Identity projects for zero trust roadmaps
May 26, 2022
In a previous identity management blog post on zero trust, Accenture Security Managing Director Gabe Albert described authentication and authorization as a "continuous process" and identity as an essential building block for implementing a zero trust architecture. With this post, I'd like to continue the conversation around identity-driven security by juxtaposing zero trust concepts against our traditional understanding of identity and access management (IAM).
By identifying areas where zero trust improves on legacy IAM solutions, this "compare-and-contrast" exercise can illustrate actionable next steps security organizations can take to uplift their identity management while advancing zero trust agendas in a manner that promotes a cohesive IAM strategy and continues to build on past investments in technology.
Historically, the industry has relied on IAM to achieve some basic security outcomes, including:
Over time, it became necessary for IAM to adapt to digital transformation and the gigantic shifts taking place in terms of user expectations, including how we access and interact with technology.
Authentication solutions were tuned to support complex B2B, B2C and B2B2C relationships, resulting in the emergence of customer or client identity. Mobile phones became essential for proving possession, and phone-as-a-token became the second factor of choice due to its convenience and the growing ubiquity of mobile devices.
Role and policy-based frameworks were developed as a better way to describe the "appropriateness" of access and to apply the "least privilege" model to business processes, workloads, and user roles and responsibilities. Many organizations also began referring to a software-defined perimeter as a network boundary. However, these perimeters were obscured by the migration to cloud and the accompanying push toward SaaS products and services.
Standardization also plays a part in facilitating change by:
The history of IAM provides a fitting backdrop for understanding zero trust—and as you shall see, IAM provides the basic ingredients necessary for implementing zero trust security projects.
No doubt, zero trust is garnering a lot of attention—including from boards. But the messaging around it, in terms of capabilities and specific implementation guidance, has been somewhat vague, which has left many of my clients to ask, “What’s novel about zero trust security?” or “How do I get started?”
Over and above the basic security outcomes I stated earlier in this article—by “assuming breach”—zero trust brings new focus to the continuous enforcement of existing protections and emphasizes the need for responsive and intelligent controls that can better detect threats and react to them quickly.
In IAM terms, zero trust builds on traditional security elements by:
Let’s look at a sampling of IAM projects that represent actionable next steps, connecting the dots between traditional IAM and zero trust:
| Zero Trust Security Objective | Strategic Initiative | Description | Security and Business Outcomes |
| --- | --- | --- | --- |
| Gain foundational readiness¹ | Real-time identity data | Identify and remediate data synchronization issues to help ensure policies are consuming data that is properly sourced and timely. | Improved enforcement of dynamic policies, thanks to timely data that accurately represents the state of identities and access throughout the environment. |
| Establish explicit trust | Device trust | Incorporate device-based trust into adaptive authentication and authorization flows. Set device-level policies to restrict access to managed devices or based on device health and/or security posture. | Organizations can better address risks associated with the use of unmanaged devices, and support bring-your-own-device (BYOD) business initiatives. |
| Enforce policy | Just-in-time (JIT) access | Implement workflows and dynamic provisioning models to support temporary access and reduce permanent or standing access. | Reduced risk associated with standing access. |
| Continuously assess risk | Conditional or dynamic access | Implement a policy engine capable of evaluating multiple risk signals, combining business rules and policy evaluation with risk analytics to make improved authorization decisions. | Enhanced user experience through the adoption of passive controls. Improved ability to detect threats via multiple, layered controls using deterministic and probabilistic methods. |

¹ A note about readiness: It is important to recognize that policy evaluation is only as reliable as the data or inputs consumed by the policy engine. As with any major technology undertaking, some foundational pre-work should be expected to ensure the success of the rest of the journey.
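The four initiatives in the table are easier to reason about when you see them as successive checks inside one policy decision. The following is an added illustration written for this post, not Accenture's code or any product's API: a toy policy engine that (1) refuses to act on stale identity data, the readiness point in the footnote; (2) applies device trust; (3) honours standing roles plus unexpired just-in-time grants; and (4) folds a risk score into the final decision, stepping up authentication at moderate risk and denying at high risk. The signal shapes, the 15-minute freshness window, the risk thresholds, role names and the reference time are all constructed assumptions for the example.

```python
"""Toy zero-trust policy engine (added example; thresholds and data shapes are assumptions)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# Constructed reference "now" so the example is deterministic.
NOW = datetime(2022, 5, 26, 12, 0, tzinfo=timezone.utc)
# Assumption: identity data older than this is not trusted for policy evaluation.
MAX_DATA_AGE = timedelta(minutes=15)


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # require a stronger (phishing-resistant) factor first
    DENY = "deny"


@dataclass(frozen=True)
class IdentityRecord:
    user: str
    roles: frozenset          # standing roles from the identity source of truth
    last_synced: datetime     # when this record was last synced (readiness signal)


@dataclass(frozen=True)
class DeviceSignal:
    managed: bool             # enrolled in device management
    compliant: bool           # health check passed (e.g. encryption, EDR healthy)


@dataclass(frozen=True)
class JitGrant:
    role: str
    expires_at: datetime      # temporary access: role disappears after expiry


@dataclass(frozen=True)
class AccessRequest:
    identity: IdentityRecord
    device: DeviceSignal
    required_role: str
    jit_grants: tuple = ()
    auth_strength: str = "password"   # "password", "otp" or "phishing_resistant"
    risk_score: float = 0.0           # 0.0..1.0 from risk analytics (assumed input)
    now: datetime = NOW


def grant_jit(role: str, now: datetime, ttl: timedelta = timedelta(hours=1)) -> JitGrant:
    """Provision a temporary role instead of standing access."""
    return JitGrant(role=role, expires_at=now + ttl)


def effective_roles(req: AccessRequest) -> set:
    """Standing roles plus any JIT grants that have not yet expired."""
    roles = set(req.identity.roles)
    roles.update(g.role for g in req.jit_grants if g.expires_at > req.now)
    return roles


def evaluate(req: AccessRequest) -> tuple[Decision, str]:
    """Ordered checks: data freshness, device trust, least privilege, risk."""
    if req.now - req.identity.last_synced > MAX_DATA_AGE:
        return Decision.DENY, "identity data is stale; refusing to evaluate policy on it"
    if not req.device.managed:
        return Decision.DENY, "unmanaged device"
    if not req.device.compliant:
        return Decision.DENY, "device failed health check"
    if req.required_role not in effective_roles(req):
        return Decision.DENY, "no standing or active JIT grant for required role"
    if req.risk_score >= 0.8:
        return Decision.DENY, "risk score too high"
    if req.risk_score >= 0.4 and req.auth_strength != "phishing_resistant":
        return Decision.STEP_UP, "elevated risk: stronger factor required"
    return Decision.ALLOW, "all checks passed"


def demo_scenarios() -> dict:
    """Constructed requests covering each row of the table."""
    fresh = IdentityRecord("alice", frozenset({"reader"}), NOW - timedelta(minutes=5))
    stale = IdentityRecord("bob", frozenset({"admin"}), NOW - timedelta(hours=6))
    good_device = DeviceSignal(managed=True, compliant=True)
    byod = DeviceSignal(managed=False, compliant=False)
    active_jit = grant_jit("admin", now=NOW - timedelta(minutes=30))   # 30 min left
    expired_jit = grant_jit("admin", now=NOW - timedelta(hours=2))      # expired 1h ago
    return {
        "stale_data": evaluate(AccessRequest(stale, good_device, "admin"))[0],
        "unmanaged_device": evaluate(AccessRequest(fresh, byod, "reader"))[0],
        "standing_role": evaluate(AccessRequest(fresh, good_device, "reader"))[0],
        "jit_active": evaluate(AccessRequest(fresh, good_device, "admin", (active_jit,)))[0],
        "jit_expired": evaluate(AccessRequest(fresh, good_device, "admin", (expired_jit,)))[0],
        "risk_step_up": evaluate(AccessRequest(fresh, good_device, "reader", risk_score=0.5))[0],
        "risk_strong_factor": evaluate(AccessRequest(
            fresh, good_device, "reader", risk_score=0.5, auth_strength="phishing_resistant"))[0],
        "risk_denied": evaluate(AccessRequest(fresh, good_device, "reader", risk_score=0.9))[0],
    }


if __name__ == "__main__":
    for name, decision in demo_scenarios().items():
        print(f"{name:20s} -> {decision.value}")
```

The ordering of the checks is the point: the freshness test runs first because a decision made on stale role data is wrong regardless of how sophisticated the later risk analytics are, and the JIT grant is modelled as something the policy engine re-reads on every request, so expiry removes access without a separate de-provisioning step.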
Many of the key ingredients needed to implement zero trust security are already at your disposal. They include identity and access governance, authentication, authorization, privileged access management and more.
In addition, sampled projects can drive out even greater business benefits from your existing IAM investments—all couched in the context of zero trust security. By acknowledging these links between traditional identity work and zero trust, security organizations can begin to look forward to the myriad of benefits to be experienced with identity-driven security.
Accenture is a global professional services company with leading capabilities in digital, cloud and security. Combining unmatched experience and specialized skills across more than 40 industries, we offer Strategy and Consulting, Technology and Operations services and Accenture Song—all powered by the world’s largest network of Advanced Technology and Intelligent Operations centers. Our 699,000 people deliver on the promise of technology and human ingenuity every day, serving clients in more than 120 countries. We embrace the power of change to create value and shared success for our clients, people, shareholders, partners and communities. Visit us at accenture.com.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter, LinkedIn or visit us at accenture.com/security.
Copyright © 2022 Accenture. All rights reserved. Accenture, and its logo are trademarks of Accenture.