Zero trust has become an overused marketing term that has lost its value. Vendors are claiming to sell you a Zero Trust solution. They cannot. The original intent was to establish that all components of a digital process need validation (e.g., an employee accessing company email). This includes the identity, the devices, the software, the network, and the data itself. Each item needs to have controls in place to continually assess and provide assurance it is doing what it was designed and authorized to do.
Identity is no different. It is sometimes used synonymously with the person using it. This also spurs an emotional reaction as the Zero Trust concept implies, “I do not trust our employee John Smith”. When the approach should be: “I do not trust the username, John.Smith”. The company issued John Smith a digital asset: John.Smith. That asset, just like a laptop, cellphone, or server, should have controls put in place by the company, to ensure it is operating in a manner as intended when it was assigned to the employee. The goal should be to remove any blind spots and track that asset separate from the actual person.
Asset management is a well-established concept for laptops, desktops, software, and other items procured and issued to employees. IT Asset management is well defined with NIST Special Publication 1800-5, declares ITAM is “foundational to an effective cybersecurity strategy”. This approach relates well to the other 4 items called out with Zero Trust but does not specifically address digital identity as an asset.
That is the gap. Identity is an asset. It is a logical asset assigned and issued to a person or machine to conduct business on behalf of the company. This includes the customer, workforce (employees and contractors), and business partners. These Identities are created for designated purposes. Starting with that knowledge, we can define policy based on the risk rating of that asset becoming too high due to: impossible travel, unauthorized device, deprecated software, or the data being accessed. Action can now be taken.
Understanding the risk and deviations in behavior provides the business data to measure against Key Risk Indicators (KRI) and is an Indicator of Compromise (IoC). Having the visibility into that asset is crucial to ensure that what was issued is doing what was intended.
EVOTEK can help to capture all your identities and provide mitigating controls to lower the risk to your business.
