The industry has come a long way from asking what Zero Trust is. Now enterprises are trying to determine how to map their current environment to Zero Trust, both in theory and in practice. YouAttest is ready to help companies map their current identity and identity governance to Zero Trust concepts and practices.
Introduction to Zero Trust and the Zero Trust Maturity Model
Most in the cyber community, thanks to efforts like NIST SP 800-207, cyber directives from the White House and the industry in general, have educated the public on the concept of Zero Trust. That is, enterprises must implement the principle that users, sessions and processes are re-authorized at each step of a process, especially when sensitive data is involved.
To implement Zero Trust, we must elevate our identity technology and, just as important, how we use those tools to secure our identities. To understand Zero Trust and identity governance, we should look at the Zero Trust Maturity Model (ZTMM) 2.0 published by the US Cybersecurity and Infrastructure Security Agency (CISA) in April 2023.
The Zero Trust Maturity Model Journey
To understand Zero Trust and identity governance, we must understand the “Zero Trust Maturity Journey”. The “maturity journey” acknowledges that enterprises conduct security and operations in a certain manner today, and then suggests actions and tools to help on the journey to Zero Trust.
Image 2: CISA has quantified the journey to Zero Trust in four stages: Traditional, Initial, Advanced and Optimal.
Let’s map Zero Trust, and specifically Zero Trust Identity Management, to these 4 stages:
“Traditional” Zero Trust Identity Governance:
“Traditional” is the label CISA gives to the starting state of identity management and identity security. It denotes that most processes are manual and static: the tools are operated by hand to create users and to provision rights.
This is the state of most enterprises, especially the small and commercial ones YouAttest sees on our first customer calls. If they practice any identity re-certification at all, the reviews are sporadic and 100% manual (spreadsheets, emails, etc.).
The ZTMM exists to help enterprises understand that this state is not acceptable, and that a focus on tools and changes in practice is needed to move beyond this level.
In enterprises at the traditional state of the ZTMM for identity, there is generally no process, manual or automated, for reviewing the privileges of users to ensure the principle of least privilege is enforced. In addition, in the traditional identity management model, policy enforcement is siloed rather than unified across resources: applications, devices, data, etc.
YouAttest exists to help enterprises start their journey in the ZTMM, and thus help these enterprises reach the “Initial” phase of identity governance.
“Initial” Zero Trust Identity Governance:
The first stage in the Zero Trust Maturity Model is Initial, and the key word is “automation”. For Zero Trust Identity Governance this means:
- Starting automation of the principle of least privilege
The Principle of Least Privilege (PoLP) is stated in ZTMM 2.0 as the goal of the trust model, with automation as the method to reach it. (The NIST Cybersecurity Framework specifies PoLP in PR.AC-4.)
YouAttest, as the ZTMM initial state suggests, automates the process of limiting the access users have to resources by creating a repeatable and actionable access review process. Managers are automatically messaged in the YouAttest system to certify or revoke the permissions of their users.
“Advanced” Zero Trust Identity Governance:
In the “Advanced” state of Zero Trust identity management, the enterprise has committed to full automation of the identity controls: provisioning, assignment enforcement and governance.
The tools in the advanced state should be, in the words of CISA’s ZTMM, “building toward an enterprise-wide awareness of risk”. The tools used should feed back into the enterprise identity systems, especially around the principle of least privilege. For example, user access reviews should be able to revoke privileges to enforce governance on the identity systems.
Key to this level is that the tools introduced in the initial phase are used to their maximum ability to automate all identity processes. In this way users are quickly provisioned, role changes are enforced across resources, and governance is automated for both static and real-time attestation of rights.
YouAttest meets the “Advanced” conditions for identity governance with:
- Automated delegation
- Automated scheduling
- Automated triggers on events
YouAttest is also working on mechanisms to take in the current state of identity and identity trust and feed this back to the identity fabric of the enterprise. Write to us directly and we will show you the models and how we can make this work for you.
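The Initial and Advanced identity-governance capabilities described above (scheduled access reviews routed to managers, delegation, event-driven triggers, and revoke decisions that feed back into the identity system) can be made concrete in a small attestation engine. The following is an added illustration written for this page; it is not YouAttest's code or API, and every name, role, and data value in it is a constructed assumption.

```python
"""Toy access-review (attestation) engine, added here as an illustration.

It shows the automation the ZTMM "Initial" and "Advanced" identity stages
call for: each entitlement is routed to the user's manager for
certification, a manager can delegate, reviews reopen on a fixed schedule,
a privileged-grant event opens an out-of-cycle review, and every "revoked"
decision becomes an enforcement action against the identity system.
All data below is constructed sample data; the names and functions are
hypothetical and are not YouAttest's API.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed list of roles treated as privileged for event-driven review.
PRIVILEGED_ROLES = {"DomainAdmin", "PaymentsDBOwner"}


@dataclass(frozen=True)
class Entitlement:
    user: str
    role: str
    granted: date


@dataclass
class ReviewItem:
    entitlement: Entitlement
    reviewer: str
    reason: str              # "scheduled" or "event:<description>"
    decision: str = "pending"  # "pending" | "certified" | "revoked"


@dataclass
class ReviewEngine:
    managers: dict                                  # user -> manager
    delegations: dict = field(default_factory=dict)  # manager -> delegate
    cycle_days: int = 90                             # review schedule
    last_review: dict = field(default_factory=dict)  # entitlement -> date
    items: list = field(default_factory=list)
    enforcement_log: list = field(default_factory=list)

    def reviewer_for(self, user):
        """Route to the manager, or to the manager's delegate if one is set."""
        manager = self.managers.get(user, "security-team")
        return self.delegations.get(manager, manager)

    def open_review(self, ent, reason):
        item = ReviewItem(ent, self.reviewer_for(ent.user), reason)
        self.items.append(item)
        return item

    def run_schedule(self, entitlements, today):
        """Open a review for every entitlement not reviewed within the cycle."""
        opened = []
        for ent in entitlements:
            last = self.last_review.get(ent, ent.granted)
            if today - last >= timedelta(days=self.cycle_days):
                opened.append(self.open_review(ent, "scheduled"))
                self.last_review[ent] = today
        return opened

    def on_grant_event(self, ent):
        """Event trigger: a privileged grant is reviewed immediately."""
        if ent.role in PRIVILEGED_ROLES:
            return self.open_review(ent, f"event:privileged grant of {ent.role}")
        return None

    def decide(self, item, reviewer, decision):
        """Record a certify/revoke decision; revokes feed back as enforcement."""
        if reviewer != item.reviewer:
            raise PermissionError(f"{reviewer} is not the assigned reviewer")
        if decision not in ("certified", "revoked"):
            raise ValueError(f"unknown decision {decision!r}")
        item.decision = decision
        if decision == "revoked":
            self.enforcement_log.append(
                ("remove_role", item.entitlement.user, item.entitlement.role))

    def pending(self):
        return [i for i in self.items if i.decision == "pending"]


def demo():
    """Run the engine over constructed sample data and return the outcome."""
    engine = ReviewEngine(
        managers={"alice": "bob", "carol": "bob", "dave": "erin"},
        delegations={"bob": "frank"},   # bob is out; frank reviews for him
    )
    entitlements = [
        Entitlement("alice", "DomainAdmin", date(2024, 1, 1)),
        Entitlement("carol", "ReadOnly", date(2024, 3, 1)),
    ]
    scheduled = engine.run_schedule(entitlements, date(2024, 4, 15))
    triggered = engine.on_grant_event(
        Entitlement("dave", "PaymentsDBOwner", date(2024, 4, 15)))
    engine.decide(scheduled[0], "frank", "certified")
    engine.decide(triggered, "erin", "revoked")
    return {
        "scheduled_reviewers": [i.reviewer for i in scheduled],
        "triggered_reason": triggered.reason,
        "pending": len(engine.pending()),
        "enforcement": engine.enforcement_log,
    }


if __name__ == "__main__":
    print(demo())
```

In the sample run only alice's grant is older than the 90-day cycle, so only it is reopened, and it lands with frank because bob delegated; dave's privileged grant is reviewed out of cycle and the revoke becomes a `remove_role` action the identity system can consume.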
“Optimal” Zero Trust Identity Governance:
At this stage, the enterprise is fully automated at all levels of identity management: provisioning, lifecycle management and governance. In addition, automated and observed triggers, dynamic and real-time in nature, enforce key identity security concepts such as the principle of least privilege. That is, a change in permissions that is anomalous (and probably malicious) should trigger an identity session action such as step-up authentication or logoff. This requires that the identity tools have technologies such as machine learning that can produce a trust score, which is then enforced by collaborating identity enforcement tools.
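The real-time trigger described in this stage, where an anomalous permission change lowers trust and the session is stepped up or terminated, can be shown with a rule-based scorer standing in for the machine-learning model the text mentions. This is an added example for this page, not YouAttest's or CISA's code; the signals, weights, thresholds, role owners and sample events are all constructed assumptions.

```python
"""Risk-scored permission-change events mapped to session actions.

A rule-based score stands in here for the ML trust score the "Optimal"
stage describes. Each permission-change event is scored on constructed
signals (privileged role, self-grant, actor not an approved owner, change
outside the maintenance window, new device, no MFA) and the score selects
an enforcement action. Weights, thresholds and data are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class PermissionChange:
    actor: str        # account that made the change
    target: str       # account that received the role
    role: str
    when: datetime
    actor_mfa: bool   # did the actor's session pass MFA
    new_device: bool  # is the actor's device unseen before


# Constructed policy data standing in for the enterprise's identity fabric.
PRIVILEGED_ROLES = {"DomainAdmin", "PaymentsDBOwner"}
ROLE_OWNERS = {                      # accounts allowed to grant each role
    "DomainAdmin": {"bob"},
    "PaymentsDBOwner": {"erin"},
    "ReadOnly": {"bob", "erin"},
}
CHANGE_WINDOW = (9, 17)              # approved change hours, local time


def risk_score(ev):
    """Return (score 0..100, list of reasons) for a permission change."""
    score, reasons = 0, []
    if ev.role in PRIVILEGED_ROLES:
        score += 30; reasons.append("privileged role")
    if ev.actor == ev.target:
        score += 40; reasons.append("self-grant")
    if ev.actor not in ROLE_OWNERS.get(ev.role, set()):
        score += 25; reasons.append("actor is not an approved owner")
    if not (CHANGE_WINDOW[0] <= ev.when.hour < CHANGE_WINDOW[1]):
        score += 15; reasons.append("outside change window")
    if ev.new_device:
        score += 15; reasons.append("new device")
    if not ev.actor_mfa:
        score += 20; reasons.append("no MFA on session")
    return min(score, 100), reasons


def session_action(score):
    """Map the score to the enforcement the identity tools should apply."""
    if score >= 70:
        return "terminate_session_and_open_review"
    if score >= 40:
        return "step_up_authentication"
    return "allow"


def evaluate(ev):
    score, reasons = risk_score(ev)
    return {"score": score, "action": session_action(score), "reasons": reasons}


# Constructed sample events for a stand-alone run.
SAMPLE_EVENTS = [
    PermissionChange("bob", "carol", "ReadOnly",
                     datetime(2024, 4, 15, 10, 0), True, False),
    PermissionChange("bob", "dave", "DomainAdmin",
                     datetime(2024, 4, 15, 10, 0), True, True),
    PermissionChange("alice", "alice", "DomainAdmin",
                     datetime(2024, 4, 15, 2, 0), True, True),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.actor, "->", ev.target, ev.role, evaluate(ev))
```

The routine grant by an approved owner during business hours scores zero and is allowed; an approved owner granting a privileged role from an unseen device crosses the step-up threshold; a night-time self-grant of a privileged role by a non-owner saturates the score and the session is terminated with a review opened, which is the feedback loop into governance the Optimal stage calls for.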
YouAttest is also working on mechanisms to take in the current state of identity and identity trust and feed this back to the identity fabric of the enterprise. Write to us directly and we will show you the identity trust models and how we can take your enterprise to the “optimal” zero trust state of identity governance.
The objective of zero trust is to reduce risk and raise security in our Enterprise architectures. To do this requires both raised awareness of the different components in the identity system and the zero trust maturity state of each component, including identity governance.
YouAttest is ready to take enterprises immediately to the “initial” and “advanced” states of the CISA Zero Trust Maturity Model (and can work with you on a future “optimal” state). Let’s start the discussion on taking your enterprise on the ZTMM journey and making your identities, and thus your enterprise, more secure.
YouAttest is the only cloud-based IGA platform that deploys in minutes via application SSO into your existing IAM platforms. Contact us to learn how YouAttest can automate your access review process and help your enterprise move up the Zero Trust Maturity Model ladder.