You Can't Have Zero Trust Without Identity and Access Management
Everyone likes to talk about Zero Trust, but what does it really mean? In a recent Gartner podcast, expert John Watts describes it as a mindset or strategy to secure your environment differently than before to prevent breaches and incidents. At its core, zero trust means not assuming that every user or application should have access to things in your network, and continually assessing risk and trust levels.
Or, to put it simply: trust no one. Regardless of where they’re located or who they are, everyone needs to be authenticated, authorized, and regularly validated before they can get in.
While the concept has been around since before 2000 and surfaced as an issue during the quick transition to remote work, the May 2021 executive order, “Executive Order 14028: Improving the Nation’s Cybersecurity,” thrust Zero Trust further into the spotlight. The order explicitly calls out Zero Trust and the National Institute of Standards and Technology (NIST) guidelines for Zero Trust Architecture. Because of that, the private sector is taking even more note of what it means to achieve Zero Trust.
Building Zero Trust on solid ground
The core of zero trust implies what its foundations are: access and identities. Put simply, you can’t do zero trust without managing access to your resources. As Watts said in the Gartner podcast, “A lot of zero trust concepts are built around identity (and) knowing who someone is with some assurance.” The implication is that you can’t achieve Zero Trust without knowing who your users are and what they’re doing in your systems.
That’s where the strategy behind Zero Trust comes into play. Achieving Zero Trust requires several critical steps:
1. Identifying users and roles. Not only do your internal employees and development teams need access to your databases, but so do external partners. The first step in Zero Trust is figuring out who needs access and their associated reason for the access. Talk to HR, IT, and department leads to pinpoint what roles exist in your organization. Find out who outside your organization needs access to your databases, servers, web apps, and clusters, and for what purposes. This is where a Role and Access Discovery project can be extremely useful to define users and roles.
2. Defining access rules and requirements. Once you know what roles exist in your organization, start classifying those roles and the access they require to different systems. You may have several development teams working on various projects. Each team only needs access to a particular database, for example. You may want to consider assigning access to specific resources to just a subset of users.
3. Understanding your assets. While all data needs protection from malicious actors, some systems are more sensitive or critical than others. Suppose a hacker gains access to supplier names and purchase orders. In that case, they can cause damage – but not as much damage as if they get hold of customer credit card numbers or other PII. These sensitive systems may require even more stringent controls, such as requiring authentication each time the resource is accessed.
Keep in mind that a key principle of Zero Trust is the Principle of Least Privilege (PoLP), which means giving users the absolute bare minimum of access needed to do their jobs or perform essential functions. These steps are necessary to identify what the bare minimum looks like before you let anyone, even an employee, into your systems.
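The three steps above, combined with least privilege, can be expressed as a deny-by-default access check. This is an added example, not code from the article or from StrongDM; every user, role and resource name and every age limit in it is constructed for illustration.

```python
from dataclasses import dataclass

# Step 1: identities and their roles (constructed sample data).
USER_ROLES = {"alice": {"payments-dev"}, "bob": {"catalog-dev"},
              "partner-acme": {"supplier-portal"}}

# Step 2: each role is granted only the resources it needs.
ROLE_GRANTS = {"payments-dev": {"payments-db"}, "catalog-dev": {"catalog-db"},
               "supplier-portal": {"orders-db"}}

# Step 3: per-asset limit on the age (seconds) of the last authentication.
# 0 means the user must authenticate on every access to that asset.
MAX_AUTH_AGE = {"payments-db": 0, "orders-db": 3600, "catalog-db": 8 * 3600}


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    auth_age: int  # seconds since this user last authenticated


def decide(req):
    """Deny by default; allow only an explicit grant with fresh enough auth."""
    roles = USER_ROLES.get(req.user)
    if not roles:
        return False, "unknown identity"
    if not any(req.resource in ROLE_GRANTS.get(r, set()) for r in roles):
        return False, "no grant for resource"
    limit = MAX_AUTH_AGE.get(req.resource)
    if limit is None:
        return False, "resource not classified"
    if req.auth_age > limit:
        return False, "re-authentication required"
    return True, "allowed"


def unused_grants(access_log):
    """Least-privilege review: (role, resource) grants never used in the log."""
    used = set()
    for req in access_log:
        if decide(req)[0]:
            used |= {(r, req.resource) for r in USER_ROLES[req.user]
                     if req.resource in ROLE_GRANTS.get(r, set())}
    granted = {(role, res) for role, ress in ROLE_GRANTS.items() for res in ress}
    return granted - used
```

Grants returned by `unused_grants` are candidates for removal when reviewing whether each role still holds only the minimum access it needs.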
The bottom line: you can’t achieve Zero Trust without access management. If you’re still using manual processes and creating unique roles for every user, you should learn more about how StrongDM can manage and audit access to your assets – and make it easier to get to Zero Trust. Get a free demo of StrongDM today.
About the Author
Dominic Garcia, Technical Marketing Expert, has held marketing leadership roles for Silicon Valley technology companies specializing in database, data management, and data analytics solutions. As head of content marketing at Splunk, Dominic contributed to boosting the company’s market visibility and its growth from a $100M to a $1.3B company. He brings relentless creativity to the task of connecting people with technical products to improve their lives. Dominic holds a B.S. degree in Public Relations from the University of Texas at Austin. To contact Dominic, visit him on LinkedIn.