Why Your Zero Trust Needs an AI Refresh

Zero Trust rose from obscurity quickly as modern security attacks and state-sponsored breaches became commonplace.

Sometimes called perimeterless security, the concept began as part of a thesis in April 1994 by Stephen Paul Marsh at the University of Stirling. In 2003 Jericho Forum (now closed) discussed it and Google dabbled with it with its implementation of BeyondCorp in response to Operation Aurora. Today’s model is based on the work done by John Kindervag when he was at Forrester.

Yet, despite the nearly three-decade history, the conversation around Zero Trust is only now becoming louder. And that’s after the recommendations of U.K.’s National Cyber Security Centre (NCSC) and the publication of its architecture by NIST and NCCoE in the U.S.

But for Zero Trust to truly become effective, SailPoint believes it needs AI.

What has changed

While the idea behind Zero Trust of assuming no perimeter makes sense, it was a difficult sell when many corporate workers were sitting behind hardened corporate perimeters that their employers had poured a lot of money into.

“Historically, organizations only had to manage closed and relatively static environments. Anyone on a network was deemed safe once proper login procedures authenticated the user; trust would then automatically be granted,” says Chih-Feng Ku, SailPoint’s director for sales engineering at APJ.

With the rise in cloud adoption, this perimeter began to dissolve. It ushered in new identity types such as contractors and partners, forcing CISOs and their security teams to rethink how they protect their business.

“The Zero Trust model is based on the idea that no one should automatically be trusted — either from inside or outside a network — until their identity has been fully verified. That means authentication is required before users are given access to resources, even if those users are employees already inside a network,” explained Ku.

In the Zero Trust methodology, every identity and device can be a potential threat. But this idea of trust no one until verified became most relevant after the pandemic when corporate employees were no longer sitting behind any perimeters.

As many companies accelerated cloud adoption, many found that their employees’ machines lying outside the corporate perimeter were becoming targets. As a result, they saw the Zero Trust approach making sense.

“In fact, 99% of companies surveyed indicate that a recently implemented Zero Trust model is already delivering increased security,” says Ku.

Zero Trust begins with identity

So when you strip out the perimeter, you’re only left with identity data. And this is where Zero Trust begins, writes SailPoint in the eBook “Balancing Zero Trust With a Strong AI-driven Identity Strategy.”

“Zero Trust Security is based on the notion of ‘never trust, always verify’ and ‘assume the breach.’ What this means in practice is that no one should automatically be trusted to access resources, whether inside or outside of an organization. Essentially, every user is considered suspect until proven safe,” says Ku.

Analyzing identity data becomes a crucial first step in a Zero Trust model. It holds vital information such as identity attributes, access rights, access entitlements, behavioral data, and role and group memberships.

“In fact, according to a recent IDSA report, 97% of IT security experts agree that identity is a foundational component of a Zero Trust security model,” says Ku.

In the eBook, SailPoint notes that companies need to go beyond simple authentication decisions and use a complete, up-to-date identity record for each user; enforce Least Privilege at scale using roles, role-based access controls (RBAC), and complex access policy logic; employ strategies to keep security up-to-date and adapt as changes happen or when security teams detect new threats.

AI unravels identity complexity

The challenge with all the new identity security measures is that they can be exhaustive. It can also be a roadblock for a fast-growing company and make security increasingly complex to manage globally.

So, in the eBook, SailPoint suggests using AI. “Traditional identity security relies on human decision to make an approval. With the speed of digital transformation and exponential growth of identities, application, and data, organizations are overwhelmed with the amount of identity data generated and lack the internal expertise needed to maintain their zero trust strategy properly,” says Ku.

He believes that it is “beyond the scope of human ability” to sort through all of this information manually and analyze the vast amounts of identity-related data to make correct access decisions that is proving to be a challenge for many organizations.

“AI-driven identity security helps to automate the discovery, management, and control of user access. It leverages AI/ML technologies to discover insight and patterns, spot potential threats, and remove blind spots. It gives enterprises the ability to make better identity decisions by creating access recommendations, automating security tasks, and keeping policies up to date as organization changes,” says Ku.

The fact that AI algorithms constantly learn adds a new dimension to security beyond static rules and historic pattern recognition.

“AI algorithms are designed to learn from existing identity data, uncover hidden patterns, and make recommendations and decisions. Organizations will benefit from AI-driven identity security from day one, and quality of intelligence improves over time as more data is available,” says Ku.

However, this learning takes time. Cutting short the learning time with pre-trained models can also be a considerable challenge. “Pre-trained models can be difficult as identity data is complex and unique to the organization,” Ku points out.

No reason not to start AI-driven identity strategy

Despite the time needed for learning, Ku believes it should not stop security teams and CISOs from deploying an AI-driven identity strategy today. Such a strategy can speed up digital transformation and address concerns that security worries hold back digitalization ambitions.

“Do not let security concerns hinder or slow down organizations’ digital transformation. The business environment is changing rapidly, and organizations need to stay agile, adaptive, and innovative,” Ku says.

“AI-driven identity security accelerates digital transformation by enabling rapid adoption of Zero Trust strategy and building a strong foundation of enterprise security,” he adds.

Like all IT projects, SailPoint recommends a phased approach to get the quick wins that CISOs and security teams need to build a company-wide strategy.

Ku points out five phases:

• Start with establishing visibility to who is having access to what and clean up orphan accounts
• Streamline access certification and drive compliance
• Develop policy-based access model and governance (separation of duty)
• Automate identity lifecycle events (joiner-mover-leaver or JML Lifecycle events) to reduce helpdesk cost
• Implement a role-based access control (RBAC) model

An AI-driven identity strategy approach will also become crucial as corporate security shifts left.

“Hence complete visibility and control are necessary to detect potential anomalies, enforce access policies, and govern identity changes. AI-driven identity security platforms focus on driving the visibility, compliance, and efficiency,” concludes Ku.

Winston Thomas is the editor-in-chief of CDOTrends and DigitalWorkforceTrends. He’s a singularity believer, a blockchain enthusiast, and believes we already live in a metaverse. You can reach him at [email protected].

Image credit: iStockphoto/elenabs