Putting Identity at the Center of Zero Trust
Identity is a foundational building block of Zero Trust. Here's how to build your Zero Trust strategy with identity at the center.
The modern enterprise is under attack, and the question is when, not if, your business will be breached. Gone are the days when cybersecurity revolved around protecting on-premises applications from external threats, and when employees and contractors reached everything they needed from inside your network or your building.
The Current State of Cybersecurity
With evolving digital transformation efforts, remote and hybrid working environments, and growing cloud-first infrastructure, organizations are changing how they do business; simply relying on a network perimeter is no longer sufficient. Organizations—public and private—need to provide access from anywhere, at any time, from any device, service, or application to support business.
In response, the U.S. federal government has set out a strategy for federal agencies that also provides actionable guidance to private sector companies. It commits agencies to a Zero Trust Architecture (ZTA) and to specific cybersecurity standards and objectives, reinforcing the government's defenses against increasingly sophisticated and persistent threat campaigns. The Biden Administration's Executive Order on improving the nation's cybersecurity (EO 14028) and the accompanying OMB memorandum on zero trust (M-22-09) are further attempts to raise the baseline for addressing cyber threats.
Clearly, leaders need to be more vigilant than ever about their defenses, and implementing a Zero Trust strategy is a great place to start. However, with its buzzworthy allure and silver bullet positioning, the promise and practice of Zero Trust are often misconstrued. So, how can we cut through the noise and start realizing its value? We can start by setting expectations.
Zero Trust Explained
The National Institute of Standards and Technology (NIST), in SP 800-207, frames zero trust as a set of concepts for minimizing uncertainty when enforcing accurate, least-privilege, per-request access decisions on a network that is assumed to be compromised. Gartner's definition makes the same point from the other direction: "Zero trust is a security paradigm that replaces implicit trust with continuously assessed explicit risk and trust levels based on identity and context supported by security infrastructure that adapts to risk-optimize the organization's security posture." Either way, trust is never assumed; it is established per request from identity, device, and context, and it is re-evaluated continuously rather than granted once.
But Zero Trust isn't just about changing security paradigms; it also challenges business culture. Always-on access must now be tempered with just-enough and just-in-time access, which reduces both insider threats and the standing privileged accounts that external attackers hunt for. An architecture that "never trusts, always verifies" is far better suited to delay or even prevent a full-scale data breach. None of this is possible without a strong identity governance program.
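The per-request, never-assumed-trust model described above, reduced to a small policy decision function. This is an added illustration, not code from the original article or from any standard or product; the user, device, resource and ticket names are constructed, and the checks (MFA, managed and compliant device, a time-boxed grant scoped to specific actions) are assumptions chosen to show the shape of the decision, not a prescribed policy.

```python
"""Per-request access decision in the zero trust style.

Every request is evaluated against identity, device posture and context;
standing privilege is replaced by just-in-time grants that carry an expiry
and an action scope. Deny is the default: a request is allowed only when
every check passes. Added example; all names and thresholds are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    resource: str
    actions: frozenset          # "just enough": only the actions requested
    expires_at: datetime        # "just in time": every grant expires
    ticket: str                 # change/request record the grant traces to


@dataclass
class Principal:
    user: str
    mfa_verified: bool
    grants: list = field(default_factory=list)


@dataclass
class Device:
    device_id: str
    managed: bool
    compliant: bool


@dataclass
class Request:
    principal: Principal
    device: Device
    resource: str
    action: str
    now: datetime               # evaluation time, passed in for determinism


def issue_grant(principal: Principal, resource: str, actions, ttl: timedelta,
                ticket: str, now: datetime) -> Grant:
    """Create a time-boxed grant tied to a ticket and attach it to the principal."""
    grant = Grant(resource, frozenset(actions), now + ttl, ticket)
    principal.grants.append(grant)
    return grant


def decide(req: Request) -> tuple:
    """Return (allowed, reason). Identity and device are checked on every
    request; a matching grant must be unexpired and cover the action."""
    p = req.principal
    if not p.mfa_verified:
        return False, "identity not strongly verified (no MFA)"
    if not (req.device.managed and req.device.compliant):
        return False, f"device {req.device.device_id} not managed/compliant"
    for g in p.grants:
        if g.resource != req.resource:
            continue
        if req.now >= g.expires_at:
            return False, f"grant for {g.resource} expired at {g.expires_at.isoformat()}"
        if req.action not in g.actions:
            return False, f"action {req.action!r} outside granted scope {sorted(g.actions)}"
        return True, f"allowed by {g.ticket} until {g.expires_at.isoformat()}"
    return False, f"no grant for {req.resource}"


def scenario() -> dict:
    """Constructed sample: one user with a 2-hour read grant on 'prod-db',
    exercised by four requests. Returns {name: (allowed, reason)}."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    alice = Principal(user="alice@example.com", mfa_verified=True)
    issue_grant(alice, "prod-db", {"read"}, ttl=timedelta(hours=2),
                ticket="CHG-0001", now=t0)
    laptop = Device("lap-01", managed=True, compliant=True)
    phone = Device("phone-07", managed=False, compliant=False)
    soon, later = t0 + timedelta(minutes=30), t0 + timedelta(hours=3)
    return {
        "in_scope":   decide(Request(alice, laptop, "prod-db", "read", soon)),
        "escalation": decide(Request(alice, laptop, "prod-db", "write", soon)),
        "expired":    decide(Request(alice, laptop, "prod-db", "read", later)),
        "bad_device": decide(Request(alice, phone, "prod-db", "read", soon)),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in scenario().items():
        print(f"{name:11} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The point of the structure is that nothing about the first successful request carries over to the next one: the same user on the same laptop is denied thirty minutes later if the action grows beyond the grant, and denied outright once the grant expires. In practice the `decide` step is what a policy decision point does in front of each resource, and `issue_grant` is the hook where an ITSM or identity governance workflow creates the scoped, expiring entitlement rather than a permanent role assignment.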
Gartner states that "having a robust identity access foundation is a key prerequisite for success." The National Cybersecurity Center of Excellence (NCCoE) goes a step further: "Enhanced Identity Governance is seen as the foundational component of a Zero Trust Architecture." Experts and analysts agree that identity is a foundational building block of a successful Zero Trust rollout. Here's why:
Why Identity Is Critical
Identity acts as the connective tissue between smooth workflow and security by ensuring the right employees and contractors have access to the right applications and systems to perform their jobs, and nothing more. A weak identity strategy leads to compromised data, labor-intensive practices, and manual audits that can take months to complete, leaving security gaps that organizations can't afford to leave unattended.
Identity governance is how an organization knows what access each employee and contractor should have. Done right, it automates provisioning and revocation quickly, consistently, and accurately at scale. A cloud-based identity governance solution can add to this, bringing faster time-to-value through ready-made integrations and a gentler learning curve for employees.
One of the most effective ways to implement a successful identity governance program is through an existing IT Service Management (ITSM) system, so that every access request, approval, and revocation is a tracked record rather than an ad hoc message. The good news is that 47% of knowledge workers already turn to ITSM to power part of their identity programs. Unfortunately, manual, insecure, and error-prone methods such as email (50%) and spreadsheets (32%) are still the main alternatives (Gradient Flow). Ultimately, more organizations than not are leaving money on the table and increasing risk.
There is an excellent opportunity for businesses to take stock of their current tech stack and see where identity fits in, giving way to a more cohesive Zero Trust initiative. Identity plays an essential role in enforcing access decisions beyond the network perimeter, down to the user, device, service, and application levels. Instead of treating identity governance as a box to check, organizations should run it as both a critical business function and the vehicle for achieving Zero Trust.
Many challenges stand in the way of a Zero Trust implementation: lack of understanding, shifting business priorities, and limited IT resources, to name a few. It helps to remember that this is a marathon, not a sprint, and a complete technology overhaul is neither necessary nor recommended to get a Zero Trust program off the ground.
Understand what functionality is already available within your ITSM platform, take ownership of who has access to what within your organization and how that access is managed, and build from there. Change is hard, but a well-grounded identity program will take you a long way on your Zero Trust journey.