
Can Federated Access Lead to Zero Trust?

Congratulations, you (yes, you, the reader) are the identity director of a wildly successful company!

One of your vendors has an employee named Lester, who has been assigned to a project to help deliver your product. You gave Lester access to a few of your company’s systems (your customer database, Slack, and a network folder with product tech sheets) so he could understand what needs to be delivered when.

Lester is a great delivery person, but security isn’t really his thing.  Lester uses the same password for every site and app, both personally and professionally.

Uh-oh, a bad actor has compromised Lester’s account, used it to access your systems, and has caused irrecoverable damage to your company and its reputation. We’ll spare you the doom & gloom, but we’re talking millions of dollars removed from your bottom line here!

So, what are you, the identity director of this wildly successful company, going to do to protect your business in the future?

You’ll probably consider a zero trust approach.

 

What is Zero Trust?

Zero trust is a strategic approach to cybersecurity based on eliminating implicit trust and applying the principle of “never trust, always verify.”

At the root of zero trust methodologies is the practice of verifying all users before they are trusted with access to an organization’s information assets. This means knowing and verifying the individual requiring access, the data and systems they want to access, and when they’re doing it, and assessing how much you trust them before granting access. If your company had had these protocols in place, Lester might have been identified as someone you shouldn’t give system access to.

Zero trust has risen in popularity as organizations rely more and more on cloud computing, remote work, and the digital transformation of their business. A zero trust approach helps to reduce complexity, lower costs, and decrease the dependence on both cybersecurity tools and skilled personnel.

It’s important to note that zero trust isn’t a benchmark that you can achieve, but rather an approach that requires ongoing efforts.

While implementing a zero trust approach makes sense for most, a lot of organizations have implemented federated access, which makes achieving zero trust more complicated.  So, the riddle is…how does federated access work with zero trust?

 

What is a Federated Identity Management (FIM) system? 

FIM is a user-friendly authentication technique that allows those requiring access (i.e. Lester) to use their own enterprise credentials to access your company’s data. It’s an arrangement between two enterprises that requires mutual trust of their identities and the access they’re given.

With a federated identity management system, Lester will need to log in only once, using his username and password. Once allowed in, he’ll click on the partner company page to be redirected to a request page where access is authenticated.

The portal will directly verify Lester’s data through Security Assertion Markup Language (SAML) or OpenID standards. Once granted access, Lester will only need to log in to your company page for a quick authentication request.  Yay, you’re no longer at the mercy of Lester’s weak password skills!

Bottom line, FIM enables users of one domain (i.e., Lester’s company) to securely access data or systems of another domain (i.e., your company) seamlessly, and without the need for completely redundant user administration.

There are a lot of advantages to a Federated Identity Management (FIM) system:

  • Versatility. FIM allows users to access data with the utmost ease while still offering a safeguard against data breaches.
  • Reduced security risks as users can use their own credentials to access resources instead of needing new credentials created. Also, users won’t need to create separate usernames/passwords for every application they use.
  • You can reduce administrative overhead and headaches. Admins don’t have to spend as much time creating accounts and managing credentials.

This streamlined approach relieves users of having to log in to each network, application, or portal every time they need to access it, creating a more secure environment.

There are some cons to FIM, however, including:

  • Your organization is placing trust in Lester’s organization to properly vet and manage Lester’s access. That’s a lot of power for you to hand over. How can you be sure Lester should be trusted to access his own company’s resources, let alone yours?
  • It can take a long time to implement, as IT teams must agree upon platform processes for not only the technology, but also the agreements, policies, standards, and other elements that define how the service is implemented. That takes time!

 

How to Achieve a Zero Trust FIM System

Unfortunately, many organizations fall for the trap of assuming that once they’ve implemented a FIM system, they’ve achieved zero trust.  That is NOT the case!  It’s a step in the right direction, but FIM alone is not enough to achieve zero trust.

With your organization using more third-party workers and more devices, you need to be equipped to stop the next Lester from wreaking havoc on your company.  And even with FIM implemented, a zero trust approach often runs into challenges as more and different kinds of users (in-office, remote, contractors, seasonal help), devices (mobile, bots, IoT), and data storage (drive, cloud, edge) are utilized.

The good news is a zero trust FIM system IS obtainable. As organizations strive to reduce their attack surface to mitigate the risk of a breach, those utilizing a federation system can also leverage an identity authority platform that allows them to vet each person’s identity before they’re granted access. This powerful combo takes the efficiency and scalability of federation and pairs it with an automated, centralized platform to accurately manage identity.

Organizations are then able to verify that each user – not just the partner or vendor the user is associated with – is who they claim to be. That is, we’ll be able to tell that Lester is Lester and not a cybercriminal posing as Lester (or someone else from Lester’s company whom we don’t know).
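The layering described above, as an added Python example (not from the original post and not SecZetta's product or API): a valid federated assertion is treated as necessary but not sufficient, and each request is also checked against your own record of the individual. The issuer URL, user names, resource names, record fields and the 90-day revalidation window are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed values: issuer, users, resources and the 90-day window are assumptions.
TRUSTED_ISSUERS = {"https://idp.vendor.example"}
MAX_VALIDATION_AGE = timedelta(days=90)

@dataclass
class Assertion:  # claims that remain after the SAML/OIDC signature has been verified
    issuer: str
    subject: str
    expires: datetime

@dataclass
class IdentityRecord:  # what your own identity authority knows about the individual
    active: bool
    last_validated: datetime
    resources: frozenset

def authorize(assertion, records, resource, now):
    """Return (allowed, reason) for one access request."""
    if assertion.issuer not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    if now >= assertion.expires:
        return False, "assertion expired"
    # Federation stops here; the remaining checks are about the person, not the partner.
    record = records.get((assertion.issuer, assertion.subject))
    if record is None:
        return False, "individual not vetted"
    if not record.active:
        return False, "engagement ended"
    if now - record.last_validated > MAX_VALIDATION_AGE:
        return False, "revalidation overdue"
    if resource not in record.resources:
        return False, "resource not approved"
    return True, "ok"

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed clock for the sample data
ISSUER = "https://idp.vendor.example"
RECORDS = {(ISSUER, "lester"): IdentityRecord(
    True, NOW - timedelta(days=10), frozenset({"slack", "tech-sheets"}))}

def demo():
    lester = Assertion(ISSUER, "lester", NOW + timedelta(minutes=5))
    colleague = Assertion(ISSUER, "colleague", NOW + timedelta(minutes=5))
    return [authorize(lester, RECORDS, "slack", NOW),
            authorize(lester, RECORDS, "customer-db", NOW),
            authorize(colleague, RECORDS, "slack", NOW)]
```

The third case in `demo()` is the one federation alone would let through: the partner's identity provider vouches for the colleague, but your own records have never vetted them.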

 

SecZetta’s Third-Party Identity Risk Solution

At SecZetta, we enable organizations to layer a robust identity authority with an existing federation system to actively authenticate and revalidate all users before they’re granted access. This granular level of identity-based trust is at the core of zero trust and every organization’s goal of keeping its assets safe. Should that trust be broken at any point by a detected incident, or should an individual’s job status simply change, SecZetta can immediately notify necessary systems to ensure access is disabled, thus safeguarding sensitive material.

SecZetta’s solution is rooted in zero trust: its no-code system configuration is simple to use, it integrates swiftly with peripheral systems through an open API, and it allows organizations to execute risk-based identity access and lifecycle strategies for all third-party non-employee populations.

To learn more about how your company can achieve zero trust and protect yourself from the Lesters of the world, click here, or request a demo from a SecZetta team member.

*** This is a Security Bloggers Network syndicated blog from Industry Blog - SecZetta authored by Mike Conti. Read the original post at: https://www.seczetta.com/blog-federated-access-zero-trust/