In a previous identity management blog post on zero trust, Accenture Security Managing Director Gabe Albert described authentication and authorization as a "continuous process" and identity as an essential building block for implementing a zero trust architecture. With this post, I'd like to continue the conversation around identity-driven security by juxtaposing zero trust concepts against our traditional understanding of identity and access management (IAM).

By identifying areas where zero trust improves on legacy IAM solutions, this "compare-and-contrast" exercise can illustrate actionable next steps security organizations can take to uplift their identity management while advancing zero trust agendas in a manner that promotes a cohesive IAM strategy and continues to build on past investments in technology.

Traditional IAM—how did we get here?

Historically, the industry has relied on IAM to achieve some basic security outcomes, including:

  • Establishing trust—Using authentication and other verification methods, the identity of end users can be confirmed to secure transactions and data.
  • Enforcing policies—Admin-time and runtime access controls have been developed to enforce corporate policies governing the appropriate distribution and use of access.

Over time, it became necessary for IAM to adapt to digital transformation and the gigantic shifts taking place in terms of user expectations, including how we access and interact with technology.

Authentication solutions were tuned to support complex B2B, B2C and B2B2C relationships, resulting in the emergence of customer or client identity. Mobile phones became essential for proving possession, and phone-as-a-token became the second factor of choice due to its convenience and the growing ubiquity of mobile devices.

Role and policy-based frameworks were developed as a better way to describe the "appropriateness" of access and to apply the "least privilege" model to business processes, workloads, and user roles and responsibilities. Many organizations also began referring to a software-defined perimeter as a network boundary. However, these perimeters were obscured by the migration to cloud and the accompanying push toward SaaS products and services.

Standardization also plays a part in facilitating change by:

  • Promoting federated identity—the sharing of identities between trusted partners.
  • Defining assurance levels to measure the "trustworthiness" of identity claims based on authentication technologies and methods used.
  • Introducing a delegated authorization model and enabling omni-channel access using APIs.
  • Eliminating the need to send credentials over the wire and replacing weak or compromised passwords with strong authentication and digital signing.
  • Increasing the use of APIs in security implementations to improve automation and orchestration across security processes and integration with fraud and risk engines.

The history of IAM provides a fitting backdrop for understanding zero trust—and as you shall see, IAM provides the basic ingredients necessary for implementing zero trust security projects.

Next-gen IAM—serving up the ingredients for zero trust security

No doubt, zero trust is garnering a lot of attention—including from boards. But the messaging around it, in terms of capabilities and specific implementation guidance, has been somewhat vague, which has left many of my clients to ask, “What’s novel about zero trust security?” or “How do I get started?”

Over and above the basic security outcomes I stated earlier in this article—by “assuming breach”—zero trust brings new focus to the continuous enforcement of existing protections and emphasizes the need for responsive and intelligent controls that can better detect threats and react to them quickly.

In IAM terms, zero trust builds on traditional security elements by:

  • Extending trust beyond users to devices and workloads. This enables organizations to recognize threats that may not overtly present themselves to end users, but which may be embedded in software supply chains or infrastructure.
  • Collecting as much context as possible. The key here is to implement new technologies that allow for passive data collection (for example, passive biometrics or passive behavioral analysis).
  • Improving the ability to interpret signals. Organizations can achieve this by adopting smarter technologies to detect spoofing (device, location) and other risks (malware, jailbreak detection, impossible travel); and enriching signal detection with analytics. (For example, using identity graph/cluster analysis).
  • Assessing risk continuously and implementing responsive controls. Organizations can elevate trust based on the level of assessed risk, and force re-authentication or step-up authentication by allowing/denying access dynamically based on conditional policies.


Getting started

Let’s look at a sampling of IAM projects that represent actionable next steps, connecting the dots between traditional IAM and zero trust:

Zero Trust Security Objective: Gain foundational readiness (1)
Strategic Initiative: Real-time identity data
Description: Identify and remediate data synchronization issues to help ensure policies are consuming data that is properly sourced and timely.
Security and Business Outcomes: Improved enforcement of dynamic policies, thanks to timely data that accurately represents the state of identities and access throughout the environment.

Zero Trust Security Objective: Establish explicit trust
Strategic Initiative: Device trust
Description: Incorporate device-based trust into adaptive authentication and authorization flows. Set device-level policies to restrict access to managed devices or based on device health and/or security.
Security and Business Outcomes: Organizations can better address risks associated with the use of unmanaged devices, and support bring-your-own-device (BYOD) business initiatives.

Zero Trust Security Objective: Enforce policy
Strategic Initiative: Just-in-time (JIT) access
Description: Implement workflows and dynamic provisioning models to support temporary access and reduce permanent or standing access.
Security and Business Outcomes: Reduced risk associated with standing access.

Zero Trust Security Objective: Continuously assess risk
Strategic Initiative: Conditional or dynamic access
Description: Implement a policy engine capable of evaluating multiple risk signals, combining business rules and policy evaluation with risk analytics to make improved authorization decisions.
Security and Business Outcomes: Enhanced user experience through the adoption of passive controls. Improved ability to detect threats via multiple, layered controls using deterministic and probabilistic methods.

(1) A note about readiness: It is important to recognize that policy evaluation is only as reliable as the data or inputs consumed by the policy engine. As with any major technology undertaking, some foundational pre-work should be expected to ensure the success of the rest of the journey.
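To make the continuous-assessment bullets above and the "real-time identity data", "device trust" and "conditional or dynamic access" rows of the table concrete, here is a small policy-engine example added for this post (not Accenture's code or any product's API). The thresholds, signal weights, epoch-second timestamps and the haversine travel check are all constructed assumptions; the engine refuses to decide on stale identity data (the readiness note), scores device-health and impossible-travel signals, and returns allow, step-up or deny.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

MAX_DATA_AGE_S = 15 * 60          # identity data older than this is not trusted (constructed)
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # faster than this between two logins = impossible travel
STEP_UP_THRESHOLD, DENY_THRESHOLD = 30, 60   # hypothetical score bands

@dataclass
class AccessContext:
    user_id: str
    now: int                  # request time, epoch seconds
    device_managed: bool
    device_jailbroken: bool
    malware_detected: bool
    geo: tuple                # (lat, lon) of this request
    identity_synced_at: int   # when the identity store last synced this user
    last_geo: tuple = None    # (lat, lon) of the previous successful login, if known
    last_seen_at: int = None  # epoch seconds of that previous login

def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def risk_signals(ctx: AccessContext) -> dict:
    """Interpret raw context as scored signals; each key is one detection."""
    signals = {}
    if not ctx.device_managed:
        signals["unmanaged_device"] = 25
    if ctx.device_jailbroken:
        signals["jailbroken_device"] = 40
    if ctx.malware_detected:
        signals["malware"] = 60
    if ctx.last_geo is not None and ctx.last_seen_at is not None:
        hours = max(ctx.now - ctx.last_seen_at, 1) / 3600   # avoid division by zero
        if haversine_km(ctx.last_geo, ctx.geo) / hours > MAX_PLAUSIBLE_SPEED_KMH:
            signals["impossible_travel"] = 50
    return signals

def decide(ctx: AccessContext) -> tuple:
    """Return (decision, signals): allow, step_up, deny, or defer on stale data."""
    if ctx.now - ctx.identity_synced_at > MAX_DATA_AGE_S:
        return "defer", {"stale_identity_data": ctx.now - ctx.identity_synced_at}
    signals = risk_signals(ctx)
    score = sum(signals.values())
    if score >= DENY_THRESHOLD:
        return "deny", signals
    if score >= STEP_UP_THRESHOLD:
        return "step_up", signals
    return "allow", signals
```

A "defer" result is the readiness point in code: rather than enforce a policy on data it cannot trust, the engine falls back to a safe default (for instance, step-up or a retry after the identity store syncs).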

So, great news for security organizations!

Many of the key ingredients needed to implement zero trust security are already at your disposal. They include identity and access governance, authentication, authorization, privileged access management and more.

In addition, sampled projects can drive out even greater business benefits from your existing IAM investments—all couched in the context of zero trust security. By acknowledging these links between traditional identity work and zero trust, security organizations can begin to look forward to the myriad of benefits to be experienced with identity-driven security.


Copyright © 2022 Accenture. All rights reserved. Accenture, and its logo are trademarks of Accenture.

Joshua Lee

Senior Manager – Accenture Security, Digital Identity Strategist
