Commissioned by RadiantOne
1 Introduction
The process of becoming a digital enterprise will affect every aspect of the organization. Reaching an initial capability to operate digitally is the first and most difficult major milestone, but there is no endpoint: the whole idea is to become flexible enough to succeed in a permanently accelerated environment of business, social and technological change. There really is no choice other than to engage: digitization is driven by the convergence of expanding technology enablers (a carrot) and business necessity (the stick!).
The high-level capabilities essential for the digital enterprise can be boiled down to three: continual innovation, business agility and security of digitized assets. The balance of this whitepaper will focus on security, and to a lesser extent on agility, as they are where corporate IT can contribute the most:
- Continual innovation: figuring out how the latest technology can be used to create business value will be an ongoing and vital activity, but it is most consequential in the business units.
- Business agility: corporate IT has a critical role in enabling business agility by implementing the capability for flexible, fast and efficient reconfiguration of the digital infrastructure.
- Security of digital assets: corporate IT (together with the corporate CISO, depending on how these functions are organized) also has lead responsibility for developing and implementing the enterprise cyber-security strategy.
Limitations of the accepted perimeter-based strategies for securing digital assets started becoming noticeable decades ago. They were initially exposed by the emergence of the Internet as an important way for an organization to interact with an expanding variety of customers and business partners. By the 1990s security professionals were talking about "de-perimeterization" and securing their "extranets." The sophistication of perimeter-defense tools grew, but the complexity of the challenge grew even faster. The concept of an alternative to perimeter defenses was given a name, "zero trust," in 2011 by Forrester Research analyst John Kindervag. In August 2020 NIST published SP 800-207, Zero Trust Architecture, giving official recognition to the model, along with a more formal definition and much valuable guidance. Meanwhile, zero trust had acquired buzzword status. Starting in the spring of 2018, Google searches on "zero trust" and related terms went exponential, and numerous vendors and consultants now characterize their offerings as zero-trust solutions.
Buzzword or not, zero-trust architecture (ZTA) is the leading candidate to address the problem of securing increasingly distributed digital operations. The security strategy behind ZTA starts with accepting that the perimeter-based security model, which seeks to isolate the organizational network to create a threat-free zone where all users are trusted, is a poor fit for today's business (or government) operations. Instead of protecting the network, ZTA protects essential business assets: information and business processes. It does this by making sure that no protected asset can be seen or changed except by a user who can be held accountable, and who is authorized by organizational policy to access that specific asset. In effect, the core strategy of ZTA is to implement strong authentication and policy-based fine-grained access control, enterprise-wide.
"Our takeaway from this at CISA's space is that identity is everything now. We can talk about our network defenses, we can talk about the importance of firewalls and network segmentation, but really, identity has become the boundary, and we need to start readdressing our infrastructures in that manner."[^1]
This strategy removes the location of both users and protected assets as a limiting factor on business operations. In principle, users or employees can be completely mobile, and assets can be moved to different hosting arrangements, without exposing the assets to attack and with minimal reconfiguration of ZTA security components. These flexibilities make ZTA an excellent fit for the dynamic, distributed digital enterprise.
However, implementing the ZTA model requires its own set of security capabilities, most prominently a very comprehensive IAM infrastructure: an identity fabric. Every enterprise already implements some form of IAM infrastructure and other ZTA-related components. While few of those existing components are as capable as they need to be to provide the enterprise's first line of cyber-defense, they can provide a starting point that can be enhanced and extended over time.
ZTA is characterized by its need for a lot of high-quality data to deliver the precise control required to allow all authorized, but zero unauthorized, access to protected information resources. Prominent among the prerequisite data for properly implementing a ZTA is what NIST calls a subject database: ". . . the set of subjects (human and processes) of the enterprise or collaborators and a collection of subject attributes/privileges assigned." [^2]
This subject database, more commonly called a directory in the IAM context, is at the heart of ZTA. These human users and non-person entities are the only subjects allowed to connect to protected enterprise assets, and each access request is limited based on enterprise policy as applied to the attributes of the requesting subject, the requested information resource, and other conditions at the time of the request. The central role of the user directory in ZTA is why some have declared that identity is the perimeter of the digital enterprise.
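The following is an added example, not code from the whitepaper or from RadiantOne, showing how a policy decision point can evaluate one access request the way the two paragraphs above describe: it looks up the requesting subject in a directory of attributes, looks up the requested resource's requirements, and applies enterprise policy together with request-time conditions (here, whether the session was authenticated with a second factor and whether the device is compliant). The directory entries, resource catalog, role names and policy rules are all constructed for illustration; deny is the default outcome, and every decision carries a reason so it can be logged and audited.

```python
"""Minimal policy decision point (PDP) for a zero-trust access request.

Added illustration, not from the whitepaper or from RadiantOne.  The
subject directory, resource catalog, policy rules and requests are all
constructed here.  The point demonstrated: every request is decided from
subject attributes + resource attributes + request-time conditions, and
anything not explicitly allowed is denied.
"""
from dataclasses import dataclass

# Constructed subject database ("directory"): attributes per subject.
# Non-person entities (service accounts) are subjects too.
SUBJECTS = {
    "alice":      {"active": True,  "department": "finance",     "roles": {"ap-clerk"}},
    "bob":        {"active": True,  "department": "engineering", "roles": {"developer"}},
    "svc-backup": {"active": True,  "department": "it",          "roles": {"backup-agent"}},
    "carol":      {"active": False, "department": "finance",     "roles": {"ap-clerk"}},
}

# Constructed resource catalog: what each protected asset requires.
RESOURCES = {
    "ap-ledger":    {"classification": "confidential", "allowed_roles": {"ap-clerk"},
                     "actions": {"read", "write"}},
    "source-repo":  {"classification": "internal",     "allowed_roles": {"developer"},
                     "actions": {"read", "write"}},
    "backup-vault": {"classification": "confidential", "allowed_roles": {"backup-agent"},
                     "actions": {"write"}},
}


@dataclass
class Request:
    subject: str
    resource: str
    action: str
    mfa: bool               # session authenticated with a second factor?
    device_compliant: bool  # request-time condition reported by device posture


@dataclass
class Decision:
    allow: bool
    reason: str


def decide(req: Request) -> Decision:
    """Evaluate one request; returns Decision(allow, reason). Default is deny."""
    subj = SUBJECTS.get(req.subject)
    if subj is None or not subj["active"]:
        return Decision(False, "unknown or inactive subject")

    res = RESOURCES.get(req.resource)
    if res is None:
        return Decision(False, "unknown resource")
    if req.action not in res["actions"]:
        return Decision(False, "action not defined for resource")

    # Policy rule 1: confidential assets require an MFA-backed session.
    if res["classification"] == "confidential" and not req.mfa:
        return Decision(False, "MFA required for confidential resource")

    # Policy rule 2: writes are only accepted from a compliant device.
    if req.action == "write" and not req.device_compliant:
        return Decision(False, "write requires compliant device")

    # Policy rule 3: the subject must hold a role the resource permits.
    if not (subj["roles"] & res["allowed_roles"]):
        return Decision(False, "subject lacks required role")

    return Decision(True, "policy satisfied")


def audit_line(req: Request, d: Decision) -> str:
    """Render a decision as one log line a SOC could search on."""
    outcome = "ALLOW" if d.allow else "DENY"
    return (f"{outcome} subject={req.subject} resource={req.resource} "
            f"action={req.action} mfa={req.mfa} device_compliant={req.device_compliant} "
            f"reason=\"{d.reason}\"")


if __name__ == "__main__":
    samples = [
        Request("alice", "ap-ledger", "read", mfa=True, device_compliant=True),
        Request("alice", "ap-ledger", "read", mfa=False, device_compliant=True),
        Request("bob", "ap-ledger", "read", mfa=True, device_compliant=True),
        Request("carol", "ap-ledger", "read", mfa=True, device_compliant=True),
        Request("bob", "source-repo", "write", mfa=False, device_compliant=False),
        Request("svc-backup", "backup-vault", "read", mfa=True, device_compliant=True),
    ]
    for r in samples:
        print(audit_line(r, decide(r)))
```

The rules are deliberately ordered so that the cheapest, most general checks (is this a known, active subject? is the resource defined?) run before attribute matching, and so that a denial names the first failing condition rather than leaking which later conditions would also have failed. In a real deployment the three dictionaries would be replaced by lookups against the identity repository, the resource inventory and a device-posture service, and the audit line would go to the SIEM.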
The features of a directory component that implements ZTA security principles also enhance enterprise business agility. The ability to support mobility and distributed operations is the most obvious enabler.
Radiant Logic originated the virtual-directory concept: a logically centralized but physically distributed enterprise identity repository. This structure, together with other features of their current RadiantOne suite, is even more compelling today as an implementation of the ZTA "subject database" that protects and enables the highly-distributed, diversely hosted and very dynamic digital enterprise. RadiantOne capabilities include:
- Establishing a "single source of truth" about users
- Automatic synchronization of changes made anywhere, to maintain the "single source" efficiently
- Extensive and flexible support for user authorization (privilege) attributes
- High-performance, resilient and scalable cloud data store
- Extensive support for rapidly building interfaces to a wide variety of applications and domain-specific IDPs, and to identity-related data sources.