The Role of IAM in a Zero-Trust World

Introduction

Identity and Access Management (IAM) is essential to implementing Zero Trust (ZT). Verifying user identity is core to ZT, and so is enforcing authentication and authorization at every level of access to data. This is easier said than done, especially when applying ZT principles to cloud and Software-as-a-Service (SaaS) applications, where keeping track of who is who and who can access what can become a serious challenge, bordering on the impossible. Solutions are emerging, however, that provide the fine-grained and dynamic IAM that ZT requires.

The Role of Identity in Zero Trust

ZT revolves around identity. The fundamental rule of the ZT framework is “never trust, always verify.” Implicit in this rule is a question: Whom are we never trusting and always verifying? The answer includes human users, devices, and software applications, each of which has a unique identity. Any person or thing that can request access to a digital resource has to have an identity that ZT subjects to continuous and dynamic verification.

How IAM Enables Zero Trust

IAM operationalizes the concept of identity in ZT. An IAM solution enables ZT by authenticating users and checking their access rights against the principle of least privilege. With IAM, a ZT architecture becomes viable because IAM ensures that only authorized identities reach resources, in the right context and at the right time.
Specifically, IAM solutions enable ZT by:

  • Continuously verifying identities, so that only authorized users (including machines and apps) can access the resources they request. This holds even for users who are already on the network; being inside the perimeter grants nothing by itself.
  • Implementing least-privilege access on a granular basis, granting just the permissions users require to perform their tasks.
  • Validating user devices to screen out unauthorized devices and to ensure that users are not requesting access from compromised devices.
  • Assessing the context of access requests, e.g., device location and behavior, along with other factors that take the verification process beyond a username and password.
  • Requiring multi-factor authentication (MFA) to confirm user identity.
  • Enabling auditing and monitoring of authentication and authorization decisions.

Challenges in Implementing IAM for ZT

Important as IAM is for ZT, it can be challenging to implement. One issue is the difficulty of integrating legacy IAM solutions, which were architected for perimeter security, with ZT, which typically spans on-premises, cloud, and SaaS environments. It may also be hard to configure IAM to provide the fine-grained access controls that effective ZT needs.

Other challenges include:

  • Managing changing access privileges in large, complex organizations.
  • Integrating IAM with SaaS apps, which may be hard to connect to the IAM solution or may maintain their own separate identity stores.
  • Continuously monitoring access requests, a capability not all IAM solutions provide.
  • Balancing usability with security, since stringent controls can frustrate users into working around them.
  • Gaining visibility into IAM data about access requests across different resources.

New IAM Solutions for ZT

A new generation of IAM solutions now offers functionality that aligns better with ZT. For example, some IAM solutions support granular role-based access control (RBAC). RBAC lets the IAM solution control access by mapping roles to permissions, e.g., members of the accounting team can access a subset of functionality on the accounting system, rather than assigning permissions user by user. The latter process is time-consuming and error-prone, and it leaves users' permissions out of date as they change jobs, which undermines the whole purpose of ZT.
Attribute-based access control (ABAC) takes RBAC further as an IAM capability in support of ZT. With ABAC, the IAM solution can base access decisions on attributes such as device type and posture, location, time of day, and so forth, evaluated at the time of each request rather than once at login. ABAC helps ZT by checking these characteristics during ZT's authentication and authorization steps, so a grant that was valid this morning from a managed device is not automatically valid tonight from an unknown one.
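To make the RBAC and ABAC steps above concrete, and to show what "continuously verifying" from the earlier list looks like in practice, here is an added example of a minimal, default-deny policy decision point. It is illustrative code written for this page, not code from the original post or from any IAM product. The roles, resources, attribute rules, and the user "alice" are all constructed assumptions; a real deployment would pull the role mapping and device posture from the IAM solution and the endpoint management system.

```python
"""Minimal policy decision point: RBAC grant check followed by ABAC rules.

Added example (not from the original post). Roles, resources, rule thresholds
and the sample requests are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable

# Hypothetical role -> {(resource, action)} grants for an accounting system.
ROLE_PERMISSIONS: dict[str, set[tuple[str, str]]] = {
    "accounting": {("ledger", "read"), ("ledger", "post")},
    "accounting-readonly": {("ledger", "read")},
    "hr": {("payroll", "read")},
}
ALLOWED_COUNTRIES = {"US", "CA"}          # assumed geofence
WRITE_ACTIONS = {"post", "update", "delete"}


@dataclass(frozen=True)
class Context:
    """Signals gathered at request time, not at login."""
    device_managed: bool
    device_compliant: bool
    country: str
    hour: int           # local hour, 0-23
    mfa_verified: bool  # MFA completed within this session


@dataclass(frozen=True)
class Request:
    subject: str
    roles: frozenset
    resource: str
    action: str
    context: Context


def rbac_grants(req: Request) -> bool:
    """RBAC step: does any of the subject's roles grant (resource, action)?"""
    return any((req.resource, req.action) in ROLE_PERMISSIONS.get(role, set())
               for role in req.roles)


# ABAC step: (rule name, predicate). Every predicate must hold; the names of
# failing rules are returned as denial reasons for the audit log.
ABAC_RULES: list[tuple[str, Callable[[Request], bool]]] = [
    ("managed device", lambda r: r.context.device_managed),
    ("compliant device", lambda r: r.context.device_compliant),
    ("allowed country", lambda r: r.context.country in ALLOWED_COUNTRIES),
    ("mfa for write actions",
     lambda r: r.action not in WRITE_ACTIONS or r.context.mfa_verified),
    ("business hours for write actions",
     lambda r: r.action not in WRITE_ACTIONS or 7 <= r.context.hour < 19),
]


def decide(req: Request) -> tuple[bool, list[str]]:
    """Default-deny decision: RBAC first, then every ABAC rule.

    Called on every request, so a change in device posture, location or time
    of day changes the answer without waiting for a session to expire.
    """
    if not rbac_grants(req):
        return False, [f"no role of {req.subject} grants {req.action} on {req.resource}"]
    failed = [name for name, ok in ABAC_RULES if not ok(req)]
    return (not failed), failed


def demo() -> dict[str, tuple[bool, list[str]]]:
    """Constructed requests from one accounting user across changing contexts."""
    roles = frozenset({"accounting"})
    office = Context(True, True, "US", 10, True)
    night = Context(True, True, "US", 2, True)
    byod = Context(False, False, "US", 10, True)
    abroad_no_mfa = Context(True, True, "BR", 10, False)
    return {
        "post_from_office": decide(Request("alice", roles, "ledger", "post", office)),
        "post_at_night": decide(Request("alice", roles, "ledger", "post", night)),
        "read_at_night": decide(Request("alice", roles, "ledger", "read", night)),
        "post_from_byod": decide(Request("alice", roles, "ledger", "post", byod)),
        "post_abroad_no_mfa": decide(Request("alice", roles, "ledger", "post", abroad_no_mfa)),
        "read_payroll": decide(Request("alice", roles, "payroll", "read", office)),
    }


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

The same user with the same role gets different answers as the context changes: posting to the ledger is allowed from a managed device during business hours, denied at 02:00, denied from an unmanaged device, and denied from outside the geofence without MFA, while reading the ledger at night still passes. The denial reasons are returned rather than just a boolean so the decision can be logged and audited, which is the monitoring requirement from the list above.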

Conclusion

ZT needs IAM because it is impossible to authenticate users and grant them least privilege if their identity is not clear. IAM is not easy to deploy for ZT, however; integration, granular access control, usability, and visibility all get in the way. A new generation of IAM solutions now offers what it takes to make IAM an integral part of ZT. Functionality like RBAC and ABAC, along with context-aware, continuous authentication and authorization, provides the fine-grained and dynamic IAM that ZT needs to succeed.

Chad Gerstensang
June 24, 2025