Zero Trust Network is a security model that John Kindervag conceptualized in 2010. He based it on the observation that traditional security models, which assumed everything inside the network perimeter could be trusted, were outdated. He recognized that trust itself is a vulnerability, especially with increasingly advanced threat actors and malicious insiders. The Zero Trust approach reduces risk by eliminating implicit trust. One way to achieve Zero Trust is at the network layer, by rebuilding the infrastructure into multiple micro-perimeters separated by a segmentation gateway. Another approach focuses on the identity layer rather than the network.
Identity-Based Zero Trust evaluates trust and enforces access controls every time a user attempts to access a resource. It monitors each access request against policies across the entire on-premises and hybrid environment, analyzing the risk associated with that request. The model applies granular risk analysis to the user's authentication activity on every access attempt, and based on the findings it validates or denies the request.
Both models aim to prevent malicious access to sensitive data and systems from inside the company's own network. Network-based Zero Trust requires a user to authenticate each request before gaining access to a resource in a segment; Identity-Based Zero Trust applies granular inspection to the authentication process itself, reducing the risk of a breach. Both share the same goal, blocking malicious access attempts, and both are valid methods for keeping a company's systems safe. However, Identity-Based Zero Trust is more convenient and safer, since it delivers higher granularity and better risk detection capabilities.
How it works
Identity-Based Zero Trust follows a few principles:
- Assume every account is compromised until proven otherwise.
- An account is trusted only after it has been validated.
- A validated access request applies to a single resource only; if the user attempts to access another resource, the request must be validated again.
If a remote user connected to the enterprise VPN requests access to a file server, Identity-Based Zero Trust evaluates that request and determines whether the user should be trusted. The system never assumes, based on a successful VPN authentication alone, that the user is trusted. The evaluation consists of a few steps:
- Continuous Monitoring: every access request from users, whether to on-premises or cloud resources, is monitored and recorded, keeping a comprehensive audit trail.
- Risk Analysis: each individual request is assessed by the system, which estimates the probability that the user is compromised based on the user's behavior, the audit trail, and other contextual parameters.
- Enforcement of Real-Time Access Policy: based on the calculated risk, the request is allowed, blocked, or subjected to step-up authentication with MFA.
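The three principles and the three evaluation steps above can be put together in a small policy engine. The following is an added example written for this page; it is not Silverfort's code or the article's own, and every risk weight, threshold, user baseline and request in it is a hypothetical, constructed value chosen to illustrate the decisions. Each resource access is evaluated on its own (a decision is never carried over to the next resource), the VPN flag is recorded in the audit trail but never used as a trust signal, and an account without a baseline is treated as compromised until proven otherwise.

```python
"""Added example: a minimal Identity-Based Zero Trust policy engine.
Every access request is logged (Continuous Monitoring), scored against the
user's behavioural baseline (Risk Analysis) and answered with ALLOW, STEP_UP
or DENY (Real-Time Enforcement). Weights, thresholds and data are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

ALLOW, STEP_UP, DENY = "ALLOW", "STEP_UP", "DENY"

# Hypothetical risk weights and decision thresholds (not a vendor's real values).
WEIGHTS = {
    "unrecognised device": 40,
    "source outside usual subnets": 20,
    "outside usual hours": 15,
    "recent authentication failures": 25,
    "sensitive resource": 20,
}
DENY_AT, STEP_UP_AT = 60, 30


@dataclass
class AccessRequest:
    user: str
    resource: str
    source_ip: str
    device_id: str
    timestamp: datetime
    vpn_authenticated: bool = False  # kept for the audit trail, never used as trust


@dataclass
class UserBaseline:
    known_devices: Set[str]
    usual_hours: Tuple[int, int]     # [start, end) in UTC hours
    home_prefixes: Tuple[str, ...]   # e.g. "10.20.30." for a hypothetical /24
    recent_failures: int = 0


@dataclass
class PolicyEngine:
    baselines: Dict[str, UserBaseline]
    sensitive_resources: Set[str]
    audit_trail: List[dict] = field(default_factory=list)

    def score(self, req: AccessRequest) -> Tuple[int, List[str]]:
        """Risk Analysis: compare one request with the user's behavioural baseline."""
        base = self.baselines.get(req.user)
        if base is None:
            return 100, ["unknown account"]  # compromised until proven otherwise
        reasons = []
        if req.device_id not in base.known_devices:
            reasons.append("unrecognised device")
        if not any(req.source_ip.startswith(p) for p in base.home_prefixes):
            reasons.append("source outside usual subnets")
        start, end = base.usual_hours
        if not start <= req.timestamp.hour < end:
            reasons.append("outside usual hours")
        if base.recent_failures >= 3:
            reasons.append("recent authentication failures")
        if req.resource in self.sensitive_resources:
            reasons.append("sensitive resource")
        return sum(WEIGHTS[r] for r in reasons), reasons

    def evaluate(self, req: AccessRequest) -> str:
        """Monitoring + Real-Time Enforcement for exactly one resource access.
        Called per resource, so a decision is never reused for another resource."""
        risk, reasons = self.score(req)
        if risk >= DENY_AT:
            decision = DENY
        elif risk >= STEP_UP_AT:
            decision = STEP_UP  # caller must complete MFA before access is granted
        else:
            decision = ALLOW
        self.audit_trail.append({
            "time": req.timestamp.isoformat(), "user": req.user, "resource": req.resource,
            "src": req.source_ip, "device": req.device_id, "vpn": req.vpn_authenticated,
            "risk": risk, "reasons": reasons, "decision": decision,
        })
        return decision


def build_engine() -> PolicyEngine:
    # Constructed baseline: alice works 07:00-19:00 UTC from one laptop on 10.20.30.0/24.
    return PolicyEngine(
        baselines={"alice": UserBaseline({"LAPTOP-A1"}, (7, 19), ("10.20.30.",))},
        sensitive_resources={"fileserver01"},
    )


def sample_requests() -> List[AccessRequest]:
    """Four constructed requests exercising the principles in the text."""
    t = lambda hour: datetime(2021, 7, 12, hour, 0, tzinfo=timezone.utc)
    return [
        # 1. Normal: known device, usual subnet and hours, low-value resource -> ALLOW.
        AccessRequest("alice", "wiki", "10.20.30.15", "LAPTOP-A1", t(10)),
        # 2. Same user, next resource: re-evaluated; sensitive share late at night -> STEP_UP.
        AccessRequest("alice", "fileserver01", "10.20.30.15", "LAPTOP-A1", t(22)),
        # 3. VPN-authenticated but unknown device, foreign address, 03:00 -> DENY anyway.
        AccessRequest("alice", "fileserver01", "203.0.113.7", "UNKNOWN-7", t(3), True),
        # 4. Account with no baseline: assumed compromised -> DENY.
        AccessRequest("mallory", "wiki", "10.20.30.99", "LAPTOP-A1", t(10)),
    ]


def demo() -> List[str]:
    engine = build_engine()
    return [engine.evaluate(r) for r in sample_requests()]


if __name__ == "__main__":
    engine = build_engine()
    for req in sample_requests():
        print(engine.evaluate(req), engine.audit_trail[-1]["reasons"])
```

The scoring is deliberately additive and transparent so the audit entry explains every decision; a production engine would replace the hand-picked weights with a learned baseline, but the control flow (log, score, then allow / step up / deny per resource, ignoring the VPN session) is the part the text describes.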
Benefits of Identity-Based Zero Trust
There are numerous ways Identity-Based Zero Trust benefits a company. First, it is simple to deploy, since it requires no changes to the network infrastructure. It focuses on the user rather than on the network segment, so risk analysis is carried out on every resource access. Performing a security check on each resource access improves the ability to detect anomalies and threats, increasing the likelihood of uncovering hidden malicious activity within the company. Every access attempt from every user is monitored, analyzed, and subjected to a real-time access policy to keep the enterprise safe.
Unified Identity Protection Platform: Identity-Based Zero Trust in Practice
Our partner Silverfort is a security software company based in Tel Aviv, Israel. It develops software that protects companies from data breaches, cyberattacks, and insider threats. Silverfort provides the first Unified Identity Protection platform, which consolidates security controls across corporate networks and cloud environments to block identity-based attacks. The company uses agentless and proxyless technology that integrates seamlessly with existing IAM solutions and extends their coverage to assets that could not be protected until now. It monitors all access by users and service accounts across cloud and on-premises environments, analyzes risk in real time using an AI-based engine, and enforces adaptive authentication and access policies. Silverfort's Unified Identity Protection platform is the only solution that can enforce an Identity-Based Zero Trust architecture in the modern enterprise environment.
——
References:
Pratt, Mary K. “What Is Zero Trust? A Model for More Effective Security.” CSO Online, 16 Jan. 2018, www.csoonline.com/article/3247848/what-is-zero-trust-a-model-for-more-effective-security.html.
“What Is a Zero Trust Architecture.” Palo Alto Networks, www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture. Accessed 12 July 2021.
Greenwald, Avner. “What Is Identity-Based Zero Trust?” Silverfort, 20 June 2021, www.silverfort.com/blog/what-is-identity-based-zero-trust.