Digital security used to run on a “verify, then trust” access model: authenticate once at the network perimeter, then trust everything inside it. That model no longer holds, which is a large part of why the Zero Trust security model has earned its place in the modern market. Zero Trust follows the “trust nothing, verify everything” principle, a considerably safer posture than perimeter-based access.
Zero Trust is popular now for a handful of reasons: devices are more diverse than ever, the number of cloud and on-premises tools keeps growing, and people no longer work only from the office. A security model built around a single network perimeter leaves all of that exposed to threats that will readily take advantage of it.
With Zero Trust, users accessing your resources are continuously authenticated using several factors that establish that neither their identity nor their device has been compromised.
What Zero Trust Stage are You in?
To create a Zero Trust roadmap that’s tailored to your organization, you need to get a feel for where you’re currently at. JumpCloud’s Zero Trust Assessment Tool will help you establish your current baseline and give you tips on how to get to the next stage within the Zero Trust framework.
The Stages of Zero Trust Explained
There are many elements that go into a holistic Zero Trust strategy, which can be broken down into different stages. The four stages of the Zero Trust journey are:
Stage 0: Fragmented Identity.
Stage 1: Unified IAM.
Stage 2: Contextual Access.
Stage 3: Adaptive Authentication.
Stage 0: Fragmented Identity
This is the pre-Zero Trust stage in which many organizations currently sit. Stage 0 does not mean that the organization hasn’t taken security seriously; it means that new steps are needed to secure resources in today’s distributed, cloud-heavy landscape.
Many organizations fall into Stage 0 because they still rely on Microsoft Active Directory (AD) alone to manage permissions and access to resources. That worked well in a traditional Windows-heavy IT environment protected by a network perimeter, but AD on its own does not extend to cloud applications, non-Windows endpoints, or users who never touch the office network, so those resources cannot be properly secured this way.
This setup rested on the assumption that anyone who could authenticate to the network inside the office walls could be trusted to access whatever was on it.
Now we have a distributed workforce, a plethora of cloud-based apps and tools, cloud storage, and diverse endpoints, many of which carry their own logins outside the directory. The underlying assumption of the traditional AD-centered model no longer holds.
A bad actor who obtains a password (through phishing, password reuse, or a leaked credential) can reach your organization’s data if nothing beyond that password stands in the way. Zero Trust is a framework for protecting resources from exactly this situation, wherever those resources live.
Stage 1: Unified IAM
To reach Stage 1 of the Zero Trust model, you need a unified identity and access management (IAM) solution in place. It centralizes identity and access data so IT has visibility into who exists in the organization and what they can reach. This is the foundation of your Zero Trust strategy: one place where users are created and stored, and one place that defines which access levels each role is provisioned.
With every user in a central directory, there are fewer disconnected credential stores for a bad actor to target and fewer orphaned accounts to miss during offboarding, which is an immediate security improvement. Within this directory you should also be able to enforce single sign-on (SSO) and multi-factor authentication (MFA) across all identities, both internal and external.
SSO eliminates the password sprawl and password fatigue that come with a separate login for everything, and MFA means a stolen password alone is no longer enough to impersonate a user, adding another layer of security to each identity.
With a central directory and SSO in place, IT and HR are set up for success when the organization scales and new users need to be added to the IAM tool.
Stage 2: Contextual Access
To reach Stage 2 of the Zero Trust journey, your organization needs contextual access policies together with automated access provisioning and deprovisioning. Contextual and conditional access policies are both integral to your security posture: they go several layers deeper than simply allowing anyone logged into your network to reach resources.
These policies look for abnormalities in how and where users attempt to access company resources; when an inconsistency is found, the user must re-verify their identity before access is granted.
Example: a Colorado-based employee with no history of travel attempts to access company resources from Australia. That user is prompted for another layer of identity authentication before they can go any further.
Conditional access policies, by contrast, simply block access to company resources when the user (even one who has already fully authenticated) attempts an action that policy does not permit, such as connecting from a public Wi-Fi network or from an unapproved device.
On top of contextual and conditional access policies, Stage 2 adds automated provisioning and deprovisioning of access through your IAM solution. This ensures that new users have their resources on day one, existing users hold the right access levels, and access is revoked immediately when someone leaves.
This automation is driven by attributes such as role, department, or device type, and it keeps the principle of least privilege applied consistently across the organization. Moving past manual access management is an important step in your Zero Trust journey.
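To make the provisioning half of Stage 2 concrete, here is an added example (not JumpCloud’s code or API) of attribute-driven reconciliation: each user’s entitlements are derived only from HR attributes (role, department, device type), the result is diffed against what the directory currently holds, and anything not justified by those attributes is revoked, including every group held by a user who is inactive or absent from the HR feed. The group names, role mappings, HR records, and directory contents are constructed sample data.

```python
"""Automated provisioning / deprovisioning driven by HR attributes.

Added example, not JumpCloud's code or API. The role/department mappings,
HR feed and directory contents below are constructed sample data.
"""
from dataclasses import dataclass

# Hypothetical mapping of HR attributes to access. Role and department each
# contribute a set of groups; a user's desired access is the union.
ROLE_GROUPS = {
    "engineer": {"github", "ci"},
    "manager": {"payroll-reports"},
    "contractor": set(),
}
DEPT_GROUPS = {
    "engineering": {"engineering-all", "jira"},
    "finance": {"finance-all", "erp"},
}
BASELINE_GROUPS = {"sso-portal"}  # every active user gets these


@dataclass
class HRRecord:
    user: str
    role: str
    department: str
    active: bool
    managed_device: bool = True


def desired_groups(rec: HRRecord) -> set:
    """Least privilege: access is derived from attributes, never from history."""
    if not rec.active:
        return set()  # departed users keep nothing
    groups = set(BASELINE_GROUPS)
    groups |= ROLE_GROUPS.get(rec.role, set())
    groups |= DEPT_GROUPS.get(rec.department, set())
    if not rec.managed_device:
        # Sample device-type condition: sensitive reporting only from managed devices.
        groups.discard("payroll-reports")
    return groups


def reconcile(hr_feed, directory):
    """Return (grants, revokes) as lists of (user, group) pairs.

    `directory` maps user -> set of groups currently held. Users present in the
    directory but absent from the HR feed are treated as departed and fully revoked.
    """
    grants, revokes = [], []
    seen = set()
    for rec in hr_feed:
        seen.add(rec.user)
        want = desired_groups(rec)
        have = directory.get(rec.user, set())
        grants += [(rec.user, g) for g in sorted(want - have)]
        revokes += [(rec.user, g) for g in sorted(have - want)]
    for user, have in directory.items():
        if user not in seen:
            revokes += [(user, g) for g in sorted(have)]
    return grants, revokes


# Constructed sample input: an HR feed and the directory's current state.
HR_FEED = [
    HRRecord("alice", "engineer", "engineering", True),            # new hire, day one
    HRRecord("bob", "manager", "finance", True, managed_device=False),
    HRRecord("carol", "engineer", "engineering", False),           # left today
]
DIRECTORY = {
    "alice": {"sso-portal", "github"},
    "bob": {"sso-portal", "finance-all", "erp", "payroll-reports", "github"},  # stale github
    "carol": {"sso-portal", "github", "ci"},
    "dave": {"sso-portal", "vpn"},                                 # not in HR feed at all
}

if __name__ == "__main__":
    grants, revokes = reconcile(HR_FEED, DIRECTORY)
    for user, group in grants:
        print(f"GRANT  {user:6} -> {group}")
    for user, group in revokes:
        print(f"REVOKE {user:6} -> {group}")
```

The important design choice is that `desired_groups` never reads the directory: access is recomputed from attributes on every run, so a group someone was handed manually months ago (bob’s `github`) is removed as soon as the reconciler sees it, and an account that HR no longer knows about (dave) is stripped without any ticket being raised.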
Stage 3: Adaptive Authentication
Stage 3 is the final and ongoing stage of Zero Trust. To reach it, your Zero Trust foundation and infrastructure must be strong enough to hold up and evolve as technology and processes do. Stage 3 adds adaptive authentication and risk-based access policies, the final layer of security in this model.
Risk-based policies assess each access event and label it low, medium, or high risk. You then configure whether a given level requires re-authorization or blocks access outright, depending on your tolerance. The adaptive authentication system keeps monitoring the user’s behavior afterwards, so each decision adds context for future access attempts.
Different behavioral scenarios can trigger re-authentication, such as an already-verified user pushing further into your infrastructure by opening a folder that contains sensitive material. This kind of ongoing verification can seem restrictive, but when tuned correctly it builds a strong barrier around your resources without hindering the user experience; the goal is to challenge when the context changes, not on every click.
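The Stage 2 contextual and conditional policies above and the Stage 3 risk-based evaluation share one decision engine in practice, so here is a single added example (not JumpCloud’s policy engine) covering both: conditional rules hard-block unapproved devices and public Wi-Fi, additive risk signals (new country, new device, sensitive resource, off-hours) are bucketed into low/medium/high, the bucket maps to allow, step-up, or block, and a completed step-up feeds the new context back into the user’s profile so the same request is allowed next time. The user profile, request fields, weights, and thresholds are all constructed for illustration.

```python
"""Contextual, conditional and risk-based access decisions in one engine.

Added example, not JumpCloud's policy engine. Profiles, requests, risk
weights and thresholds are constructed for illustration.
"""
from dataclasses import dataclass

ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"


@dataclass
class UserProfile:
    home_country: str
    known_countries: set   # learned from past successful authentications
    known_devices: set


@dataclass
class AccessRequest:
    user: str
    country: str
    device_id: str
    device_managed: bool
    network: str           # "corporate", "home" or "public_wifi"
    resource: str          # "normal" or "sensitive"
    hour: int              # user's local hour, 0-23


def conditional_policy(req):
    """Stage 2 conditional rules: hard blocks regardless of who the user is."""
    if not req.device_managed:
        return "unapproved device"
    if req.network == "public_wifi":
        return "public Wi-Fi"
    return None


def risk_score(req, profile):
    """Stage 3: additive risk signals. Weights are illustrative, not a standard."""
    score, reasons = 0, []
    if req.country not in profile.known_countries:
        score += 3
        reasons.append(f"new country {req.country}")
    if req.device_id not in profile.known_devices:
        score += 2
        reasons.append(f"new device {req.device_id}")
    if req.resource == "sensitive":
        score += 2
        reasons.append("sensitive resource")
    if not 7 <= req.hour <= 20:
        score += 1
        reasons.append("off-hours")
    return score, reasons


def risk_level(score):
    """Bucket thresholds encode the organization's tolerance."""
    if score >= 5:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


RESPONSE = {"low": ALLOW, "medium": STEP_UP, "high": BLOCK}


def evaluate(req, profile):
    """Return (decision, reasons). Conditional blocks win over risk scoring."""
    blocked = conditional_policy(req)
    if blocked:
        return BLOCK, [blocked]
    score, reasons = risk_score(req, profile)
    return RESPONSE[risk_level(score)], reasons


def record_success(req, profile):
    """Adaptive part: a completed step-up teaches the profile new context."""
    profile.known_countries.add(req.country)
    profile.known_devices.add(req.device_id)


if __name__ == "__main__":
    # Constructed scenario: Colorado-based employee, no travel history.
    alex = UserProfile("US", {"US"}, {"laptop-1"})
    from_au = AccessRequest("alex", "AU", "laptop-1", True, "home", "normal", 10)
    print(evaluate(from_au, alex))            # step-up: new country
    record_success(from_au, alex)             # MFA completed
    print(evaluate(from_au, alex))            # allow: AU is now known context
    print(evaluate(AccessRequest("alex", "US", "laptop-1", True, "corporate",
                                 "sensitive", 10), alex))  # step-up on sensitive folder
```

Two points worth noting. Conditional rules run before scoring and return immediately, so an unmanaged device is refused even when every other signal looks benign; that is what separates a conditional policy from a risk signal. And `record_success` is only called after the step-up actually succeeds: a failed or abandoned challenge must not teach the profile that Australia is normal for this user.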