are improved if both the SSOT (part of the AM technology) and the IGA deployment are part of the same product. This way the frequent and essential interaction between the SSOT and the IGA component can happen smoothly, and management and update of either module can happen in an integrated manner. It is simply superior technology with less friction and more possibilities than if the SSOT (AM) and IGA were part of different products. The latter setup would be fraught with complications, not the least that continual integration after updates would be slow and cumbersome, and features that integrate the two would be limited.
Other Reasons Why Converged IAM is Superior to Traditional IAM
You can forget about the hassle of buying multiple solutions from different vendors to fulfill your IAM requirements – Access Management and Identity Governance and Administration. It costs a whole lot more and is the unintelligent way of going about it. You need each solution to talk with the other, which is in itself a problem, and then you need to train your staff to manage each different one. You will then be pulling your hair out when updates in one solution render others unable to integrate with it. Besides, when buying full-suite products in each category, AM, and IGA, your ROI will be low because you won’t use all the full-suite features, and your employees must deal with unnecessarily complex technology where a simple one would do.
The future is Converged IAM: an all-in-one IAM solution, from a common source code and in a single dashboard. It fulfills Zero Trust architecture better than anything else out there because it integrates SSO, MFA, access provisioning, access rights evaluation and continual recertification, and a proprietary universal directory as an SSOT into a common source code and dashboard. This enhances function and reduces friction associated with integrating multiple products that update on their schedule.
It also costs much less, and you only pay for what you need. It is also intuitive, and your staff won’t need specialized training.
So, now that you know that Converged IAM is the go-to technology for fulfilling your Zero Trust security architecture, you can reconsider your choices. And if you are just starting, you have a better lay of the land. We hope your increased knowledge will guide you to more informed decisions.
- What is zero trust?
- Identity is the new perimeter
- Why is it important?
- What is converged IAM? What do analysts say, why is it important?
- How converged IAM supports zero trust
Never trust, always verify. Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as workers in any location.
All the security controls in the world won’t do you any good if you don’t know who your user is.
You can no longer count on employees accessing proprietary applications from behind the corporate firewall over computers issued by your organization, or an environment where consumers access your website from a single place. The digital enterprise continues to give employees, partners, and customers unprecedented access to applications and data outside the firewall, and you must move to dynamic and continuous authentication so that you can be sure the user is exactly who you think they are, at all times.
Strong, continuously adaptive authentication is based on a centrally managed system that manages authentication for all resources. It serves up the appropriate level of authentication assurance based on the risk of the transaction. It also embraces continuous authentication, which keeps an eye on changes in behavior or context that would let you know if someone other than the original user assumes control of the session.
Also, just because you know who a user is doesn’t mean the user should have free rein over all your resources. Strong authorization based on a single control layer that determines access policy for each application and application page ensures that not only do you know who your user is, you know the user is accessing only the information and data that you want that particular user to access.
Security and technology experts say the castle-and-moat approach isn’t working. They point to the fact that some of the most egregious data breaches happened because hackers, once they gained access to corporate firewalls, were able to move through internal systems without much resistance.
As a result, organizations must ensure that all access requests are continuously vetted before allowing connection to any of their enterprise or cloud assets. That’s why enforcement of Zero Trust policies relies on real-time visibility into user credentials and attributes such as:
- user identity and type of credential (human, programmatic)
- number and privileges of each credential on each device
- normal connections for the credential and device (behavior patterns)
- endpoint hardware type and function
- firmware versions
- authentication protocol and risk
- operating system versions and patch levels
- applications installed on an endpoint
- security or incident detections including suspicious activity and attack recognition