Zero Trust Paths: IAM, Micro-segmentation, Software Defined Perimeters

Bryan Christ

June 14, 2021

Today, there are several ways that an organization can build out a Zero Trust Architecture (ZTA). Each method varies in components and organizational policy rules for its resultant architecture. The National Institute of Standards and Technology (NIST) guidelines identify three main approaches to ZTA:

  • Micro-segmentation
  • Software-defined perimeters
  • Enhanced Identity Governance

All of these are designed and deployed adhering to the same basic Zero Trust tenets, including but not limited to:
  • Nothing is implicitly trusted.
  • All data sources and computing services are considered resources.
  • All communication should be secured regardless of network location.
  • Dynamic, contextual, policy determines access to resources.

While each of these methods is rooted in these ZT foundational principles, specific approaches lend themselves to some use cases more than others. Each has strengths, and they are not mutually exclusive. However, for an organization looking to develop ZTA for its enterprise applications, enhanced identity governance and identity access management (IAM) is the next-generation gold standard in a world where the perimeter plays a less significant role. A deeper examination of both micro-segmentation and software-defined perimeters will demonstrate the benefit of enhanced identity governance further.

ZTA and Micro-segmentation

For many years, micro-segmentation was the only model available for Zero Trust Architectures. This history often gives it a leg up, as it is well-established. It requires an organization to implement ZTA by placing individual resources, or groups of resources, on a unique network segment protected by a gateway security component.

Some form of identity governance program is required to make micro-segmentation function. Additionally, it is best suited for smaller and static network environments, as it becomes more challenging and expensive in organizations with dynamic and complex infrastructures. In a maturity model that de-emphasizes the perimeter, compartmentalizing your network architecture ever further by creating new perimeters within perimeters seems counterintuitive. This is often done to safeguard legacy systems where options are limited. A better approach would be to select an IAM solution that provides native, encrypted connectivity to older systems (like a mainframe). Moreover, in a SaaS-driven world where the enterprise has little or no control over the application environment, micro-segmentation becomes increasingly challenging.

ZTA and Software-Defined Perimeters

This implementation allows organizations and the policy administrator to restrict network access and provide customized, managed, and secure access to networked systems via a policy engine defined by a software-defined perimeter. Connectivity is based on a need-to-know model: each device and identity must be verified before it is granted access past the network perimeter.

Like micro-segmentation, software-defined perimeters rely on traditional IT boundaries to work and benefit organizations that still maintain these structures. As technology continues its migration to the cloud, these perimeter networks become less important.

ZTA, Identity Governance, and IAM

Why are perimeters, and by corollary both micro-segmentation and software-defined perimeters, becoming increasingly outmoded? According to the 2021 Verizon Data Breach Investigations Report, while 80% of breaches are committed by external actors, 20%, or a fifth, come from internal actors. Also, most external actors purchase valid credentials on the dark web or socially engineer and phish credentials from valid users. So even indirectly, the threat still comes from inside, even though the perpetrator is external. Creating more perimeters in a micro-segmentation model or arming your boundaries with software-based policy enforcement cannot be your only line of defense. You need to be able to deflect attacks inside your network.

Beyond their ease and versatility in deployment, IAM systems provide single sign-on and federated access whether you’re on-premises, off-premises, or in the cloud, creating a Zero Trust network that doesn’t rely on fences but still maintains cutting-edge security. Moreover, most external breaches occur through hacking and social engineering, but a Zero Trust Architecture based in IAM grants access by automated provisioning and de-provisioning. This automation, following the rules of “least privilege” and “just-in-time” access, replaces the need for passwords, so there are no passwords to hack or socially engineer in the first place.

As deperimeterization grows, you will need a ZTA that is dynamic, elastic and scales with it even as the borders between systems begin to dissolve. And because identity access management knows no boundaries, it’s an effective next-generation Zero Trust solution.
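To make the tenets above concrete (nothing implicitly trusted, access decided by contextual policy rather than network location, least-privilege and just-in-time grants), here is an added toy policy decision point. It is example code written for this page, not from the original post or any vendor product; the user names, resources, entitlement table and clock value are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

T0 = datetime(2021, 6, 14, 9, 0, tzinfo=timezone.utc)  # constructed clock for the demo

@dataclass
class AccessRequest:
    subject: str            # identity already authenticated by the IAM system
    mfa_verified: bool      # strong authentication completed for this session
    device_compliant: bool  # posture reported by the endpoint agent
    resource: str
    action: str
    network: str            # "corp", "vpn" or "internet": recorded, never trusted
    now: datetime
@dataclass
class Grant:
    subject: str
    resource: str
    action: str
    expires: datetime       # just-in-time access: nothing is granted permanently

# Constructed entitlement table; least privilege means anything absent is denied.
ENTITLEMENTS = {("alice", "payroll-db", "read"): timedelta(minutes=30),
                ("bob", "mainframe", "read"): timedelta(hours=1)}

def decide(req: AccessRequest) -> Tuple[bool, str, Optional[Grant]]:
    """Policy engine: identity, device posture and entitlement decide; req.network is
    deliberately ignored, so the corporate LAN earns no more trust than the internet."""
    if not req.mfa_verified:
        return False, "identity not verified", None
    if not req.device_compliant:
        return False, "device posture failed", None
    ttl = ENTITLEMENTS.get((req.subject, req.resource, req.action))
    if ttl is None:
        return False, "no entitlement", None
    return True, "granted just-in-time", Grant(req.subject, req.resource, req.action, req.now + ttl)

def is_valid(grant: Grant, now: datetime) -> bool:
    return now < grant.expires  # re-checked on every use; an expired grant simply stops working

def demo() -> dict:
    """Three constructed requests; returns the outcomes so they can be inspected."""
    base = dict(subject="alice", mfa_verified=True, device_compliant=True,
                resource="payroll-db", action="read", now=T0)
    no_mfa = decide(AccessRequest(**{**base, "network": "corp", "mfa_verified": False}))
    remote = decide(AccessRequest(**{**base, "network": "internet"}))
    write = decide(AccessRequest(**{**base, "network": "internet", "action": "write"}))
    return {"corp_without_mfa": no_mfa[0], "internet_with_mfa": remote[0], "write": write[0],
            "valid_now": is_valid(remote[2], T0),
            "valid_after_1h": is_valid(remote[2], T0 + timedelta(hours=1))}
```

Note that the request from the corporate network without MFA is refused while the verified request from the internet is granted, and that the grant expires on its own after its 30-minute window.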

Beginning Your Zero Trust Journey

Beginning your Zero Trust journey with an access management solution requires an outlined and finessed approach. To start, you’ll want to work towards Zero Trust by initiating Reduced Trust. Learn about this formative first step and more of the ZT transformation by downloading our ebook: Zero Trust and Access Management: A Journey, Not a Destination.
