SecureWorld News

Why Digital Identities Need Zero Trust IGA

Written by Tapan Shah | Thu | Nov 1, 2018 | 8:59 PM Z

Digital identities, at different levels of privilege, underpin all digital transactions. In the enterprise, identities are used to log in to the network, access data and applications, and enforce organizational policies. 

A repository of trustable identities is a foundational element of Zero Trust security. These identities inform other security measures, including access control, logging and monitoring, threat detection, and other security operations. Digital identity is used to secure privileged access and to support application security, data protection, network security, and cloud security. In a Zero Trust Organization, where assets must be protected as if they were exposed to the full range of cyber threats, security is achieved by tracing every process and transaction back to a trustable identity and its approved entitlements.

A Zero Trust Organization must support: 

  1. A repository of trustable identities (trusted for a discrete operation or for a finite amount of time) maintained through strong identity governance 
  2. Infrastructure for multi-factor and risk-based adaptive authentication 

Building trust in identities through identity governance 

The following identity governance processes are critical for creating and maintaining identities that can eventually be trusted under certain parameters: 

1. Identity lifecycle
Zero Trust Organizations maintain digital identities and their attributes throughout the life of their association with the organization. That includes onboarding, transfers, and offboarding. 

2. Access requests
A business-friendly process and user interface (UI) through which parties can request access to applications and data is characteristic of efficient, productive, and secure organizations. In a Zero Trust Organization, the request process guides users toward well-informed requests for privileges, so that what is requested matches what the job actually requires.

3. Access certification
Periodic review and certification of access ensure compliance with organizational policies. A Zero Trust Organization’s robust access certification process cleans out stale and unused access periodically and helps enforce the principle of least privilege, in which users are granted access to what they need to perform their jobs and no more. (See “How to Be a Zero Trust Organization”)

4. Policy and role management
In a Zero Trust Organization, the rules that define and control identity security include policies that govern segregation of duties, passwords, and access. Automating those policies improves security while enforcing the principle of least privilege.

The critical role of risk-based adaptive authentication 

A dynamic work environment and a constantly evolving threat landscape mean that authentication requirements must be adjusted in real time. Zero Trust Organizations apply multi-factor and risk-based adaptive authentication to their sensitive and business-critical applications, using location, time, device trust, and other contextual information to raise or lower authentication requirements as appropriate. For example, an account that can access a critical data repository from corporate headquarters should not be able to access that same repository from another place at an unusual time of day—or from an untrusted device—without additional challenges. These can include security questions, a token, a one-time password, or biometric validation. Adaptive authentication is particularly relevant when access is requested from untrusted mobile devices or to cloud applications.
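As an added illustration (not code from this article or from any vendor), the policy below turns the contextual signals just described into a concrete decision: each signal adds to a risk score, and the score selects the extra challenge required before a critical resource is released. The resource names, locations, business hours, per-user location baseline, and score thresholds are constructed assumptions.

```python
"""Risk-based adaptive authentication policy (added example, constructed data)."""
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    resource: str
    location: str          # e.g. "hq", "home", "cafe-wifi"
    hour: int              # local hour of the request, 0-23
    device_trusted: bool   # enrolled and compliant device?


# Constructed policy data; these sets are assumptions for the example.
CRITICAL_RESOURCES = {"customer-db", "payroll"}
CORPORATE_LOCATIONS = {"hq", "branch-1"}
BUSINESS_HOURS = range(7, 20)
# Per-user baseline: locations seen in prior successful logins.
USER_BASELINE = {"alice": {"hq", "home"}, "bob": {"branch-1"}}


def risk_score(req: Request) -> int:
    """Add up the contextual signals; a higher score means more risk."""
    score = 0
    if req.location not in CORPORATE_LOCATIONS:
        score += 2   # outside the corporate network perimeter
    if req.location not in USER_BASELINE.get(req.user, set()):
        score += 2   # this user has never authenticated from here
    if req.hour not in BUSINESS_HOURS:
        score += 1   # unusual time of day
    if not req.device_trusted:
        score += 3   # untrusted device is the strongest signal
    return score


def decide(req: Request) -> str:
    """Return 'allow', 'step-up:<challenge>' or 'deny' for the request."""
    if req.resource not in CRITICAL_RESOURCES:
        return "allow"                  # password alone suffices here
    score = risk_score(req)
    if score == 0:
        return "allow"                  # headquarters, trusted device, normal hours
    if score <= 2:
        return "step-up:otp"            # one-time password
    if score <= 5:
        return "step-up:hardware-token"
    if score <= 7:
        return "step-up:biometric"
    return "deny"                       # too many risk signals at once
```

Applied to a critical resource, a request from headquarters on a trusted device during business hours passes on the password alone, while the same account from an unknown location at night on an untrusted device is refused outright.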
