How Identity and Context Underpin Zero Trust Security

In the digital age, it’s too easy to impersonate a machine.

Hackers use this tactic to breach corporate network perimeter defenses and gain access to inside-the-firewall systems. Once inside, they move laterally from system to system, masquerading as a trustworthy entity logged on from a trusted device. In a ransomware attack, hackers seize and encrypt data then extort money to decrypt it. Others steal corporate assets to sell to the highest bidder on the dark web. Many do both.

The firewall isn’t the only vulnerability to blame. It’s also the legacy architecture itself. When enterprise network security is inexorably linked to a device, the network simply isn’t secure. All it takes is one guessed password, one employee clicking on a link in a phishing email, one spoofed IP address, and the hacker is in…and everywhere.

A zero trust architecture (ZTA) secures a cloud-first, device-agnostic, work-from-anywhere way of business. Fundamental to a zero trust architecture is identity, which serves as the new basis for conditional access, and is something all organizations’ board of directors should understand and evangelize. Identity underpins zero trust and is the best way to manage secure connectivity to applications, destinations, and resources to protect the modern enterprise workplace.

Managing conditional access with identity and context

In a ZTA, there’s no longer the concept of a corporate network nor the burden of its costly, inefficient, and insecure infrastructure. Connectivity is direct and ephemeral: employees connect to applications or resources they need to conduct their work.

A ZTA relies on business-defined, conditional access to resources. Identity becomes the basis for allowing that access. But identity is only the first facet of zero trust authentication and the business policies associated with access. Identity links a user to context, which contributes new validation layers to accurate identification. In establishing security and access, IT leaders can consider multiple types of context, including user, role, group, department, location, device, device status (e.g., managed or unmanaged, recognized or unrecognized, company-issued or employer-supplied, etc.), and many more.

Context provides the necessary breadth and depth to identity-based access. An employee in a sales department, for instance, might have access to cloud and internal resources specific to fulfilling sales duties like Salesforce or a company quota-tracking application. Similarly, an engineer might have access to development tools like Github or Jira. But neither the salesperson or the engineer would have access to the other’s systems, nor would the separate systems be connected or accessible to or from each other in any way.

A ZTA solution employs context to signal compromise. If an identified employee is acting outside of expected norms, a ZTA solution can flag the unexpected behavior and take corrective action. Such out-of-expected-context behavior might be an employee accessing systems not required for doing their work, or trying to connect on a new device, or attempting to move proprietary digital assets to an external location.

In a ZTA environment, context governs connectivity. Context also limits potential “blast radius.” In the event a hacker compromises an individual ZTA-environment device, they cannot move laterally to adjacent systems, since there are none connected. Any subsequent access requests would be out of context and rejected. Contrast that with traditional security architectures: if hackers breach a legacy network environment, they can adroitly move along a network path from one system to another.

Business policies define security (rather than the other way around)

The U.S. National Institute of Standards and Technology (NIST) ZTA standard notes that identity is “the key component of policy creation,” with resource access based on business privileges assigned to a specific person. Business-defined policies govern access. For instance, this particular sales employee can access resources A, B, and C; that particular engineering employee can access resources D, E, and F, and so on.

Such validation requires Identity Access Management (IAM) services, ideally delivered via a cloud-based solution. IAM solutions—available from vendors like CA, Microsoft, Google, IBM, Okta, and many more—provide a scalable way to authenticate user access to resources outside the periphery of legacy corporate networks.

Why does context-based security matter?

A ZTA provides an access model attuned to the modern method of work: outside the office, beyond the data center, and in the cloud. Security and policy follow the user and the user’s data, wherever that user may be, wherever that data may reside, to whatever destination that user may connect, and on whatever device that user may employ.

ZTA context-based access improves upon a legacy network access model through:

• Identity-based context, multi-factor authentication, and behavioral analysis that offer IT leaders better control of, visibility into, and ultimately governance over corporate resource access.
• Required authorization—users cannot access resources or destinations without permission.
• Context-based access solutions that easily scale to support governed access to cloud, data center-hosted, and on-premises resources.
• The ability to set business policy at a macro or micro level, with resource access rules defined for both a group and an individual employee.
• Access that is specific to the user and not the machine, meaning employees (and administrators) enjoy the same level of security regardless of the device used to access corporate resources.
• Work-from-anywhere capabilities—users get the same access (and administrators ensure the same security) whether they work at headquarters, in a branch office, or from home.

Boards of directors and technology decision makers have the opportunity to lead enterprises forward from legacy device-based security to zero trust context-based access. Understanding the importance of identity is the first step toward that objective.

Read more about Zero Trust and how Zscaler helps organizations institute a ZTA.