IDaaS, Zero Trust, and security-in-depth
In our previous blogs, we looked at how remote access has evolved and how identity-as-a-service (IDaaS) solutions have stepped in to fill the security gap that opened as a growing population of remote users began accessing corporate workloads. Now, let’s look at how you can develop a security-in-depth framework that satisfies your security needs without locking you into directory-based solutions.
With the notion of Zero Trust, we no longer distinguish a “trusted” internal network from an “untrusted” external network, nor do we treat the network perimeter as the “edge” for security. The edge, instead, is whichever access point the user is connecting from to reach resources.
The premise behind Zero Trust is simple: No user is universally granted access. Instead, they must (via behind-the-scenes software solutions) prove that they are who they claim to be, that the device is recognized, and that access to the requested workload is permitted at that particular time, location, and so on. But Zero Trust doesn’t stop there. Because “trust” is continually verified, the solution keeps checking the user’s access credentials throughout the session, and it will disconnect the user if any required criterion is suddenly no longer met.
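The per-request and in-session checks described above, as an added example that is not Barracuda’s code or any IDaaS API: a hypothetical policy engine (names and sample values constructed here) that evaluates identity, device, location and time signals, and cuts an open session the moment one of them stops holding.

```python
from dataclasses import dataclass
# Hypothetical policy engine, constructed for this example (not Barracuda's product or any IDaaS API).
@dataclass(frozen=True)
class Context:
    user: str
    idp_verified: bool   # the IDaaS (e.g. Okta or AAD) vouched for this user
    device_id: str       # device the request comes from
    country: str         # location of the access point
    local_time: str      # "HH:MM", 24-hour, zero-padded so string comparison orders correctly

@dataclass(frozen=True)
class Policy:
    allowed_users: frozenset
    registered_devices: frozenset
    allowed_countries: frozenset
    window: tuple        # (start, end) local time during which access is permitted

def evaluate(policy: Policy, ctx: Context) -> list:
    """Return the criteria that fail; an empty list means access is allowed."""
    failures = []
    if not ctx.idp_verified or ctx.user not in policy.allowed_users:
        failures.append("identity")
    if ctx.device_id not in policy.registered_devices:
        failures.append("device")
    if ctx.country not in policy.allowed_countries:
        failures.append("location")
    start, end = policy.window
    if not start <= ctx.local_time <= end:
        failures.append("time")
    return failures

class Session:
    """Trust is never granted once: every request re-runs the policy and the
    session is cut permanently on the first failing criterion."""
    def __init__(self, policy: Policy, ctx: Context):
        self.policy = policy
        self.disconnect_reason = evaluate(policy, ctx) or None
        self.active = self.disconnect_reason is None

    def check(self, ctx: Context) -> bool:
        """Called on each request or timer tick with the current signals."""
        if not self.active:
            return False          # once cut, the user must authenticate again
        failures = evaluate(self.policy, ctx)
        if failures:
            self.active, self.disconnect_reason = False, failures
        return self.active

# Constructed sample policy for a payroll workload: one user, one registered laptop, US only, 07:00-19:00
PAYROLL = Policy(frozenset({"alice"}), frozenset({"laptop-42"}), frozenset({"US"}), ("07:00", "19:00"))
```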
Effective Zero Trust
In order for Zero Trust to be effective, it has to rely on the organization’s identity management strategy. For small organizations that could be as simple as their Azure Active Directory (AAD), but many organizations look to streamline security and hide its complexity from users so that a user can sign on once and access whatever he or she has the privilege to access. One popular solution for identity and access management (IAM) is Okta Verify, and many Zero Trust access solutions are designed to integrate with Okta. This is the beginning of a security-in-depth strategy at the edge: Identity management and access are coupled with a Zero Trust foundation that ensures only those for whom access is allowed can actually get into applications and workloads.
By decoupling Zero Trust from IDaaS, organizations can leverage multiple IDaaS solutions and simply point them to the same access engine. This also means organizations can leverage specific IDaaS solutions that play well with their business platforms (for example, Azure Active Directory) while still maintaining a robust Zero Trust strategy. Microsoft is a good example of why decoupling Zero Trust and IDaaS makes sense: AAD only services some Microsoft workloads and applications, requiring organizations to implement a somewhat complicated set of different verification tools to extend Zero Trust across the organization.
This is where bespoke Zero Trust applications come into play, and they often make better sense for an organization than trying to build a Zero Trust solution around a single IDaaS player such as AAD. The key here is selecting a “front-end” Zero Trust solution that can integrate with existing IDaaS solutions so the organization can leverage a “best of all possible worlds” approach and have a single management point for its Zero Trust.
Barracuda’s CloudGen Access Zero Trust platform integrates with IDaaS solutions, including Azure Active Directory, Okta, and Google Suite. This allows customers to deploy and manage a single Zero Trust platform while still taking advantage of the built-in security telemetry provided by these top-tier directory services. A single Zero Trust platform also means organizations aren’t locked into specific security paths or methodologies, which will keep evolving as IDaaS becomes the mainstream method of securing remote authentication.