Why identity-based security access needs a Zero-Trust approach

In an earlier blog on why the approach to admin access needed to change, I touched on the point that user identity had become the new security boundary. This change is largely due to the dramatic effect cloud computing has had on how we interface with our technology services.

For a security environment where authentication is based upon a user’s identity to work, we need to be absolutely sure that an access request is coming from who it claims to be from, regardless of where that user may be working, and that only the required access is given. Sounds easy, right?

Well, it’s definitely getting easier. Cloud-based identity management systems have to be secure by design. To achieve that, these systems are designed with a fundamental ‘Zero-Trust’ assumption that every access request could potentially be a bad actor pretending to be a legitimate user. And this approach to authentication is already widely used in some of the most popular cloud services.

SaaS services, like Microsoft 365, already use a wide number of identity-based services to authenticate and provide access, such as multifactor authentication (MFA), just in time access (JIT), just enough access (JEA), privileged identity management (PIM), conditional access and Defender for Identity… the list is very long and quite distinguished. There are very good articles on Zero Trust out there, but this recent article from Microsoft on what Zero Trust is provides a great place to start.

In that article, Microsoft goes on to describe Zero-Trust as a security strategy, not a product or service, but an approach to designing and implementing the following set of security principles:

  • Verify explicitly
  • Use least privilege access
  • Assume breach

When we introduce hybrid identity management systems, things get a little more difficult. We can still use the aforementioned technologies for cloud services, but we are limited in the preventative actions we can take due to Active Directory being the master provider for on-premise identity management.

There are many other Zero Trust technologies available to on-premise and hybrid environments like Zscaler ZIA and ZPA, but I want to continue to draw the spotlight on user identities and how we may see them play a larger role in on-premise infrastructure.

The Active Directory Connect service has come a long way in the past few years, and we can now offer self-service password reset functionality even in hybrid environments. This has not been enough for many enterprises, however, so they have had to introduce additional identity products, and by nature additional expense, to close the gap.

That said, there is light at the end of the tunnel for on-premise and hybrid environments. This recent article from Microsoft outlines a new approach and direction its Microsoft Defender service is taking to detect and respond to potential identity breaches.

What I am most excited to see is the investment Microsoft is making into extending their best-of-breed response actions back to the on-premise world. We can now see how these technologies will be integrated into Active Directory, where I believe there is currently the most risk. I am also happy to see that Microsoft 365 MFA is coming to Active Directory identities, and I look forward to seeing how Modern Work providers continue to adapt to the Zero Trust approach to security.