How to Build on Identity and Access Management with Zero Trust
This year, the business community was forced to adapt to a new era of distributed work, and cyber threats have adapted right along with it. Between unsecured home Wi-Fi networks and the rise in personal devices accessing company resources, the opportunities for data theft have grown as teams have dispersed.
Implementing robust identity and access management (IAM) solutions is proving to be a vital method for reasserting control over who has access to your company’s digital resources. This approach is key for mitigating the security risks associated with distributed work. With effective IAM, you can contextually assess risk, grant permissions on a granular level, and fully integrate third-party services without compromising user experience. But it’s not just a matter of flipping a switch.
Reaching IAM maturity as we embrace remote work requires a staged approach—one that starts with implementing basic identity features to support your remote workforce, and ends with a robust Zero Trust framework in place.
In this post, we’ll take a look at the final stage of our distributed work IAM maturity curve, and how you can begin to implement Zero Trust.
When your distributed business is ready for Zero Trust
Distributed work is safest when organizations operate within a Zero Trust architecture, which means treating every user, device, and network location as untrusted until it has been verified.
To begin your journey towards never trusting, and always verifying, it can be helpful to identify how far your company has already come along the path to Zero Trust. Before they begin actively implementing Zero Trust, many companies have already deployed some of the framework’s foundational elements, including single sign-on (SSO) and multi-factor authentication (MFA) solutions that protect access and minimize vulnerability.
At this stage, companies have often enhanced the productivity of their workforce by automating security processes related to onboarding and offboarding, extended access controls to on-prem apps or IaaS, and implemented the right authentication policies and factors for their business. From there, they can take various steps to ensure that they have achieved Zero Trust access across applications, servers, and APIs, rooting policies and decisions in each user’s identity.
The stages of Zero Trust
A Zero Trust security architecture, supported at its core by IAM, involves the following stages and considerations:
- Stage 0: Fragmented Identity. Organizations at the beginning of their Zero Trust journey often find themselves operating a mix of on-premises and cloud applications that are not integrated together, forcing IT to manage disparate identities across a number of systems.
- Stage 1: Unified Identity and Access Management. To resolve the security gaps caused by fragmented identities, companies in Stage 1 of Zero Trust consolidate identities under one IAM system. Alongside modern SSO and MFA, unified access policies across applications and servers bring IAM together into one secure, manageable place for IT across on-prem and cloud environments.
- Stage 2: Contextual access. Companies in Stage 2 of the maturity curve add context-based access policies to their IAM system: they gather rich signals about the user, the application, the device, the location, and the network, and apply access policies based on that information. These contextual policies are supplemented by multiple MFA factors and by automated processes across the user lifecycle.
- Stage 3: Adaptive workforce. In the final stage of Zero Trust, organizations extend authentication and authorization beyond the login event. Authentication no longer occurs just at the front gate but continuously, through an adaptive, risk-based assessment that identifies potential threats as a session progresses.
By moving your organization from fragmented identity toward context-based policies and processes, you better protect your distributed workforce and reduce the likelihood of damaging and costly breaches.
Supporting a truly adaptive workforce with Zero Trust
Distributed teams are working hard to get things done, without the convenience of having their colleagues in an adjacent office or down the hall. Their new work environment should feel as seamless as possible, while still being secured.
To better equip their distributed teams, businesses should consider key pieces of the Zero Trust puzzle, including:
- Risk-based access policies
- Continuous and adaptive authentication and authorization
- Frictionless access
The goal isn’t to authenticate workers once and then step back. Instead, each user’s activity needs to be continuously evaluated for risk based on the contextual signals their session carries. If those signals change, the user may be re-prompted for one or more authentication factors.
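The following is an added example that is not code from the original post or from Okta. It implements the two ideas above in working form: the Stage 2 contextual policy (decide from device, network, location and application signals) and the Stage 3 re-evaluation (bind the signals seen at login to the session, and force a new factor prompt when any of them changes). The signal set, the policy rules, the `Context`, `Session` and `evaluate` names, and the sample scenario are all assumptions chosen for illustration.

```python
"""Context-based access policy with continuous re-evaluation.

Added example, not code from the original post or from Okta. The set of
signals, the policy rules and the sample contexts are assumptions chosen
to illustrate contextual access and re-prompting on changed signals.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"        # proceed without a new prompt
    STEP_UP = "step_up"    # re-prompt for a strong (ideally phishing-resistant) factor
    DENY = "deny"          # refuse regardless of which factors the user can present


@dataclass(frozen=True)
class Context:
    """Signals gathered for one request (assumed signal set)."""
    user: str
    device_id: str
    device_managed: bool    # enrolled in device management
    network_trusted: bool   # corporate network or a verified ZTNA path
    country: str
    app_sensitivity: str    # "low" or "high" (assumed app classification)


@dataclass
class Session:
    """An established session, bound to the context seen when it was created."""
    bound: Context
    strong_factor_verified: bool = False


# Signals bound at login; a change in any of them invalidates the earlier decision.
BOUND_SIGNALS = ("user", "device_id", "device_managed", "network_trusted", "country")


def evaluate(ctx: Context, session: Optional[Session] = None) -> Tuple[Decision, str]:
    """Decide access for ctx; with a session, re-check it against the bound context."""
    # Hard rules apply at the front gate and on every re-evaluation.
    if ctx.app_sensitivity == "high" and not ctx.device_managed:
        return Decision.DENY, "high-sensitivity app requires a managed device"

    if session is None:
        # Front gate: only the lowest-risk combination skips the step-up prompt.
        if ctx.device_managed and ctx.network_trusted and ctx.app_sensitivity == "low":
            return Decision.ALLOW, "managed device on trusted network, low-sensitivity app"
        return Decision.STEP_UP, "initial access outside the low-risk combination"

    # Continuous evaluation: any bound signal that differs from login forces a re-prompt.
    changed = [s for s in BOUND_SIGNALS if getattr(ctx, s) != getattr(session.bound, s)]
    if changed:
        return Decision.STEP_UP, "signals changed since login: " + ", ".join(changed)
    if ctx.app_sensitivity == "high" and not session.strong_factor_verified:
        return Decision.STEP_UP, "high-sensitivity app requires a verified strong factor"
    return Decision.ALLOW, "context unchanged since login"


def walkthrough() -> List[Tuple[Decision, str]]:
    """Constructed scenario (not real data): login, sensitive app, network change, BYOD."""
    login = Context("alice", "dev-1", True, True, "US", "low")
    steps = [evaluate(login)]                                  # ALLOW, no prompt
    session = Session(bound=login)

    sensitive = replace(login, app_sensitivity="high")         # same session, riskier app
    steps.append(evaluate(sensitive, session))                 # STEP_UP: strong factor needed

    session = Session(bound=login, strong_factor_verified=True)  # step-up completed
    moved = replace(login, network_trusted=False)              # user leaves trusted network
    steps.append(evaluate(moved, session))                     # STEP_UP: network_trusted changed

    byod = Context("bob", "byod-7", False, False, "US", "high")
    steps.append(evaluate(byod))                               # DENY: unmanaged device
    return steps


if __name__ == "__main__":
    for decision, reason in walkthrough():
        print(decision.value, "-", reason)
```

Note that `app_sensitivity` is deliberately not a bound signal: moving to a more sensitive application inside an existing session is handled by the explicit strong-factor rule rather than by the "signals changed" check, so the reason returned to the user distinguishes the two cases.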
Building out Zero Trust with Okta
Today, IT administrators have choices when setting policies and prompting for authentication factors. If the risk level is low, they can prompt users for non-password factors and use Okta FastPass. They can also reduce their reliance on VPNs by connecting to a Zero Trust Network Access (ZTNA) tool like Zscaler.
Okta is continually rolling out features that increase the strength and simplicity of access management. With technologies such as the Risk Engine, made up of Okta ThreatInsight and risk-based authentication, it is possible to go beyond discrete contextual access policies and achieve a higher standard of security. An organization can specify its level of risk tolerance and let the engine weigh many signals at once, at a scale and speed that manual policy review cannot match.
- ThreatInsight uses data from the Okta customer network, admins, and end users to protect customers from identity attacks such as brute force and password spraying.
- Risk-based authentication generates a risk score from IP, user, and device state signals, which can then be evaluated against policy.
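To make the two bullets concrete, here is an added example that is not Okta's ThreatInsight or Risk Engine code. It runs a password-spray and brute-force detector over constructed authentication log lines, then scores each successful login from three signals (source IP flagged by the detector, unknown device, country never seen for that user) and compares the score against a configurable risk tolerance. The log format, the `WINDOW`, `SPRAY_MIN_USERS` and `BRUTE_MIN_FAILS` thresholds, the weights and the tolerance table are all assumptions chosen for illustration; the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Password-spray detection plus a tolerance-driven risk score.

Added example; not Okta's ThreatInsight or Risk Engine code. The log line
format, thresholds, weights and tolerance bands below are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple

# Assumed log line format (constructed for this example, not a real product format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) outcome=(?P<outcome>\S+) "
    r"device=(?P<device>\S+) country=(?P<country>\S+)$"
)

WINDOW = timedelta(minutes=10)   # sliding window for per-IP failure analysis
SPRAY_MIN_USERS = 5              # distinct users failing from one IP inside WINDOW
BRUTE_MIN_FAILS = 10             # failures against one user from one IP inside WINDOW
WEIGHTS = {"source_flagged": 60, "unknown_device": 25, "new_country": 20}
# Tolerance -> (step-up threshold, deny threshold); lower tolerance reacts sooner.
TOLERANCE = {"low": (20, 40), "medium": (40, 70), "high": (60, 90)}


class AuthEvent(NamedTuple):
    ts: datetime
    user: str
    ip: str
    outcome: str        # "success" or "failure"
    device_known: bool
    country: str


# Constructed sample: one IP sprays five users and lands a sixth, another IP
# hammers a single account, and alice logs in from a new device and country.
SAMPLE_LINES = [
    "2024-05-01T09:30:00Z user=alice ip=192.0.2.10 outcome=success device=known country=US",
    "2024-05-01T10:00:00Z user=alice ip=203.0.113.5 outcome=failure device=unknown country=NL",
    "2024-05-01T10:00:20Z user=bob ip=203.0.113.5 outcome=failure device=unknown country=NL",
    "2024-05-01T10:00:40Z user=carol ip=203.0.113.5 outcome=failure device=unknown country=NL",
    "2024-05-01T10:01:00Z user=dave ip=203.0.113.5 outcome=failure device=unknown country=NL",
    "2024-05-01T10:01:20Z user=erin ip=203.0.113.5 outcome=failure device=unknown country=NL",
    "2024-05-01T10:01:40Z user=frank ip=203.0.113.5 outcome=success device=unknown country=NL",
    "2024-05-01T11:00:00Z user=alice ip=198.51.100.44 outcome=success device=unknown country=BR",
] + [
    f"2024-05-01T10:10:{s:02d}Z user=grace ip=198.51.100.9 outcome=failure device=unknown country=DE"
    for s in range(0, 50, 5)
]


def parse(lines: List[str]) -> List[AuthEvent]:
    """Parse log lines into events sorted by time; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(AuthEvent(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                                m["user"], m["ip"], m["outcome"],
                                m["device"] == "known", m["country"]))
    return sorted(events, key=lambda e: e.ts)


def flag_sources(events: List[AuthEvent]) -> Dict[str, Set[str]]:
    """Label source IPs whose failures look like spraying (many users, few tries
    each) or brute force (many tries against one user) inside WINDOW."""
    flags: Dict[str, Set[str]] = defaultdict(set)
    by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        if e.outcome == "failure":
            by_ip[e.ip].append(e)
    for ip, fails in by_ip.items():
        for i, start in enumerate(fails):            # slide the window over failures
            window = [e for e in fails[i:] if e.ts - start.ts <= WINDOW]
            if len({e.user for e in window}) >= SPRAY_MIN_USERS:
                flags[ip].add("password_spray")
            per_user: Dict[str, int] = defaultdict(int)
            for e in window:
                per_user[e.user] += 1
            if max(per_user.values()) >= BRUTE_MIN_FAILS:
                flags[ip].add("brute_force")
    return dict(flags)


def risk_score(event: AuthEvent, flags: Dict[str, Set[str]],
               history: List[AuthEvent]) -> Tuple[int, List[str]]:
    """Score one login from IP reputation, device state and the user's own history."""
    score, reasons = 0, []
    if event.ip in flags:
        score += WEIGHTS["source_flagged"]
        reasons.append("source ip flagged: " + ",".join(sorted(flags[event.ip])))
    if not event.device_known:
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown device")
    seen = {e.country for e in history
            if e.user == event.user and e.outcome == "success" and e.ts < event.ts}
    if seen and event.country not in seen:
        score += WEIGHTS["new_country"]
        reasons.append(f"new country {event.country}")
    return score, reasons


def decide(score: int, tolerance: str = "medium") -> str:
    """Map a score onto allow / step_up / deny using the organization's tolerance."""
    step_up, deny = TOLERANCE[tolerance]
    return "deny" if score >= deny else "step_up" if score >= step_up else "allow"


def analyze(lines: List[str], tolerance: str = "medium") -> List[dict]:
    """Flag bad sources, then score and decide every successful login in order."""
    events = parse(lines)
    flags = flag_sources(events)
    results = []
    for e in events:
        if e.outcome != "success":
            continue
        score, reasons = risk_score(e, flags, events)
        results.append({"user": e.user, "ip": e.ip, "score": score,
                        "decision": decide(score, tolerance), "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_LINES):
        print(r)
```

The point of the sample is the `frank` login: the spray actually guessed a valid password, and a password-only gate would have let it through, but the source IP was already flagged by the time the success arrived, so the scored decision is deny. The same `alice` login scores 45 and lands on step-up, allow or deny depending only on the tolerance band the organization selected.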
Zero Trust is no longer an abstract goal. It’s an achievable security standard for a newly distributed, adaptive workforce—and we’re here to help.
Learn more in our whitepaper on Getting Started with Zero Trust Access Management.