The path to zero trust starts with Identity — here’s why

  • SailPoint Asia Pacific’s senior VP Chern-Yue Boey discussed the tenets of zero trust with Tech Wire Asia and shared insights on the security & operational challenges associated with non-human identities in the workforce.

Identities, representing people, services, or IoT devices, are the common denominator across today’s many networks, endpoints, and applications. In a network that has no perimeter — typically among organizations — knowing exactly who and what is on the network and why they are there is essential to maintaining organizational security. In fact, for a zero trust security model to work effectively, the right identity and access management is a necessary foundation to begin with.

To put it simply, zero trust architecture depends upon identity in some novel ways. For SailPoint, a leader in identity security for the modern enterprise, a strong identity security program will enable organizations to manage and govern access for all types of digital identities, to establish a zero trust framework that is able to systematically adapt and respond to ongoing changes across the organization and threat landscape.

Tech Wire Asia had the opportunity to discuss the tenets of zero trust with SailPoint Asia Pacific’s senior VP Chern-Yue Boey, along with insights on the security and operational challenges associated with non-human identities in the workforce.

SailPoint emphasizes the importance of the zero trust principle when it comes to security. Can you tell us more about this approach?

Zero Trust security is based on the notion of “never trust, always verify”, which means that no user, device, resource, or application should be trusted until their identity has been verified, even if it is connected to a managed corporate network. When all network traffic by default is untrusted, the only viable security strategy is one built on identity.

The key principles include: never trust, always verify; deliver just enough, timely access; and continuously monitor, analyze and adapt.

Identity security is becoming a serious concern for companies. What should organizations know?

It is important for enterprises to have complete visibility of all user types and their related access, including all permissions, entitlements, attributes, and roles so they can ensure employees receive the right access to the right resources to do their job when they need it.

SailPoint Asia Pacific’s senior VP Chern-Yue Boey

AI-driven identity security is the need of the hour as it enables organizations to get deep visibility and understanding of all user access, including trends, roles, outliers, and relationships. They can also automatically modify or terminate access based on changes to a user’s attributes or location, and automatically perform remediation actions when risky activity is detected.

An automated identity process will also enable enterprises to easily and securely remove or reinstate access when an employee joins, changes roles or leaves the company, all without any human interaction, which greatly simplifies the onboarding and offboarding process for joiners, movers, and leavers. Automation also makes it simple to enforce access controls and fine-grained entitlements that prevent conflicts of interest, information theft and compliance violations, enabling an effective and compliant cyber security posture.

With more organizations moving their workloads to the cloud, and the workforce being increasingly augmented by non-human identities such as robotic process automation (RPA) and IoT systems, enterprises must look towards a modern, robust identity security solution which leverages AI and ML, to automate the discovery, management, and control of all user access, across both on-premises and in cloud environments.

As the adoption of the zero trust model skyrockets, what steps can enterprises take to effectively implement them in their present cybersecurity infrastructure?

Zero Trust is predicated on the Principle of Least Privilege (PoLP) — a security protocol that runs on the assumption that everyone is a potential threat and because of that, they should only be granted the permissions they need to complete their job function. The principle of least privilege extends beyond human users, and can be applied to programs, applications, systems, and devices. 

Least privilege access helps protect and secure privileged credentials, data, and assets by limiting user access from within the network. Hence, if an attacker accesses an organization’s IT environment, PoLP reduces their risk of gaining access to a privileged account, therefore reducing the risk of data breach.

Organizations can use a micro-segmentation approach where they divide a data center or cloud environment into different segments, and limit user access to those segments based on their role within an organization. This in turn secures and isolates the user and their workload to a specific segment of the network unless they have authorisation to move elsewhere. 

Finally, the network must be audited for the zero trust implementation to work, and it must be applied to all users and systems within the IT environment. Enterprises can start by running an audit of their network, which includes identities, access controls, and access policies. Enterprises should also adopt an identity security solution that can verify these user identities before they access the network and applications, while provisioning access based on user roles, and using policy management to automate, control and monitor how their access is utilized within the network.

How has the security threat landscape changed over the past couple of years and what is the role of zero trust in enabling the future workspace?

With the pandemic, we saw the rapid shift to a virtual workforce, which placed more emphasis on cybersecurity practices as companies in the region continue to face cyber threats like hacking, phishing and data breaches caused by information security loopholes. To a cyber attacker, the right identity is extremely valuable. It can be used to break into a network, move laterally once inside, and facilitate all manner of fraud and identity theft.

Whether it is by phishing or some other means, obtaining stolen credentials is often a critical part of a threat actor’s agenda. Plus, with more connected devices and more identities than ever before, identity and access management have become incrementally critical, and organizations must ensure all identities are managed with a modern identity security solution that incorporates AI and ML, especially as the volume of identity data and complexities have increased beyond human capacity.

What are the vulnerabilities and challenges organizations encounter with zero trust in general? How can they effectively deal with them?

A key challenge is knowing where to begin. It’s important for organizations to start with a current-state assessment to gauge the capabilities of their existing security technologies and their zero trust readiness so they can develop the right strategy to meet their business and organizational goals.

Another challenge is that organizations often turn to access management or authentication such as single sign-on (SSO) or multi-factor authentication (MFA) to help address zero trust. Although these are critical security components, SSO and MFA are not enough. Enterprises must recognise that identity security is an essential piece of an effective zero trust strategy. 

Identity security means having technologies in place that automate the identity lifecycle, manage the integrity of identity attributes, enforce least privilege through dynamic access controls, role-based policies, and Separation of Duties (SoD), and continuously govern and respond to access risks using advanced technologies such as AI and ML. Enterprises can overcome challenges by integrating identity and security technologies to provide a complete zero trust security solution.