The rapid rise of cyberattacks of all kinds, particularly ransomware, is pushing companies to look beyond the network perimeter and apply a zero-trust approach. But how does it work? And more importantly, how can its effectiveness be calibrated?
Often, an organization's first instinct is to implement zero trust at the network level, by reinforcing access to company resources, particularly via VPN for remote workers. However, once an attacker is inside the company network, what they can reach depends entirely on the access rights of the compromised user. Those access rights must therefore be managed so that every user holds only the minimum privileges needed.
This is where the role of identity and access management (IAM) takes center stage.
IAM: The cornerstone of zero trust
This translates into many more access doors for hackers. All these identities, wherever they are hosted, must follow the same security policy and the same constraints as the user's primary identity in the company. Here again, IAM plays a key role in the zero trust policy being implemented, helping maintain control over user identities and guaranteeing minimum access rights for each resource accessed, whether internal or external.
Managing identity as the new benchmark in zero trust
Identity federation forms an integral part of IAM, making it possible to limit the proliferation of user identities, especially in SaaS applications. In doing so, the company retains sovereignty over user authentication, as well as control of access rights to applications. It is an application of the zero-trust approach: the trust placed in applications is limited to the functionality they provide, and the primary functions of authentication and authorization are not delegated to them.
User lifecycle management (joiners, movers and leavers), enforcement of a comprehensive security policy, approval of rights by key individuals, and automatic provisioning and de-provisioning of accounts and access rights ensure that only authorized individuals have access to applications and data, and with minimal rights. This shows how central IAM is to a zero trust approach. Adding identity federation and multi-factor authentication (MFA) greatly reduces the attack surface while providing a better user experience.
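As an added example of the lifecycle and least-privilege provisioning described above (illustrative code written for this page, not Evidian's or Atos's software), the following reconciles a user's provisioned entitlements against what their roles justify on joiner, mover and leaver events. The RBAC model, role names and "application:right" entitlement strings are constructed assumptions; a real IAM system would drive connectors to the target applications instead of mutating an in-memory object.

```python
"""Role-based provisioning on joiner / mover / leaver events.

Added example. Assumptions (not from the article): a static RBAC model
mapping roles to "application:right" entitlements, and a user record that
holds the entitlements currently provisioned in the target applications.
"""
from dataclasses import dataclass, field

# Constructed RBAC model: role -> entitlements the role justifies.
RBAC_MODEL = {
    "sales-rep":  {"crm:read", "crm:write", "expenses:submit"},
    "sales-mgr":  {"crm:read", "crm:write", "crm:approve", "expenses:approve"},
    "hr-analyst": {"hris:read", "payroll:read"},
}


@dataclass
class User:
    uid: str
    roles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)  # what is actually provisioned
    active: bool = True


def target_entitlements(roles):
    """Least-privilege target: the union of what the roles justify, nothing else."""
    target = set()
    for role in roles:
        if role not in RBAC_MODEL:
            raise ValueError(f"unknown role: {role}")
        target |= RBAC_MODEL[role]
    return target


def reconcile(user, new_roles):
    """Move the user to the target state; return (grant, revoke) sets applied.

    A deactivated user has an empty target, so everything is revoked.
    """
    target = target_entitlements(new_roles) if user.active else set()
    grant = target - user.entitlements
    revoke = user.entitlements - target
    user.roles = set(new_roles)
    user.entitlements = target
    return grant, revoke


def on_joiner(user, roles):
    return reconcile(user, roles)


def on_mover(user, roles):
    # Rights justified only by the previous role are revoked, not accumulated.
    return reconcile(user, roles)


def on_leaver(user):
    user.active = False
    return reconcile(user, set())


def find_orphan_rights(user):
    """Re-certification helper: rights held that no current role justifies,
    e.g. granted out of band by an administrator."""
    return user.entitlements - target_entitlements(user.roles)


if __name__ == "__main__":
    u = User("alice")
    print("joiner:", on_joiner(u, {"sales-rep"}))
    print("mover: ", on_mover(u, {"sales-mgr"}))
    u.entitlements.add("payroll:read")          # out-of-band grant
    print("orphan:", find_orphan_rights(u))
    print("leaver:", on_leaver(u))
```

The mover case is the one worth watching in practice: a user who changes role keeps only what the new role justifies, and `find_orphan_rights` surfaces anything granted outside the model for the re-certification campaign.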
For applications outside of identity federation, adding a single sign-on (SSO) brick (either desktop or web-based) strengthens security: the SSO component can set long, complex application passwords that users never know or type, so they cannot be reused across applications or written down. Of course, the primary authentication behind the SSO brick must use MFA. This is another way to decrease the attack surface and extend the zero trust approach while making life easier for users.
Numbers matter: The role of governance and analytics
Just like in any security strategy, governance is an integral element of the zero trust approach, as it is of IAM. Dashboards and alerts from both the identity management brick and the authentication and access control bricks ensure the policy is actually applied and expose deviant behavior, such as a user repeatedly requesting application rights that the role-based access control (RBAC) model does not allocate to their role. Processes such as the re-certification of rights, roles and accounts also contribute to governance, reinforcing the zero trust approach by regularly questioning and verifying the rights users have accumulated.
All IAM components generate audit information that can be processed for risk analysis purposes or to identify the cause of an intrusion, such as a fraudulent assignment of a right to a user.
Going further, IAM can participate in the dynamic side of the zero-trust approach by using artificial intelligence to analyze events coming from IAM, and taking decisions such as deactivating an account, disconnecting a user, or increasing the level of user authentication required in response to an anomaly. This is exactly the prescriptive approach employed by our Evidian IAM software suite.
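To make the two preceding paragraphs concrete, here is an added example (written for this page, not taken from the Evidian suite) that runs the deviation check over a constructed IAM audit trail: requests for rights the RBAC model does not allocate to the user's role are counted per user and mapped to a graduated response (alert, step-up authentication, deactivation), and a right granted outside the model is reported separately as a candidate fraudulent assignment. The log line format, the role model, the user-to-role mapping and the thresholds are all assumptions chosen for illustration.

```python
"""Detect RBAC deviations in IAM audit events and decide on an adaptive response.

Added example. Assumptions (not from the article): a constructed log format
'<ts> <event> uid=<u> app=<a> right=<r> [by=<admin>]', a role->entitlement
model, a uid->roles mapping, and illustrative escalation thresholds.
"""
import re
from collections import defaultdict

RBAC_MODEL = {
    "sales-rep":  {"crm:read", "crm:write", "expenses:submit"},
    "hr-analyst": {"hris:read", "payroll:read"},
}
USER_ROLES = {"alice": {"sales-rep"}, "bob": {"hr-analyst"}}

# Constructed audit trail: alice asks three times for HR data her role does
# not justify; an administrator grants bob a right outside his role.
AUDIT_LOG = """\
2024-03-01T08:00:01Z RIGHT_REQUEST uid=alice app=crm right=read
2024-03-01T08:02:10Z RIGHT_REQUEST uid=alice app=payroll right=read
2024-03-01T08:03:44Z RIGHT_REQUEST uid=alice app=payroll right=export
2024-03-01T08:05:02Z RIGHT_REQUEST uid=alice app=hris right=read
2024-03-01T08:06:30Z RIGHT_GRANT uid=bob app=crm right=approve by=admin42
2024-03-01T08:07:15Z RIGHT_REQUEST uid=bob app=hris right=read
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>RIGHT_REQUEST|RIGHT_GRANT) uid=(?P<uid>\S+) "
    r"app=(?P<app>\S+) right=(?P<right>\S+)(?: by=(?P<by>\S+))?$"
)


def parse_events(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def allowed_rights(uid):
    """Entitlements the user's roles justify; unknown users get nothing."""
    return set().union(*(RBAC_MODEL[r] for r in USER_ROLES.get(uid, ())))


def analyse(text, step_up_at=2, deactivate_at=3):
    """Count unjustified right requests per user and map them to a response.

    Response ladder (illustrative thresholds): 1 -> 'alert',
    step_up_at -> 'step_up_mfa', deactivate_at -> 'deactivate'.
    Grants outside the model are reported as candidate fraudulent assignments.
    """
    unjustified = defaultdict(list)
    suspicious_grants = []
    for ev in parse_events(text):
        ent = f"{ev['app']}:{ev['right']}"
        if ent in allowed_rights(ev["uid"]):
            continue  # within the RBAC model, nothing to do
        if ev["event"] == "RIGHT_GRANT":
            suspicious_grants.append((ev["uid"], ent, ev["by"]))
        else:
            unjustified[ev["uid"]].append(ent)

    decisions = {}
    for uid, ents in unjustified.items():
        n = len(ents)
        if n >= deactivate_at:
            decisions[uid] = "deactivate"
        elif n >= step_up_at:
            decisions[uid] = "step_up_mfa"
        else:
            decisions[uid] = "alert"
    return {
        "decisions": decisions,
        "unjustified": dict(unjustified),
        "suspicious_grants": suspicious_grants,
    }


if __name__ == "__main__":
    for k, v in analyse(AUDIT_LOG).items():
        print(f"{k}: {v}")
```

Two points a practitioner would tune: the thresholds should be per-role and time-windowed (three requests in five minutes is not the same signal as three in a year), and `suspicious_grants` is the feed for the re-certification and incident-response processes mentioned above, since a grant outside the model is exactly the fraudulent assignment the audit trail is meant to expose.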
IAM: An integral lever in an enriched zero trust policy
Making information systems accessible to the outside world and the extensive (and necessary) use of cloud expose organizations to different types of threats. Identities, application accounts and the associated rights are at the heart of hacker attacks, so they must be managed and fiercely protected as key elements of a zero-trust approach. Complemented by strong authentication and reinforced access control for all types of internal or external users, IAM enriches the zero trust policy by applying it right down to the application level.
About the author
Evidian Product Line & Presales Director, Atos
Yann Morvan has 25+ years of experience in the Identity and Access Management domain and in other cybersecurity technologies.
Having held many different positions in consulting and presales at major software vendors including Sun and Oracle, he now leads the product management and presales teams at Evidian.
He is a member of the Atos expert community.