For decades, vendors in the IAM and IGA spaces have promised their solutions solved the problems of organizations looking to ensure the right users were granted access to the right resources without friction. Each vendor brought their perspective to the problem they were trying to solve. But every year brings new challenges, technologies, and threats causing each vendor to deliver more granular identity data connections to keep pace. At the same time, many organizations are integrating new technologies to address changing work trends and cyber threats while not moving away from legacy identity solutions that have been in place for decades.
Identity data has moved to the cloud, and it’s also staying on-premises, further complicating the problem of identity sprawl. Zero Trust has taken hold to address today’s risk and security concerns from the disappearance of traditional perimeter security. Now the focus is on providing secure anytime, anywhere user access. Implementing a Zero Trust Architecture requires all users to be authenticated, authorized, and continuously validated before being granted access to applications and data.
Unfortunately, there are no silver bullets when looking to implement a Zero Trust Architecture. You can’t buy a ZTA solution out of the box. This is precisely where the new work from NIST, Special Publication 1800-35, Implementing a Zero Trust Architecture, comes into play. The good news is that the NIST guide provides a step-by-step, modular, end-to-end example that guides the implementation of a ZTA using off-the-shelf solutions.
The Missing Link, an Identity Data Strategy
One of the most defining statements in NIST’s new guide pointed out a fact that is not widely understood: existing IAM/IGA solutions can’t deliver integration and correlation capabilities—or even operate well together. This one fact alone is perhaps the most significant finding in the report. The problem with IAM and IGA solutions is not in the capabilities they were designed to carry out; it’s in the quality and timeliness of the data these solutions require to operate accurately and efficiently. These solutions have the capabilities to acquire identity data. Still, they are challenged to access all the necessary data to make real-time decisions due to the complexity created by identity sprawl. This means that connecting each IAM and IGA solution directly to the essential identity data it needs to make timely decisions is neither practical nor extensible, which is precisely why these components need to be integrated via an Identity Data Fabric so they all can work “better together,” solving the problems they were designed to address.
Identity sprawl is often a major roadblock to building a ZTA because organizations have various data sources storing identity information. These identity data sources include directories, multiple Active Directory domains and forests, legacy LDAP directories, relational databases like Microsoft SQL Server and Oracle, and even ultra-legacy sources like mainframes. This creates several dimensions of complexity for enterprises to manage: not only do the types of data sources vary, but each also represents identities differently, with different access points, multiple protocols, diverse namespaces, and various authentication protocols.
NIST recognizes the problem with identity sprawl:
“Often organizations do not have a complete inventory of their assets or a clear understanding of the criticality of their data. They also do not fully understand the transactions between subjects, resources, applications, and services.” (lines 234-236).
A lack of central visibility and control over organizational assets represents a significant hurdle for IT teams for every project—not to mention creating a primary security posture concern.
The objective of a ZTA is its ability to assign appropriate permissions at admin time, enforce them at run time, and prove it at audit time. This single objective must be adhered to regardless of changes to underlying technologies, from identity-consuming apps to the directories and databases that provide the necessary identity data, and regardless of how any capability is deployed today or will be deployed in the future. What is needed to address this interconnection friction is a single authoritative source that all ZTA components can access at any stage of the access process.
The NIST report calls out exactly this requirement as a Policy Information Point. The report defines the PIP as “The authoritative collection of identity information required to author and evaluate enterprise policy which controls whether to grant access requests. The policy information point is the system entity that acts as a source of attribute values for the PAP and PDP.” Furthermore, the report also names RadiantOne as the solution capable of fulfilling the role of a PIP by being “The primary source of normalized, aggregated, and correlated user and object identity data in the form of attributes from all sources of truth, delivered in a highly available and performant platform which is accessible by the PDP and all downstream consuming applications across a variety of protocols and views.”
The Key ZTA Enabler: Identity Data
Implementing a unified identity data strategy is critical to building a capability that allows services to work together and operate off the same identity set. Integrating identity needs to be a seamless, repeatable process. Whether for a merger or acquisition, collaboration across entities or partners, enabling new applications and implementing more robust governance, or any other identity initiative—all require a unified source of identity to accelerate deployment, saving time and money. Or, in the words of NIST:
“In complex architectures, a ZTA requires an identity data foundation that bridges legacy systems and cloud technologies, and that extends beyond legacy AD domains.” (lines 2431-2433).
Five Criteria To Look For When Choosing an Identity Data Strategy
Five critical criteria must be met to enable a desirable ZTA outcome when looking to implement an identity data strategy. A solution must be capable of building a unified identity data source from distributed systems that can:
- Deliver correlated, attribute-rich global profiles of all users (enabling fine-grained access control)
- Incorporate standards-based accessibility in a flexible data model capable of connecting legacy, on-prem, cloud, and hybrid/multi-cloud identity environments
- Scale and perform in real-time environments, even accessing hundreds of millions of identities
- Ensure resiliency, high availability, and flexible deployment options (vendor and platform neutral)
- Automate group definition and membership across sources
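The PIP role described in NIST’s definition above (normalized, aggregated, correlated attributes served to a PDP) and the first two criteria in this list come down to one mechanism: mapping each source’s native attributes into one schema, joining records on a common key, and letting the decision point fail closed when the profile is incomplete. The following is an added illustration written for this post, not code from Radiant Logic, RadiantOne, or NIST SP 1800-35; the three sources, their records, their attribute names, and the choice of e-mail as the correlation key are all constructed assumptions.

```python
# Added example (not Radiant Logic, RadiantOne, or NIST SP 1800-35 code): a toy Policy
# Information Point that correlates records from three constructed sources into
# normalized profiles, plus a toy Policy Decision Point that consults it.
SOURCES = {  # constructed sample data; each source names the same person differently
    "ad_corp": [  # Active Directory domain, keyed by sAMAccountName
        {"sAMAccountName": "jdoe", "mail": "jane.doe@example.com",
         "memberOf": ["CN=Finance,OU=Groups,DC=corp,DC=example"]},
        {"sAMAccountName": "bsmith", "mail": "bob.smith@example.com"},  # no HR record
    ],
    "hr_sql": [  # HR relational database, keyed by EMP_ID
        {"EMP_ID": "10042", "EMAIL": "Jane.Doe@Example.com", "DEPT": "Finance", "STATUS": "ACTIVE"},
    ],
    "legacy_ldap": [  # legacy LDAP directory, keyed by uid
        {"uid": "jane.doe", "mail": "jane.doe@example.com", "title": "Controller"},
    ],
}
SCHEMA_MAP = {  # per-source map from native attribute names to one normalized schema
    "ad_corp": {"mail": "email", "memberOf": "groups", "sAMAccountName": "ad_login"},
    "hr_sql": {"EMAIL": "email", "DEPT": "department", "STATUS": "hr_status",
               "EMP_ID": "employee_id"},
    "legacy_ldap": {"mail": "email", "title": "title", "uid": "ldap_uid"},
}

def normalize(source, record):
    # Rename native attributes into the normalized schema; lower-case the join key.
    out = {}
    for native, canonical in SCHEMA_MAP[source].items():
        if native in record:
            out[canonical] = record[native].lower() if canonical == "email" else record[native]
    return out

def build_global_profiles(sources):
    """PIP role: correlate every source on email into one profile per identity."""
    profiles = {}
    for source, records in sources.items():
        for record in records:
            norm = normalize(source, record)
            key = norm.get("email")
            if key is None:
                continue  # uncorrelatable record: leave it out rather than guess
            profile = profiles.setdefault(key, {"sources": []})
            profile["sources"].append(source)  # provenance of the correlated attributes
            for attr, value in norm.items():
                profile.setdefault(attr, value)  # first source wins, never overwritten
    return profiles

def pdp_decide(profiles, email, resource_department):
    """PDP role: fail closed unless the HR record marks the user active."""
    profile = profiles.get(email.lower())
    if profile is None or profile.get("hr_status") != "ACTIVE":
        return "deny"  # orphan or inactive identity is never granted access
    return "permit" if profile.get("department") == resource_department else "deny"
```

The orphaned "bsmith" account exists only in Active Directory, so the PDP denies it even though the directory entry is valid; that is the kind of decision a correlated profile makes possible and a single-source lookup cannot.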
The Right Approach to Implementing Your Identity Data Strategy—An Identity Data Fabric
The emerging pattern in the IAM market is based on the concept of a fabric or mesh approach. The previous approach that focused on over-centralizing and over-synchronizing identity into a single “master” data source is unworkable in the context of a ZTA. This approach has proven to be unwieldy, brittle, and inflexible, which is why we see distributed identity architectures being incorporated in NIST’s future-looking ZTA guide.
In the context of identity data, a fabric architecture leverages identity federation to weave the necessary elements of identity data into a central source while allowing identity management to remain local to authoritative systems. An Identity Data Fabric bridges the various identity needs across platforms and protocols and provides a seamless experience for users, administrators, and developers—for harnessing the value of identity data. This approach avoids centralizing into a rigid structure that can’t evolve to meet changing requirements or scale to modern organizational demands–like cloud, multi-cloud, and hybrid deployments, fine-grained access models, and rapid change ingestion.
Radiant Delivers the Identity Data Fabric to Enable Your ZTA
NIST’s guide establishes Radiant Logic as the starting point when designing a Zero Trust Architecture. Radiant Logic obviates the need for custom coding and fragmented workarounds when integrating IAM, IGA, or other identity-consuming apps into the plethora of identity data sources when building a ZTA. RadiantOne addresses identity integration complexities with a platform that enables organizations to interoperate with dispersed on-prem, legacy, and cloud technologies to protect resources with minimal impact on end-user experiences while reducing internal resource burdens—supporting a true Zero Trust strategy. RadiantOne accelerates and enhances the implementation of a ZTA by laying an identity data foundation—on which all ZTA components can rely.