Why zero trust depends on solving identity sprawl

The concept of zero trust isn’t new — the term was coined by John Kindervag at Forrester over a decade ago. But until recently, zero trust was seen as a cutting-edge approach that only a few organizations were tackling.

In today’s cloud-dominated, remote-oriented world, zero trust has swiftly transitioned from the fringe to the most effective way to secure access in an expanding digital landscape.

The approach hinges on the concept of “never trust, always verify.” The decision to grant access takes into account a variety of factors — or attributes — that, taken together, verify that a user has the right to take specific actions.

Rather than granting systemwide access simply for having the right credentials, the system takes a risk-based approach to assessing users. The verification steps are determined by contextual signals such as location and device, as well as the importance of the assets being accessed.

Ironically, zero trust relies on access to trusted identity information. Identity is the lynchpin holding a zero trust approach together, and a successful strategy demands access to high quality, context-rich data about each identity within an organization. Inaccurate data can stop legitimate users from doing their job, but worse, creates opportunities for threat actors to infiltrate the network.  

Defining identity data

Identity data is at the heart of any modern digital organization. Yet many businesses still have a surprisingly shaky grasp on the identities underpinning everything they do. Any given user may have dozens of different accounts or personas spread across multiple unconnected systems.

Identity can also be a combination of user identity and device — and device identities are likely to explode with the growth of operational technology and IoT. It is not uncommon for a single car or lifting crane to have hundreds of connected sensors, all with a single identity.

Most businesses have no mechanisms in place to keep track of all these profiles and tie them together to form a consistent identity. Without a clear picture of users and how they connect with different assets and devices, designing an effective zero trust data management strategy is difficult. 

One of the most important aspects of zero trust is the implementation of a universal least-privilege policy. All users should only be able to access the data and systems they need for their job, thereby mitigating the risk of a compromised account or a malicious insider. The more an organization knows about its users, the more effectively it can execute least privilege. The user’s role, current location, requested resources and intended actions are all critical pieces in the puzzle of their identity. 

A complete picture will make it easier to confirm whether an identity’s actions are normal and highlight potentially malicious behavior. On the other hand, each missing piece will make it harder to accurately permit or deny system access.

So, what’s stopping organizations from effectively managing their identities? 

Why is identity such a roadblock to zero trust?

Most firms have a wealth of knowledge about their users, information that contains everything they need to make comprehensive access decisions. The issue is that they can’t easily tap into all of this data. 

A combination of identity sprawl and inflexible legacy systems is the biggest issue. User data is commonly spread across multiple siloed systems and applications. Is that Tom Smith on SharePoint the same Tom Smith on Salesforce? Without a single repository for this information, finding out can be slow and painstaking work. Synchronizing these disparate identities is complicated by the inclusion of legacy systems that are often incompatible with modern digital solutions.

These issues become a serious barrier to zero trust, impacting the design, implementation and deployment timeline of any zero trust efforts. Manually untangling all these identity threads will also increase the burden on internal resources and inflate the project’s cost.

Further, any gaps in identity will greatly hinder a zero trust strategy once it is up and running. Continuously verifying that users can be trusted to access the system is only possible with high-quality, context-rich data about their identities.

The labs at NIST recognize this challenge. Addressing the difficulties around identity sprawl specifically, they’ve highlighted the need for identity correlation to combat fragmentation and lack of complete identity data about each user.

Strengthening identity data management to accelerate zero trust

Organizations with complex infrastructures and scattered identities may feel stuck between a rock and a hard place. They need to move ahead with zero trust, but the cost and complexity of getting identity data under control is exorbitant.

Fortunately, there are ways to simplify the integration, unification and quality of identity data without breaking the bank. One of the most effective approaches is known as an identity data fabric. This setup weaves the individual strands of identity into a single layer, creating a single point of control and visibility. This makes it possible to immediately match any digital identity to a particular user — and what they have access to.

With the thousands or even millions of identities most businesses have accumulated over the years, reaching this point requires much automation. Specialized tools can search all fragmented pieces of identity scattered across different systems and assemble them into a coherent whole by mapping them in an abstraction layer.

Once complete, an identity data fabric provides a flexible, extensible resource for identity processes underpinning zero trust. Organizations can trust that users are verified based on accurate data and that least-privilege policies governing access will always be executed based on reliable and current information. This single data layer can also greatly simplify the identity compliance team’s controls and activities.

While it may seem ironic, the more you know about your users, the better your security posture — because the more fine-grained your decisions can be. A unified identity approach provides the quickest way to unify all available identity data and make it consumable by your security components.

Zero trust is no longer the future — with the right approach, it can be attainable now.

Kris Lovejoy is global security and resilience practice leader of Kyndryl and a Radiant LogicBoard member.