Zero Trust Security is not a buzzword anymore
Okta, an identity management company, has published its report titled "The State of Zero Trust Security 2002". Based on 700 respondents, mostly C-level executives from global companies, the report clearly indicates that Zero Trust is now universally accepted as the way forward to secure organizations: nearly all organizations surveyed (97%) have either already started a Zero Trust initiative or have definitive plans to start one in the coming months. Back in 2019, only 16% of surveyed IT executives gave the same feedback.
In a cloud world, there is no perimeter and no specific network to defend. This became more apparent as employees moved en masse outside the on-prem network perimeter during the pandemic. Suddenly, most security events were not happening on the corporate network, but rather on employees' devices - the new network edge. And so the Zero Trust concept quickly became the architecture of choice for addressing the new reality. CIOs and IT administrators all over the world are now embracing the Zero Trust security framework, which has rapidly evolved from buzzword to strategic differentiator to business imperative. Governments are also playing the ZTNA card: for example, in 2021 the U.S. federal government mandated, by executive order, the development of Zero Trust architecture across governmental agencies.
Zero Trust is typically explained by citing its "never trust; always verify" tagline, or defined as an information security model that denies access to applications and data by default. These are often little more than tautologies. But what does ZTNA imply in practice?
First, assets such as laptops and servers become the focus of continuous verification of identity, device health, and access policy. This means the focus is no longer on network devices such as firewalls providing VPN access, but rather on always-on software agents installed on each asset. Only at this agent level, where real-time deep inspection of user activity takes place, can ZTNA access truly be enforced. This is why ZTNA is more closely related to EDR/XDR or SASE technologies, making it an ideal candidate for security stack consolidation.
The second implication of ZTNA is identity. In fact, identity management is foundational to every Zero Trust strategy, especially if you consider that compromising identity is the No. 1 tactic used in modern attacks.
In a world where the perimeter has disappeared, organizations need to make their assets available to authorized users while simultaneously safeguarding them from threat actors. These authorized users are not only office and remote employees, but also business partners - from outsourced contract workers to customers accessing, say, an application for ordering goods. Too often, these identities are relegated to isolated silos within applications and are not protected against the latest credential abuse tactics.
What are the key initiatives in terms of aligning identity management with ZTNA? Okta's report details many of them, including:
Connect employee directories to business-critical cloud apps for visibility into who’s accessing what no matter where they are.
Implement multi-factor authentication (MFA) for employees to provide key protection from credential theft.
Add MFA for external users, such as business partners and contractors.
Implement single sign-on (SSO) for employees for supported applications.
Enable self-service factor resets and reduce help desk costs.
Automate provisioning and deprovisioning for applications.
Automate provisioning and deprovisioning for employees and external users on a role-based model.
Enable privileged access management to cloud infrastructure.
Utilize different authentication factors across user groups based on risk and to reduce licensing costs.
Implement context-based access policies.
Add secure access to application programming interfaces (APIs).
Deploy secure passwordless access across the board.
Make access decisions at the data layer based on user and device posture position.
The report finds that many of those initiatives have at least been started by many organizations. However, managing secure access for external users (MFA, automated deprovisioning, etc.) is still quite rare. The same can be said for context-based access policies and passwordless access.
Evidently, the road to identity management aligned with modern access scenarios is still long, and so is the road to full Zero Trust maturity.
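The posture-aware, context-based access decisions described above (continuous verification of identity and device health, MFA for external users as well as employees, decisions made on user and device posture rather than network location) can be sketched as a single default-deny policy function. This is an added Python example, not code from Okta's report or any product; the attributes, thresholds and sample users are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed Zero Trust policy decision point: every request is evaluated
# against user identity, device posture and resource sensitivity, never
# against the network the request came from. Field names and thresholds are
# assumptions for illustration, not any vendor's schema.

@dataclass
class User:
    name: str
    user_type: str            # "employee" or "external" (partner, contractor)
    mfa_verified: bool        # strong factor verified for this session
    roles: set = field(default_factory=set)

@dataclass
class Device:
    managed: bool             # enrolled, running the always-on agent
    edr_healthy: bool         # agent reports EDR running and current
    disk_encrypted: bool
    os_patch_age_days: int    # days since last OS patch level was current

@dataclass
class Resource:
    name: str
    sensitivity: str          # "low", "medium" or "high"
    required_role: str

# Assumed patch-age tolerance per data sensitivity level (days).
MAX_PATCH_AGE = {"low": 90, "medium": 30, "high": 7}

def decide(user: User, device: Device, resource: Resource) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'.
    Default is deny: every check must pass explicitly on every request."""
    if resource.required_role not in user.roles:
        return "deny", "role not granted"
    # No MFA exemption for external identities: same rule for all user types.
    if not user.mfa_verified:
        return "step_up", "MFA required"
    # High-sensitivity data is reachable only from a managed device.
    if resource.sensitivity == "high" and not device.managed:
        return "deny", "unmanaged device"
    # Device posture is re-checked per request, not once at VPN login.
    if device.managed and not device.edr_healthy:
        return "deny", "EDR agent unhealthy"
    if resource.sensitivity != "low" and not device.disk_encrypted:
        return "deny", "disk not encrypted"
    if device.os_patch_age_days > MAX_PATCH_AGE[resource.sensitivity]:
        return "deny", "OS patches too old for this resource"
    return "allow", "all checks passed"
```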