Channel: Blog - CoreBlox

Using Radiant Logic RadiantOne FID to Enable Zero Trust

What is Zero Trust

Zero Trust is a security principle based upon identity and data rather than conventional network- and host-based access controls. Historically, access-security models worked for applications that resided on-premises and were reached either directly or over a VPN. This model no longer applies. Resources are no longer just on-premises but are a complex hybrid of on-premises and cloud-based applications. Zero Trust is based upon the concept that you must have a way of enforcing security without relying on a perimeter. Instead, you must rely on what you know about the user and the request, combined with other factors like risk. This is not a new concept. In fact, in 2005 Dan Hitchcock from Microsoft predicted that information security would move from network- and host-based security to security based upon data.

[Figure: Evolution of Information Security Technology]

Access to resources is now determined by what you know about the request—who the user is, what devices they are using, what other risk factors can be determined—even if the user is already verified. Identity and risk are now what is most important. This risk should be assessed on every request to access resources and not just at initial access time. Once the user is securely identified, authorization policies must be defined based upon the principle of least access. This means not just granting access to applications but also dynamically authorizing what the user can do within the application itself.

Context is Core to Zero Trust

With identity being core to Zero Trust, what you know about the user is key to determining access. The context of a request requires understanding attributes of the identity in relation to what the user is trying to do. Authorization of access and assessment of risk are based upon what you know about a user. This assessment could be attribute-based, group-based, or even based upon relationships between the user and other identities in the environment. Contextual information can be used to classify access requests for use by applications and security systems. Attempts to access information can now be secured based upon the relationship between the user and other factors – like a user's role in the organization – sourced from the user's global profile.

Radiant Logic RadiantOne FID is an identity integration layer that allows you to deploy scalable solutions that solve the complex challenges associated with user data. FID integrates identity data to build a unified view of heterogeneous data sources. These data sources can be LDAP directories, databases, web services, and even applications. The resulting profiles can then be delivered to applications to make authorization decisions around user access, and to security systems for contextual decisions around user intent.

This integration layer is the source of truth for identities and their related profile attributes. Instead of building connections to identity data on an application-by-application basis, this centralized source of truth can be leveraged, externalizing and eliminating the complexity of identity profile consolidation. As new sources of identity information are incorporated into a user's global profile, those sources can be added without changes to the applications and other consumers of the identity data.

Applications and security systems rely not only on user attributes for authorization and risk determination, but also on roles. Roles are often represented by groups in an environment, yet the groups may not exist in the systems that need access to that role definition. FID allows you to dynamically build groups from the underlying sources without creating static groups, building additional repositories, or manually synchronizing group data.

[Figure: vds and groups]

In this example, there are three sources of identity data. The HR, Sales and Marketing groups are built dynamically based upon the data in the underlying repositories instead of manually creating the groups and synchronizing the data from those sources.

One of the other principles of Zero Trust is the concept of least access. Instead of being generically granted access to all resources, you should be granted access only to the minimum set of resources necessary to do your job. One of the challenges with access control is understanding the relationship between users and those who can approve their access to systems. FID allows you to dynamically restructure a hierarchy based upon user attributes without having to create a new static representation of user data.

[Figure: change the hierarchy]

In this example, a model has been created based upon the schema extracted from the LDAP-based enterprise directory. One of the attributes of the user is his or her manager. Identifying a user's manager is needed for access approvals. FID restructures the hierarchy of the enterprise directory to one based upon manager for consumption by access approval systems.
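The two examples above (groups computed from source data, and a directory re-rooted by manager) can be illustrated with a small identity-virtualization layer. This is an added example written for this article, not Radiant Logic or FID code; the LDAP directory and HR table it joins are constructed sample data.

```python
"""Toy identity-virtualization layer: join heterogeneous sources into a unified
profile, derive groups at query time, and re-root the tree by manager.
Added illustration of the concepts above; not FID's implementation."""
from collections import defaultdict

# Constructed source 1: an LDAP-style directory (uid, mail, manager).
LDAP_DIR = {
    "alice": {"uid": "alice", "mail": "alice@example.com", "manager": None},
    "bob":   {"uid": "bob",   "mail": "bob@example.com",   "manager": "alice"},
    "carol": {"uid": "carol", "mail": "carol@example.com", "manager": "alice"},
    "dave":  {"uid": "dave",  "mail": "dave@example.com",  "manager": "bob"},
}
# Constructed source 2: an HR database table, joined to the directory on uid.
HR_DB = [
    {"emp_id": 101, "uid": "alice", "department": "HR",        "title": "Director"},
    {"emp_id": 102, "uid": "bob",   "department": "Sales",     "title": "Manager"},
    {"emp_id": 103, "uid": "carol", "department": "Marketing", "title": "Lead"},
    {"emp_id": 104, "uid": "dave",  "department": "Sales",     "title": "Rep"},
]

def unified_profiles():
    """Join the sources on uid into one global profile per user."""
    hr_by_uid = {row["uid"]: row for row in HR_DB}
    return {uid: {**entry, **hr_by_uid.get(uid, {})} for uid, entry in LDAP_DIR.items()}

def dynamic_groups(profiles, attribute="department"):
    """Compute groups from a profile attribute when asked; no static group
    objects are created and nothing is synchronized between repositories."""
    groups = defaultdict(set)
    for uid, profile in profiles.items():
        if attribute in profile:
            groups[profile[attribute]].add(uid)
    return {name: sorted(members) for name, members in groups.items()}

def manager_hierarchy(profiles):
    """Re-root the flat directory as a manager tree for approval workflows."""
    reports, roots = defaultdict(list), []
    for uid, profile in profiles.items():
        if profile.get("manager") is None:
            roots.append(uid)
        else:
            reports[profile["manager"]].append(uid)

    def subtree(uid):
        return {uid: [subtree(r) for r in sorted(reports[uid])]}

    return [subtree(r) for r in sorted(roots)]

def approver_for(profiles, uid):
    """Least-access approvals: the approver is the manager from the global profile."""
    return profiles[uid].get("manager")
```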

Security is Core to Zero Trust

Security is at the heart of Zero Trust architectures. By centralizing identity data into a solution like FID, you gain several key benefits. In addition to a unified profile, a common abstraction layer provides one point of access to all identity data. Instead of applications accessing multiple sources and having to track activity across all of them, access goes through a common location with centralized logging, and that one log can be monitored by Security Orchestration, Automation, and Response (SOAR) systems.

Authentication for applications can also be improved by leveraging FID. By abstracting the backends from the applications, authentication can be centralized in FID instead of each application having to authenticate users against multiple backends. These authentication requests are then logged centrally instead of per backend. Additionally, FID can serve as a backbone for MFA architectures. Authentication (bind) requests to FID can be protected by MFA so that a user is prompted by an authenticator application even when the application itself does not support MFA.
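The bind flow described above, as an added illustration that is not FID code: the application issues one bind to the virtualization layer, which routes it to the backend that owns the naming context, applies an MFA gate the application never sees, and writes every outcome to a single audit stream. The backends, credentials and the `mfa_approve` callback are constructed for the example.

```python
"""Authentication gateway pattern: one bind, backend routing, MFA gate,
central log. Added example for this article; not Radiant Logic code."""
import hashlib
import hmac
from datetime import datetime, timezone

_SALT = b"constructed-salt"  # a real deployment uses a per-user random salt

def _hash(password):
    """Salted PBKDF2 so the example never compares plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

# Constructed backends, keyed by the naming context each one owns.
BACKENDS = {
    "ou=employees,o=example": {"alice": _hash("correct horse")},
    "ou=partners,o=example":  {"pat": _hash("battery staple")},
}
CENTRAL_LOG = []  # one audit stream for SOAR instead of one log per backend

def bind(dn, password, mfa_approve, now=None):
    """Return True only if the password is valid AND the out-of-band factor
    is approved. mfa_approve(uid) -> bool stands in for the authenticator
    prompt; the calling application needs no MFA support of its own."""
    rdn, _, context = dn.partition(",")
    _, _, uid = rdn.partition("=")  # "uid=alice" -> "alice"
    backend = BACKENDS.get(context)
    stamp = (now or datetime.now(timezone.utc)).isoformat()

    def log(result):
        CENTRAL_LOG.append(f"{stamp} BIND dn={dn} backend={context} result={result}")

    if backend is None or uid not in backend:
        log("unknownUser")
        return False
    if not hmac.compare_digest(backend[uid], _hash(password)):
        log("invalidCredentials")
        return False
    if not mfa_approve(uid):  # password was right; second factor refused
        log("mfaDenied")
        return False
    log("success")
    return True
```

Because the gate sits in the layer rather than in each application, a legacy LDAP client gains MFA without modification, and a denied second factor is visible in the same log as every other authentication outcome.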

Session management is also a key factor in Zero Trust architectures. Knowing which applications a user can access, based upon that user's profile, makes it possible to terminate sessions for those applications when needed. Additionally, access can be added and removed dynamically based upon the user's profile at access time.

Real-time Access

Zero Trust relies on access to data in real time. Identity data is not static and may be based upon computed logic or joined attributes, so you cannot rely on data imports and additional repositories of static information to hold this profile data. However, profile data often resides in sources that are not easily accessible. Caching that data improves performance, but a cache suffers from the same challenge as a data import: it falls out of date.

[Figure: Caching]

FID allows you not only to cache data for performance with minimal response times, but also to refresh that cached data in real time. This allows applications and security systems to make decisions on current data at the time of user access.

Conclusion

Zero Trust is the core of the architectures of the future. Radiant Logic RadiantOne FID allows you to improve your security posture and simplifies Zero Trust implementations. Identity and context are necessary for authorization and risk assessment. FID centralizes access and provides a unified profile of user data as your single source of truth. Additionally, centralization of access delivers common logging and a single point of aggregation for authentication. Let us know when we can help you with your Zero Trust journey.
