The term `Zero Trust´ has been around since around 2010 but is getting more attention than ever these days. Identity and Access Management (IAM) solutions like TrustBuilder.io Suite are uniquely positioned to implement the Zero Trust principle and defend organizations against the rising number of threats.
Different evolutions have led to an awareness that organizations need to reduce trust on the network. Just think of the explosion of mobile computing and the increased use of Software-as-a-Service (SaaS) and other cloud consumption models. COVID-19 forced most people to work from home, and remote working became an extra risk factor for corporate networks.
Understanding Zero Trust
To really understand Zero Trust, we need to go back to the start of networking and the internet. For a long time, organizations practiced the ‘fortress’ principle: they built a wall around the company, for instance by installing a firewall that kept everyone out who was not granted access by the gatekeeper. Once the user has proven who he is, he can enter the fortress and consult any data or documents available. As ever more applications and data are moving to the cloud, the fortress principle will no longer do.
A number of evolutions have contributed to invalidating the fortress principle:
- Companies started working with more external people, either partners engaging in open innovation, or contractors working as freelance employees. These external people need access to certain applications or documents, but not all resources should be made available to them.
- Remote working was already a trend before COVID-19 struck, but since the lockdowns in 2020, working from home has become the norm rather than the exception.
- Cloud applications: it would be difficult to find a company that does not have a hybrid strategy and is not using any application in the cloud or any Software-as-a-Service (SaaS) application.
That’s why companies are moving from ‘Trust, but verify’ to ‘Never trust, always verify’. This is the basis of Zero Trust.
Implementing Zero Trust
With Zero Trust, anyone consulting a document or using an application needs to prove who he is and what rights he has to the document. A Customer Identity and Access Management (CIAM) system always starts from a Zero Trust principle: any time a person wants to consult a document, the CIAM system will check if that person is who he claims to be and if he still has the necessary rights to that document.
Zero trust is at the core of the TrustBuilder.io Suite. TrustBuilder checks every request on the fly at Identity Providers, Authentication Servers and Application servers. Unlike traditional CIAM solutions, TrustBuilder.io has the ability to check not only information provided by Identity Providers but can also retrieve information from internal, external and authoritative sources. It checks if the user still has the correct roles, privileges, and requirements to access a specific resource. By performing these checks in real time, TrustBuilder is always sure of consulting the accurate and updated information.
Deciding who has access to what resource can be based on the role a person has in an organization or, when more fine-grained security is needed, can be based on attributes of the person. Using an attribute-based access management system like TrustBuilder can define, in more detail, what attributes are asked of a user to verify their identity.
Zero trust: who do you trust? What do you trust?
Zero trust is not only applied to human users. After all, not only human users are seeking access to applications, other applications are too. That means that applications, too, need to be scrutinized, or the APIs that connect the different microservices. Even when an API has authenticated with the gateway, we do not automatically grant access to that API to consult other APIs. Instead we provide an extra authentication check for airtight API security.
Cloud computing brought a new paradigm to the way IT is consumed. At the same time, it brought new challenges to the way applications and resources need to be protected. Thanks to Zero Trust, you can now fortify your cloud as was the case when you applied the fortress principle. The cloud has effectively become your new castle.
