Getting Started with Zero Trust Access Management: Trust Begins with Secure Identity
Executive Summary
There is no denying that the perimeter has shifted with the adoption of mobile and cloud, and we can no longer rely solely on a network perimeter-centric view of security. This transformation has accelerated more recently to a fully distributed and hybrid working environment requiring a new model for security. Zero Trust is a security strategy that challenges the notion that there is a “trusted” internal network and an “untrusted” external network; trust can no longer be implied. Organisations need to be able to establish trust relationships in order to securely enable access for various people (employees, partners, contractors, supply-chain, etc.) regardless of their location, device, or network. There is a new modern perimeter that needs to be protected, and that perimeter begins with Secure Identity.
There is no silver bullet solution when it comes to achieving a zero trust security architecture: this is not something that happens overnight, or is in fact ever actually ‘complete’. Adopting a zero trust security strategy provides the ability for organisations to transform and innovate, adopt new technologies and practices, optimise productivity and reduce their risk surface. This paper explores why identity and access management (IAM) solutions offer the core technology that organisations should start with on their zero trust journeys. Here, we’ll explore the shifts in the security landscape that led to the creation of zero trust, what a zero trust strategy looks like today, and how organisations can utilise Okta as the foundation for a successful zero trust program now, and into the future.
Zero Trust is not a novel concept or idea. The industry has been discussing the reality of the shifting perimeter for nearly two decades, with origins back to the Jericho forum. It has really only been within the last 5-10 years that we have finally reached a point where organisations are prioritising security strategy and technology has seen enough innovation to support the implementation of these new strategies.
This was brought into sharp focus in 2020. The worldwide pandemic forced many organisations to shift operations to support remote work overnight, effectively dismantling traditional security models, accelerating the adoption of cloud technologies, and forcing the shift to support remote work outside the safety of a corporate network. As the world emerged from the pandemic, many organisations made the decision to continue to support a dynamic work model, meaning they must maintain flexibility while securing fully distributed workforces and hybrid working models. The modern workforce—comprised of employees, contractors, partners, and suppliers—are all accessing more resources and data (stored in the cloud and on-premises), from more devices and locations than ever before.
Challenge: When the Wall Protecting Your Data Vanishes
Whitepaper
This isn’t to say that traditional security architectures (castle and moat) suddenly become irrelevant; they still serve a purpose. Security and IT teams who have invested in defensive systems focused heavily on securing the network perimeter, using firewalls and VPNs to enforce access policies, are faced with new challenges in securing a more hybrid work model. This requires innovative thinking and agnostic solutions that can augment and complement existing infrastructures while supporting digital transformation and modernisation initiatives.
As the infrastructure has evolved, the risk surface has expanded with an increasing number of access points and these are being exploited at an alarming rate. Reported incidents of cyberattacks have exponentially increased. While methods of attack have elevated in sophistication, they still primarily target identity. Credential abuse and highly targeted phishing attacks remain the leading cause of breaches today. Gaps in identity protection introduce risks like account takeover, supply-chain, and ransomware attacks. As a result, organisations should no longer automatically assume trust across any part of the IT stack. Regardless of industry or geography, secure trusted users have become more important than ever—and identity is the modern perimeter.
The Next Frontier: The Evolution of Zero Trust
To understand where we are, it’s helpful to understand where we came from and how this has evolved. The notion of the shifting perimeter has its origin story as far back as 2004, when the Jericho Forum was founded with the mission to define the problem and solution for deperimeterisation. In 2009, John Kindervag introduced the term “Zero Trust” during his tenure with Forrester—at the time, this was based on the idea that all network traffic should not be trusted and that any request to access any resource must be done securely. This original concept of Zero Trust based on a network-centric design focused on leveraging micro-segmentation to enforce more granular rules and limit lateral movement by attackers. As the concept of Zero Trust continued to evolve, a more identity-centric approach started to gain prominence.
Google’s BeyondCorp research was published in 2014, and this model shifts access controls from the perimeter to individual devices and users. In 2017, Gartner published the Continuous Adaptive Risk and Trust Assessment (CARTA) framework, which faintly echoed Kindervag’s zero trust framework with an added focus on not just authenticating and authorising access at the front gate, but continuously throughout the user’s experience through an adaptive, risk-based assessment to identify potential threats. Forrester has even updated their framework and in 2019 published the Zero Trust Extended Ecosystem (ZTX). Forrester’s team calls out capabilities such as single sign-on (SSO) as a critical feature, and notes that multi-factor authentication (MFA) “reduces access threats exponentially.”
Frameworks provide a solid foundation for understanding how technologies can support new security models, but there has been a lack of direction or guidance around how organisations can realise and adopt Zero Trust. In 2019, NIST released its first draft of Special Publication 800-207. This publication combines elements of the above Zero Trust frameworks and discusses the components NIST sees as making up a zero trust architecture.
Over the past two decades the industry, analysts and practitioners, have collectively evolved the understanding of a zero trust security strategic approach to match advances in technology and the way we work. In all cases, the approach has become increasingly more risk-based and identity-centric—this is where Okta can support organisations. Okta is able to help address the business challenges being faced and accelerate adoption of a zero trus