How to Establish a Zero Trust IAM Framework


Enterprises cannot implement Zero Trust cybersecurity without real-time dynamic authorization and authentication for every access request. The principles of Zero Trust and Identity and Access Management (IAM) best practices help fill the gaps that traditional cybersecurity systems often create and ignore.  

Conventional cybersecurity methods involve setting a perimeter around corporate systems and protecting entry points with firewalls and VPNs. Anything already inside the network is considered trustworthy and allowed full access to data and other company assets. However, this “castle and moat” security model leads to unhindered lateral movement by malicious actors if they ever successfully penetrate the system. In addition, it encourages the misuse of privileged access by internal threats. 

This article discusses how Zero Trust addresses these vulnerabilities and the role IAM plays in striving for the ideal Zero Trust framework.  

What is Zero Trust security?

Zero Trust is a cybersecurity framework requiring every access request to be authenticated, authorized and validated. “Never trust, always verify” is the Zero Trust mantra. 

A subject (user, device or application) is not trusted simply based on location or asset ownership and is constantly evaluated from a security perspective. The Zero Trust model assumes that the network has already been compromised and attempts to prevent lateral movement by placing authentication and authorization checks throughout the system. 

The Zero Trust market value is estimated at $27.4 billion in 2022 and is expected to grow at a compound annual growth rate (CAGR) of 17.3% to reach $60.7 billion by 2027, according to a report by Markets and Markets. The term Zero Trust was popularized by Forrester Research and later developed into a standard by the National Institute of Standards and Technology (NIST). 

The NIST 800-207 Zero Trust Architecture (ZTA) paper laid the groundwork and provided guidelines to U.S. agencies for executing a Zero Trust strategy. Having gone through extensive validation by private enterprises as well, the NIST 800-207 is now considered the standard for implementing Zero Trust. 

To build an enterprise network based on the NIST 800-207 Zero Trust Architecture, we should make the following assumptions:

1. Nothing on the enterprise’s private network can be implicitly trusted. 

2. Not all devices on the internal network are owned or configurable by the enterprise. 

3. There can be no inherent trust and all requests must be evaluated by a policy enforcement point (PEP). 

4. Not all resources exist within the enterprise infrastructure.

5. The local network connections of remote subjects and assets are not secure. 

6. Assets and workflows that move between internal and external networks should have a consistent security posture defined by policies. 

Zero Trust aims to mitigate the damage caused by breaches. According to IBM, a mature Zero Trust program can save a business $1.5 million on data breach costs. 

The security perimeter dissolves as organizations undergo digital transformations and move towards remote work and multi-cloud environments. An alternative way to secure these environments is to break the corporate network down into segments and manage workloads within these segments. The network segments should all have granular ingress and egress controls to prevent unauthorized lateral movement, which is why IAM is essential for a Zero Trust strategy.   


Zero Trust: Identity and access management

IAM systems need to be dynamic, adaptive and granular for an effective Zero Trust strategy. Authentication and authorization work together to secure access across the entire organization. 

Zero trust authentication

An identity provider uses authentication mechanisms and protocols, such as multi-factor authentication (MFA), single sign-on (SSO) and OpenID Connect or OAuth2, to verify identity and issue ID tokens to subjects requesting access. The ID token carries the relevant contextual claims about the subject and is used to pass that information on to the service the user or entity is trying to access. 

Zero trust authorization

Zero Trust authorization — the next step — can be implemented with OPA, which allows for fine-grained access control using policy as code. OPA is a unified standard for authorization in cloud-native systems that acts as the policy decision point (PDP) in a Zero Trust authorization architecture. OPA can be deployed next to any admission point to make access control decisions based on policies and the information contained within the ID token. 

Traditional authorization methods, such as role-based access control (RBAC), tend to grant excessive permissions, defeating Zero Trust’s purpose and compromising network security. With OPA, you can define policies with as much granularity as needed. Granularity is vital in achieving Zero Trust and practicing the security principle of least privilege. 

The idea is to provide only the level of access required for business operations and nothing more. For example, you can write policies that make OPA consider real-world context and dynamic factors — such as user role, location and time of day — before granting access. You can use OPA to provide authorization anywhere in the cloud-native environment; only the policies that OPA evaluates need to differ for each access point. 

Besides end-user access control, OPA excels as a lightweight but powerful Zero Trust policy engine in microservices. It handles authorization for service-to-service requests, at the API gateway and at the service mesh layer. OPA communicates with sidecar proxies through APIs and externalizes access control decisions from the service itself. 
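As an added illustration (not code from this article or from the OPA project), the following Rego policy shows the role, location and time-of-day decision described above, evaluated by OPA against the claims carried in the ID token. The role names, location values, `input` layout and business-hours window are assumptions; signature and expiry checks on the token are assumed to have been done by the PEP before OPA is consulted.

```rego
package authz

import rego.v1

# Default deny: a request is allowed only if no deny reason applies.
default allow := false

# Claims copied from the ID token issued by the identity provider.
# Assumed input shape: {"method": "...", "token": {"claims": {...}}}
claims := input.token.claims

# Narrow role-to-method map (least privilege): unlisted roles get nothing.
permissions := {
	"analyst": {"GET"},
	"engineer": {"GET", "POST"},
}

# Locations from which write requests may originate (assumed values).
trusted_locations := {"office-eu", "office-us"}

allow if {
	count(deny) == 0
}

# Each deny rule records a reason, which the PEP can log for audit purposes.
deny contains "role not permitted for method" if {
	# Undefined role (missing claim) also lands here, so it is denied.
	not input.method in permissions[claims.role]
}

deny contains "write request from untrusted location" if {
	input.method != "GET"
	not claims.location in trusted_locations
}

deny contains "outside business hours" if {
	not within_business_hours
}

# Business hours: 08:00 to 17:59 UTC (assumed window).
within_business_hours if {
	hour := time.clock([time.now_ns(), "UTC"])[0]
	hour >= 8
	hour < 18
}

# Constructed sample input for `opa eval`:
# {"method": "POST",
#  "token": {"claims": {"sub": "alice", "role": "engineer", "location": "office-eu"}}}
```

Querying `data.authz.allow` and `data.authz.deny` together gives both the decision and the reasons behind it, which is what a PEP should record for later review.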

Deploy OPA at scale with Styra DAS 

As enterprises scale up, managing OPA across the entire system becomes a difficult task due to the sheer number of deployments. Having a unified control plane for OPA management is necessary to encourage collaboration between siloed teams and ensure Zero Trust compliance. However, building one in-house is time-consuming and distracts developers from their revenue-generating tasks.

Styra Declarative Authorization Service (DAS) is an OPA control plane brought to you by the same team who created OPA. With Styra DAS, you get centralized OPA management that lets you validate and test policies before implementation, enforce policies across the entire organization and see compliance violations in real-time. 

Microsoft Security reports that 96% of organizations believe a Zero Trust strategy is critical to their success. Styra DAS simplifies your Zero Trust IAM strategy and comes with shareable policy libraries and built-in policy packs, enabling you to reach a faster time-to-market. 

Best of all, with Styra DAS Free, there is no trial period. It’s free forever. 


Least privilege vs zero trust: What’s the difference? 

Least privilege and zero trust are both cybersecurity best practices. Least privilege means granting the required level of access to resources and nothing more. It is an essential part of a zero trust strategy. With zero trust, an entity’s identity must always be verified before granting access to resources. 

What are some challenges of Zero Trust?    

Zero Trust challenges include:

— Zero trust is not a product or solution but a philosophy and a mindset. You have to combine different strategies and tools to achieve it. 

— Zero trust can sacrifice productivity and user experience for the sake of security. 

— Legacy systems designed for security perimeters are hard to convert to a Zero Trust framework. Replacing these systems can be costly.
