Building Trusted Identities in a Zero Trust World


As part of Solutions Review’s Premium Content Series, a collection of contributed columns written by industry experts in maturing software categories, Arun Shrestha of BeyondID maps out the long road of Zero Trust architecture and the journey to fully integrating it at an enterprise level.

Never trust, always verify: not great advice for personal relationships, but essential when securing workforce and customer access to apps across the enterprise. As demand for high-quality customer experiences skyrockets in the market, enabling a secure workforce and giving your customers a better digital experience is more important than ever. A Zero Trust framework is the best option for protecting an organization; it is a dynamic approach to identity management and essential to the success of modern businesses. This article will discuss the foundations of Zero Trust, the Zero Trust journey, assessing your Zero Trust maturity, and using best practices for enabling secure connections based on verifying the user’s identity, risk-based context, and business policies.

Foundations and The New Perimeter

As hybrid and remote work takes its place as the new normal and businesses provide improved customer experiences to remain competitive, security is suddenly much more complex than simply checking credentials at the door. Remote access for consumers and workers has shrunk the globe over the past few years, greatly expanding the reach of businesses, but also making them more vulnerable from a security standpoint. It has also created a dilemma: how to protect the organization’s digital assets while delivering an exceptional user experience.

Ideally, companies are giving access to the right information, at the right time, to the right individual, and on any device from any location. In order to protect user access and corporate data, security measures should be adaptive enough to surround users wherever they are and with whatever device they’re using. As they make this shift, organizations must recognize that users become the security perimeter of their company. It’s important that businesses begin thinking of people as the perimeter because the shift in accessibility is here to stay.

Zero Trust is a strategy that protects the perimeter, and is the most relevant solution for remote work, total user experience and digital transformation. Organizations adopting this strategy not only deliver improved security at the perimeter but reduce costs and complexity. And yet, nearly 80 percent of critical infrastructure organizations had failed to adopt a strategy for their operations, according to a study conducted by IBM this year.

Since people are the new security perimeter, identity serves as the foundation of Zero Trust. Identity is more than a username and password: Okta attributes 80 percent of all data breaches and 77 percent of cloud-based data breaches to compromised credentials, so monitoring access points is simply not enough. Zero Trust is built on the premise that users are not always who they say they are and assumes that the system is already compromised. Thus, the real defense against hackers is what’s already known about the users who are allowed inside. Zero Trust constantly monitors activity and compares it to what’s known about how a credentialed user is expected to behave within the system. Without identity, there is no reference point for Zero Trust.

The Zero Trust Journey

The more data Zero Trust collects and compares, the more adept it becomes at spotting and stopping unusual behavior within an organization’s system. Describing it as a “journey” is standard practice among experts because it reflects the continuous nature of the work more accurately than words like “solution” or “implementation”, though it is all of these things. Companies must embrace this terminology. It’s important to understand that Zero Trust is not a quick fix and implementation is just the beginning.

Organizations that have successfully implemented Zero Trust technology report a five- to ten-year effort with continuous progress as capabilities continue to evolve. BeyondID’s Digital Front Door effort planned for a major US-based healthcare organization, for example, is expected to span a ten-year period. Throughout a journey like this, organizations will commit to various levels of Zero Trust maturity because as their framework evolves, so will its requirements. As they say, it’s not about the destination, it’s about the journey.

In order to ensure seamlessness and connectivity within a system, organizations must be ready to implement Zero Trust across the board. The journey doesn’t just involve workforce and customers but vendors and partners too. By uniting an organization’s entire ecosystem under one solution, Zero Trust is able to deliver a total experience for users in any category. Companies choose Zero Trust, not despite its high level of commitment, but because of it. The journey is what ensures the solution is comprehensive, advanced, ever-improving, and capable of delivering the best of both physical and digital (now described as ‘phygital’) experiences for users.

Assessing Zero Trust Maturity

Knowing where to start is always the place to start; that’s why businesses begin their Zero Trust journey with a maturity assessment. There are many different approaches organizations can use to assess their current Zero Trust maturity level and develop a roadmap for their journey.

  • The Zero Trust Maturity Model, developed by the Cybersecurity and Infrastructure Security Agency (CISA), uses the intersection of criteria across five pillars (Identity, Device, Network/Environment, Application Workload, and Data) to determine an organization’s maturity level. Each pillar is examined on the basis of Visibility and Analytics, Automation and Orchestration, and Governance. The maturity of each pillar-criterion combination is rated as either traditional, advanced, or optimal. Since the score of each intersection must be taken into consideration, assessing overall maturity and developing a roadmap is a complex process.
  • Forrester’s Zero Trust Model focuses on Visibility, Automation, Segmentation, and Compliance to form a full picture of an organization’s existing security posture. The research and advisory company’s playbook is designed to help businesses make the most of their assessment using the model.
  • The Continuous Adaptive Risk and Trust Assessment (CARTA) model, developed by Gartner, is best described as the next evolution of Zero Trust. CARTA begins with the foundations of a Zero Trust framework and continues to monitor and adapt its posture as it collects information. CARTA is evaluated by a checklist of seven imperatives used by organizations to measure their maturity level and build their roadmap. These imperatives include, but are not limited to, deploying specialized security platforms, performing risk and trust assessments, instrumenting infrastructure, and integrating security as a programmable system.

The purpose of each of these models is to give businesses a better understanding of their own maturity so they can define their strategies for the future. Even so, it’s crucial that organizations invest in Zero Trust experts to perform proper maturity assessments. Experts will use a combination of tools and experience to determine the most accurate level of maturity. Embarking on any transformation journey without the help of a third-party expert can be an expensive misstep. Because no two strategies are the same, partnering with seasoned professionals is the best way to ensure correct implementation.

Best Practices

Preparation is key to any journey, and in combination with a maturity assessment, best practices are a great tool for setting goals and developing a roadmap. Throughout their journey, businesses will be ready to implement different, or more, best practices as their maturity increases. These are some of what are considered best practices for enabling secure connections based on verifying the user’s identity, risk-based context, and business policies:

  • Prepare and understand current security architecture with a comprehensive maturity assessment
  • Take inventory of all users’ devices and credentials
  • Use a centralized access control model for increased visibility
  • Monitor and review activity across the network
  • Perform data analyses
  • Understand and document behavioral patterns
  • Authorize based on context and dynamic factors
  • Implement the Principle of Least Privilege (PoLP)
  • Create guidelines for policy-based access control
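As an added example that is not from the article or from BeyondID, the following Python sketch shows how the last few practices combine into a single access decision: a request is checked against role scopes (least privilege), the device inventory, the user’s documented behavioral baseline, and a business policy that writes always require MFA. Every user, device, role and baseline value here is constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed policy data (hypothetical, not from any real tenant).
ROLE_SCOPES = {"analyst": {"read:reports"}, "admin": {"read:reports", "write:config"}}
MANAGED_DEVICES = {"dev-123"}                       # inventoried, managed devices
BASELINES = {"alice": {"countries": {"US"}, "hours": range(7, 20)}}  # documented behavior


@dataclass
class AccessRequest:
    user: str
    role: str
    device_id: str
    mfa_verified: bool   # identity signal from the IdP
    country: str         # dynamic context: where the request comes from
    hour: int            # dynamic context: local hour of the request (0-23)
    scope: str           # the permission the caller is asking for


def decide(req: AccessRequest) -> tuple[str, list[str]]:
    """Return ("allow" | "step_up" | "deny", reasons) for one request."""
    # Least privilege: the role must already grant the requested scope.
    if req.scope not in ROLE_SCOPES.get(req.role, set()):
        return "deny", ["scope not granted to role"]
    # Device inventory: unknown devices never get in, whatever the credentials.
    if req.device_id not in MANAGED_DEVICES:
        return "deny", ["device not in inventory"]

    # Compare the request against what is known about this user's behavior.
    reasons: list[str] = []
    base = BASELINES.get(req.user)
    if base is None:
        reasons.append("no behavioral baseline for user")
    else:
        if req.country not in base["countries"]:
            reasons.append("unusual country")
        if req.hour not in base["hours"]:
            reasons.append("outside usual hours")

    # Business policy: any anomaly, or any write, requires a verified MFA factor.
    needs_mfa = bool(reasons) or req.scope.startswith("write:")
    if len(reasons) >= 2:                 # several anomalies at once: refuse outright
        return "deny", reasons
    if needs_mfa and not req.mfa_verified:
        return "step_up", reasons         # challenge for MFA, then re-evaluate
    return "allow", reasons


if __name__ == "__main__":
    print(decide(AccessRequest("alice", "analyst", "dev-123", False, "DE", 10, "read:reports")))
```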

To start your journey, reach out to a third party with an expert understanding of the Zero Trust landscape. Experts can help you understand the role of identity in Zero Trust architecture, identify your maturity, and incorporate best practices. When implemented correctly, Zero Trust can help organizations transform digitally, modernize their identities, and deliver a better total experience for workforce, customer, and patient users.

Arun Shrestha