Zero trust means zero without identity management

In zero-trust land, we’re assumed to be an imposter by each and every resource we interact with. A network credential is no longer sufficient.

In the old days, we would prove our identity to the company network when we logged in. Then we would be trusted within the network. But now we can’t be trusted in the network because an adversary can get in basically anywhere, so we’ve got to validate identity all over the place.

I think of it as moving from a trusted corporate network to a model more like the internet. Systems are isolated, data is segmented, the network is segmented, nothing can be accessed or shared without appropriate permissions at every stage.

If we want to perform a relatively complex task online, like doing taxes, we’re going to end up logging into maybe several systems doing that (such as online banking, an accountant portal, HMRC, an authenticator). The internet already operates close to zero trust.

Three challenges with zero trust

The benefits of zero trust in a business seem obvious – in theory it makes it harder for adversaries to gain access, move laterally and do high impact damage. In practice it is proving hard to achieve. The stories we hear from the coalface are that, whilst it can be a useful banner to drive change, it’s proving challenging to make great leaps towards this future vision.

One of the key challenges in achieving the zero trust holy grail is in identity management. At every interaction, a person (or system) must be authenticated to check they should have access to the service or data in question.

This poses three key problems:

1. We need close to perfect understanding of identity for people and machines. That means understanding what every identity has access to, the level of privilege it has, and the people or systems which can use that identity.
2. Account compromise becomes the main threat vector, so we need to minimise the number of accounts and the overall level of privilege across all accounts.
3. If users can’t seamlessly traverse systems, can’t access systems, can’t access data they need to do their work, the system has failed and the business suffers.

Identity management is hard

What I hear most in conversations about identity is that security teams don’t know what people have access to. And that feels like the most important thing to know.

Those in the industry with a specialisation in identity will say it’s an unsolved problem. Even large, sophisticated organisations struggle with PAM and IDAM. They cannot definitively say who has access to what, and whether, at any moment, those permissions are adequately protected, for example by a vault.

It’s really tough to be certain of an entity’s identity at any single point in time. Manual processes, such as active leavers, cause challenges. The same can be said for messy data, legacy systems, changing environments, and people simply being people.

Identity sprawl is rampant. New systems means new access requirements, which means huge overprovisioning. Admin accounts handed out all over without business need. According to Gartner’s Managing Privileged Access in Cloud Infrastructure report, by 2023, 75% of cloud security failures will be attributable to inadequate management of identities, access, and privileges.

To put this into perspective, according to Lastpass the average number of passwords per user is 25 for large enterprises, and 85 for small businesses.

Teams don’t have single point of visibility of identities and permissions. Vaults are great, but, as with many tools, they don’t know what they don’t know. AD is a maze of nested groups, which piles on the difficulty.

Without solving these problems, zero trust will remain out of reach. And while there is investment in this area, there isn’t yet a silver bullet.

The final word

As the founder of Panaseer, I always have ideas about what our platform and Continuous Controls Monitoring tech in general, can achieve. Whether that’s now, in the near future, or years down the line.

I call these future ideas ‘points of view’ — meaning we can have a point of view on something even if we aren’t experts. I’m not an expert in zero trust or identity, so I can only really talk to what I’ve picked up on the mean streets of RSA and FS-ISAC.

That’s where zero trust sits at the moment. CCM has many potential applications, and this could be one for the future.

It’s going to take a lot more effort to bring identity to a level where legacy businesses can operate under a zero trust model. I believe solving identity will become one of the biggest challenges in cybersecurity in the coming years, both in corporate and consumer security.

Fundamentally proving who we are, and what we are able to do, is not only critical to enable security approaches such as zero trust, but will become a major issue in operating our lives.