The NTT DATA Zero Trust story is simple and elegant – it starts with using identity to ensure only authorized users have access to what is needed when it is needed while keeping everyone out at arm's length. Zero Trust relies on identity as the context of continuous verification for permissions and access across all network resources. While the NTT DATA approach is straightforward, the journey was anything but. As a complex global organization that has grown through acquisition, NTT DATA required alignment from the global CISO community and board-level buy-in.
"NTT DATA is growing continually, and a significant part of that growth comes through mergers and acquisitions," says Hiroshi Honjo, Head of Cyber Security and Governance at NTT DATA's Technology and Innovation General Headquarters in Tokyo. "We had a very frank discussion with the board early on, and our position was that the only way we can consistently grow globally and stay secure is through a Zero Trust architecture." Identity management and continuous verification require a unified user directory across all applications: you need to start with a single source of truth. To ensure you can accurately assess and assign each transaction, you need to have a known and trusted source of record. In our case, NTT DATA implemented an identity management ecosystem that pulls identity data about systems and users from various systems of record.
Once we had a single source of truth, we needed to map out the identity and role mining workflows and ensure separation of duties and least privilege. We worked to establish governance over those identities: that is to say, we laid out clear rules defining who had access to what and how access would be approved or denied. There must be a recertification workflow for access to applications, so users aren't simply accumulating access the longer they stay with a company. As we worked through our role mining, we designed for separation of duties and least privilege — core tenets of Zero Trust.
Having a single source of truth allowed us to federate access, having one identity for both cloud SaaS applications and on-premises applications. We have implemented two-factor authentication and are moving towards a passwordless user experience, which allows for better security and, most importantly, a better user experience. (Passwordless authentication verifies identity via an alternative method such as biometrics, security keys or a mobile device.) Multi-factor authentication is critical for good security as identity becomes the new perimeter. Using biometrics or hardware keys strengthens identity by increasing the assurance that the identity claimed by the person at the keyboard is true.
Of course, it’s important to remember that It is not just users that have identities: systems, devices, and applications also have identities. We use device management to authorize endpoints to detect risk when an employee tries to connect from a device that is not corporate-owned and secured. Only authorized endpoints can access systems and data. Our IDM then integrates with our endpoint identity to ensure only authorized endpoints and users target systems and applications. Our IDM SSO provides the last mile identity and access security to systems and data. This security extends to our use of conditional access and private access agents for users and endpoints, creating a VPN-like "bubble" around our various digital properties and internal systems.
Conditional access allows you to move away from binary decisions. "In the old days, as soon as you logged into your computer, you had access to almost everything on that device and the entire corporate network," says Dan Glass, VP, Corporate CISO at NTT DATA's Dallas-Fort Worth Headquarters, "It was all about a username and a password. If you were at work, you were likely on the domain, and then that domain trusted you. You and any other trusted user in that domain and you had access to pretty much everything that the domain had to offer."
Instead of a binary decision, conditional access provides a more nuanced approach. Conditional access enables security signals fed from identity systems or endpoint management solutions to decide the level of proof required for access. For example, most modern identity solutions include threat information that determines when a company email address and password used as account credentials for a breached website are for sale on the dark web. The authentication process can block breached accounts during login based on this threat information.
Similarly, users are more likely to connect from home computers rather than corporate devices. Therefore, you might want to seek greater assurance that they are whom they say they are using multi-factor authentication. The world is moving toward a paradigm where it’s not the network device nor the application making the call to the database but the users themselves. The user makes the call to the database via the application in question, so the identity is being certified at every level.
Consider conditional-based access to be a light version of attribute-based access control, allowing you to use attributes to adjust the risk of providing access. There are a variety of use cases: evaluating whether the activity a user is conducting is logical, or whether they’re coming from the correct machine, or at a time of day the user usually performs the action in question. Data scientists have developed many ways to positively identify users based on context and behavior — not simply because they provided proper credentials. The endpoints themselves are managed and must have endpoint detection and response capabilities. The management and patching of endpoints are architected to use the least privilege.
All of this points to why identity needs to be the purview of security teams to implement Zero Trust fully. "If security doesn't own identity, it is really difficult to do Zero Trust,” says Glass. When you put it all together, it’s clear that identity is critical to Zero Trust–and that’s why it is the foundation of NTT DATA’s ZTNA.
Post Date: 2022-03-16