In today’s cybersecurity landscape, where threats are complex and sophisticated, we often hear, “Identity is the new perimeter.” Identity security is crucial in the zero-trust model, replacing perimeter security with zero-trust. The zero-trust model demands robust identity security, which needs continuous verification of individuals and systems.

As per the CISA Zero-Trust Maturity Model Version 2.0, the zero-trust model requires maturity in the following pillars: Identity, devices, networks, applications and workloads, and data. There are also four stages in the zero-trust maturity journey.

1. Traditional
2. Initial
3. Advanced
4. Optimal

This article will explain how to achieve the optimal maturity of identity stack in the zero-trust environment.

What is Zero-Trust?

Zero trust is a security model that challenges traditional perimeter security, which assumes everyone inside the network is trustworthy. In the zero-trust model, every individual or system must verify its identity, whether it connects inside or outside the corporate network. The zero-trust model enhances any organization’s security posture by providing access only to authorized individuals and continuously verifying their identities.

Organizations should concentrate on transforming their identity stack and improving their identity security practices to realize the benefits of the zero-trust model. As per the CISA Zero Trust Maturity Model Version 2.0, there are seven functions. Let’s explore the different practices that can mature each identity function.

1. Authentication

Passwordless

Passwordless authentication eliminates the need for traditional passwords. Passwords are not tied to an identity and can be shared or stolen. Passwordless technologies like FIDO2, biometrics and hardware tokens validate the user and their identity. Using biometrics, MFA provides resistance to phishing and will reduce the risks of unauthorized access through a compromised password or a secret. This will also enhance the user’s productivity by avoiding password managers.

Continuous MFA

Continuous MFA continuously validates identity when a user has to log in to critical resources or perform a significant action. By integrating continuous MFA into the IAM stack, we can constantly verify their access, which is key to implementing zero-trust. Continuous MFA can be challenging for users, but passwordless technologies can remove the complexity.

Here are some situations in which continuous MFA can be leveraged: When someone is accessing your crown jewel resources or when suspicious activity is detected.

2. Identity Stores

Integrate IDPs and resources

Integrating identity providers, PAM platforms, applications and various environments is crucial for managing all the appropriate access for individual identities, avoiding access silos and ensuring that identities have consistent and secure access to resources. Integrating IDPs can avoid the identity management overhead and enable ease of use for the end users. Integrating the identity stores will help us adopt the zero-trust model by enabling identity governance.

3. Risk Assessments

Right-sizing access permissions

Access permissions are typically granted based on the individual’s role and responsibilities within the team. However, to achieve the least privileges, it’s essential to adjust these permissions continuously. Fine-tuning roles and entitlements will ensure individuals have precise access. The ongoing adjustment of permissions reduces the risk of provisioning unnecessary access.

Real-time threat detection

Real-time threat and risk detection capabilities are crucial for protecting IT systems. This involves continuously and dynamically analyzing potential risks, such as missing access log data, unauthorized access, privilege escalations, and misconfiguration in identity access management (IAM) systems. By detecting and responding to threats in real time, organizations can mitigate security risks and maintain integrity throughout the security stack, which is a crucial component of implementing the zero-trust model.

4. Access Management

Just-in-time access

Just-in-time access gives an individual temporary or time-bound access to a particular resource with just enough permissions when required. We require automation and approval workflows to provision and de-provision time-based access to practice just-in-time access. This practice will minimize the risk of misusing privileges and ensure individuals get access only when needed.

Here is an example: If an individual accesses a database only once a week or a resource is a critical asset, that individual may not need access to those resources by default. To handle these use cases, we can implement Just-in-time access.

5. Visibility & Analytics

Access Observability

Maintaining visibility and tracking who accessed what, when and what action they performed on a particular resource or system is essential for robust identity security. To achieve crystal-clear visibility into all users’ activity, access logs must be captured at a very granular level, correlated with various activity logs, and analyzed in real time to detect any suspicious behavior or unauthorized access immediately. This level of observability is important for implementing the zero-trust model and ensuring only legitimate access is provisioned.

User Behaviors Analytics

Beyond analyzing logs in real time, collecting and analyzing user behavior data is essential to get deep insights into potential risk threats. Here are some examples: What systems does a user interact with daily? What actions does he perform on an application, server, or database? All this data is used to find anomalies or deviations from the typical behavior pattern, which can indicate a security threat. This deep and continuous analysis can help detect and respond to threats.

6. Automation & Orchestration Capability

Automate Identity Lifecycle Management

An individual’s identity undergoes a complete lifecycle while working for a company. It starts with provisioning the users, giving them an exact set of permissions or access, changing the access based on the business need, and de-provisioning the access immediately when the individual leaves the company. Manually managing the lifecycle is tedious and prone to error, which can cause security vulnerabilities. Automating the life cycle of an identity based on business needs can avoid the risk of human error, ensure timely changes to access rights, and align with the zero-trust model by maintaining straight and consistent control over identity management.

Leverage GitOps

Today’s IT infrastructure is very dynamic and distributed. Managing identities and entitlements is impossible without automation. Beyond automation, we need a centralized, robust change process to make all the necessary changes. By adopting GitOps, organizations can manage configurations as code, allowing every change to be versioned and reviewed. This approach ensures that all the modifications to IAM are thoroughly vetted and controlled.

7. Governance Capacity

Implement a Policy to control

Managing all the identities and entitlements across the IT infrastructure is a complex challenge for any organization. Implementing fully automated policy control ensures that users have only the access they need, preventing unauthorized and unnecessary entitlements.  This brings governance to the IAM stack by making access permission more precise and aligned with business needs. Any change in the business can be enforced swiftly by applying policies organization-wide and using automated policy enforcement to ensure that identity governance remains consistent and secure, which is crucial for maintaining zero-trust.

Conclusion

Adopting the zero-trust model is no longer an option; it’s necessary in today’s rapidly evolving threat landscape. Transforming your identity stack is a crucial step toward zero-trust. However, achieving zero-trust maturity is a gradual process. It’s essential to align your efforts with the CISA Zero Trust Maturity Model Version 2.0 to stay on track with best practices. As threats evolve, continuous improvement is critical. By following these principles, your organization can reduce risk and ensure that access is tightly controlled, protecting your assets and data in a complex digital environment.