Zero Trust

What boards need to know: How identity and context underpin zero trust security

Sep 14, 2021
Zero trust and identity management

Editor's note: This article is the third in the series “Understanding Zero Trust Security.”

It’s too easy to impersonate a machine.

Hackers do it to breach corporate network perimeter defenses and gain access to systems inside the firewall. Once inside, they move laterally from system to system, masquerading as a trustworthy user logged on from a trusted device. In ransomware attacks, those hackers seize data, encrypt it, and extort money for the decryption key. Others steal corporate assets to sell to the highest bidder on the dark web. And many do both.

The firewall isn’t the only vulnerability to blame. It’s the legacy architecture itself. When enterprise network security is inextricably linked to a device, the network isn’t secure. Period. All it takes is one guessed password, one employee clicking a link in a phishing email, or one spoofed IP address, and the hacker is in...and everywhere.

A zero trust architecture (ZTA) secures a cloud-first, device-agnostic, work-from-anywhere way of working. (See my earlier articles in this series on NACD BoardTalk: “Challenge Everything, Trust Nothing: What Boards Should Know About Zero Trust” and “Navigating the New Cyber-Threat Landscape: Zero Trust Risk Measurement and Mitigation Best Practices.”) Fundamental to a zero trust architecture is identity, which serves as the new basis for conditional access and is something boards of directors must understand and evangelize. Identity underpins zero trust and is the best way to manage secure connectivity to applications, destinations, and resources to protect the modern enterprise workplace.

Managing conditional access with identity...and context

In a ZTA, there is no longer the premise of a single trusted corporate network, nor the burden of its costly, inefficient, and insecure infrastructure. Connectivity is direct and ephemeral: employees connect only to the applications or resources they need to do their work, for as long as they need them.

A ZTA relies on business-defined, conditional access to resources. Identity is the basis for granting that access, but it is only the first facet of zero trust authentication and of the business policies that govern access. Identity links a user to context, which adds further validation layers to accurate identification. In establishing security and access, IT leaders can evaluate many types of context, including user, role, group, department, location, device, and device status (managed or unmanaged, recognized or unrecognized, company-issued or employee-supplied, and so on).

Context provides necessary breadth and depth to identity-based access. An employee in a sales department, for instance, might have access to cloud and internal resources specific to fulfilling sales duties, such as Salesforce or a company quota-tracking application. Similarly, an engineer might have access to development tools such as GitHub or Jira. But neither would have access to the other’s systems, nor would the two sets of systems be connected to or reachable from each other in any way.

A ZTA solution also uses context to signal compromise. If an identified employee acts outside expected norms, the solution can flag the unexpected behavior and take corrective action. Such out-of-context behavior might be an employee accessing systems not required for their work, attempting to connect from a new device, or trying to move proprietary digital assets to an external location.

In a ZTA environment, context governs connectivity. Context also limits the potential “blast radius.” If a hacker compromises an individual device in a ZTA environment, lateral movement is curtailed: the device is connected to specific applications rather than to a flat network of adjacent systems, and any further access requests that fall outside the compromised identity’s authorized context are rejected. (The attacker can still reach whatever that one identity is permitted to reach from that device, which is why tightly scoped, least-privilege policies matter.) Contrast that with traditional security architectures: if hackers breach a legacy network environment, they can move along a network path from one system to another.

Business policies define security (rather than the other way around)

The U.S. National Institute of Standards and Technology (NIST) zero trust architecture standard (NIST Special Publication 800-207) notes that identity is “the key component of policy creation,” with resource access based on business privileges assigned to a specific person. Business-defined policies govern access. For instance, this particular sales employee can access resources A, B, and C; that particular engineering employee can access resources D, E, and F; and so on.
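To make the two preceding sections concrete, the following Python sketch is an added example of a minimal policy decision point that evaluates an access request against identity and context. It is not code from this article, from NIST, or from any vendor named here; the users, managed devices, resources, and business policies are all constructed for the illustration, and the specific context checks (department, MFA, managed device, expected region) are a hypothetical selection from the kinds of context discussed above.

```python
"""Minimal context-aware policy decision point (hypothetical example).

Assumes an identity directory, a managed-device inventory, and a set of
business-defined policies; all of the data below is constructed for the
example and is not real.
"""
from dataclasses import dataclass, field

# Constructed identity directory: who the user is and what is "normal" for them.
USERS = {
    "alice": {"department": "sales", "home_region": "US"},
    "bob": {"department": "engineering", "home_region": "EU"},
}

# Constructed device inventory: devices recognized as company-managed, per user.
MANAGED_DEVICES = {
    "alice": {"laptop-0117"},
    "bob": {"laptop-0203"},
}

# Business-defined policy: which departments may reach a resource, and whether
# the resource is sensitive enough to require a managed device.
POLICIES = {
    "salesforce": {"departments": {"sales"}, "require_managed": False},
    "quota-tracker": {"departments": {"sales"}, "require_managed": True},
    "github": {"departments": {"engineering"}, "require_managed": True},
    "jira": {"departments": {"engineering"}, "require_managed": False},
}


@dataclass(frozen=True)
class Request:
    """One access request: the identity plus the context it arrives with."""
    user: str
    resource: str
    device_id: str
    region: str
    mfa_passed: bool


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Default-deny evaluation: every context check must pass to allow."""
    user = USERS.get(req.user)
    if user is None:
        return Decision(False, ["unknown identity"])
    policy = POLICIES.get(req.resource)
    if policy is None:
        # A resource with no business policy is unreachable, not open.
        return Decision(False, ["no policy for resource: default deny"])

    reasons = []
    if user["department"] not in policy["departments"]:
        reasons.append("department not authorized for resource")
    if not req.mfa_passed:
        reasons.append("MFA not satisfied")
    is_managed = req.device_id in MANAGED_DEVICES.get(req.user, set())
    if policy["require_managed"] and not is_managed:
        reasons.append("unmanaged or unrecognized device")
    if req.region != user["home_region"]:
        reasons.append("region differs from expected")
    return Decision(allow=not reasons, reasons=reasons)


def denied_with_reasons(requests):
    """Batch helper for monitoring: returns (request, reasons) for every denial.

    A burst of denials for one identity (new device, out-of-department
    resources) is the out-of-context signal the text describes.
    """
    out = []
    for req in requests:
        decision = evaluate(req)
        if not decision.allow:
            out.append((req, decision.reasons))
    return out


if __name__ == "__main__":
    # Alice on her managed laptop: allowed. Alice's stolen credentials used
    # from an unknown device abroad to reach an engineering tool: denied.
    print(evaluate(Request("alice", "salesforce", "laptop-0117", "US", True)))
    print(evaluate(Request("alice", "github", "laptop-9999", "RU", True)))
```

Each deny carries every failed check rather than the first one, so the same evaluation output can drive both the access decision and the compromise signal: a single request failing three context checks at once is worth an alert, not just a rejection.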

Such validation requires identity and access management (IAM) services, ideally delivered as a cloud-based solution. IAM solutions (available from vendors such as CA, Microsoft, Google, IBM, Okta, and many more) provide a scalable way to authenticate and authorize user access to resources outside the perimeter of legacy corporate networks.

Why does context-based security matter?

A ZTA provides an access model attuned to today's way people work: outside the office, beyond the data center, and in the cloud. Security and policy follow the user and the user’s data, wherever that user may be, wherever that data may reside, to whatever destination that user may connect, and on whatever device that user may employ.

ZTA context-based access greatly improves upon a legacy network access model:

  • More secure #1: Identity-based context, multi-factor authentication, and behavioral analysis offer IT leaders better control of, visibility into, and ultimately governance over corporate resource access.
  • More secure #2: Users cannot access resources or destinations without authorization.
  • More flexible #1: Context-based access solutions can easily scale to support governed access to cloud, datacenter-hosted, and on-premises resources. (Legacy hardware solutions cannot.)
  • More flexible #2: Business policy can be set at a macro or micro level, with resource-access rules defined for both a group and an individual employee.
  • Device-agnostic: Since the access decision keys on the user’s identity and context rather than on the machine alone, employees (and administrators) enjoy the same level of security regardless of the device (laptop, tablet, phone) used to access corporate resources.
  • Enables work-from-anywhere (WFA): Users get the same access (and administrators ensure the same security) whether they work at headquarters, in a branch office, or on the road.

Boards of directors have the opportunity to lead enterprises forward from legacy device-based security to zero trust context-based access. Understanding the importance of identity is the first step toward that objective.

What to read next

NACD BoardTalk: Navigating the New Cyber-Threat Landscape: Zero Trust Risk Measurement and Mitigation Best Practices

NACD BoardTalk: Challenge Everything, Trust Nothing: What Boards Should Know About Zero Trust