In a recent blog, we explored how Zero Trust is not a feature or a function, but a principle related to wider identity fabrics or architectures. It’s interesting that although Zero Trust is getting a lot of attention now and in recent years, the underlying principles have been in operation for quite some time, and are, in fact, fundamental to several other Identity and Access Management use cases – including identity relationship management.
Before we dive into the detail, lets recap on Zero Trust. As we read in the blog, Zero Trust is a concept that, through appropriate architectures and policies, can ensure suitable protection for a particular use case. Being simply a concept, Zero Trust is not something that can be bought ‘off-the-shelf’. Zero Trust is engineered into targeted situations.
Zero Trust is not just authentication
It’s very easy in a first impression to assume that appropriate levels of authentication are the solution to Zero Trust, but this is really only a small part of the solution. Deploying a multi-factor authentication (MFA) scheme will add increased assurance to the presented ‘identity’, but might not increase the ‘security’ of the area being accessed.
The more important aspect is authorisation.
Authorisation concerns the definition of what is allowed (or denied) in a particular context. In most cases, the authorisations given are a result of the context itself, and the (authorisation) policies defined. We can see that context is an important parameter in this process, and that couples back to principles of Zero Trust. Contexts change, and aspects of a Zero Trust implementation, for example lock screen or session timeouts, will ensure that there is opportunity for changing context to influence authorisation over time. A need to re-authenticate or re-authorise allows for adaption and embracing of the principle of least privilege as core to a Zero Trust approach.
Not just one use case
It’s quite easy to visualise the scenario above – a user accessing a service and operating in conformance with various defined Zero Trust principles. However, we have to deal with complexity and this means many users accessing many services. The result is a large policy set with users having varying rights in varying systems.
If we consider the broad array of functions and roles that a given user might undertake, this results in a large authorisation definition, and it’s here that Zero Trust principles can help us – with policies generating only the authorisations needed for the context at hand.
Of course, nothing comes for free. Context-dependent policies move the risk from too much privilege/trust to complexity in authorisation policy definition.
Let’s take a simple, classic example – the employee who needs a new mobile phone. In most organisations, this is centrally supplied or handled via an expense claim. Why? Because corporate governance seeks to eliminate the need for trust – a human Zero Trust model if you will; actions and activities are verified at the point in time, removing the requirement for digital trust.
Imagine trying to create a set of policies to codify the authorisation to purchase a new mobile phone that can be actioned via an automated (identity) platform. That’s going to take some effort and carry some risk. The cheaper alternative is to revert to administrative control.
Enter Identity Relationship Management
Now imagine that you have a platform that can delegate authorisations (trusted relationships) between identities – driven not by complex policies, but by process or context. Applying a short-term authorisation as a result of receiving delegated rights ensures that the principle of least privilege is preserved. Not only that but the ‘existing’ Zero Trust controls requiring re-authentication and re-authorisation mean that those ephemeral authorisations are applied and removed in an appropriate manner.
So delegation requires Zero Trust?
It’s easy to infer from what we have discussed so far that you can’t have delegation without Zero Trust… but I’d suggest we turn that around. If you are leveraging delegation, you are already taking advantage of aspects of a Zero Trust model, but more, delegation itself is enabling parts of that Zero Trust model.
It doesn’t matter if you think of it as Identity Relationship Management, Delegation, Relationship Based Access Control or even Consent (although I might argue philosophically against the term ‘Consent’ for this use – but that’s another story). The ability to define authorisations based on a linkage between identities (be they individuals or organisations) enables both operational efficiency and opportunity for increased security.
Ubisecure’s Identity Platform enables advanced identity relationship management capabilities. If you’d like to find out more about how these can support your Zero Trust initiatives, get in touch.