The shift to a zero-trust security model may sound revolutionary, but in reality its success comes down to its reliance on identity and access management (IAM) systems. Without a well-defined way to manage identities and access rights effectively, the question for security pros remains: How can an organization pursue a zero-trust approach successfully?

For starters, many organizations are probably not getting the optimum value out of their IAM tools and programs because they have not reached a sufficient level of IAM maturity – and that maturity is the core of achieving zero-trust. To advance it, organizations need to make assessing where they currently stand with IAM a priority.

How many questions about identity can the organization clearly answer? There are several relevant questions that any security team should answer if the organization plans to truly operate as a mature user of IAM:

  • Who has access to what at any point in time?
  • How did a particular user obtain a certain level of access?
  • Who approved the access for a particular user at any point in time?
  • How do users gain access to different applications?
  • Which users have privileged access and how much privileged access do they have?
  • Which of the IAM platform's services has the organization deployed, and does it really use them?

An IAM platform offers multiple capabilities. In most scenarios, an organization uses some of these but not others, or uses all of them but not effectively. In any given case, how fully these services are used has become a good measure of maturity.

Here are the most important services an IAM-mature organization should use:

  • Directory Services: The central piece of IAM that houses the identity data about every user in the organization. It is a basic IAM function that all organizations should already use if they expect to get any value out of these platforms. The data would typically include first and last names, user names, password credentials (stored as salted hashes, never in the clear), email addresses, and any other pieces of information needed to uniquely identify a user.
  • Identity and Access Governance (IAG) Services: This IAM domain manages how access to applications is provisioned within the organization. Ask how many of its business applications, or what percentage of its application portfolio, the organization controls through IAG. These services answer three of the questions listed above: who has access to what; how they got the access; and who approved the access.
  • Authentication Services: IAM systems authenticate and authorize users based on the access levels recorded in their directory profiles. They can also automatically control user access to specific functions of a system based on other factors. Multi-factor authentication (MFA), where users must provide something they know plus something they have, is essential for zero-trust security.
  • Privileged Access Management (PAM) Services: Some users, such as administrators, are granted a higher level of access than others and are therefore more likely to become the target of attacks. That means their accounts need greater protection. PAM and Privileged Identity Management (PIM) offer monitoring and protection of privileged accounts in an organization's IT environment. Privileged identities today come in various forms, including elevated accounts on cloud services, shared administrator accounts on servers, and service accounts used by applications.

Security teams also have to consider how the various services are used and which use cases they support. For example, are they being used to support various user lifecycle events, such as onboarding or changes in job titles, responsibilities, or departments? What about when an employee goes on a leave of absence and then returns to the organization, or when the company hires a contractor and that person later becomes a full-time employee?

In some cases, these employees might have been working on competitively sensitive technology or research and development projects that require highly secure access to systems and data at different points in time. Or a company might need to enforce separation of duties, so that a task can only be completed by multiple people acting together.

Each of these scenarios can happen over the course of a user’s time with an organization, and the security team can apply IAM to all of them to ensure that the right level of access gets provided. The more use cases and processes an organization automates through an IAM platform, the greater the level of maturity.
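The questions listed earlier (who has access to what, how they got it, who approved it) and the lifecycle scenarios just described are, in practice, questions about an audit trail of entitlement changes. As an added illustration that is not from the article or from any Simeio product, the Python below keeps an append-only ledger of grants and revocations and answers each question by replaying it to a chosen point in time; it also models joiner, mover and leaver events as ledger entries and refuses a grant that would complete a separation-of-duties conflict. All role names, entitlements, users, request ids, approver names and dates are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample data (not from the article): role-to-entitlement mappings
# and one separation-of-duties (SoD) conflict pair that nobody may hold together.
ROLE_ENTITLEMENTS = {
    "finance-clerk": {"erp:view-invoices", "erp:create-vendor"},
    "finance-manager": {"erp:view-invoices", "erp:approve-payment"},
    "contractor-dev": {"git:read"},
    "engineer": {"git:read", "git:write"},
}
SOD_CONFLICTS = {frozenset({"erp:create-vendor", "erp:approve-payment"})}

def ts(s: str) -> datetime:
    """Parse a constructed ISO date such as '2024-01-08' into a timestamp."""
    return datetime.fromisoformat(s)

@dataclass(frozen=True)
class AccessEvent:
    at: datetime
    action: str              # "grant" or "revoke"
    user: str
    entitlement: str
    source: str              # "role:<name>", "request:<id>" or "lifecycle:<event>"
    approver: Optional[str]  # None for revocations

class EntitlementLedger:
    """Append-only log of grants and revocations; every question is answered by replay."""

    def __init__(self) -> None:
        self.events: list[AccessEvent] = []

    def _ordered(self) -> list[AccessEvent]:
        return sorted(self.events, key=lambda e: e.at)  # stable: same-time events keep order

    def access_at(self, when: datetime) -> dict[str, set[str]]:
        """Who has what at `when`: replay every event up to that instant."""
        held: dict[str, set[str]] = {}
        for ev in self._ordered():
            if ev.at > when:
                break
            bucket = held.setdefault(ev.user, set())
            (bucket.add if ev.action == "grant" else bucket.discard)(ev.entitlement)
        return {u: s for u, s in held.items() if s}

    def who_has(self, entitlement: str, when: datetime) -> set[str]:
        return {u for u, s in self.access_at(when).items() if entitlement in s}

    def provenance(self, user: str, entitlement: str, when: datetime) -> Optional[AccessEvent]:
        """The grant explaining why `user` holds `entitlement` at `when` (how, and who approved)."""
        latest = None
        for ev in self._ordered():
            if ev.at > when:
                break
            if ev.user == user and ev.entitlement == entitlement:
                latest = ev if ev.action == "grant" else None
        return latest

    def grant(self, at, user, entitlement, source, approver=None) -> None:
        held = self.access_at(at).get(user, set())
        for pair in SOD_CONFLICTS:  # refuse a grant that would complete a toxic combination
            if entitlement in pair and (pair - {entitlement}) <= held:
                raise ValueError(f"SoD conflict: {user} already holds {sorted(pair - {entitlement})}")
        self.events.append(AccessEvent(at, "grant", user, entitlement, source, approver))

    def revoke(self, at, user, entitlement, source) -> None:
        self.events.append(AccessEvent(at, "revoke", user, entitlement, source, None))

    # Lifecycle events (joiner / mover / leaver) are just ordered ledger entries.
    def joiner(self, at, user, role, approver) -> None:
        for ent in sorted(ROLE_ENTITLEMENTS[role]):
            self.grant(at, user, ent, f"role:{role}", approver)

    def mover(self, at, user, old_role, new_role, approver) -> None:
        # Revoke the old role first so a job change never accumulates access
        # and cannot collide with the SoD check when the new role is granted.
        for ent in sorted(ROLE_ENTITLEMENTS[old_role]):
            self.revoke(at, user, ent, "lifecycle:mover")
        self.joiner(at, user, new_role, approver)

    def leaver(self, at, user) -> None:
        for ent in sorted(self.access_at(at).get(user, set())):
            self.revoke(at, user, ent, "lifecycle:leaver")

def demo() -> tuple[EntitlementLedger, bool]:
    """Constructed timeline: two users, one direct request, two moves, one refused grant, one leaver."""
    led = EntitlementLedger()
    led.joiner(ts("2024-01-08"), "alice", "finance-clerk", approver="hr-system")
    led.joiner(ts("2024-01-08"), "bob", "contractor-dev", approver="mgr-carol")
    led.grant(ts("2024-02-01"), "bob", "git:write", "request:REQ-42", approver="mgr-carol")
    led.mover(ts("2024-03-01"), "bob", "contractor-dev", "engineer", approver="hr-system")  # contractor to FTE
    led.mover(ts("2024-04-01"), "alice", "finance-clerk", "finance-manager", approver="hr-system")
    try:  # a direct request that would give alice both sides of a payment is refused
        led.grant(ts("2024-05-01"), "alice", "erp:create-vendor", "request:REQ-77", "mgr-dave")
        sod_blocked = False
    except ValueError:
        sod_blocked = True
    led.leaver(ts("2024-06-30"), "bob")
    return led, sod_blocked
```

Two design points are worth noticing. The mover handler revokes the old role before granting the new one, so a department or title change never accumulates entitlements; and the SoD check is evaluated against the state reconstructed at the grant's own timestamp, so it catches a request made after a move just as well as one made during onboarding. In a real deployment the ledger would be the IAM platform's provisioning history, and the same replay would drive periodic access reviews.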

While IAM can complement zero-trust security, it can only do so if the IAM tools are used optimally. By measuring their level of IAM maturity, organizations can determine where they stand and how they can make improvements.

Vikram Subramanian, vice president of solutions, Simeio