The Only Path to Zero Trust Runs Through Convergence

Without a genuinely converged identity solution, companies have zero chance at Zero Trust.

Many executives outside IT and security are enamored with Zero Trust and shiny new solutions that promise easy-button style security. 

For those of us working in the security trenches, fancy labels and trendy buzzwords don’t matter as much as executing what the ideas imply. In this case, maintaining least privilege.

Security leaders must resist the internal and external voices suggesting they can just “buy” Zero Trust in a product or platform. Vendors are magnificent at selling the idea of an off-the-shelf option – unfortunately, not all security solutions are created equal. Especially, when it comes to supporting a “never trust, always verify” approach.

While Zero Trust principles help plug cyber defense gaps, companies must be careful to not buy the buzz and make a devastating, first mistake: accepting non-convergence.

Non-convergence describes when vendors stitch together disparate products across identity governance and administration (IGA), privileged access management (PAM), application GRC, and third-party access governance.

This is the root of the problem. 

Deploying individual point identity security products eventually results in security gaps,  management nightmares, and increased costs.

How Non-Convergence Inhibits Zero Trust

You’ve heard the maxim, “a square peg will never fit a round hole.”

In the cybersecurity domain, we can apply this to using fragmented identity tools (even if marketed as an ‘integrated solution’) to support Zero Trust. When enterprises can’t unify security tools or capabilities, least-privilege wanes and weakens the Zero Trust foundation. 

When explaining the pitfalls of non-convergence, here are a few of the issues I highlight: 

Non-convergence means separate point solutions. 

Non-converged offerings may be disguised as integrated, while actually being cobbled together behind a single sign-on (SSO) wall and lacking a unified architecture. A converged solution, however, is architecturally unified across functionality on a single code base to eliminate silos and blind spots. This allows security teams to manage identity security from a single point of control – without disruption or delay.

Non-convergence requires untangling overlapping identity personas and correlating information silos. 

Many IT teams are embracing “one identity for life“ to improve access and risk-based decision making. Unifying identities helps companies better see exactly what users have access to in order to prevent separation of duties (SoD) violations. The information is also used to assess the risk of access to resources and can be understood across both on-prem and cloud environments. Consolidating multiple identities into a single identity also helps simplify access risk assessments across varied environments.

Non-convergence limits visibility in multi-cloud environments. 

Supporting Zero Trust requires that companies solve the security and governance challenges introduced in multi-cloud and hybrid environments. For example, companies with resources spread across multiple cloud providers are more vulnerable to toxic permission risks. Converged models (by definition) provide in-depth views of cloud and on-prem resources. 

Once every architectural environment is visible, security leaders can centralize information from various solutions and map identities and permissions back to compliance controls. Then, they can apply these throughout their security program. Naturally, sound risk decisions become easier. 

Non-convergence restricts access request usefulness. 

Wide open access held by superusers is Zero Trust’s kryptonite. 

Unlike patched-together point solutions, converged identity platforms centralize identity management and governance with components that share underlying processes. By bridging IGA, PAM, and third party and application access governance, companies can better right size access, unify controls, and improve risk management for every identity, application, and cloud. 

Security administrators can also bring contextual (e.g. – average peer usage or requestor’s role permissions) and device information, user behavior, and analytics into access request processes to better protect their IT environments. 

Moving Forward

Resisting insider threats is one of the most complicated defense activities. 

As Security Intelligence details, distinguishing between a user’s normal activity and anomalous activity is a challenge. Insiders know where sensitive data exists and many possess elevated levels of access. 

Converged solutions reduce threats stemming from this – and reduce related issues of over-provisioning and always-on access. 

Of course, Zero Trust is a mindset and a journey; you can’t go buy it.

But, you can enable it through a coordinated effort to provide minimal, as-needed access for employees, third-parties, and machines. This requires tools that are flexible and extensible to meet constantly changing IT infrastructures, user demands, and threats.