The Zero Trust Paradigm Shift: Three Theses for the Future of IAM

The protection of sensitive corporate networks and critical infrastructures (KRITIS) is increasingly in focus in light of the tense security situation. The cybersecurity concepts currently in use are being put to the test.

It is becoming increasingly clear that classic firewall concepts alone can no longer offer sufficient resistance to hybrid attack patterns.

Against this background, IT security experts at Becom Systemhaus GmbH & Co. KG advise IT managers to rely increasingly on a zero-trust approach to network security. This is also reflected in the recently published US government memorandum on cybersecurity, with corresponding guidelines for federal authorities and agencies. Modern, centrally organized identity and access management is of particular importance here. In this context, the experts put forward three basic theses:

Thesis 1: MFA: use nothing that is not phishing-resistant

Many companies and government agencies feel a false sense of security because they have implemented multi-factor authentication (MFA) methods. However, not all of these technologies provide sufficient protection against online attacks. For example, one-time passwords (OTP) from a smartphone app, or codes delivered via SMS or voice call, are no longer considered phishing-resistant by today's standards. Standards-based MFA such as WebAuthn or FIDO2, using hardware security tokens or smart cards, is recommended instead.
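The reason WebAuthn/FIDO2 resists phishing while an OTP does not is that the authenticator's signature covers the browser-supplied origin and the relying party's challenge, and the credential itself is scoped to one RP ID. The following is an added illustration, not code from Becom or from any FIDO library: it simulates a relying party performing the standard assertion checks (challenge, origin, rpIdHash, user-presence flag, signature) against a simulated token. The RP ID, origin, and look-alike domain are constructed, and an HMAC secret stands in for the token's asymmetric key so the example runs with the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

RP_ID = "login.example.com"            # constructed relying-party ID (the site's effective domain)
RP_ORIGIN = "https://login.example.com"  # the only origin this RP accepts in clientDataJSON


class SimulatedAuthenticator:
    """Stand-in for a FIDO2 token. A real token holds an asymmetric key per
    credential and signs with it; here an HMAC secret plays that role."""

    def __init__(self):
        self._creds = {}   # credential_id -> (RP ID the credential is scoped to, secret)
        self._counter = 0  # signature counter, included in authenticatorData

    def make_credential(self, rp_id):
        cred_id, secret = os.urandom(16), os.urandom(32)
        self._creds[cred_id] = (rp_id, secret)
        return cred_id, secret  # the secret is handed to the RP as its verification key

    def get_assertion(self, cred_id, rp_id, client_data_hash):
        scoped_rp_id, secret = self._creds[cred_id]
        # Credentials are bound to one RP ID; the browser derives rp_id from the
        # page's real origin, so a look-alike domain never matches.
        if scoped_rp_id != rp_id:
            raise LookupError(f"no credential registered for RP ID {rp_id!r}")
        self._counter += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash (32 bytes)
                     + b"\x01"                                 # flags: user present
                     + self._counter.to_bytes(4, "big"))       # signature counter
        signature = hmac.new(secret, auth_data + client_data_hash, "sha256").digest()
        return auth_data, signature


def browser_get_assertion(authenticator, cred_id, page_origin, challenge):
    """What navigator.credentials.get() does: build clientDataJSON from the
    actual page origin and let the authenticator sign over its hash."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, separators=(",", ":")).encode()
    rp_id = urlparse(page_origin).hostname
    auth_data, sig = authenticator.get_assertion(cred_id, rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.keys = {}        # credential_id -> verification key
        self.pending = set()  # issued, not yet consumed challenges

    def new_challenge(self):
        challenge = base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()
        self.pending.add(challenge)
        return challenge

    def verify_assertion(self, cred_id, client_data, auth_data, signature):
        key = self.keys.get(cred_id)
        if key is None:
            return "unknown credential"
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return "wrong ceremony type"
        if cd.get("challenge") not in self.pending:
            return "unknown or replayed challenge"
        if cd.get("origin") != self.origin:            # the phishing-resistance check
            return f"origin mismatch: {cd.get('origin')}"
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rpIdHash mismatch"
        if not auth_data[32] & 0x01:
            return "user presence flag not set"
        expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
        if not hmac.compare_digest(expected, signature):
            return "bad signature"
        self.pending.discard(cd["challenge"])          # challenges are single use
        return "ok"


def demo():
    """Legitimate login vs. the same credential exercised from a look-alike origin."""
    token, rp = SimulatedAuthenticator(), RelyingParty(RP_ID, RP_ORIGIN)
    cred_id, key = token.make_credential(RP_ID)
    rp.keys[cred_id] = key
    results = {}

    challenge = rp.new_challenge()
    cd, ad, sig = browser_get_assertion(token, cred_id, RP_ORIGIN, challenge)
    results["legitimate"] = rp.verify_assertion(cred_id, cd, ad, sig)
    results["replay"] = rp.verify_assertion(cred_id, cd, ad, sig)   # same challenge again

    # Constructed look-alike origin relaying a real challenge: the browser derives
    # a different RP ID from it, so the token has no matching credential to sign with.
    fake_origin = "https://login.example.com.evil-proxy.test"
    challenge = rp.new_challenge()
    try:
        browser_get_assertion(token, cred_id, fake_origin, challenge)
        results["lookalike"] = "signed"
    except LookupError as e:
        results["lookalike"] = str(e)

    # Even if the origin field were rewritten after signing, the RP rejects it: the
    # origin check fails, and the signature covers the clientData hash anyway.
    tampered = json.dumps({"type": "webauthn.get", "challenge": challenge,
                           "origin": fake_origin}, separators=(",", ":")).encode()
    results["tampered_origin"] = rp.verify_assertion(cred_id, tampered, ad, sig)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:16s} -> {outcome}")
```

An OTP, by contrast, is just a short number the user types wherever a page asks for it; nothing in the code binds it to an origin, so the relying party cannot tell a code entered on the real site from one relayed through a look-alike. That binding, enforced at the `origin` and `rpIdHash` checks above, is what "phishing-resistant" means in the thesis.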

Thesis 2: the era of passwords is coming to an end

In the context of modern Identity and Access Management (IAM), passwords have lost their former role and typically provide no real security gain beyond a perceived one. Ideally, passwords can be dispensed with entirely. If this is not possible or desirable, you should, counterintuitively, avoid both complex password rules and mandatory regular password changes. The reason: it has now been shown that rules of this kind often have the opposite effect in practice and tend to lead to less secure passwords and working practices.

Thesis 3: grant access only as often as absolutely necessary

Role-based access control typically relies on relatively fixed, pre-defined roles. This almost inevitably means that employees also have unrestricted, standing access to resources that they do need from time to time but use relatively rarely. It is therefore advisable to use access permissions that are as dynamic and fine-grained as possible. Ideally, users can access a particular resource only for the period in which such access is actually required.
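To make the contrast between standing role-based permissions and time-bounded, just-in-time grants concrete, here is an added example that is not part of the original article and not Becom's product code. It is a minimal policy store in which every grant either carries an expiry or is explicitly flagged as standing access; authorization is evaluated against a caller-supplied clock so it is deterministic, and a report lists the standing grants the thesis recommends eliminating. The resource names, principals, ticket reference, and the four-hour cap are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_GRANT = timedelta(hours=4)   # constructed policy: no just-in-time grant outlives a shift


@dataclass
class Grant:
    principal: str
    resource: str
    granted_at: datetime
    expires_at: Optional[datetime]   # None = standing access (what the thesis warns against)
    reason: str


class AccessPolicy:
    """Grant store evaluated against an explicit clock (all times are UTC)."""

    def __init__(self):
        self.grants: list[Grant] = []

    def grant_standing(self, principal: str, resource: str, reason: str, now: datetime) -> Grant:
        """Classic role-style permission: valid until someone remembers to revoke it."""
        g = Grant(principal, resource, now, None, reason)
        self.grants.append(g)
        return g

    def grant_jit(self, principal: str, resource: str, duration: timedelta,
                  reason: str, now: datetime) -> Grant:
        """Just-in-time permission: bounded lifetime and a recorded justification."""
        if duration <= timedelta(0) or duration > MAX_GRANT:
            raise ValueError(f"duration must be within (0, {MAX_GRANT}]")
        if not reason.strip():
            raise ValueError("a justification is required for every grant")
        g = Grant(principal, resource, now, now + duration, reason)
        self.grants.append(g)
        return g

    def is_allowed(self, principal: str, resource: str, now: datetime) -> bool:
        """Deny by default; allow only on a matching grant that has not expired."""
        return any(
            g.principal == principal and g.resource == resource
            and (g.expires_at is None or now < g.expires_at)
            for g in self.grants
        )

    def revoke(self, principal: str, resource: str, now: datetime) -> int:
        """Cut short every live grant for (principal, resource); returns how many."""
        n = 0
        for g in self.grants:
            if g.principal == principal and g.resource == resource \
                    and (g.expires_at is None or now < g.expires_at):
                g.expires_at = now
                n += 1
        return n

    def standing_access_report(self) -> list[tuple[str, str]]:
        """Audit view: who holds permanent access to what."""
        return sorted((g.principal, g.resource) for g in self.grants if g.expires_at is None)

    def prune(self, now: datetime) -> int:
        """Drop expired grants from the store; returns how many were removed."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.expires_at is None or now < g.expires_at]
        return before - len(self.grants)


def demo() -> dict:
    """Walk one day of a constructed payroll database through both models."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    policy = AccessPolicy()
    policy.grant_standing("bob", "db/payroll", "member of role finance_admin", t0)
    policy.grant_jit("alice", "db/payroll", timedelta(hours=2), "ticket PAY-1 (constructed)", now=t0)
    return {
        "alice_during_window": policy.is_allowed("alice", "db/payroll", t0 + timedelta(hours=1)),
        "alice_after_window": policy.is_allowed("alice", "db/payroll", t0 + timedelta(hours=3)),
        "bob_weeks_later": policy.is_allowed("bob", "db/payroll", t0 + timedelta(days=30)),
        "standing": policy.standing_access_report(),
        "pruned": policy.prune(t0 + timedelta(hours=3)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20s} -> {v}")
```

The `standing_access_report` output is the list to work down: each entry is a permission that exists because of a role definition rather than a current need, which is exactly the exposure the thesis describes.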

“Ultimately, Zero Trust means a clear paradigm shift. The previously used concept of a supposedly secure internal network, protected from threats from the Internet by a firewall, no longer provides sufficient security against modern attack techniques. The basis of the Zero Trust concept, by contrast, is to consider the internal network fundamentally insecure and vulnerable. The logical and obvious consequence of this is the transition from user login at the network level to login or authentication at the application level. The growing number of reports about cyber attacks, carried out ever more professionally by a wide range of actors, shows how important it is to implement such a network security architecture, and how important it is to do so in time,” says Becom Systemhaus GmbH & Co. KG.
