Identity at the center of Zero Trust – so what?

Three critical elements that must be addressed

Jim Wilhelm


Principal, Cyber Security, KPMG US


Much has been made about the need to embrace a Zero Trust mindset when protecting the digital footprint. For the seasoned cyber professional, the Zero Trust mindset is not new in concept—but perhaps the enabling security technologies are only now taking shape. The velocity at which security incidents are occurring, and the pace of digital transformation and change, have created the opportunity to begin enabling this long-aspired vision of a Zero Trust approach to security.

As part of this blog series, we’ll focus on identity, and why it is so important to achieving a Zero Trust experience for digital interactions across the ever-expanding definition of your workforce. In four parts we’ll explore the fundamentals of identity that must be in place: identity governance, privileged access management, authentication and conditional access – and why each of these plays an important role in security transformation going forward.

Identity governance

For more than 10 years, the traditional identity and access management market, focused on lifecycle, provisioning, access certification and user self-service, has evolved into what we know today as Identity Governance and Administration (IGA). Organizations have spent significantly in this domain to modernize approaches to IGA, reduce access risk, comply with regulations and attempt to provision the right access to the right individuals at the right time. While this may be viewed as a basic premise and table stakes for any modern security program, there continues to be a wave of transformation and uplift in this domain, along with several laggards slow to address this basic hygiene element of cyber security. Identity governance, and more specifically a sound set of business processes and data methodology for establishing workforce digital identity, is critical to the implementation of a zero trust approach to security.

Here are four critical identity governance elements that must be modernized and addressed as part of a zero trust initiative:

  • Lifecycle for everyone and every-thing – Organizations must focus on establishing well-defined processes and minimum attributes for a digital identity within their organization. Moreover, this definition, and the processes around joining, moving, and leaving, must include the entirety of the workforce: employees, contractors, suppliers, bots, and service accounts. Zero trust is underpinned by the assumption that I know ‘who’ someone is so that I may evaluate policy and allow, deny, or adapt access in real-time. Simply put, a well-defined identity data model and supporting processes to manage identity attributes are fundamental to achieving a zero trust mindset.
  • Getting it ‘right’ is critical – Many organizations aspire to implement a model of least privilege with respect to access. To say this has been difficult across applications, infrastructure, cloud providers, etc. would be an understatement. The discretionary access models built around assignment of entitlements and roles and re-certification MUST evolve. We must leverage intelligence to accomplish effective access modeling by performing peer review, outlier analysis and stripping either excessive or unused access from accounts. The time is now to embrace the use of intelligence in modernizing your approach to IGA.
  • From static to dynamic IGA – As intimated above, legacy approaches to IGA have overlooked what happens between joining, moving, leaving, and re-certifying access. This point-in-time or process-triggered reality must also evolve so that we review access based on signals of risk or change. We need to imagine and move forward to a new reality where changes in privilege, or security events that necessitate a change in access, are either orchestrated through automation in real-time and/or routed to security incident personnel for remediation. We must do this to shorten the interval between when access is assigned, when it is used, and when it must change based on signals of risk or change. The modern IGA program must integrate much more tightly with security operations personnel, processes, and signals in order to get it right.
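As an added illustration (not code from this post or from any KPMG or vendor tooling), the following Python sketch shows the two techniques described in the ‘getting it right’ and ‘static to dynamic’ points above: peer-group outlier analysis of entitlements, detection of unused or stale access, and an on-demand review of one user triggered by a risk signal rather than by a re-certification cycle. The users, groups, entitlement names, usage figures and thresholds are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample data, not from any real IGA system: each user has a
# peer group (here, department) and the set of entitlements they hold.
USERS = {
    "alice": ("finance", {"erp_view", "erp_post", "vpn"}),
    "bob":   ("finance", {"erp_view", "erp_post", "vpn"}),
    "carol": ("finance", {"erp_view", "vpn"}),
    "dave":  ("finance", {"erp_view", "erp_post", "vpn", "prod_db_admin"}),
}
# Constructed usage telemetry: days since each entitlement was last
# exercised; an absent entry means it has never been used at all.
IDLE_DAYS = {
    "alice": {"erp_view": 2, "erp_post": 5, "vpn": 2},
    "bob":   {"erp_view": 1, "erp_post": 200, "vpn": 1},
    "carol": {"erp_view": 9, "vpn": 3},
    "dave":  {"erp_view": 1, "erp_post": 1, "vpn": 1},
}

def peer_outliers(users, max_share=0.25):
    """Entitlements held by no more than `max_share` of the holder's peers."""
    groups = defaultdict(list)
    for group, ents in users.values():
        groups[group].append(ents)
    findings = []
    for uid, (group, ents) in users.items():
        peers = groups[group]
        for ent in ents:
            share = sum(ent in p for p in peers) / len(peers)
            if share <= max_share:
                findings.append((uid, ent, share))
    return sorted(findings)

def unused_access(users, idle_days, max_idle=90):
    """Entitlements never used, or idle for more than `max_idle` days."""
    findings = []
    for uid, (_, ents) in users.items():
        for ent in ents:
            idle = idle_days.get(uid, {}).get(ent)
            if idle is None or idle > max_idle:
                findings.append((uid, ent, idle))
    return sorted(findings, key=lambda f: f[:2])

def review_on_signal(uid, signal, users, idle_days):
    """Signal-driven review: evaluate one user's access as soon as a risk
    signal arrives, instead of waiting for the next re-certification cycle."""
    mine = lambda rows: [r for r in rows if r[0] == uid]
    return {"user": uid, "signal": signal,
            "outliers": mine(peer_outliers(users)),
            "unused": mine(unused_access(users, idle_days))}
```

In a real program the findings would feed an automated removal workflow or an incident queue, as the point above describes, and the peer group would come from authoritative HR attributes rather than a literal.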

Effective identity governance that is inclusive of all identity types is a critical first step in the zero trust journey. What has long been viewed as merely an operations and compliance activity is now front and center to establishing effective identity-centric security capability and improving user experience. Lastly, organizations that have the basics in place must continue to enhance and modernize their approaches to identity governance. In my next blog we’ll explore the importance of authentication, our next identity building block of the zero trust journey.