Identity: The Cornerstone of Zero Trust Architecture
Introduction
Imagine giving a stranger your house keys just because they're standing in your neighborhood. Sounds risky, right? Yet many organizations do something similar with their digital assets every day by trusting connections simply because they come from within their network. This is why zero trust architecture has become the gold standard in cybersecurity. But what exactly is zero trust, and why is identity its cornerstone?
At its core, zero trust means that we don’t assume any connection between a person or device is secure. Every user or system must be authenticated before being given access to a system. We essentially never trust, and we always verify connections.
There is no single zero trust solution. It is more of a philosophy than a silver bullet technology. So when an organization has a zero trust initiative, it will comprise multiple tools. When considering zero trust tools, one of the core components of a zero trust philosophy is identity.
When running security programs or advising customers, it's important to reference common frameworks like NIST. NIST provides standards that are well researched and carry weight when talking to executives or board members. NIST 800-207 has a zero trust architecture framework that lists 7 tenets of zero trust. Identity is such an important part of the framework that it can be tied back to each of the 7 tenets.
Resource Management and Access Control
Understanding Your Assets
All data sources and computing services are considered resources
When we talk about identity in cybersecurity, we're not just talking about usernames and passwords. Identity is the cornerstone that determines what can access what in your environment.
Think about the digital identities that are commonly used: a work login, social media accounts, or banking credentials. These are what we call human identities, and they're pretty straightforward. But there's another fascinating category that often flies under the radar: non-human identities.
Non-human identities power most modern IT environments. They're the virtual entities that authenticate and operate behind the scenes. Picture a cloud server that needs specific permissions to do its job, or an API key that acts as a digital passport for different services to communicate with each other.
Here's what makes this really interesting: whether we're talking about a person logging into their email or a cloud instance accessing a database, identity is the critical first step in implementing zero trust security. You simply can't build a solid security foundation without first knowing who – or what – is trying to access your resources.
Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
One characteristic of identities is the set of attributes that define them. These could be items like location, last logon location, business unit, or MFA enabled status. Identity attributes like these are key elements in dynamic policy decisions, influencing access rights based on current conditions. Zero trust depends on identity attributes to make intelligent decisions around access. With this information, conditional access can be granted that helps prevent security incidents involving compromised identities.
Continuous Monitoring and Assessment
The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
Zero trust programs need a way to monitor the security of the resources and assets that are connected. A modern identity management program under zero trust principles includes monitoring identity-related metrics to ensure devices and users comply with security standards. Access reviews and compliance dashboards are methods that can be used to monitor the posture of identities. With so many security breaches being traced back to identity-related causes, monitoring access is essential to ensure the zero trust connection stays secure.
The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
Many times security practitioners focus on prevention and not as much on runtime. True security requires a continuous approach that analyzes runtime data and feeds it back into build time. This feedback helps ensure we can adapt to new threats and react to environments that are constantly changing. Identity data is part of the broader set of data collected in the feedback loop. It helps us ensure that our identities are being used as expected (not compromised) and that our identities have the permissions they need (not over-permissioned).
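As an added example (not part of the original article, and not a description of any particular product), the following Python script shows the kind of access review the monitoring tenet calls for: it compares the permissions granted to each human and non-human identity with the permissions actually exercised in an access log, flags identities whose grants are mostly unused (over-permissioned), and flags sessions that came from a network the identity is not expected to use (possibly compromised). The log format, the granted-permission table and the expected networks are all constructed for this example; a real review would pull them from the identity store and the access logs.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data; none of this comes from a real environment.
# Permissions currently granted in the identity store, for two humans and one service identity.
GRANTED = {
    "alice@example.test": {"crm:read", "crm:write", "billing:read", "billing:export"},
    "bob@example.test": {"crm:read"},
    "svc-report-builder": {"reports:read", "reports:write", "billing:read", "crm:read", "admin:users"},
}

# Networks each identity is expected to operate from (assumed to be an attribute in the identity store).
EXPECTED_NETWORKS = {
    "alice@example.test": [ip_network("10.0.0.0/8")],
    "bob@example.test": [ip_network("10.0.0.0/8")],
    "svc-report-builder": [ip_network("172.16.5.0/24")],
}

# Constructed access log in an assumed key=value format: one authorization decision per line.
ACCESS_LOG = """\
2024-05-01T08:02:11Z identity=alice@example.test perm=crm:read src=10.0.0.5 result=allow
2024-05-01T08:05:40Z identity=alice@example.test perm=crm:write src=10.0.0.5 result=allow
2024-05-01T09:12:03Z identity=bob@example.test perm=crm:read src=10.0.1.9 result=allow
2024-05-01T09:12:30Z identity=bob@example.test perm=crm:write src=10.0.1.9 result=deny
2024-05-01T09:30:00Z identity=svc-report-builder perm=reports:read src=172.16.5.20 result=allow
2024-05-01T09:30:02Z identity=svc-report-builder perm=reports:write src=172.16.5.20 result=allow
2024-05-02T02:14:55Z identity=svc-report-builder perm=reports:read src=203.0.113.77 result=allow
2024-05-02T10:41:19Z identity=alice@example.test perm=crm:read src=10.0.0.5 result=allow
"""


def parse_line(line):
    """Turn one 'ts key=value key=value ...' log line into a dict."""
    ts, *fields = line.split()
    record = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def used_permissions(records):
    """Permissions each identity actually exercised (denied attempts do not count as use)."""
    used = defaultdict(set)
    for rec in records:
        if rec.get("result") == "allow":
            used[rec["identity"]].add(rec["perm"])
    return used


def unused_permissions(granted, records):
    """Granted permissions that never appear as an allowed use in the log."""
    used = used_permissions(records)
    return {ident: perms - used.get(ident, set()) for ident, perms in granted.items()}


def over_permissioned(granted, records, max_unused_ratio=0.5):
    """Identities where more than max_unused_ratio of their grants went unused in the review window."""
    flagged = []
    for ident, unused in unused_permissions(granted, records).items():
        total = len(granted[ident])
        if total and len(unused) / total > max_unused_ratio:
            flagged.append(ident)
    return sorted(flagged)


def unexpected_sources(expected, records):
    """Sessions whose source address is outside every network the identity is expected to use."""
    hits = []
    for rec in records:
        src = ip_address(rec["src"])
        networks = expected.get(rec["identity"], [])
        if not any(src in net for net in networks):
            hits.append((rec["identity"], rec["src"], rec["ts"]))
    return hits


if __name__ == "__main__":
    records = parse_log(ACCESS_LOG)
    for ident, unused in unused_permissions(GRANTED, records).items():
        print(f"{ident}: unused {sorted(unused)}")
    print("over-permissioned:", over_permissioned(GRANTED, records))
    print("unexpected sources:", unexpected_sources(EXPECTED_NETWORKS, records))
```

With the constructed data, the service identity is the one worth attention on both counts: three of its five grants (including `admin:users`) were never used, and one of its sessions came from outside its expected network, which is exactly the pair of questions (over-permissioned? used as expected?) the feedback loop above is meant to answer.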
Secure Communication and Session Management
Network-Independent Security
All communication is secured regardless of network location.
Proper access control is at the center of securing communication. Whether the connection is made from an office, a home, or a hotel, the communication between the systems should be secured. The access granted through that communication is determined by proper identity management and access control.
Access to individual enterprise resources is granted on a per-session basis.
Each session’s access is tied to the verification of the user’s identity at the time of access. Once the session is secured, identity permissions are determined to ensure the requester only has access to the resources and systems it needs. This access check is performed every time a session is established. The verification of permissions applies to both human and non-human identities. When trusts are established between machines or platforms, the same principle applies. Understanding the identities and the roles they should have is a key part of session-level authentication.
Dynamic Authentication and Authorization
All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
Years ago, when VPNs were popular, always-on VPNs connected resources. The problem was that this wasn’t dynamic: updating permissions and roles took time or required re-establishing the connection. In a modern day zero trust architecture, identity must be continuously verified and authorized for access to any resource. This allows permissions to be updated dynamically and monitored for misuse.
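The three tenets above (attribute-driven policy, per-session access, dynamic authorization) all come down to the same mechanism: every session request is decided afresh from the identity's current attributes, so a change in those attributes takes effect on the next request rather than at the next VPN reconnect. The following Python example, added here and not taken from the article or from NIST 800-207, shows a minimal policy decision point of that kind. The `Identity` attributes (business unit, MFA status, device or workload posture, usual countries), the `RESOURCE_POLICY` table and the `SessionBroker` are all assumptions made for the illustration; a real deployment would read attributes from the identity provider and device-management system.

```python
from dataclasses import dataclass
from itertools import count


@dataclass
class Identity:
    """Identity attributes as a policy engine would read them at decision time (assumed schema)."""
    name: str
    kind: str                 # "human" or "service" (non-human identity)
    business_unit: str
    mfa_enabled: bool         # meaningful for humans only
    posture_ok: bool          # device (human) or workload (service) passed its posture check
    usual_countries: set      # countries this identity normally connects from


# Constructed per-resource policy: which business units may connect, whether strong
# authentication is required, and which actions a session may perform.
RESOURCE_POLICY = {
    "billing-db": {"units": {"finance", "platform"}, "strong_auth": True, "actions": {"read", "write"}},
    "public-docs": {"units": None, "strong_auth": False, "actions": {"read"}},
}


def evaluate(identity, resource, country):
    """Decide one session request. Returns (allowed_actions, denial_reasons); empty actions means deny."""
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return set(), ["unknown resource"]
    reasons = []
    if policy["units"] is not None and identity.business_unit not in policy["units"]:
        reasons.append("business unit not permitted")
    if policy["strong_auth"]:
        # Humans must have MFA; both humans and services must pass their posture check.
        if identity.kind == "human" and not identity.mfa_enabled:
            reasons.append("MFA required")
        if not identity.posture_ok:
            reasons.append("device/workload posture check failed")
    if country not in identity.usual_countries:
        reasons.append("unusual location")
    if reasons:
        return set(), reasons
    return set(policy["actions"]), []


class SessionBroker:
    """Issues sessions one at a time; every request is re-evaluated against current attributes."""

    def __init__(self, directory):
        self.directory = directory   # name -> Identity, standing in for the identity store
        self._ids = count(1)
        self.decisions = []          # audit trail: (identity, resource, allowed, reasons)

    def open_session(self, name, resource, country):
        identity = self.directory[name]   # read fresh each time, so attribute changes take effect now
        actions, reasons = evaluate(identity, resource, country)
        self.decisions.append((name, resource, bool(actions), reasons))
        if not actions:
            return None
        # The session carries only the actions policy allowed for this resource, nothing broader.
        return {"id": next(self._ids), "identity": name, "resource": resource, "actions": actions}


def build_demo_directory():
    """Constructed identities: two humans and one service identity."""
    return {
        "alice": Identity("alice", "human", "finance", mfa_enabled=True, posture_ok=True, usual_countries={"US"}),
        "carol": Identity("carol", "human", "marketing", mfa_enabled=True, posture_ok=True, usual_countries={"US"}),
        "svc-reports": Identity("svc-reports", "service", "platform", mfa_enabled=False, posture_ok=True,
                                usual_countries={"US"}),
    }


if __name__ == "__main__":
    directory = build_demo_directory()
    broker = SessionBroker(directory)
    print(broker.open_session("alice", "billing-db", "US"))      # allowed: read/write
    print(broker.open_session("alice", "billing-db", "BR"))      # denied: unusual location
    directory["alice"].mfa_enabled = False                       # attribute changes in the identity store
    print(broker.open_session("alice", "billing-db", "US"))      # denied on the very next session
    print(broker.open_session("svc-reports", "billing-db", "US"))  # service identity: attestation, not MFA
    print(broker.open_session("carol", "billing-db", "US"))      # denied: wrong business unit
    for decision in broker.decisions:
        print(decision)
```

The point of the `SessionBroker` is the line that re-reads the identity on every request: contrast that with an always-on tunnel, where the attributes checked at connect time are the ones that count until the tunnel is torn down. The `decisions` list is the audit trail the monitoring tenet asks for, so each allow or deny can later be reviewed for misuse.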
Conclusion
Identity serves as the foundation that connects these themes. Without strong identity management, none of the other zero trust components can function effectively. NIST 800-207 does a great job of laying the architectural groundwork for rolling out a zero trust security framework. Identity security isn’t the only security you need to make zero trust work as a security philosophy, but it's an important part. When you look at the other parts of zero trust, like policy engines and next-gen firewalls, none of it can work without a modern identity security strategy that includes identity stores, dynamic access control, access reviews, and identity security monitoring.