Zero Trust – The Importance of an Identity-centered Security Program

This is the first follow-up to my blog post from December 11th, The CSO’s 4 Key Takeaways from Gartner IAM 2017. In this post I drill into my perspectives on why an effective security program must be identity-centered. Let’s start with a little bit of background on my perspectives about security so readers have a sense of where I’m coming from. One key thing that underpins my thinking is a belief that the zero trust model is the only real valid way to approach security for a modern enterprise.

First introduced by John Kindervag with Forrester in 2009, the zero trust model is closely tied to Google's work on the BeyondCorp model for enterprise security. At the core of this model is the idea that there is no such thing as a trusted network or a trusted device. This means that every single action taken must be properly authenticated and authorized. As authors Evan Gilman and Doug Barth state in the introduction to their 2017 book titled Zero Trust Networks: Building Secure Systems in Untrusted Networks:

“…in this model, nothing is taken for granted, and every single access request–whether it be made by a client in a coffee shop or a server in a datacenter–is rigorously checked and proven to be authorized.” 

The Model for a Cloud-centric Mobile Workforce

I find the zero trust model to be especially compelling with the shift to cloud computing in all its forms (SaaS, PaaS, IaaS) and the continuing “mobilization” of the workforce. Security systems and programs must evolve to embrace these new models, and adopting the zero trust model is a key part of making the transition. Once you make the switch to this model, identity becomes the critical component in your security program: not only the identity of people, but also the identity of the devices they use and of the systems and applications they access. The other interesting transition that happens is that authentication and authorization for internal people starts to look a lot more like what is needed for customers, which means the capabilities of your internal and external identity platforms start to merge.

The zero trust security model is more relevant than ever in today’s mobile, cloud-centric business ecosystem.

In a zero trust model, authentication and authorization decisions need to happen much more frequently, leverage more information about the context of the event, and can no longer be limited to simple username/password authentication. Authentication and authorization decisions need to become risk-based rather than binary, and take into consideration a rich set of information including:

  • The sensitivity of the data being accessed or the transaction being requested (viewing an account balance may need a lower level of authentication assurance than requesting a wire transfer).
  • The Authenticator Assurance Level (AAL) or the strength of the authenticator used (a password is a much weaker authenticator than a cryptographically strong hardware-based token).
  • The level of assurance that can be attributed to the identity of the device being used.
  • The association between the device and the entity requesting the action (and, for some use cases, whether the device is known to be an officially authorized device).
  • The context of the request (location, time, device type, browser/application, installed software, etc.) and the typical patterns for this entity.
  • Other data sets that can be used to increase the assurance level including biometric data, behavioral pattern data, etc.

Ultimately, the decision to allow an action to proceed will come down to determining whether the entity requesting the action is authorized to do so, and if they have proven they are the entity they claim to be with a sufficient level of assurance based on the risk of the specific action. All of this hinges on a well-designed identity platform that allows these decisions to be made quickly while reducing friction.
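To make the risk-based decision described above concrete, here is an added example (not code from the original post, and not ForgeRock's risk engine) that combines the factors listed: action sensitivity, the Authenticator Assurance Level used, device assurance, device-to-identity association and contextual anomalies. The AAL thresholds and the scoring weights are illustrative assumptions; the outcome is "allow", "step_up" (re-authenticate with a stronger authenticator) or "deny".

```python
"""Risk-based access decision built from the factors listed above (illustrative)."""
from dataclasses import dataclass, field

# Minimum Authenticator Assurance Level (NIST SP 800-63B AAL1..AAL3) per
# action sensitivity. These thresholds are an assumption for the example.
REQUIRED_AAL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class AccessRequest:
    action: str            # e.g. "view_balance", "wire_transfer"
    sensitivity: str       # "low" | "medium" | "high"
    aal: int               # strength of the authenticator actually used (1..3)
    device_assurance: int  # 0 unknown, 1 registered, 2 attested / managed
    device_bound: bool     # is the device associated with this identity?
    context_anomalies: list = field(default_factory=list)  # e.g. ["new_country"]


def risk_score(req: AccessRequest) -> int:
    """Additive score: unknown device, unbound device and anomalies raise risk."""
    score = (2 - req.device_assurance) * 2       # unknown device adds 4
    score += 0 if req.device_bound else 3        # device not tied to identity
    score += len(req.context_anomalies) * 2      # each deviation from the norm
    return score


def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step_up' or 'deny' for the request."""
    required = REQUIRED_AAL[req.sensitivity]
    risk = risk_score(req)
    # A high-sensitivity action from an unknown, unbound device is refused outright:
    # no amount of re-authentication proves the device.
    if req.sensitivity == "high" and req.device_assurance == 0 and not req.device_bound:
        return "deny"
    # Risk raises the bar: every 4 points of risk demands one more AAL, capped at AAL3.
    effective_required = min(3, required + risk // 4)
    if req.aal >= effective_required:
        return "allow"
    return "step_up"


if __name__ == "__main__":
    # Constructed sample requests: a balance check and a wire transfer.
    print(decide(AccessRequest("view_balance", "low", 1, 2, True)))       # allow
    print(decide(AccessRequest("wire_transfer", "high", 1, 2, True)))     # step_up
```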

The ForgeRock identity platform is well-suited to meet the needs of an identity-based security program, with features like an adaptive risk engine, contextual continuous authorization, and highly versatile authentication built on a platform designed to deliver high performance in high-volume environments. Security leaders looking to evolve their security program using a zero trust model should take a close look at how their identity platform measures up and make sure they’re on a platform that will help them achieve their core mission.

Who Is Steve White?

Who’s Steve? They say variety is the spice of life, and we think Steve would have to agree, having had the opportunity to work at companies such as Sonos, CenturyLink, Amazon, Microsoft, and the US Air Force. Bringing his talents to ForgeRock, he now serves as our Chief Security Officer with the mission to protect ForgeRock and our customers with a dynamic, identity-centered security program. Before his 17 years in the identity industry, you could find Steve singing on-stage at The Met in NYC (when he was still a soprano).
