You’ve probably heard it said that zero trust is not a product or solution; in fact, experts ranging from the analyst team at Forrester, where the term originated, to our own RSA strategists have made that point. Rather, it’s a security strategy. And while the concept is fairly simple—don’t trust anyone until you check to be sure you can—the implementation is often overwhelming. Once you commit to a zero-trust approach, the real work begins. But where do you start?
The answer: identity.
As the first line of defense against cybersecurity threats, identity is key to making zero trust a real and practical tool organizations can use to improve their security posture. The thinking behind zero trust is that trust can never be assumed, but instead must be established anew with every interaction—which is precisely what identity does.
Every time a user authenticates, trust is verified before access is granted. That’s foundational to taking the concept of zero trust and making it a day-to-day reality.
Let’s explore what that means, starting with what exactly zero trust is.
Zero trust is a way of thinking about security in an increasingly digital world, where the traditional network perimeter we relied on for years has been all but erased. Today, people can (and do) work from anywhere. The resources they access may be in the cloud, on-premises, or a combination of both, and they access them from locations far beyond any protective perimeter. The issue then becomes how to secure those resources.
Adopting zero trust is one way to solve the problem. The guiding principle for zero trust is simply that trust can never be assumed. Every interaction related to accessing resources must be presumed to be potentially risky. As Jim Taylor, Chief Product Officer of RSA, put it, “Zero trust is a way of approaching a situation when you no longer have those mechanisms you used to have to feel secure.” Rather than assuming an individual or device can be trusted, trust must be verified with every interaction.
With the erosion of the traditional perimeter, identity becomes the primary means of establishing trust. “Identity is the new perimeter—it’s the one thing you can control and secure,” said Taylor. “If I can determine with a high degree of confidence that you are who you say you are, I can authenticate you and authorize you. The ability to trust the identity of someone or something makes it possible to base security policy on identity.”
Of course, the idea of using identity to establish trust is not new. But the context for establishing trust has changed in ways that make identity more critical than ever. Increasingly, the workforce includes not just on-site, full-time employees, but also contractors, gig workers, and many others who need access to resources, and not just from on-site. Interaction today happens digitally and online to such a great extent that someone’s physical location is no longer foundational to establishing trust. These changes are why zero trust is so relevant now and why identity is critical.
Identity paves the path to zero trust in three specific ways.
- Grants access to the right people. The ability to establish the right level of trust before granting access is essential to operating from a zero-trust mindset. To support zero trust, you need identity and access capabilities that include a range of multi-factor authentication (MFA) methods, along with strong identity governance and administration (IGA) to enable governance-based and visibility-driven access authorization.
- Supports dynamic decision making. To successfully pursue a zero-trust approach to access, you have to be able to use context to assess the risk associated with a particular interaction and then make access decisions based on the level of risk. A zero-trust approach requires context-based dynamic decision-making, so it’s important to have the ability to apply risk-based authentication.
- Aligns with the NIST zero trust architecture framework. The National Institute of Standards and Technology (NIST) has developed a framework for a zero-trust architecture. Identity and access components that include NIST-required risk-based analytics and role- and attribute-based access are essential to working within the NIST framework.
Any approach to secure access, including zero trust, has a two-fold goal: keep the bad guys out and let the good guys in. If you focus exclusively on defense and let no one in, you have little risk but also little business. The term zero trust doesn’t mean never trust anyone ever. It means don’t trust anyone without first checking to be sure they can be trusted. And identity is central to making sure someone or something can be trusted. With the right identity tools, you can successfully bring a zero-trust mindset to managing access and thrive in the digital world.