Identity and Access Management within a Zero Trust Architecture

The unprecedented rise of remote work and use of personal devices has meant users now operate from outside of what traditionally was thought of as the ‘safe space’ of the office. Whilst this presents many factors and challenges outside of a company’s control, there is the ability to put strong policy in place to reduce information risk, starting with confirming that you know who your user is. Once you have this information, and once you are certain of it, you now have the power to unequivocally verify this person at every stage of access, no matter their location or device, putting you back in control.

If you are not sure who your user is, then no other security or access control feature matters. Therefore, Identity and Access Management (IAM) should be central to any organisation’s security efforts, and central to IAM should be the basic principles of Zero Trust.

Zero Trust is the outlook that you should not trust anyone on your network at any given time. If IAM solutions are properly deployed and maintained, they can help enterprises enforce Zero Trust security throughout their environments.

What is IAM?

According to the National Cyber Security Centre (NCSC), IAM is “the collection of policies, processes and systems which support binding an individual to a set of permissions within your system”. There are three concepts at its core: identification, authentication, and authorisation. These can be defined as follows:


Identity is who the user is, and a digital identity is the electronic representation of them. In the real world this is done via an ID check (when renting a car for example). The company will do this when employees first join, and from here on out as far as the system is concerned, the employee will likely be known by a set username.


The next step once the user has been identified is Authentication. Authentication provides the proof that the user is who they say they are. This is usually done by verifying the user through using something unique to them, commonly referred to as the ‘Somethings’.

       Something the user knows - a password or PIN code for example, but this could also take the form of a security question

       Something the user has, e.g. a smart card (such as a fob or pass) or an RSA key or token (such as a bank card reader)

       Something they are (also known as biometrics), e.g. a thumb print or facial recognition


Also commonly referred to as “permissions”. Controlled by the system administrator, permissions define what users can and cannot gain access to, as well as the rules in place around this access. For example, set timeframes in which users can log on. They could include the ability to perform functions, access data or administer the system.

Zero Trust

Zero Trust means there is no trusted perimeter. Everything is untrusted by default, and a device or user only receives least-privilege access, even after authentication or authorisation in some cases. A Zero Trust Architecture is used to stop potential security breaches: you see everything as a potential threat, and you verify everyone.

The “never trust, always verify” principle

Security models conventionally operate on the assumption that all internal network activities can be trusted. They are designed to protect the perimeter. This leaves threats that manage to enter the network uninspected, invisible, and free to move around wherever they choose, potentially extracting valuable and sensitive business data. This traditional approach to security has done little to stem the flow of cyber-attacks and insider threats. To combat this, a fresh approach is required that adheres to the principle above. One such measure that fits in with this outlook would be increased visibility into internal traffic alongside the application of user context. This can be achieved by using a next-generation firewall with decryption capabilities.

Lateral Movement Security

The purpose of Zero Trust Architecture is to address lateral threat movement within a network by leveraging micro-segmentation and granular perimeter enforcement, based on data, user characteristics, and location.

Lateral movement refers to the different techniques that attackers use to navigate through a network when searching for valuable assets and data. With traditional perimeter-based security, sub-perimeters are defined within networks by using a specific combination of rules. As an example, these rules may use the application traffic direction and context around a user to identify anomalies. When an anomaly occurs, the movement of a user or traffic direction is blocked. The sub-perimeters then reveal the spread of an attack within an organisation.

The point of infiltration is most often not the target location of an attacker. Therefore, stopping lateral movement is a priority. Attackers that infiltrate an endpoint, for example, often need to move laterally throughout the networking environment in search of the data centre housing the targeted content.

How you define movement or access depends on the user and on what you define as appropriate or logical interactions and behaviour. Users from the marketing department, for example, often have no access to sensitive financial files about the organisation, but would have access to CRM systems, marketing assets and content. Users from finance do have access to finance-related data sources, but not necessarily information from the human resources department or marketing department. This is why identifying who users are, and whether their actions during a session are considered appropriate, is so important.

When these inspection points or junctions are not in place, it is almost impossible to identify and prevent unsanctioned access.

The absolute ‘need to knows’

Identity and access management can be broken down into four areas, known as “PIPO”:

Policy – The policies you have in place to govern who has access to systems, data, and functionality and the rules around the processes they must go through to get it, as well as when access rights should be taken away (usually based around a Joiner, Movers and Leavers “JML” process).

Identity process management – The procedures you have in place to specify how access is achieved and the approval of it. The process may be dependent on what level of access is required and what role that user has. Usually, a user requesting access will fill in an access request form and submit this to the necessary personnel.

Privileged user management – A privileged user is typically an administrator who can do more than just read and write, i.e. configure the system (execute). Elevated controls are usually put in place around the configuration of sensitive data/systems within the organisation, accessible only to high-level users (e.g. a requirement for additional authentication or the limiting of functionality). This protects from both external and insider threats, malicious or accidental.

Operations and monitoring – the processes put into action to identify and record any security breaches with the aim of facilitating investigation and subsequently improving the security of systems through lessons learned. Monitoring provides the ability to understand how systems and data are being accessed, mainly to detect unauthorised attempts, and ideally to respond to these before unauthorised access is achieved.
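As an added illustration of the detection side of this area (example code written for this page, not a product's or the NCSC's), the following Python routine reads authentication events from a constructed log sample and raises an alert when an account accumulates five failed logins within five minutes, or when a successful login follows a run of failures, the case where unauthorised access may already have been achieved. The log line format, thresholds and usernames are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed line format; a real IAM or SSO log will differ and needs its own parser.
LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample log: alice is guessed at and then logged in, bob mistypes once,
# carol fails slowly over an hour, and one line is malformed.
SAMPLE_LOG = [
    "2024-05-01T09:00:00Z user=alice src=203.0.113.7 result=FAIL",
    "2024-05-01T09:01:00Z user=alice src=203.0.113.7 result=FAIL",
    "2024-05-01T09:02:00Z user=alice src=203.0.113.7 result=FAIL",
    "2024-05-01T09:03:00Z user=alice src=203.0.113.7 result=FAIL",
    "2024-05-01T09:04:00Z user=alice src=203.0.113.7 result=FAIL",
    "2024-05-01T09:04:30Z user=alice src=203.0.113.7 result=OK",
    "2024-05-01T09:00:10Z user=bob src=10.0.0.5 result=FAIL",
    "2024-05-01T09:00:40Z user=bob src=10.0.0.5 result=OK",
    "2024-05-01T08:00:00Z user=carol src=10.0.0.9 result=FAIL",
    "2024-05-01T08:20:00Z user=carol src=10.0.0.9 result=FAIL",
    "2024-05-01T08:40:00Z user=carol src=10.0.0.9 result=FAIL",
    "2024-05-01T09:00:00Z user=carol src=10.0.0.9 result=FAIL",
    "2024-05-01T09:20:00Z user=carol src=10.0.0.9 result=FAIL",
    "not a log line",
]

def parse(lines):
    """Return (timestamp, user, src, result) tuples in time order, skipping malformed lines."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append((ts, m["user"], m["src"], m["result"]))
    return sorted(events)

def detect(lines, window=timedelta(minutes=5), threshold=5):
    """Alert on a burst of failures, and on a success that follows a run of failures."""
    recent, alerts = {}, []
    for ts, user, _src, result in parse(lines):
        # Keep only this account's failures that fall inside the sliding window.
        fails = [t for t in recent.get(user, []) if ts - t <= window]
        if result == "FAIL":
            fails.append(ts)
            if len(fails) == threshold:
                alerts.append(("BRUTE_FORCE", user))
        else:
            if len(fails) >= 3:
                alerts.append(("SUCCESS_AFTER_FAILURES", user))
            fails = []  # a success ends the run
        recent[user] = fails
    return alerts
```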

How to use PIPO for best practice

Policy – Access policies should be based upon the principles of least privilege and Zero Trust. These should be based around an international security standard such as ISO 27001. Not only do such standards provide an excellent framework for your policies, but they also allow you to be assessed against these standards, enabling you to demonstrate to employees, clients, and business partners alike that you have excellent measures in place for safeguarding the data, systems, and functionality under your protection.

Identity process management – Best practice for identity processes includes having robust workflows and approvals in place. Ensure technical measures are in place that can help enforce good identity management. Multi-Factor Authentication requires users to authenticate using at least two different ‘Somethings’. Biometric methods represent the best of these.

Privileged user management – Users with access to business-critical systems should only be able to perform the duties relevant to this data from an approved and trusted device. Further to this, separate accounts should be created for the execution of such duties. They should not be completed using an everyday user account, one that is used for Internet and email access, as this can leave them open to potential attacks.

Operations and monitoring – Due to the level of risk involved if something were to go wrong, IAM systems should have top priority for any organisation. Any patches that are released for these systems should be verified and installed as soon as they are approved.
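To make these best-practice points concrete, here is an added Python example (not code from the original article or from any named product) of a deny-by-default access decision that combines the department-based access described under lateral movement security with the MFA, approved-device and separate-account rules above. The factor categories, department names, resource names and field names are assumptions.

```python
from dataclasses import dataclass

# Map each credential to one of the three "Somethings" (assumed category names).
FACTOR_TYPES = {
    "password": "knows", "pin": "knows", "security_question": "knows",
    "smart_card": "has", "hardware_token": "has",
    "fingerprint": "is", "face": "is",
}

@dataclass(frozen=True)
class Session:
    username: str
    department: str
    privileged_account: bool   # a separate admin account, not the everyday one
    factors: tuple             # credentials presented at authentication
    trusted_device: bool       # request came from an approved device

@dataclass(frozen=True)
class Resource:
    name: str
    departments: frozenset     # departments allowed at all; everyone else is denied
    sensitive: bool = False    # business-critical data or systems

# Constructed sample resources.
CRM = Resource("crm", frozenset({"marketing", "sales"}))
FINANCE_LEDGER = Resource("finance_ledger", frozenset({"finance"}), sensitive=True)

def distinct_factor_types(factors):
    """MFA means at least two *different* Somethings; a password plus a security
    question are both 'knows' and count as one. Unrecognised credentials count for nothing."""
    return {FACTOR_TYPES[f] for f in factors if f in FACTOR_TYPES}

def decide(session, resource):
    """Return (allowed, reason); access is denied unless every check passes."""
    if session.department not in resource.departments:
        return False, "department not authorised for resource"
    if resource.sensitive:
        if len(distinct_factor_types(session.factors)) < 2:
            return False, "sensitive resource requires two different factor types"
        if not session.trusted_device:
            return False, "sensitive resource requires an approved device"
        if not session.privileged_account:
            return False, "sensitive resource requires a separate privileged account"
    return True, "allowed"
```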

Developing a Zero Trust Architecture

Deploying a Zero Trust Architecture will provide visibility and context for all traffic, across users, devices, locations and applications. Steps to develop a Zero Trust Architecture include:

       Gain traffic visibility and context. Traffic needs to run through a next-generation firewall that has decryption capabilities. Next-generation firewall protection acts as the ‘border control’ within your organisation and enables micro-segmentation of perimeters.

       Have the ability to monitor and verify traffic as it crosses between the different functions inside the network.

       Add Two-Factor Authentication (2FA) or other verification methods, such as biometric verification, that increase the ability to verify users.

       Implement a Zero Trust approach. This helps to identify business processes, data flows, users, data, and associated risks. It also helps to set policy rules which can be automatically updated based on associated risks, during every iteration.

In summary

       Base your policy around a strong framework which includes least privilege and a zero-trust model. A good guideline can be found within the NCSC Zero Trust Principles.

       Never assume, always verify – the stronger the authentication, the safer the system.

       A zero-trust policy is even more important when it comes to sensitive data/systems. The most privileged user should be the least trusted of all.

       Prioritise the protection of your IAM system – it is after all, your gateway.