<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

You Can't Have Zero Trust Without Identity and Access Management

Everyone likes to talk about Zero Trust, but what does it really mean? In a recent Gartner podcast, expert John Watts describes it as a mindset or strategy to secure your environment differently than before to prevent breaches and incidents. At its core, zero trust means not assuming that every user or application should have access to things in your network, and that you should be continually assessing risk and trust levels.

Or, to put it simply: trust no one. Regardless of where they’re located or who they are, everyone needs to be authenticated, authorized, and regularly validated before they can get in.

While the concept has been around since before 2000 and surfaced as an issue during the quick transition to remote work, the May 2021 executive order, “Executive Order 14028: Improving the Nation’s Cybersecurity,” thrust Zero Trust further into the spotlight. The order explicitly calls out Zero Trust and the National Institutes of Standards and Technology (NIST) guidelines for Zero Trust Architecture. Because of that, the private sector is taking even more note of what it means to achieve Zero Trust.

Building Zero Trust on solid ground

The core of zero trust implies what its foundations are: access and identities. Put simply, you can’t do zero trust without managing access to your resources. As Watts said in the Gartner podcast, “A lot of zero trust concepts are built around identity (and) knowing who someone is with some assurance.” The implication is that you can’t achieve Zero Trust without knowing who your users are and what they’re doing in your systems.

That’s where the strategy behind Zero Trust comes into play. Achieving Zero Trust requires several critical steps:

1. Identifying users and roles. Not only do your internal employees and development teams need access to your databases, but so do external partners. The first step in Zero Trust is figuring out who needs access and their associated reason for the access. Talk to HR, IT, and department leads to pinpoint what roles exist in your organization. Find out who outside your organization needs access to your databases, servers, web apps, and clusters, and for what purposes. This where a Role and Access Discovery project can be extremely useful to define users and roles.


2. Defining access rules and requirements. Once you know what roles exist in your organization, start classifying those roles and the access they require to different systems. You may have several development teams working on various projects. Each team only needs access to a particular database, for example. You may want to consider assigning access to specific resources to just a subset of users.


3. Understanding your assets. While all data needs protection from malicious actors, some systems are more sensitive or critical than others. Suppose a hacker gains access to supplier names and purchase orders. In that case, they can cause damage – but not as much damage as if they get hold of customer credit card numbers or other PII. These sensitive systems may require even more stringent controls, such as requiring authentication each time the resource is accessed.

Keep in mind that a key principle of Zero Trust is the Principle of Least Privilege (PoLP), which means giving users the absolute bare minimum of access needed to do their jobs or perform essential functions. These steps are necessary to identify what the bare minimum looks like before you let anyone, even an employee, into your systems.

The bottom line: you can’t achieve Zero Trust without access management. If you’re still using manual processes and creating unique roles for every user, you should learn more about how StrongDM can manage and audit access to your assets – and make it easier to get to Zero Trust. Get a free demo of StrongDM today.


About the Author

, Senior Marketing Director, has held marketing leadership roles for Silicon Valley technology companies specializing in database, data management, and data analytics solutions. As head of content marketing at Splunk, Dominic contributed to boosting the company’s market visibility and its growth from a $100M to a $1.3B company. He brings relentless creativity to the task of connecting people with technical products to improve their lives. Dominic holds a B.S. degree in Public Relations from the University of Texas at Austin. To contact Dominic, visit him on LinkedIn.

💙 this post?
Then get all that strongDM goodness, right in your inbox.

You May Also Like

What is IGA? Identity Governance & Administration Explained
What is IGA? Identity Governance & Administration Explained
In this article, we’ll take a broad look at identity governance and administration (IGA) and examine how it differs from other IT risk mitigation topics. You’ll get insight into the history, benefits, and features of IGA and learn how to start planning an IGA implementation of your own.
Insider Threat: Definition, Types, Examples & Protection
Insider Threat: Definition, Types, Examples & Protection
In this article, we’ll take a look at insider threats in cyber security and the dangers they pose. You’ll learn the insider threat definition, who the insiders are, the types of insider threats to be aware of, and how to detect threats. By the end of this article, you’ll have a clearer understanding of the entire insider threat ecosystem and the best practices you can use to protect your organization, data, and systems.
Spring Clean Your Access Management | strongDM
Spring Clean Your Access Management
Time to spring clean your access management! Use these resources to establish healthy habits to keep your infrastructure access tidy all year long.
Agent vs. Agent-less Architecture
Agent vs. Agentless Architectures in Access Management
Agent vs. Agentless architectures is a recurring debate - covering specifics from monitoring to security. But when it comes to Access Management, some key considerations are necessary when defining the scalability of your solution and its impact on efficiency and overhead over time.
PAM inside of a Pac-man styled interface with the caption
Time for PAM to Go Wham!
Privileged Access Management doesn’t solve the whole access challenge. It’s time for PAM to evolve to support complex environments and put people first.