When companies adopt hybrid IT, they discover that their traditional identity and access management systems are incapable of keeping up with the changes.
To digitally transform their businesses as quickly as possible, enterprises are embracing mobile technology, smart devices, machine learning, and new, more agile methods of application development, deployment, and administration. Businesses have never had to contend with such rapid technological change.
The transformation, however, goes beyond the addition of new intelligent features and mobile apps. Emerging cloud platforms and microservice designs, which work in tandem with more static legacy systems, are driving changes that permeate the organization’s core.
“This creates a lot of challenges when it comes to managing systems across the enterprise,” says Scott Crawford, director of information security research at 451 Research, which is part of S&P Global Market Intelligence, and specifically, “this creates a lot of challenges when it comes to security and access management.” How can businesses ensure that only the right people and systems have access to a company’s data and systems?
There is no simple solution to this
The process by which businesses determine whether or not they can trust users or systems to connect to any given resource at any given time has become significantly more complicated as a result of the increased interconnectivity and dynamic nature of computing across a variety of cloud platforms, as well as cloud services, microservices, and software components. How can a user be trusted to behave in a reliable manner when attempting to carry out a specific action? With automation on the rise, how can a server, workload, or software component be relied on to integrate traditional on-premises systems with cloud-based systems?
Businesses are increasingly adopting the zero trust model
Zero trust is a philosophy of identity and access management in which no user or program action is trusted by default, whereas traditional approaches trust users and software by default. In other words: verify that everything is legitimate. Under zero trust, every user, device, and instance of an application must demonstrate that it is who or what it claims to be and that it is authorized to access the resources it seeks.
Companies are investing in the tools and services that allow them to operate with zero trust. MarketsandMarkets predicts that the zero-trust market will grow from around $16 billion in 2019 to around $39 billion by 2024, a 20% annual growth rate.
Traditional methods of identity management are insufficient
The traditional authentication methods of “authenticating once and trusting forever” do not work in today’s multi-cloud computing and microservices contexts. At any time, newly created workloads or software services may call on any given resource to perform a task. “In non-zero-trust settings, connectivity between resources was trusted once a user or device was inside,” explains Colin I’Anson, a Hewlett Packard Enterprise fellow. “We are unwilling to do so right now because we do not trust them. Entities will need to demonstrate who they are before they can be authenticated in real time and on a much finer scale to access any task or feature.”
How do you get to zero trust? Before an enterprise can begin to continuously monitor access and look for irregularities, all users, workloads, and data must be authenticated.
Because of their dynamic, hybrid designs, modern businesses find this much easier said than done. One of the most important steps toward zero trust between people and systems is to standardize and automate the zero-trust authentication processes. This works particularly well in cloud-native systems, where such automation can be applied without modification.
The concept of zero trust has nothing to do with implementing a specific networking or security solution. It is an entirely new approach to how a security architecture is built.
Consider HPE’s recent acquisition of the zero-trust company Scytale
Scytale launched a series of initiatives to consolidate and standardize access control in complex hybrid environments. The first, SPIFFE (Secure Production Identity Framework For Everyone), defines a set of specifications that, among other things, specify an application programming interface (API) for establishing trust between workloads and system actions in a simple way. Because it is API-based, SPIFFE attestation and authentication can be automated, in contrast to procedures that require manual key generation and distribution.
“SPIFFE establishes the foundation for enterprises to use existing on-premises service authentication protocols [such as Kerberos and OAuth] with workloads running on increasingly dynamic computing platforms, such as cloud and containers,” says Sunil James, a former Scytale CEO who is now a senior director at HPE.
Scytale’s second project has been SPIRE, the first software implementation of SPIFFE
SPIRE components can be used in conjunction with cloud providers, middleware layers, and hardware trust mechanisms such as trusted platform modules and hardware security modules. SPIRE can be used by workloads in any environment, including Azure, Kubernetes, and data center applications. “This allows for a finer level of authentication, right down to the exact activity of a person or workload that is required,” says I’Anson. Furthermore, “this provides a more robust degree of authentication.”
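To make the SPIFFE and SPIRE discussion above concrete, here is an added example (not code from HPE, Scytale or the SPIRE project) of the two checks a SPIFFE-aware service performs on a caller once the caller’s SVID certificate has been cryptographically verified: parsing the peer’s SPIFFE ID against the format rules of the SPIFFE ID specification, then applying a trust-domain and allowlist policy. The trust domain prod.example.com and the workload paths are constructed values.

```go
package main

import (
	"fmt"
	"strings"
)

// SPIFFEID is a parsed workload identity: spiffe://<trust-domain>[/<path>].
type SPIFFEID struct{ TrustDomain, Path string }
// badRune reports a character the SPIFFE ID spec forbids; only path segments may use upper case.
func badRune(inPath bool) func(rune) bool {
	return func(r rune) bool {
		return !(r >= 'a' && r <= 'z' || r >= '0' && r <= '9' || strings.ContainsRune("._-", r) || inPath && r >= 'A' && r <= 'Z')
	}
}
// ParseSPIFFEID enforces the SPIFFE ID format: scheme "spiffe", a non-empty lower-case trust domain
// and an optional path with no empty, "." or ".." segments; queries, fragments and trailing slashes fail.
func ParseSPIFFEID(s string) (SPIFFEID, error) {
	const scheme = "spiffe://"
	if !strings.HasPrefix(s, scheme) {
		return SPIFFEID{}, fmt.Errorf("%q: scheme must be spiffe://", s)
	}
	parts := strings.SplitN(s[len(scheme):], "/", 2) // [trust domain, path without leading slash]
	id := SPIFFEID{TrustDomain: parts[0]}
	if id.TrustDomain == "" || strings.IndexFunc(id.TrustDomain, badRune(false)) >= 0 {
		return SPIFFEID{}, fmt.Errorf("%q: invalid trust domain", s)
	}
	if len(parts) == 2 { // a trailing slash yields one empty segment and is rejected here
		for _, seg := range strings.Split(parts[1], "/") {
			if seg == "" || seg == "." || seg == ".." || strings.IndexFunc(seg, badRune(true)) >= 0 {
				return SPIFFEID{}, fmt.Errorf("%q: invalid path segment %q", s, seg)
			}
		}
		id.Path = "/" + parts[1]
	}
	return id, nil
}
// Authorize is the peer check run after the presented SVID has been cryptographically verified:
// the caller's trust domain must be one this service federates with and its full ID must be allowlisted.
func Authorize(peer string, trusted, allow map[string]bool) (bool, error) {
	id, err := ParseSPIFFEID(peer)
	if err != nil {
		return false, err
	}
	if !trusted[id.TrustDomain] {
		return false, fmt.Errorf("%q: untrusted trust domain %s", peer, id.TrustDomain)
	}
	return allow["spiffe://"+id.TrustDomain+id.Path], nil
}
```

Strict parsing matters because the allowlist lookup is a string comparison: if two spellings of an ID were accepted, a policy written for one could silently miss the other.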
Zero trust solves everyday business challenges
If the ostensible benefits of zero trust could not solve genuine and pressing business problems, they would not be worth much thought. Proponents argue that zero trust not only improves security but does so cost-effectively, and that it can make security as nimble and elastic as the technical environment requires.
Because zero trust attempts to understand what users are doing as they do it and applies security policies appropriate to the context of an action, it can also improve the user experience.
“Zero-trust frameworks assist organizations in wrapping their security arms around a more dynamic enterprise IT world,” James continues. “At the same time, these frameworks improve the user experience for infrastructure, security, networking, and software engineers in an organization.”
Once zero-trust attributes can be defined and automated, new cloud and microservice architectures will scale easily to accommodate zero trust. A zero-trust architecture does not technically require a brand-new, entirely cloud-hosted environment, even though that would make it much easier; a zero-trust model can succeed in well-established ecosystems too.
Zero-trust implementations that work
“There are a lot of debates going on among our clients about what zero trust means to them and how to execute it most effectively,” says Simon Leech, senior consultant for the worldwide security and risk management group at HPE Pointnext Services. “However, you would prefer that this conversation be focused on business rather than technology. The concept of zero trust has nothing to do with implementing a specific networking or security solution. When it comes to building a security architecture, this is a completely novel approach,” he contends.
According to Leech’s advice, “taking a new approach to security architecture will require a very thorough understanding of your current state of operations and what your future state of operations will be,” followed by the development of a business strategy or business case based on this information.
The first step, according to James, is to assess the organization’s current state. “You must first establish a baseline for your current state of operations, and then determine where you want to go,” he says. “You must know where you want to go. In such a case, you’ll need to build your business case to give yourself the ability to get there.”
Although it may appear that thinking about identity in terms of granular user access and dynamic workloads will complicate identity management, Crawford believes that the effort will be well worth it in the long run. “What are your plans for the scope of this access? How specific does it have to be in order to hit a specific target? In terms of regulatory requirements and other factors, who should have access to what types of assets, and what factors should you consider? When identity and access management are elevated to this level, it will aid in increasing security and providing a better experience for all,” Crawford explains.
I’Anson adds that in order to get the most out of zero trust, some preparation is required. The good news is that existing investments in identity management and maturity levels will help with the transition. According to I’Anson, the transition to zero trust will be much easier depending on how developed the existing identity management program is. Existing LDAP implementations can be used as a starting point because they already build a solid initial foundation of roles and identities. “Because they’ve already established themselves, you can use them as a starting point…”
The next step is to identify those business cases that have viable implementations. “One of the most important aspects of having zero trust is that it cannot be achieved by quickly switching on or off a switch. You can achieve zero trust by following the steps methodically,” I’Anson says. “In order to implement zero trust, you must first create a business case, which may be specific to a business unit or domain.”
James concurs. “When implementing zero trust, it is critical to look for potential quick wins and the associated use cases. Design and build a flexible architecture that can provide value to each of those use cases,” he elaborates. Rather than splicing together ad hoc components and technologies, “doing so provides a stronger foundation upon which to build.”
As a result, it is critical to agree on and standardize a zero-trust method. According to James, “if you standardize, you won’t have five different ways to zero trust dispersed throughout your organization in two years.” Such scattered approaches are unlikely to interoperate and will provide no benefit if they are not integrated.
Last but not least, Crawford recommends that enterprises use all of the authentication techniques now available to them during the initial stage of authentication. “We are seeing an increase in the availability of access control methods that were once considered extremely sophisticated. Biometric authentication is one such method, which is included with a significant amount of commodity consumer endpoint technology. Use these various methods of identification,” Crawford says.
Businesses are adopting a wide range of technologies to complete their digital transformations as quickly as possible, among them mobility, cloud computing, machine learning, containers and microservices. If they want to win this competition, they will need an approach to identity management and authentication that is as flexible, elastic, and intelligent as the computing environments they are building. That approach may well be zero trust.