Zero Trust: the next evolution in an organization’s identity journey
Every user, device, and traffic flow is known, authenticated, authorized, and monitored, at all times
By Daan Spitael, Yousef Khasawinah, Joran Frik
Today's pioneering organizations are data-driven, interconnected, and powered by technological innovation. Having benefitted from the increased scalability and agility brought by cloud and mobile workforces, they are now preparing for the next waves of innovation with the help of artificial intelligence (AI), automation and ‘phygital’ assets. Omni-connectivity, through widespread 5G and 6G coverage, acts as another flywheel. But as organizations are increasingly automating, abstracting, and outsourcing their business processes to technology, and boundaries between online or offline, local or cloud, are fading more than ever, the question of how to stay in control is pressing. Combine this with more sophisticated cyberattacks, and we understand the pressure on security teams and business leaders alike to secure their digital transformation. There are solutions. Combining Digital Identity with Zero Trust Architectures allows us to build trust in an untrusted world.
Defining security from the inside out
Organizations and security teams are facing more and more challenges as the center of gravity moves rapidly from on-prem to cloud. Where once we only had one castle (on-prem) to protect, today it is infinitely more challenging, as our crown jewels are scattered across different castles (hybrid). We work with employees, partner organizations, customers, and IoT devices, who need access to an ever-expanding list of applications residing in these castles. The need for Zero Trust is accelerating, with a key role for Identity.
The reality is that we can no longer trust anyone or anything. It is best to treat everyone as a potential threat. So we will have to evaluate every user, every device, even every bit of traffic on its own merits. They will all need to authenticate themselves, for every purpose and every visit. This concept of “never trust, always verify” is the central tenet of ‘Zero Trust’. Zero Trust is a modern and comprehensive approach to securing all access across corporate networks, workloads, and environments, helping secure access from users, end-user devices, and other actors. It defines security from the inside out, while limiting the friction that comes with additional security. Importantly, Deloitte approaches Zero Trust first and foremost from the business perspective. By eliminating lateral movement, a Zero Trust architecture supports users across a global and mobile workforce in their day-to-day interactions and in realizing the organization’s strategic goals.
Identity as a keystone to Zero Trust
While Zero Trust is not only about Identity, we consider it a cornerstone capability. In today’s data-driven organizations, the landscape of users, data, devices, and resources is large and complex. Digital identity offers a well-placed linking pin to (re-)connect the right stakeholders to the right resources. Leveraging digital identity in a well-thought-out, efficient, and responsible way helps to create trust: trust within the organization, its data, and services, but also trust by clients. More and more, clients require organizations to demonstrate their security and control of complex environments before trusting them with their business. This makes embracing Zero Trust and its identity principles a convincing argument and a means to build client reputation.
So, what does Digital Identity really mean in the context of Zero Trust? In a nutshell, every user, device, and traffic flow is known, authenticated, authorized, and monitored – at all times. To make this applicable in security and identity strategies, our Zero Trust approach is based on guiding principles and capabilities, many of which are especially relevant to the identity domain.
One example is to rely on dynamic resource authentication and authorization instead of static rules. This means access to resources is determined by dynamic policy, combining knowledge of client identity, the application accessed, and other attributes such as device, location, or time of day. In other words, Zero Trust identity is context-based. A simple case: if I log in from Brussels every day during working hours, but from Singapore tomorrow at midnight, I should have to pass much stricter security controls. It also works the other way around: if I need to quickly update a simple ticket, and my device and role are known, I shouldn’t have to authenticate at top-secret level.
Another important principle is the ‘least-privilege principle’. Every user is granted the least amount of access needed to do their job successfully; no more, no less. A Zero Trust-based architecture helps control user access based on a comprehensive set of policies, by knowing who should have access and who is currently accessing. Since users often switch between devices, locations, and platforms, this means evaluating each request as well as continuously authenticating users with as little friction as possible.
These examples are especially relevant because raising security standards can only work in practice if it doesn’t frustrate the user experience. Zero Trust gives us that opportunity through things we know, such as Single Sign-On (SSO) or federation, and new innovations such as passwordless authentication, dynamic authentication, and automation of both user processes and monitoring. This means Zero Trust is not only a powerful means to improve reputation, but also facilitates employees in their daily interactions.
Moving ahead with no-regret moves
When talking about identity, we always spoke of “the right people, having the right level of access, to the right resources, at the right time”. Zero Trust adds “in the right context, assessed continuously”. As such, we see Zero Trust as the next evolution in an organization’s identity journey. Before implementing Zero Trust capabilities such as adaptive access, a solid foundation is realistically required. That means having a consolidated view of users and data, centralizing identity processes and the supporting tooling (e.g. for Identity Governance, Privileged Access Management), and implementing base capabilities (e.g. Multi-Factor Authentication/MFA, SSO).
That doesn’t mean you cannot already start implementing Zero Trust within your organization. There are a number of ‘no-regret moves’ that any business can start today to deliver immediate value, without compromising on the long-term strategy. Some examples from practical experience include:
- Start with data and asset discovery. After all, you cannot protect what you don’t know exists. What is more, with the increasing use of cloud and SaaS applications, there is an increasing risk of shadow IT.
- Enable MFA at the application layer with the help of a (centralized) enterprise identity service, rather than through network authentication (e.g. a VPN). From there, incorporate context, such as device-level signals alongside identity information, when managing access to enterprise resources.
- Move towards defining permissions more granularly and dynamically with the help of attribute-based access control (ABAC), rather than relying on static pre-defined roles assigned to users as in RBAC.
- Rely on Privileged Access Management (PAM) to shield highly sensitive resource access (e.g. admin access). PAM solutions can provide single-use credentials combined with MFA to help minimize risks.
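The context-based decision described above (the Brussels-versus-Singapore login) and the ABAC no-regret move can be illustrated with a small policy evaluator. This is an added example, not Deloitte's framework or tooling; the assurance levels, the `Request`/`Baseline` attributes and the entitlement table are assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Assurance levels a session can reach (this example's assumption:
# LOW = password only, MEDIUM = MFA, HIGH = MFA on a managed device).
LOW, MEDIUM, HIGH = 1, 2, 3

@dataclass
class Request:
    user: str
    roles: set
    resource: str
    resource_level: int   # sensitivity of the resource, LOW..HIGH
    country: str
    hour: int             # local hour of the request, 0..23
    device_known: bool    # device is enrolled and managed

@dataclass
class Baseline:
    usual_countries: set
    working_hours: tuple  # (start, end), end exclusive

def required_assurance(req, baseline):
    """Start from resource sensitivity, then raise the bar on each context anomaly."""
    level, reasons = req.resource_level, []
    if req.country not in baseline.usual_countries:
        level, reasons = HIGH, reasons + ["unfamiliar location"]
    start, end = baseline.working_hours
    if not start <= req.hour < end:
        level, reasons = max(level, MEDIUM), reasons + ["outside working hours"]
    if not req.device_known:
        level, reasons = max(level, MEDIUM), reasons + ["unmanaged device"]
    return level, reasons

def decide(req, baseline, entitlements, session_assurance):
    """ABAC decision: 'allow', 'step_up' (authenticate more strongly) or 'deny'."""
    # Least privilege: a role must be entitled to the resource before context matters.
    if not req.roles & entitlements.get(req.resource, set()):
        return "deny", ["no entitlement for resource"]
    needed, reasons = required_assurance(req, baseline)
    if session_assurance >= needed:
        return "allow", reasons
    return "step_up", reasons + [f"need assurance {needed}, session has {session_assurance}"]

# Constructed sample data, not taken from any real organization.
ENTITLEMENTS = {"ticketing": {"employee", "admin"}, "hr-payroll": {"admin"}}
BASELINE = Baseline(usual_countries={"BE"}, working_hours=(8, 18))
USUAL = Request("daan", {"employee"}, "ticketing", LOW, "BE", 10, True)
ODD = Request("daan", {"employee"}, "ticketing", LOW, "SG", 0, True)

if __name__ == "__main__":
    print(decide(USUAL, BASELINE, ENTITLEMENTS, LOW))    # allow: known context, low-risk resource
    print(decide(ODD, BASELINE, ENTITLEMENTS, MEDIUM))   # step_up: anomalies demand HIGH
```

The same request from a role with no entitlement is denied regardless of context, which keeps least privilege ahead of any step-up logic.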
How can we help?
In the longer run, a solid roadmap is still the way to go. Starting from business drivers and vision helps guide the identity and Zero Trust journey through different maturity phases. This journey, its focus areas and its outcome will be different for every organization. It will depend on your drivers and use cases, culture, and ambition level. Deloitte can help your organization define this roadmap, on Zero Trust in general or for Identity Services specifically, through our Deloitte Zero Trust framework. Our strategic alliances with leading vendors allow us to help select the best possible solutions for your landscape, and guide Zero Trust programmes from idea to implementation.
As a comprehensive approach, Deloitte’s Zero Trust framework covers five core concepts required to transition from traditional perimeter-based security to a model based on trust between individual resources and consumers. These concepts, supported by adequate program governance, monitoring and reporting, and automation, are all key to achieving a successful Zero Trust implementation, but will have a different meaning for each organization.
- Identity: Consolidated user identities, technologies and processes to enable adaptive access
- Device: Real-time assessed device trust based on device health and additional criteria
- Workloads: Context-aware access using defined trust levels to applications
- Data: Trust levels based on enterprise-wide classification of data
- Network: Hybrid-ready architecture and use of micro-perimeters