Traditionally, enterprises have relied on security models termed “castle and moat”, a type of architecture which controls access from outside the network using security controls such as firewalls, virtual private networks, access controls, email security, and web security, to name a few.
However, as more enterprises are migrating from on-premises to hybrid and cloud environments, and as more organisations go remote and use their own devices, it becomes harder to secure the perimeters and control who moves laterally within the network.
Today, cybercriminals are becoming more inventive in their attack methods and continue to gain entry into organisations’ systems by compromising user accounts. To tackle this, enterprises are shifting their focus to protecting the identities in their company, such as employees, partners, vendors, and non-human bots, by providing only the required access to the right identities.
Therefore, identity security has to be at the core of a zero-trust security architecture. Zero trust is essentially a cybersecurity model that runs on the belief of trusting no one inside or outside an organisation’s network until their identity has been verified.
Why move to a zero-trust model?
By implementing a zero-trust framework, identities are continuously validated through authentication and authorisation methods. Moreover, security doesn’t stop once an identity enters the network; identities continue to be validated as they move laterally within it.
Zero trust’s approach to security builds a defence through an organisation’s identity infrastructure, rather than the network perimeters. One can no longer trust a user simply because they are part of an organisation or because of the password they provide. It is essential to look at user attributes and behaviour patterns to understand who’s trying to gain access, how they are gaining access, and what they will do with that access.
In an October 2021 study, we found that anywhere operations, increased cloud use, and growing security attacks are leading 92% of companies to incorporate a zero-trust security model, as it is expected to deliver improved visibility, earlier threat detection, fewer incidents, and improved remediation.
Of those surveyed, nearly all (97%) agree identity is a foundational component of a zero-trust security model, but a lack of expertise is the key reason preventing enterprises from adopting zero trust.
Why is it important for an organisation’s security strategy to be built on identity?
A strong identity security programme will enable organisations to manage and govern access for all types of digital identities, and to establish a zero-trust framework that is able to systematically adapt and respond to ongoing changes across the organisation and threat landscape.
A comprehensive identity security solution will also empower enterprises to automate the identity lifecycle, manage the integrity of identity attributes, enforce privilege based on roles in the organisation, and leverage advanced technologies such as artificial intelligence and machine learning to govern and respond to access risks.
How can organisations align their zero-trust strategy with an identity security approach?
- Create a centralised repository of identity data that provides full access visibility and understanding of the identities of each user, including non-human entities, devices, data sources, and shadow IT.
- Use roles and access policy management to assign access to data and application resources only where it is needed, and set policies for separation of duties to avoid potentially toxic access combinations.
- Continuously review and adjust users’ identity entitlements and roles to ensure they have exactly the right amount of access to the right resources, at exactly the right time.
- Monitor what users are doing with their access to resources and flag suspicious access activity or changes to entitlements, and alert the appropriate administrators.
- Automatically deprovision access that is no longer needed.
- Automatically modify or terminate access based on changes to a user’s attributes or location, and automatically perform remediation actions when risky activity is detected.
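The review steps listed above can be sketched as a single pass over a central identity repository. This is an added example, not code from the article or from any product; the identity records, entitlement names, toxic pairs, and the 90-day staleness threshold are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed policy: entitlement pairs one identity must never hold together.
TOXIC_PAIRS = [
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"deploy_prod", "approve_change"}),
]
STALE_AFTER = timedelta(days=90)  # assumed threshold for "no longer needed"

@dataclass
class Identity:
    name: str
    kind: str     # "human", "service", ... (non-human identities are reviewed too)
    active: bool  # attribute fed from HR or the owning system
    entitlements: dict = field(default_factory=dict)  # entitlement -> last-used date or None

def review(identity, today):
    """Return sorted (action, entitlement, reason) findings for one identity."""
    held = set(identity.entitlements)
    if not identity.active:
        # Attribute change (for example a leaver): terminate all access.
        return sorted(("revoke", e, "identity inactive") for e in held)
    findings = []
    for pair in TOXIC_PAIRS:
        if pair <= held:  # both halves of a toxic combination are held
            findings += [("flag", e, "separation-of-duties conflict") for e in pair]
    for e, last_used in identity.entitlements.items():
        if last_used is None or today - last_used > STALE_AFTER:
            findings.append(("revoke", e, "unused beyond threshold"))
    return sorted(findings)

# Constructed sample repository and review date.
TODAY = date(2024, 6, 1)
REPOSITORY = [
    Identity("alice", "human", True,
             {"create_vendor": date(2024, 5, 20), "approve_payment": date(2024, 5, 28)}),
    Identity("ci-bot", "service", True,
             {"deploy_prod": date(2024, 5, 30), "read_billing": None}),
    Identity("bob", "human", False, {"approve_change": date(2024, 1, 10)}),
]

def review_all(repo=REPOSITORY, today=TODAY):
    return {i.name: review(i, today) for i in repo}

if __name__ == "__main__":
    for name, findings in review_all().items():
        for action, ent, reason in findings:
            print(f"{name}: {action} {ent} ({reason})")
```

Separation-of-duties conflicts are flagged for an administrator rather than revoked automatically, since deciding which half of a toxic pair to remove is a business decision.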
Today, as most organisations are operating in a multi-cloud environment and have distributed and remote workforces, adopting a zero-trust architecture is more important than ever. An identity-centric approach to a zero-trust model should be at the centre of an organisation’s security infrastructure.