The Identity Blog


Experts Weigh-In on the U.S. Presidential Executive Order; Zero Trust Architecture and Identity Management

Zero Trust Overview

In 2021, U.S. President Joe Biden signed the Executive Order (EO) on Improving the Nation’s Cybersecurity to “identify, deter, protect against, detect, and respond” to the increasingly sophisticated malicious cyber campaigns that threaten both public and private sectors. A key component of this signed EO is the advancement and implementation of zero trust architecture.

The National Institute of Standards and Technology (NIST) defines zero trust as a “collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”

In other words, trust no one with your organization’s assets until they have been verified. The problem is that most organizations cannot accurately identify who has access to their networks and data, which creates gaps that bad actors across the globe exploit daily.

“The continuous and consistent messaging coming from the executive branch is most definitely driving progress across the federal landscape when it comes to zero trust,” Richard Bird, chief product officer, SecZetta and board member of the Identity Defined Security Alliance, told Information Security Media Group (ISMG) in a recent GovInfoSecurity article.

“It has taken a series of executive orders to force federal agencies to move into the 21st century from a security standpoint,” says Bird. “As President Biden said, ‘Incremental improvements will not give us the security we need; instead, the federal government needs to make bold changes.’ Our government should have been bold about security a long time ago.”

While few would argue against more organizations implementing a zero trust approach, the EO was signed months ago and many questions remain surrounding zero trust and how organizations can adopt it.

Why Does My Organization Need to Adopt Zero Trust Architecture?

Through his leadership roles at the Departments of Defense and Homeland Security, Mike Brown, rear admiral, United States Navy (retired), gained expertise in our nation’s cybersecurity and zero trust strategy. During SecZetta’s recent webinar, Easy Preparation Steps for Adopting Zero Trust, Rear Admiral Brown explained exactly why every organization needs to adopt zero trust as a paradigm shift, using the analogy of a house.

“You can’t just lock the front door. If you leave the windows open or the back door open, the bad guys can still get in,” Brown explains. “We have to lock the windows, the back door, access to all of the rooms of the house, and the drawers or any storage area.”

For decades, organizations have only “secured the house,” a practice that must now be abandoned in favor of “never trust, always verify.” According to Egress’ Insider Data Breach Survey 2021, 94% of organizations have been affected by insider data breaches in the last year. We now know that securing the perimeter isn’t enough to prevent a breach. Every area of an organization must limit access to users who are clearly identified and effectively managed.

“It’s understanding what’s on the network, who’s on the network, and what’s happening,” says Frank Briguglio, public sector strategist of cloud identity security company SailPoint, “And until we have a good grasp of that, we can’t progress down the cybersecurity framework.”

How Does Zero Trust Tie into IAM and IGA Tools?

According to the global research and advisory firm Gartner, “Identity Governance and Administration (IGA) tools help organizations control access risks, achieve and maintain compliance, and improve efficiency by managing user accounts and entitlements in infrastructure systems and applications.”

David Pignolet, CEO and founder of non-employee identity risk and lifecycle management software company SecZetta, explains that “the identity authorities in an organization need to be what drives that access. The what, the when, and the who of the access is driven by identity authorities.”

In most organizations, the only identity authority is a repurposed human resources system, which should not be confused with a cybersecurity-centric identity management system rooted in zero trust. HR systems were created to manage employee benefits and compensation, not third-party, non-employee identities. Using them for that purpose is the proverbial square peg in a round hole.

Organizations can manage both employee and non-employee information with Identity and Access Management (IAM) systems; however, without an authoritative identity source for non-employees, that approach leaves gaps in meeting zero trust.

“It does not take into account all the context that we need to properly protect the access behind that data,” says Pignolet. “It’s a mistake to not account for that right up front, along with the employee population.”

In adopting zero trust architecture, organizations must continuously monitor and validate every identity in their population and confirm that each identity has the correct access and privileges. It is the organization’s responsibility to be aware of all of its accounts and their access, whether employee, non-employee, third-party or non-human, regardless of whether the account is under the organization’s direct control or where it is located geographically.
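The per-request, identity-authority-driven decision described above, together with the validation sweep that surfaces accounts no authority can vouch for, as an added illustration (not code from SecZetta or any of the speakers). The identity authorities, accounts and entitlement names are constructed sample data; `decide` and `reconcile` are hypothetical helper names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    identity_id: str
    population: str         # "employee", "non-employee" or "non-human"
    status: str             # "active" or "terminated"
    entitlements: frozenset # access the authority says this identity may hold

# Constructed authorities: HR knows employees only; a separate registry
# is the authoritative source for non-employee (third-party) identities.
HR_AUTHORITY = {
    "e100": Identity("e100", "employee", "active", frozenset({"crm:read"})),
    "e101": Identity("e101", "employee", "terminated", frozenset({"crm:read", "crm:write"})),
}
NON_EMPLOYEE_AUTHORITY = {
    "c200": Identity("c200", "non-employee", "active", frozenset({"crm:read"})),
}
ALL_AUTHORITIES = (HR_AUTHORITY, NON_EMPLOYEE_AUTHORITY)

# Constructed view of accounts in a target application: account -> claimed identity.
APP_ACCOUNTS = {
    "jdoe": "e100",
    "asmith": "e101",
    "contractor7": "c200",
    "svc-batch": "s300",   # no authority knows this service identity
}

def resolve(identity_id, authorities):
    """Return the identity record from the first authority that knows it, else None."""
    for authority in authorities:
        if identity_id in authority:
            return authority[identity_id]
    return None

def decide(account, entitlement, authorities=ALL_AUTHORITIES):
    """Per-request decision: allow only when an authority vouches for an active
    identity behind the account and grants the requested entitlement."""
    ident = resolve(APP_ACCOUNTS.get(account), authorities)
    if ident is None:
        return ("deny", "no authoritative identity")
    if ident.status != "active":
        return ("deny", "identity " + ident.status)
    if entitlement not in ident.entitlements:
        return ("deny", "entitlement not granted by authority")
    return ("allow", ident.population)

def reconcile(authorities=ALL_AUTHORITIES):
    """Validation sweep: every account that cannot be tied to an active identity."""
    gaps = {}
    for account, identity_id in APP_ACCOUNTS.items():
        ident = resolve(identity_id, authorities)
        if ident is None:
            gaps[account] = "orphaned: no identity authority"
        elif ident.status != "active":
            gaps[account] = "stale: identity " + ident.status
    return gaps
```

Running `reconcile((HR_AUTHORITY,))` shows the gap the article describes: with HR as the only authority, the contractor account becomes orphaned alongside the unmanaged service account.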

Easy Preparation Steps for Adopting Zero Trust

To learn more about the recent executive order and how it affects your organization’s adoption of zero trust architecture, visit our zero trust webpage, where you can view the webinar Easy Preparation Steps for Adopting Zero Trust, featuring Mike Brown, Frank Briguglio, and David Pignolet, moderated by Johanna Baum, CEO and founder of the cybersecurity and global technology consulting firm S3.