The concept of zero trust has been around for nearly two decades, but it is only recently that the security model has caught on and is now one of the hottest trends in cybersecurity. A Microsoft report found that 90% of security decision-makers are now familiar with the concept, up from 20% just one year ago. But adoption is still a challenge as organizations rethink how they handle identity management.
This surge in popularity is no doubt related to both growth in enterprise cloud computing and the rise of remote working. It’s now expected that employees can access their organization’s data from a range of devices, locations, and geographies.
Zero Trust Is Just One Piece of the Pie
Building zero-trust architecture requires organizations to identify a so-called “protect surface,” made up of their most important data, assets, applications, and services. A microperimeter is then deployed around the protect surface, requiring users to authenticate themselves whenever they cross it.
Identity and access management (IAM) is in many ways the cornerstone of zero-trust architecture. However, thanks to a combination of legacy systems, many organizations have complex digital identity structures, with one tool for provisioning and deprovisioning, another for multifactor authentication (MFA), another for single sign-on, and a fourth for fast smart-card-enabled access.
Forward-thinking organizations should be working toward reducing their overall attack surface by consolidating these structures. Their ultimate aim should be a decentralized identity infrastructure that will enable different organizational systems to accurately map back to a single user identity.
Such a system would instantly and automatically provision, deprovision, modify access rights, and accurately report on all users across an organization’s digital continuum. It would be backed by robust policies and access rules – as well as modern MFA methods.
Fragmented Digital Identities Pose a Security Risk
Digital identity – originally a set of technologies designed for industries that handle highly sensitive data, such as financial services, government, and the military – is now crucial to how we interact with devices in both our personal and professional lives. Nowadays, you might log into your online banking using biometrics, access your email with SMS verification, and enter your workplace by swiping an RFID key card. And that’s all before 9 a.m.
Within organizations, the sheer number of digital identities associated with employees has now in itself become a threat. Having numerous digital identities for each individual multiplies organizations’ attack surface, putting them at greater risk of financial damage and data loss should a breach occur. This turn of events is somewhat ironic given that the initial intended purpose of these technologies was to enhance security.
Consider the Colonial Pipeline attack earlier this year. Attackers reportedly gained entry into the organization’s systems via an employee’s VPN account that was no longer in use but still active. The employee in question had used the same password multiple times, and thanks to a totally unrelated leak, the password in question was part of a batch for sale on the Dark Web.
With the benefit of hindsight – which is admittedly always 20/20 – had automatic account deprovisioning been in place or an enterprise single sign-on solution deployed, it seems that one of the most dangerous attacks in US history could have been avoided. If that’s not a reason to prioritize strong digital identity management, then I don’t know what is!
Amid a growing number of cyberattacks, it’s hard to overstate the scale of digital identity challenges currently facing organizations. Of course, IT executives’ immediate priority should be securing systems, data, and users in the immediate term. At the same time, however, the case for establishing a more effective digital identity paradigm is clear. This would include a holistic solution for managing and governing digital identities, the ability to manage identity governance, proofing, and authentication assurance, as well as simple, passwordless user access and authentication. This setup should be the end goal for most enterprises.