Why Zero Trust Network Access and Identity & Access Management Go Hand-in-Hand


Trust, but verify.

One could say that used to be the creed of cybersecurity. Although users and devices within the perimeter were likely safe, it was always better to verify—just to be sure. But what happens if you live in a world where the perimeter has all but ceased to exist? 

Suddenly, that trust becomes a liability. This is precisely where zero trust comes in. First defined by the National Institute of Standards and Technology, this security architecture represents a fundamental shift in focus for cybersecurity.

Rather than incorporating perimeter-based defenses, zero trust focuses on users and endpoints. However, adopting it is no mean feat. It requires not just a shift in culture and processes, but also a set of specific technologies—identity & access management (IAM) among them. 

What is Zero Trust Network Access? 

Zero Trust Network Access (ZTNA) applies the zero trust framework to network security in order to provide users with secure remote access. Under ZTNA, no one is trusted by default. Instead, no matter their privileges or permissions, every user must authenticate and continuously validate their identity before they’re given access. 

This access is completely segmented, as well. Users connect to specific applications or resources rather than the network itself, making lateral movement by potential threat actors far more difficult. 

What is Identity & Access Management?

As defined by TechTarget, Identity & Access Management (IAM) is “a framework of business processes, policies, and technologies that facilitates the management of electronic or digital identities.”

To put that in simpler terms, IAM helps a business assign a specific, consistent identity to each user. That identity can then be assigned permissions and roles and actively monitored as it interacts with system resources. Combined with behavioral analytics, IAM can also be leveraged as a sort of ‘early warning sign’ of a potential system compromise.


How do ZTNA and IAM Intersect? 

ZTNA and IAM are essentially two sides of the same coin. As mentioned, ZTNA represents a shift from a focus on the perimeter to a focus on individual users. IAM provides a crucial mechanism through which that shift can occur, enabling enforcement of ZTNA policies and providing a means of authentication and validation. 

It’s also worth noting that NIST identifies IAM as a functional component in the implementation of zero trust architecture alongside data security, endpoint security, and security analytics. 
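To make the division of labor concrete, here is a minimal per-request access decision, added as an illustration and not taken from NIST or any product: IAM supplies the identity, and the ZTNA policy check decides access to one application at a time. The names `Identity`, `APP_POLICY`, `MAX_AUTH_AGE` and `decide`, the 15-minute window, and the sample applications are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy value: how long an authentication stays valid before the
# user must validate their identity again ("continuous validation").
MAX_AUTH_AGE = timedelta(minutes=15)

# Constructed sample policy: application -> roles allowed to reach it.
# Access is granted per application, never to the network as a whole.
APP_POLICY = {
    "payroll": {"finance"},
    "wiki": {"finance", "engineering"},
}

@dataclass(frozen=True)
class Identity:
    """What the IAM system asserts about a user (hypothetical shape)."""
    user: str
    roles: frozenset
    authenticated_at: datetime

def decide(identity, app, now, source_ip=None):
    """Return (allowed, reason) for one request to one application.

    source_ip is accepted but deliberately never consulted: a request from
    "inside" the old perimeter earns no trust by default.
    """
    if identity is None:
        return False, "no identity"
    # Checked before roles, so no privilege level skips re-validation.
    if now - identity.authenticated_at > MAX_AUTH_AGE:
        return False, "re-authentication required"
    allowed_roles = APP_POLICY.get(app)
    if allowed_roles is None:
        return False, "unknown application"  # deny by default
    if not (identity.roles & allowed_roles):
        return False, "role not permitted"
    return True, "ok"

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    alice = Identity("alice", frozenset({"finance"}), now - timedelta(minutes=5))
    for app in ("payroll", "wiki", "hr-db"):
        print(app, decide(alice, app, now, source_ip="10.0.0.5"))
```

Because every request is evaluated against a single application's policy, a compromised account reaches only the applications its roles allow, which is the limit on lateral movement described earlier.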


As attack surfaces grow more sprawling and threat actors more sophisticated, legacy security processes and access controls are insufficient. Zero trust has emerged in response, as a solution for an ecosystem where endpoints and users are more widely distributed than ever before. IAM is among the most critical components in embracing ZTNA, which requires a business to effectively track and manage users and their accounts. Interested in hearing more about this topic? Check out our previous post on Cybersecurity Lessons from the Aerospace Industry.