Jul 19 2021

Zero-Trust Architecture Depends on Granular, Role-Based Access Management

As federal agencies move to a zero-trust architecture, they will need to make changes to their identity and access management systems and take advantage of just-in-time escalation.

Federal agencies have a mandate to move to zero trust for cybersecurity, as part of President Joe Biden’s May 12 executive order. But many IT leaders may still be figuring out what exactly that means for their organizations.

The White House is helping agencies along, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency recently developed a zero-trust maturity model to help agencies determine their progress across five pillars: identity, device, network, application workload and data.

That first pillar, identity, is essential. In a zero-trust world, even though an agency has issued a device to a user, that device and that user are not trusted until they have been authenticated, via multi-factor authentication (MFA) such as Common Access Card and PIN, or through Microsoft 365 MFA. The key is that anytime anything requests access to anything else, that thing — a person, a device or an application — needs to identify itself in a valid way.

To make zero-trust security work, agency IT leaders will need to refine their identity and access management (IAM) tools to become more granular and role-based. And they will need to implement just-in-time escalation protocols, so that trusted users can get access to data they need for a limited time only when they are seeking access to it.

A More Finely Tuned Approach to Identity and Access Management

One important aspect for IT leaders to understand about the shift to zero trust is that it’s not a technology that can be bought and put in a box. It is more of a philosophy, and it requires rethinking how existing technologies, such as IAM tools, are deployed.

For example, if an application is trying to access data in a database, that app needs to be validated using certificates and public key infrastructure to determine that it is an approved app accessing an approved database. Agencies need to create systems to verify that identity so that the verification can occur at every step in the process. Once it is determined that the system knows who or what is seeking access, it can move on to the next step. If that verification cannot be made, the process stops and validation is requested.

This requires three steps to occur. First, agencies need to be able to verify a user, device or application’s identity with strong verification. Anything that touches the network or infrastructure falls into this category.

The second step is ensuring that access is compliant and typical for that identity. That means determining whether users are trying to access tools and data they normally have access to. For example, if someone who typically does not look at the organization’s finances tries to access financial information, that would be a red flag and require further verification.

The third step involves following least-privilege access principles. Essentially, that means determining the minimum access a user needs to do his or her job. Agencies need to put business policies in place that follow this principle, after which they can start going down the road to zero trust.

This starts from a place of assuming that users do not need to access anything. Then, based on their roles, they are given access to certain tools and applications. Agencies should create defined roles and the privileges and levels of access that go with them. In any event, when someone is given a role and certain authorizations, a process of certification and attestation still needs to be applied.

For example, a user could be given access to certain applications and databases based on a project he or she is working on. But once or twice a year, agencies should determine whether that user still needs access to those apps and data.

Agencies can also deploy tools that monitor for behavioral anomalies to help with these efforts, and some certification and attestation can be automated, including removing access if users do not need it.

DIVE DEEPER: How are feds thinking about zero-trust security?

Enable Just-in-Time Access for Certain Roles

A related concept is known as just-in-time access, which is less about the permission users need to do their jobs and more about when they are requesting elevated permissions.

Historically, if someone became an IT administrator for an agency, he or she would get a higher level of access on an ongoing basis. This is no longer the case with zero trust. With just-in-time access, admins don’t have permanent and unfettered access to any advanced or elevated permissions, apps or databases.

Instead, the user would request access and, after being verified, would get that access for a set period of time, perhaps only a few hours, so that a specific task can be performed.

This concept applies not just to IT admins but to anyone seeking a higher level of privilege. For example, a manager might get access to personnel files only when conducting internal employee reviews. If that manager is compromised by a malicious actor, the access he or she was granted would be in place only for a short period.

Agencies can also establish conditional access policies and role-based access policies. For example, users could be able to look at a file only when they are physically in the office or when they are connected to a VPN after completing a multifactor authentication process. Or users could be blocked if they are attempting to log in from a certain location.

Various vendors provide just-in-time access tools as part of privileged identity management, including Quest’s One IdentityThycotic’s privileged access management tools and Microsoft Identity Manager.

Putting all this together is a team effort. A CISO is going to require the policies, and a CIO needs to put the infrastructure in place to support the policies and provide training to end users. IT leaders should also involve the business and program offices.

It will probably take time to train users on this new architecture. But by putting technical policies in place, IT leaders can alleviate some of that friction. The systems on the back end will be granting and revoking privileges, and users will only be able to go so far without verifying themselves. With the right automation tools in place, role-based access management can become a seamless part of an agency’s daily operations.

Zero trust is the destination for agencies now. They can get there faster by upgrading their identity and access management systems.

This article is part of FedTech’s CapITal blog series. Please join the discussion on Twitter by using the #FedIT hashtag.

CapITal blog logo

da-kuk/Getty Images