The traditional perimeter model is becoming increasingly obsolete. Once an attacker enters the IT system and gains access to the internal network, they can move laterally (meaning they can explore and access systems and services within the network) often without strong authentication or authorization controls at each step.
This lack of control allows the attacker to increase privileges, access sensitive data, or compromise other systems.
This is where Zero Trust comes into play. In Zero Trust, nothing and no one is trusted by default, even within the perimeter. Access attempts are dynamically verified by taking into account identity, context, and security posture.
IAM (Identity and Access Management) aims to:
- Verify identity (human and non-human)
- Apply conditional access policies
- Manage rights with models (RBAC, ABAC, CBAC)
In this article, we will see that IAM is not just a component, but a pillar of a Zero Trust strategy.
Zero Trust in a nutshell
According to the NIST
What is Zero Trust?
The NIST (National Institute of Standards and Technology) answers this question in a publication called Zero Trust Architecture.
NIST defines Zero Trust as a paradigm that grants no implicit trust to a user, device, or network (whether internal or external). Access to a resource must be authenticated, authorized, and continuously validated.
The 7 pillars of Zero Trust
To implement a sound Zero Trust strategy, NIST identifies 7 foundational pillars:
- Resources: All assets (data, devices, etc.) are considered resources.
- Communication: Communications are no longer trusted, whether they are internal to company equipment or coming from outside. Consequently, the same security measures must be applied by default (they must be authenticated and authorized).
- Session-based access: Access is granted per session with granular control.
- Dynamic Policies: Access decisions are based on dynamic policies that include context and behavior analysis.
- Monitoring: The integrity and security of company assets must be continuously monitored.
- Authentication & Authorization: Access to resources is dynamically authenticated and authorized through continuous monitoring, re-evaluation, and policy enforcement to maintain a balance between security and efficiency.
- Constant Improvement: The organization must collect as much information as possible about its assets, infrastructure, networks, and communications to strengthen its security policies.
Logical Components of a ZTA
There are several necessary logical components for implementing a ZTA (Zero Trust Architecture). These components are services that can be On-Premises or even in the cloud.
Here is the description of the components:
- Policy Engine (PE): Makes access decisions.
- Policy Administrator (PA): Implements decisions through the network.
- Policy Enforcement Point (PEP): Implements access policies at the resource level.
- Data sources: CDM, PKI, SIEM, IAM, etc.
IAM: The Foundation of a ZTA Policy
IAM is at the Heart of Zero Trust
IAM manages, verifies, and controls identities (human and non-human). It enables granular and dynamic access control based on attributes, context (location, time), and behavioral context.
In Zero Trust, every decision depends on precise identity verification and real-time context evaluation. These two points are managed by IAM.
Without IAM, a Zero Trust strategy cannot be meaningful.
Essential IAM components
Several IAM components are crucial for implementing a ZTA. Ariovis proposes here a list of essential components:
- Identity Lifecycle Management: Onboarding, Offboarding, Joiner-Mover-Leaver (JML), temporary access, all processes that ensure the right access at the right time for the necessary duration.
- Strong Authentication: Adaptive MFA, biometrics, passwordless.
- Rights Models: Use of rights models such as RBAC (Role-Based Access Control) and/or ABAC (Attribute-Based Access Control) for the principle of least privilege and contextual access.
- Privileged Access Management (PAM): Strict control and monitoring of administrator and sensitive accounts.
- Non-Person Entity (NPE) identities: Securing the management of service accounts, API keys, secrets, and certificates used by services, bots, and applications.
From traditional IAM to Zero Trust IAM
Static IAM vs Dynamic IAM
Traditionally, IAM relies on single authentication during login and a static RBAC model. Zero Trust IAM requires continuous validation of identity and context during a session. Access is dynamically re-evaluated based on context.
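To make the contrast concrete, here is an added example (not code from the article or from Ariovis) of a minimal Policy Engine: the same RBAC check a traditional IAM would perform once at login, followed by the context conditions (device posture, location, time, MFA freshness, UEBA risk score) that a Zero Trust PE re-evaluates on every request. The role table, attribute names and thresholds are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data (not from the article): a static RBAC table and
# the attributes a Policy Engine receives with each request.
ROLE_PERMISSIONS = {
    "finance": {"ledger:read", "ledger:write"},
    "hr": {"payroll:read"},
}
ALLOWED_COUNTRIES = {"FR", "DE"}
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59, local time of the resource
MFA_MAX_AGE_MIN = 15            # freshness required for sensitive (write) actions

@dataclass
class Context:
    device_compliant: bool   # from the CDM / endpoint posture data source
    country: str             # from the network / geolocation data source
    hour: int                # hour of the request, 0-23
    mfa_age_min: int         # minutes since the last strong authentication
    risk_score: int          # UEBA anomaly score, 0 (normal) .. 100 (anomalous)

def static_rbac_decision(roles, permission):
    """Traditional IAM: one decision from roles alone, taken at login and
    implicitly trusted for the rest of the session."""
    return any(permission in ROLE_PERMISSIONS.get(r, ()) for r in roles)

def policy_engine_decision(roles, permission, ctx):
    """Zero Trust PE: the RBAC check, then dynamic context conditions that are
    re-evaluated on every request. Returns (decision, reason)."""
    if not static_rbac_decision(roles, permission):
        return "deny", "no role grants this permission"
    if not ctx.device_compliant:
        return "deny", "device posture non-compliant"
    if ctx.country not in ALLOWED_COUNTRIES:
        return "deny", "request from a country outside policy"
    if ctx.risk_score >= 70:
        return "deny", "UEBA risk score too high; session should be terminated"
    sensitive = permission.endswith(":write")
    if sensitive and ctx.hour not in BUSINESS_HOURS:
        return "deny", "write action outside business hours"
    if sensitive and (ctx.mfa_age_min > MFA_MAX_AGE_MIN or ctx.risk_score >= 40):
        return "step_up", "fresh MFA required before a sensitive action"
    return "allow", "identity and context satisfy policy"

def replay_session(roles, permission, timeline):
    """Replay the requests of one session; timeline is a list of (minute, Context).
    A session allowed at login is restricted as soon as its context degrades."""
    return [(t, policy_engine_decision(roles, permission, ctx)[0]) for t, ctx in timeline]
```

With a constructed timeline where the device falls out of compliance mid-session, `replay_session` returns `allow` at login and `deny` afterwards, whereas `static_rbac_decision` would keep returning `True`.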
Integration with other Zero Trust components
IAM does not work in isolation in a ZTA. For IAM to be as effective as possible, it must be integrated with Zero Trust components:
- UEBA (User and Entity Behavior Analytics): By analyzing behavior and detecting anomalies, UEBA enables IAM to trigger additional authentication or dynamically restrict access.
- Policy Engine (PE) and Policy Administrator (PA): IAM directly uses these components to apply real-time decisions on access control. PE and PA will use IAM information to make granular decisions.
- Standard Protocols: SAML, OIDC (OpenID Connect), and SCIM protocols are essential for streamlining identity federation, authentication, and managing identity lifecycles. Here, you can find a guide on how to connect an application with OIDC.
Migration to a ZTA
To migrate to a ZTA, there are two key points according to NIST:
- Start with a hybrid approach: Most organizations use a hybrid model, which combines the perimeter model with a Zero Trust approach.
- Progressive and based on Use Case: Migration should be incremental, focused on specific use cases rather than a complete transformation all at once.
Here are the key migration steps:
- Identify the actors: To begin, list the users, services, and non-human identities that interact with resources. Don't forget identities that come from shadow IT, which we call "Hidden IAM".
- Asset inventory: Next, make an inventory of the hardware, software, data, and cloud services that the organization manages or owns.
- Identify key processes: Then, identify critical workflows, and perform risk analysis to define access requirements.
- Define access policies: Next, develop dynamic policies based on identities, asset status, and context (e.g., location, time, etc.).
- Technology selection: Before deployment, research and choose solutions for Zero Trust components: IAM, PDP, PEP, etc.
- Initial deployment and monitoring: Now begin deploying the ZTA. Start with low-risk use cases. Monitor the new architecture and make configuration adjustments if needed.
- Extend the ZTA: Finally, continue deployment on increasingly critical systems.
Conclusion
IAM is much more than a cybersecurity component; it's a pillar of a sound Zero Trust strategy. In a world where identity is a major target for attackers, IAM is the control tower for continuously verifying, authorizing, and monitoring every access request.
At Ariovis we apply these principles with our clients. In all our integrations, we use a Zero Trust approach. This means that every solution we implement has no implicit trust, requires authentication at every step, and applies dynamic rules based on context. For us, Zero Trust is not just a "buzzword," but a concrete model anchored at the heart of our IAM projects.