An abstraction layer that sits between the sources of identity data and its consumers makes it possible to discover and understand identity data without disrupting existing operations.
Almost every element of our lives is now digitized. Modernizing IT infrastructure has enabled organizations to work more efficiently and drive down costs, but it has also handed adversaries a larger attack surface and vastly more access points from which to exploit IT systems. This is particularly problematic for government agencies, long-standing targets for both criminal and nation-state advanced threat actors.
The Biden administration’s wide-reaching cybersecurity executive order (Executive Order 14028, Improving the Nation’s Cybersecurity, issued in May 2021) was a critical first step toward removing barriers to threat information sharing between the public and private sectors and creating a standardized playbook for responding to cyber vulnerabilities and incidents.
The zero trust architecture called for in the executive order directly addresses credential-based threats. Instead of trusting a session because a password was accepted once at the perimeter, a least privilege model re-evaluates each access request in near real time and requires additional, risk-based verification when the request warrants it. The decision weighs granular attributes of the user and of the request itself: endpoint posture, a risk score, environmental factors such as location and time of access, and a rich user profile.
An operational zero trust architecture also requires accurate visibility into the identities of every subject and resource in the environment, together with a robust, accurate set of attributes and relationships for those objects; without that data, an authorization decision has nothing valid to evaluate.
Unfortunately, modern IT networks have inherent characteristics that make the path to a viable zero trust architecture difficult. Beyond the sheer sprawl of identities, the systems that hold them each act as their own source of truth, with incompatible schemas, identifiers and attribute semantics, so the same person may appear under several unlinked records. Most organizations underestimate the complexity of their identity environment and do not account for how it will affect security design and implementation, the deployment timeline and the burden on internal resources.
For government agencies, the challenges of shifting to a zero trust architecture are far greater. The sheer number of siloed systems, applications and departments makes it hard to generate momentum. Many mission-critical systems still in use were developed over decades by teams long since departed, and little knowledge of their design or operation has been retained. The lack of a comprehensive understanding of each platform’s functions and dependencies creates additional roadblocks, compounded by the scale of operation: millions of employees, contractors and citizens, each with multiple accounts on disparate systems. Capping this mountain of resistance is the distributed nature of management throughout the government: in order to manage effectively, departments and agencies have subdivided control and accountability.
So, how is progress being made?
The “zero trust” concept has jump-started conversations around IT modernization for government agencies. The National Cybersecurity Center of Excellence at the National Institute of Standards and Technology, building on NIST’s definition of zero trust architecture in Special Publication 800-207, began working to build reference zero trust architectures for the government and private sectors from commercial off-the-shelf products. Recognizing that zero trust is a cooperative effort, identity and security software companies are working together. Most importantly, the industry, analysts and pundits have agreed that zero trust is not a single solution but an evolution.
The key to any journey is knowing where to start. Since the underlying obstacles to implementing zero trust are a lack of understanding of current systems and distributed, siloed control of assets, what is needed is an abstraction layer that sits between the sources of identity data and the consumers of that identity data.
By adding this layer, it is possible to discover and understand the nature of identity data in the environment without disrupting existing operations: the layer reads from the existing directories, HR systems and identity providers rather than replacing them, so the systems of record keep working as they do today. The process can start small, with a handful of sources, and gradually incorporate more identity data, building a richer and increasingly visible picture of the identity landscape, including the accounts that no authoritative source can vouch for.
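The abstraction layer described above, and the attribute-driven access decision it feeds, as an added example in Python (not code from the original article or from any product): three constructed identity sources with different schemas and identifiers (an HR export, a legacy directory dump and a cloud identity provider export) are read through adapters, correlated on e-mail address into one merged, read-only view, and that view is then queried for orphan and stale accounts and consulted by a toy policy decision point. All source formats, field names, sample records and the risk threshold are assumptions for illustration.

```python
"""Read-only identity abstraction layer (added example, all sources constructed).
Adapters normalize heterogeneous sources into (key, source, attributes, groups)
tuples; the view merges them so consumers never touch the systems of record."""
import csv
import io
import json
from dataclasses import dataclass, field

HR_CSV = """employee_id,email,department,status
E1001,alice@agency.example,Finance,active
E1002,bob@agency.example,IT,terminated
E1003,carol@agency.example,IT,active
"""

# Legacy directory export, LDIF-like; svc-backup carries no mail attribute.
DIRECTORY_LDIF = """dn: uid=alice,ou=people,dc=agency,dc=example
uid: alice
mail: alice@agency.example
memberOf: cn=payroll-admins,ou=groups,dc=agency,dc=example

dn: uid=carol,ou=people,dc=agency,dc=example
uid: carol
mail: carol@agency.example
memberOf: cn=sysadmins,ou=groups,dc=agency,dc=example

dn: uid=svc-backup,ou=people,dc=agency,dc=example
uid: svc-backup
memberOf: cn=sysadmins,ou=groups,dc=agency,dc=example
"""

CLOUD_IDP_JSON = json.dumps([
    {"login": "alice@agency.example", "mfa_enrolled": False},
    {"login": "bob@agency.example", "mfa_enrolled": False},
    {"login": "carol@agency.example", "mfa_enrolled": True},
])


@dataclass
class Identity:
    key: str                                   # lower-cased correlation key
    sources: set = field(default_factory=set)  # which systems know this identity
    attributes: dict = field(default_factory=dict)
    groups: set = field(default_factory=set)


def hr_records():
    """Adapter for the HR source of truth: yields (key, source, attrs, groups)."""
    for row in csv.DictReader(io.StringIO(HR_CSV)):
        yield row["email"], "hr", {"employee_id": row["employee_id"],
                                   "department": row["department"],
                                   "status": row["status"]}, set()


def directory_records():
    """Adapter for the legacy directory; group names are taken from the cn=."""
    for block in DIRECTORY_LDIF.strip().split("\n\n"):
        entry, groups = {}, set()
        for line in block.splitlines():
            k, _, v = line.partition(": ")
            if k == "memberOf":
                groups.add(v.split(",")[0].split("=", 1)[1])
            else:
                entry[k] = v
        # No mail attribute: keep the account visible under its own uid.
        yield entry.get("mail", f"uid:{entry['uid']}"), "directory", {"uid": entry["uid"]}, groups


def cloud_idp_records():
    for user in json.loads(CLOUD_IDP_JSON):
        yield user["login"], "cloud_idp", {"mfa_enrolled": user["mfa_enrolled"]}, set()


def build_identity_view(*adapters):
    """Merge adapter output into one dict; sources are only ever read."""
    view = {}
    for adapter in adapters:
        for key, source, attrs, groups in adapter():
            ident = view.setdefault(key.lower(), Identity(key=key.lower()))
            ident.sources.add(source)
            ident.attributes.update(attrs)
            ident.groups |= groups
    return view


def orphan_accounts(view):
    """Accounts in a directory or IdP with no HR record behind them."""
    return sorted(k for k, i in view.items() if "hr" not in i.sources)


def stale_accounts(view):
    """Identities HR marks terminated that still exist in other systems."""
    return sorted(k for k, i in view.items()
                  if i.attributes.get("status") == "terminated" and len(i.sources) > 1)


def authorize(view, principal, resource_group, device_compliant, risk_score):
    """Toy policy decision point: merged attributes plus request-time context.
    Default deny; unknown, inactive or over-risk principals never get access."""
    ident = view.get(principal.lower())
    if ident is None or ident.attributes.get("status") != "active":
        return "deny"
    if resource_group not in ident.groups or not device_compliant or risk_score >= 70:
        return "deny"
    return "allow" if ident.attributes.get("mfa_enrolled") else "step_up"
```

Running `build_identity_view(hr_records, directory_records, cloud_idp_records)` correlates alice and carol across all three sources, flags `svc-backup` as an orphan (no HR record) and bob as stale (terminated in HR, still present in the IdP), and lets `authorize` deny bob and the service account while asking alice for step-up verification because she is not enrolled in MFA. Adding a fourth source is one more adapter; nothing in the existing systems changes.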
In this escalating war to defend assets and operations, adopting a zero trust architecture is a generational jump forward. It builds a foundation of rich, flexible and secure identity data, an essential early step on the journey to stronger security, higher assurance and less risk.