Zero Trust

Improving security posture

NIST’s Zero Trust architecture aligns with CyberRes’ comprehensive IAM platform

0%

Strongly agree Zero Trust is a necessary strategy for securing their business

0%

Zero Trust is more proactive than traditional approaches

0%

Zero Trust is the only way to combat sophisticated attacks

Source: Ericom 2021 Zero Trust Market Dynamics Survey

NIST’s zero trust architecture (ZTA) offers real value to organizations looking for guidance as they identify ways to raise their security posture while minimizing the usability hit for their users.

Today, the cloud paradigm shift is mainstream, making identity the best fit as the new security perimeter, especially in conjunction with BYOD and WFH trends. It’s this shift that brings Identity and Access Management (IAM) front and center into NIST’s ZT practices.

NIST states that the intent of a ZTA is to “ensure that the subject is authentic and the request is valid.” NIST’s 800-207 document" outlines 7 key tenets.

1

Tenet 1 – All data sources and computing services are considered resources.

This perspective speaks to the breadth of resources that fill an organization’s digital environment and ultimately need to be secured. While IAM doesn't secure routers and firewalls, a comprehensive IAM approach starts with an Identity Manager capability that enables organizations to manage the identities of a wide variety (systems, services, applications, databases, ERPs, business suite services, etc.) to secure access to as many as billions of resources. This Identity Manager (IDM) should be event-driven and normalize identity information across disparate resources, even IoT devices. Then Identity Governance (IG) raises IDM's management capabilities to the business level to provide a business view of controlling and reporting who has access to what. Organizations can also improve their security posture by automating the request and approval process.

Tenet 2 – All communication is secured regardless of network location.

The reality of remote access and cloud-based services has moved this tenet to the forefront. Plain federation does not address this tenet. Let that sink in. Federation alone between a service provider and its identity provider does not address this tenet. Rather, after the requester has been authenticated, the communication then transitions purely between the SP and its consumer. A solution has to provide secure communication between the gateway and the IdP (identity provider).

2

3

Tenet 3 – Access to individual enterprise resources is granted on a per-session basis.

Dynamic information can lead to more sophisticated (potentially more secure and/or higher usability) implementation of “per-session” access to resources. This tenant requires that each access request be evaluated before it is granted, and then managed until it is terminated.

Tenet 4 – Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.

This tenet underlines the advantages of taking a platform approach to identity and access management (IAM). It’s an important point because many organizations take a piecemeal approach to IAM, which limits their ZTA.

4

5

Tenet 5 – The enterprise monitors and measures the integrity and security posture of all owned and associated assets.

This tenet can be a little confusing, so here is some additional clarification: “An enterprise implementing a ZTA should establish a continuous diagnostics and mitigation (CDM) or similar system to monitor the state of devices and applications.”

Tenet 6 – All resource authentication and authorization are dynamic and strictly enforced before access is allowed.

Per NIST, “This is a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually reevaluating trust in ongoing communication… Continual monitoring with possible reauthentication and reauthorization occurs throughout user transactions, as defined and enforced by policy (e.g., time-based, new resource requested, resource modification, anomalous subject activity detected) that strives to achieve a balance of security, availability, usability, and cost-efficiency.”

6

7

Tenet 7 – The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

NetIQ Identity and Access Management delivers a comprehensive platform that maps to NIST’s Zero Trust tenets.

“IGA Buyer's Guide: Selecting the Right Identity Governance and Administration Solution”

Up next: