Chapter 8

Zero Trust Identity and Access Management

June 4, 2023

Zero trust architecture (ZTA) is an overarching business and operational goal that assumes, by default, that no user, device, or system is trusted. Zero trust network access (ZTNA), however, specifically focuses on the practical elements of delivering ZTA within the scope of data networking.

ZTNA consists of a set of technologies and processes that allow organizations to securely access their networks and applications from any device, anywhere. Each request for access to a particular system or resource requires continuous identification and verification of the user and device involved.

Both ZTA and ZTNA are based on the principle “never trust, always verify.”

Zero trust architecture depends upon seven fundamental pillars:

  1. Identity
  2. Device
  3. Network
  4. Application
  5. Data
  6. Observability and Analytics
  7. Automation

Each of these pillars defines a particular aspect of the zero trust architecture; together, they deliver a holistic methodology to network security.

The pillars of zero trust architecture

Identity and access management (IAM) is a critical component of zero trust architecture. IAM encompasses the policies, technologies, and practices used to manage user identities and their access to resources within a network. It provides a framework for controlling access to applications, data, and other resources by verifying user identities, authorizing access, and enforcing security policies.

In fact, the ZTA is pointless without a strong identity and access management framework. Since ZTA is based on the premise that no user or device should be automatically trusted, it’s essential to be able to identify users successfully and accurately, making IAM a vital component of the ZTA framework.

In this article, we’ll examine the role of identity and access management within the zero trust architecture framework and describe some methodologies and best practices for implementing them.

Summary of Zero Trust Identity and Access Management Concepts

The following table contains a summary of the key concepts covered in this article.

Best Practice Description
Identity and access management IAM is a critical component of ZTA. It helps ensure that users and devices are properly authenticated and authorized, access controls are continuously monitored and adjusted, and access management is centralized and consistent across the network.
Incremental deployment strategy An incremental approach can be helpful when deploying IAM in a ZTA because it minimizes disruption, facilitates adoption, reduces risk, and addresses complexity.
Centralized IAM deployment It is beneficial to implement a centralized IAM system that can manage user identities, permissions, and access policies across multiple applications and systems to ensure simplicity, efficiency, and ease of use. The use of single sign-on (SSO) and other related tools helps further enhance user attribute and role customizations.
User authorization and lifecycle management Authorization in IAM relies on policies that grant access based on user attributes and adheres to the principle of least privilege, enhancing security and adapting to business needs. Integrating IAM with HR systems streamlines user lifecycle management, ensuring automatic provisioning and revocation of access while maintaining a secure ZTNA environment that adjusts to workforce changes.
Auditing and reporting IAM within a zero trust framework enhances auditing and reporting, enabling organizations to monitor user activity and detect potential security threats. This visibility helps security teams proactively address vulnerabilities and maintain compliance with industry regulations and internal policies.

Identity and Access Management

IAM is a fundamental aspect of ZTA and zero trust network access (ZTNA), ensuring that only authorized users can access applications and data. By implementing strict access controls and authentication measures, organizations can prevent unauthorized access and maintain a secure environment.

General IAM Operational Parameters

User management is a critical component of IAM within the ZTNA framework. It involves adding, deleting, and defining user roles within the organization. By effectively managing the user lifecycle, organizations can ensure that only current and authorized employees have access to sensitive resources. This process helps maintain a zero trust posture by continuously monitoring and updating user access based on changing needs and employment status.

User attributes are essential in defining the level of access that users have within the zero trust framework. These attributes, such as job title, department, or project assignments, help determine which resources users can access and the actions they can perform. By periodically evaluating and updating these characteristics of the user, organizations can maintain a zero trust environment that dynamically adapts to the evolving needs of the business and its users, ensuring that access to sensitive resources is always granted on a need-to-know basis.

One of the most important attributes leveraged by IAM is that of the user role. Role-based access control (RBAC) is a critical component of the IAM approach. RBAC refers to assigning permissions to users based on their roles within an organization. It offers an elegant approach to access management, reducing the likelihood of errors compared to assigning permissions to users on an individual basis.

IAM as a discipline is extremely important in and of itself, especially considering the more significant role that public cloud services are playing in enterprise networks. For this reason, cloud providers have introduced innovative approaches for organizing access management policies hierarchically, as exemplified by solutions such as AWS Organizations. These strategies aim to mitigate the risk of errors in large-scale environments with multiple accounts. By incorporating these advanced techniques into the IAM narrative, organizations can better understand and leverage the benefits of cloud-based solutions in their ZTNA implementations, ensuring a secure and efficient access management framework.

Finally, zero trust network access not only authenticates individuals’ access to devices and applications but also verifies devices’ access to other devices. It is essential to emphasize that asset discovery and inventory play a more critical role in ZTA than traditional environments. This increased importance stems from the need to identify and authenticate devices, ensuring a comprehensive security posture that encompasses all communications endpoints within the network.

Identity-Based Network Security
Learn More
Enable secure point-to-point encryption and authentication across your organization
Easily configure, deploy, and manage your zero trust mesh security from a single portal
100% cloud-hosted, fault tolerant, and highly scalable - no need to purchase hardware
Learn More
Identity-Based Network Security
Designed on an SDP framework
Learn More
Delivers zero trust network access for today's hybrid networks & workforce
Allows organizations to dynamically create and enforce granular, context aware access policies
Scales seamlessly as businesses expand their network infrastructure, adopt new technologies, and/or experience fluctuations in user demand
Learn More

Incremental Deployment Strategy

Incorporating IAM within a ZTNA environment on an operating production network requires a careful and well-planned approach to minimize disruption and maintain uptime. One effective way to achieve this is by adopting an incremental deployment strategy, which allows organizations to implement IAM solutions gradually without compromising network stability and performance.

An incremental deployment strategy involves introducing IAM components in a phased manner and integrating them with the existing conventional security implementation. This approach enables businesses to test and refine IAM solutions in smaller, controlled stages, ensuring that they are optimized and functional before being rolled out across the entire organization. By gradually incorporating IAM into the ZTNA environment, organizations can identify and address potential issues before they become critical, maintaining network uptime, and minimizing the impact on daily operations.

During the initial stages of the incremental deployment, organizations can focus on implementing foundational IAM features, such as user management and basic authentication processes. Once these core components are successfully integrated and functional, more advanced IAM features, such as multi-factor authentication, SSO, and granular access controls, can be gradually introduced. This progressive approach allows organizations to build a robust and comprehensive IAM solution within the ZTA framework while closely monitoring its impact on the network and making necessary adjustments along the way.

Furthermore, an incremental deployment strategy provides the opportunity to train staff and develop best practices over time. As new IAM features are introduced, employees can become familiar with the updated processes and tools, ensuring a smooth transition to the ZTA environment. By adopting this phased approach, organizations can effectively implement IAM within a ZTNA deployment, safeguarding their networks and assets with minimal disruption and maximum efficiency.

Incremental Deployment Example

An incremental deployment of IAM in a ZTNA environment can begin by utilizing a solution that allows administrators to define access policies through a web portal. Initially, this solution can be used in a VPN-like capacity, where users require secure access to specific corporate resources such as remote desktops or databases. In this phase, users can establish direct, end-to-end authenticated and encrypted sessions with the required servers without accessing the entire network. Administrators benefit from this approach because they do not need to modify firewall rules or Network Address Translation (NAT) configurations during this process. Access rules are based on user identities obtained from an organization’s Identity Provider and SSO service.

As the deployment progresses, the same model can be expanded to define a comprehensive set of rules specifying which services on servers are allowed to communicate with each other. This expansion leads to a full ZTNA environment, where every session is authenticated, authorized, encrypted, and audited. By deploying IAM incrementally within the ZTNA framework, organizations can gradually build a secure and robust access management system, minimizing disruptions and ensuring seamless integration with the existing infrastructure.

Centralized IAM Deployment

Implementing centralized IAM within a ZTNA environment is crucial for maintaining simplicity, efficiency, and ease of use across an organization’s entire network. By centralizing the management of user identities, permissions, and access policies, businesses can streamline the process of controlling access to applications and systems, reducing complexity and improving overall security.

Example of a centralized authentication dashboard provided by Cyberight's ZTMesh

A centralized IAM approach allows organizations to leverage existing identity providers, such as Active Directory or Okta, for identification and authentication. This integration enables businesses to maintain a single source of truth for user identities and access permissions, eliminating the need for multiple disconnected systems. By consolidating identity management in this manner, organizations can reduce the risk of inconsistencies and security gaps, ensuring a more cohesive and effective ZTNA implementation. The identity provider can often be configured to sync with the organization’s HR system, so that changes in the organization can automatically propagate to the IT infrastructure.

Furthermore, a centralized IAM system within a ZTA environment simplifies the administration and management of access policies. With a single, unified platform, administrators can easily define and modify access rules using RBAC and contextual factors. This streamlined process not only reduces the time and effort required to manage access policies but also allows for more granular control, enabling organizations to adhere to the zero trust principle of granting access on a need-to-know basis.

Centralized IAM also enhances the user experience when incorporating the use of features such as SSO. With SSO, users can access multiple applications and services using a single set of credentials, reducing the need to remember multiple passwords and streamlining the authentication process. SSO enhances security by giving the administrator real-time control over what resources users are allowed to access while simplifying the user experience, thus contributing to increased productivity and overall satisfaction.

User Authorization and Lifecycle

Authorization within a ZTA environment involves defining policies that grant users access to resources based on their attributes, including attributes inherited from identity providers, SSO systems, or other related sources. The principle of least privilege plays a significant role in authorization because it emphasizes granting users the minimum level of access required to perform their tasks. This approach reduces the risk of unauthorized access, data leaks, or malicious activity by limiting users’ access to only the information and resources they need.

By adhering to the principle of least privilege, an organization can enhance its security posture and ensure that its access policies are closely aligned with the zero trust model. Changes in user employment status, such as a promotion, demotion, or even termination, can trigger immediate revocation or modification of a user’s privileges, further safeguarding the organization’s resources. This dynamic approach to access management enables organizations to maintain a robust and secure ZTNA environment that adapts to the ever-evolving needs of the business.

Multi-factor authentication (MFA) is an additional method of strengthening user authentication. MFA requires users to provide multiple forms of verification, making it more challenging for attackers to compromise accounts: a single stolen credential will not allow access. This added layer of security enhances the zero trust approach by validating users’ identities with greater certainty before granting access to resources. Risk-based authentication mechanisms can provide a balance between security and convenience by requesting additional credentials only in certain cases, such as an access attempt from an unfamiliar location, unknown machine, or an unexpected time.

Additional practices to further enhance security in an IAM implementation include the following:

  • Use guest accounts: This facilitates secure collaboration with external users by limiting their access to the network, ensuring that they cannot discover or communicate with resources outside their assigned limits.
  • Implement proper password policies: This includes requirements for password strength and expiration and reset procedures.
  • Use time-limited one-time passwords: These are codes that are sent to users via text message or email that can be used only once and typically expire within a few minutes.
  • Use risk-based access control: This evaluates the risk level of a user’s session based on the originating device, its address, time of access, and service being accessed to determine whether the access is non-suspicious or whether additional credentials should be requested or the request should be blocked.
  • Employ biometric data: Fingerprints, facial recognition, and voice recognition are just some of the biometric data types that can be used to authenticate users. Biometric authentication is a powerful client-side facility that can be used to protect and access locally-stored authentication credentials. It’s rarely ever used to authenticate network traffic, it’s used instead to unlock user credentials at a computer or mobile device. Apple’s TouchID is a good example.
  • Use certificate-based systems: While they are not typically used to verify an individual’s identity, digital certificates can be used to authenticate devices that don’t necessarily correspond to a particular user.
  • Train users: An often overlooked best practice is providing comprehensive instruction on how to ensure safe and secure behavior on the network in accordance with an enterprise security policy.

Zero Trust Identity and Access Management Best Practice Example

One particular best practice that showcases the effectiveness of IAM within an enterprise network involves integrating it with the human resources systems of that enterprise. Interfacing IAM with HR systems is a crucial aspect of centralizing user lifecycle management within a ZTNA environment. Integrating HR systems with identity providers can help streamline the onboarding and offboarding process for employees, ensuring that access is provisioned and revoked automatically based on employment status.

When an employee is hired, the HR system sends information such as job title, department, and responsibilities to the identity provider. Working with features such as RBAC, the identity provider can then map this data into roles it can track, granting the appropriate level of access to the new employee. Similarly, when an employee’s status changes due to promotion, demotion, or termination, the HR system updates the identity provider, which then adjusts the user’s access permissions accordingly.

By interfacing IAM with HR systems, organizations can maintain a centralized approach to user lifecycle management, preventing stray accounts from lingering while minimizing the risk of unauthorized access. This seamless integration helps organizations maintain a secure and efficient ZTNA environment that automatically adapts to changes in the workforce.

Auditing and Reporting

IAM and ZTNA play a vital role in auditing and reporting, providing organizations with the necessary tools and insights to monitor changes in users as well as to detect and respond to potential security threats. By maintaining an audit trail of user activity, access modifications, and role adjustments, businesses can identify unusual patterns or anomalies that could indicate malicious activity or unauthorized access attempts.

With IAM in place, organizations can gain a comprehensive view of the access management landscape, including details about user logins, resource access, and policy changes. This visibility enables security teams to proactively identify vulnerabilities, investigate incidents, and take corrective action when needed.

In addition, IAM auditing and reporting capabilities help organizations maintain compliance with industry regulations and internal policies. By providing detailed logs and reports on user activities and access events, businesses can demonstrate their adherence to security best practices and prove their commitment to maintaining a robust security posture.

Summary of Key Concepts

Identity and access management plays a critical role in implementing a successful zero trust network access framework. By focusing on identity and access management, adopting an incremental deployment strategy, centralizing IAM deployment, efficiently managing user authorization and life cycle, and maintaining robust auditing and reporting processes, organizations can effectively embrace the zero trust model. This allows them to enhance their security posture, streamline access control, and proactively address potential threats in an ever-evolving digital landscape, thereby ensuring the confidentiality, integrity, and availability of their critical resources.

Identity-Based Network Security
Learn More
Attribute
Traditional VPN
ZTMesh
Blameless
Multiple consoles 
Centralized administration 
Encryption
VPN links using outdated algorithms
Multiple consoles 
Breach containment
Attackers free once inside
Every session is authenticated
Total cost of ownership
Individual deployed hardware units
No capital expenditure and scalable
Learn More
Identity-Based Network Security
Designed on an SDP framework
Learn More
Delivers zero trust network access for today's hybrid networks & workforce
Allows organizations to dynamically create and enforce granular, context aware access policies
Scales seamlessly as businesses expand their network infrastructure, adopt new technologies, and/or experience fluctuations in user demand
Learn More
Identity-Based Network Security
Learn More
Enable secure point-to-point encryption and authentication across your organization
Easily configure, deploy, and manage your zero trust mesh security from a single portal
100% cloud-hosted, fault tolerant, and highly scalable – no need to purchase costly hardware
Learn More
Next-Gen Mesh VPN Alternative
Designed on an SDP framework
Learn More
Delivers zero trust network access for today's hybrid networks & workforce
Allows organizations to dynamically create and enforce granular, context aware access policies
Scales seamlessly as businesses expand their network infrastructure, adopt new technologies, and/or experience fluctuations in user demand
Learn More
Subscribe to our LinkedIn Newsletter to receive more educational content
Subscribe now
Subscribe to our Linkedin Newsletter to receive more educational content
Subscribe now