Zero Trust and the Identity

Digital transformation is occurring faster than most people realize, and it affects every component of the IT organization. Among the many catalysts: users and applications have moved outside the traditional perimeter, users reach applications hosted anywhere, and they do so from many different types of devices. IT organizations are challenged to keep pace with this transformation while simultaneously ensuring that critical resources are protected.

Visualize the challenge at a high level with a simple dry-erase board exercise: draw where your users are in relation to the applications they use, versus how they accessed those applications ten years ago. Users and applications have moved out of the network perimeter but still require fast and secure access; providing that access while protecting the assets requires a partnership between IT/Security and the business units they serve. All of this results in the need for a zero trust mindset.


The basic concept of zero trust is that there is no inside and no outside: network location confers no trust, so no request is trusted by default. Access still has to be provided for business functions, so every user must be authenticated, and every request authorized, regardless of physical location. Identity is therefore the key player.

Identity, in short, is proving who you are (or who you claim to be). Many attributes combined together build the picture of your identity, and that identity varies with context and role. I am one person, but I am also a husband, father, brother and uncle, and each role carries unique attributes that define me in it. As a father I am described in ways that differ from my description as a husband or as a brother. I am the same physical person; different attributes define each role and what I do in it.

Identity is therefore at the forefront when thinking about zero trust and digital transformation. We must be able to establish who or what the subject is (authentication) and then determine what the subject is permitted to do (authorization). If the subject is a device or a workload rather than a person, it too must be authenticated and authorized before it does anything. As a result, IT must partner with security and the business units to understand, manage and adapt to a constantly changing identity and application ecosystem.


To accomplish this, directory sources and stores are used to maintain identities. A directory source such as Active Directory Domain Services (AD DS), an LDAP directory or some other directory holds the users and their attributes. An Identity Provider (IdP) can play the same role: it stores, or federates to, those user attributes and the authorizations used to grant access to resources.

IdPs integrate the components used to identify users and secure applications. They verify something the user knows (a username and password) and, for multi-factor authentication, something the user has, such as a phone that receives an SMS code, an OTP generator or a push notification. Many IdPs support federation protocols such as Security Assertion Markup Language (SAML), OAuth 2.0 and OpenID Connect (OIDC). With these, the user's password is never sent to the application: the user authenticates to the IdP, and the IdP issues a signed assertion or token that the application verifies. Trust between the IdP and the application (the service provider) is established with signing keys exchanged out of band, not with a password. This removes the need for each application to handle passwords and improves adoption and user experience through single sign-on (SSO): the user authenticates once against the directory source and can then open other applications directly, without resupplying credentials.

With IdPs there are two primary flows. In an IdP-initiated flow the user signs in at the IdP and launches applications from its landing page; the IdP then sends an unsolicited assertion to the application. In a service-provider-initiated (SP-initiated) flow the user follows a direct link to an application resource; if the user is not yet authenticated, the application redirects to the IdP, which authenticates the user and returns an assertion that answers that specific request. Where there is a choice, SP-initiated is the safer default, because the application can bind the response to a request it issued; an unsolicited IdP-initiated response cannot be bound that way, so the application must decide deliberately whether to accept such responses at all.
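The two flows above, modelled end to end in pure Python as an added example (this is not code from the original post or from Akamai). The signed "assertion" is a JSON document with an HMAC-SHA256 tag over a constructed shared key; a real SAML assertion is XML signed with the IdP's private key and an OIDC ID token is a JWT, but the shape of the exchange and the checks the service provider must perform (signature, audience, expiry, replay, and binding to an outstanding request) are the same. The endpoint URL, entity ID, key and user name are all constructed for the demo.

```python
"""SP-initiated vs IdP-initiated SSO, modelled in pure Python (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

IDP_SSO_URL = "https://idp.example/sso"   # assumption: constructed IdP endpoint
IDP_KEY = b"constructed-demo-key"          # assumption: stands in for the IdP signing key
REQUEST_TTL = 300                          # seconds an outstanding login request stays valid


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def sign(claims: dict, key: bytes = IDP_KEY) -> str:
    """Serialise claims and append an HMAC tag (stand-in for an XML/JWT signature)."""
    body = json.dumps(claims, sort_keys=True).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())


def verify(token: str, key: bytes = IDP_KEY):
    """Return the claims if the tag verifies (constant-time compare), else None."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return None
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return json.loads(body)


class IdentityProvider:
    """Authenticates the user (out of scope here) and issues a signed assertion."""

    def issue(self, subject: str, audience: str, in_response_to=None, lifetime=120) -> str:
        now = time.time()
        return sign({
            "assertion_id": secrets.token_urlsafe(16),
            "subject": subject,
            "audience": audience,              # the SP this assertion is meant for
            "issued_at": now,
            "expires": now + lifetime,
            "in_response_to": in_response_to,  # None for an unsolicited (IdP-initiated) login
        })


class ServiceProvider:
    """The application. It never sees a password; it only validates assertions."""

    def __init__(self, entity_id: str, accept_unsolicited: bool = False):
        self.entity_id = entity_id
        self.accept_unsolicited = accept_unsolicited
        self.pending = {}      # request_id -> (issued_at, resource the user asked for)
        self.seen_ids = set()  # assertion_ids already consumed (replay defence)

    def start_login(self, resource: str) -> dict:
        """SP-initiated: an unauthenticated hit on `resource` becomes a redirect to the IdP."""
        request_id = secrets.token_urlsafe(16)
        self.pending[request_id] = (time.time(), resource)
        return {"redirect_to": IDP_SSO_URL, "request_id": request_id}

    def consume(self, token: str):
        """Assertion consumer: ("accept", subject, resource) or ("reject", reason)."""
        claims = verify(token)
        if claims is None:
            return ("reject", "bad signature")
        if claims.get("audience") != self.entity_id:
            return ("reject", "assertion issued for a different SP")
        if claims["expires"] < time.time():
            return ("reject", "expired")
        if claims["assertion_id"] in self.seen_ids:
            return ("reject", "replayed assertion")
        request_id = claims.get("in_response_to")
        if request_id is None:
            # IdP-initiated: nothing on the SP side ties this login to a request the
            # user actually made, so it can only be accepted as a deliberate policy.
            if not self.accept_unsolicited:
                return ("reject", "unsolicited (IdP-initiated) response not accepted")
            resource = "/"
        else:
            # SP-initiated: the response must match an outstanding request we issued.
            entry = self.pending.pop(request_id, None)
            if entry is None:
                return ("reject", "unknown or already-used request id")
            issued_at, resource = entry
            if time.time() - issued_at > REQUEST_TTL:
                return ("reject", "request expired")
        self.seen_ids.add(claims["assertion_id"])
        return ("accept", claims["subject"], resource)


def demo():
    idp = IdentityProvider()
    sp = ServiceProvider("https://app.example/sp")  # assumption: constructed SP entity id
    # SP-initiated: deep link -> redirect -> IdP answers that specific request.
    login = sp.start_login("/reports/q3")
    token = idp.issue("alice@example", sp.entity_id, in_response_to=login["request_id"])
    first, replay = sp.consume(token), sp.consume(token)
    # IdP-initiated: user clicks the app tile on the IdP portal; no request id exists.
    unsolicited = idp.issue("alice@example", sp.entity_id)
    strict = sp.consume(unsolicited)
    lenient = ServiceProvider(sp.entity_id, accept_unsolicited=True).consume(unsolicited)
    return first, replay, strict, lenient


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Running it shows the SP-initiated login accepted and sent to the deep link the user asked for, the same assertion rejected on replay, the IdP-initiated assertion rejected by the default SP, and the same assertion accepted (landing on "/") only by an SP that was explicitly configured to accept unsolicited responses.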

In an ideal world, protecting corporate assets is everyone's responsibility. In practice, IT and SecOps bear the brunt of making sure technology aligns with company security policy and minimizes risk while still enabling the business to accomplish its objectives.

We must be able to identify users and understand the data flow, whether it is remote users coming in or internal users sending data out. With no perimeter, threats can be launched from anywhere, which makes it all the more imperative to use identity when inspecting requests for data and traffic.

Between remote workers setting up shop at home and on the road, and the ever-changing threat landscape, there are many opportunities for data loss and security breaches. With a zero trust architecture built on identity, businesses can stay on the defensive and safeguard valuable data and information. Zero trust is a journey, and it is up to you to take the first step.

For more insight as to why your IT team needs to embrace zero trust, read this paper.


*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Tommy Cormier. Read the original post at: