Why Zero Trust Security Requires Group and Identity Management
The latest trend in security – Zero Trust Security – demands a “never trust, always verify” approach. At the heart of this approach is the requirement that the configuration of identity and associated assigned security is 100% correct. Without this in place, Zero Trust is protecting an insecure environment.
If you’re new to Zero Trust, it’s a concept that’s been around for a number of years, originally conceptualized by Forrester back in 2010. After 9 years, it’s finally going mainstream. The concept starts with a simple premise – don’t trust anyone to access anything… ever. But, to make Zero Trust productive, a second part needs to be added to the equation – verify who they are first… every time.
In practical application, it requires a myriad of solutions in place that authenticate the user, measure risk, validate the request for access, and – if everything checks out – provides access to the system, application, or resource needed.
So, where does Group and Identity Management come into play?
There’s an aspect of Zero Trust that, oddly enough, isn’t focused on often enough – the idea that the underlying security must be correct. So much effort goes into protecting authentication and who can use privileged credentials, that organizations forget the need to make sure the access that a privileged account has is actually correct in the first place.
And that’s where Group and Identity Management fits.
Group and Identity Management seeks to ensure the underlying directory on which Zero Trust sits is configured correctly. It should use a formal process of attesting that users, groups, group memberships, and permissions are all accurately configured and/or assigned to ensure the access Zero Trust believes it’s granting is correct.
The process of managing groups and identity is not a one-time thing; much like how least privilege (which is used as part of Zero Trust) need to be implemented as a continual part of operations to be effective, so does Group and Identity Management.
If you apply the “never trust, always verify” mantra to the underlying security that grants access to systems, applications, resources, and data, it means that IT can’t simply assume that permissions and assignments to users and groups are correct. Organizations need to put processes in place to frequently assess the then-current configuration of their users, groups, and permissions, attesting to the configuration’s validity.
By inserting Group and Identity Management into your Zero Trust implementation, the foundation on which Zero Trust resides stands firm, certain that the permissions and the accounts to which they are assigned are correct, reaffirming that user access – from both the request and configuration standpoint – has been verified prior to granting a user request.