EY Zero Trust Framework: Impact on the Business

Authored by Sam Tang, EY Chief Identity Architect

It's probably not a surprise to anyone in the IT and security industry to say that Zero Trust is a "top of mind" initiative for professionals over this past year and a key part of an enterprise organization's 2022 strategic planning. The challenge is that few organizations know where they are currently and how to get to this destination or should I say, more realistically their journey. Some of the key elements towards this journey include aligning across an organization's people, process, technology, and most importantly but less thought of, is the company culture.

During the recent SailPoint Navigate 2021 conference, Ernst & Young LLP ("EY") was given the opportunity to present a roundtable discussion focused on the future of risk and ways organizations can start to view risk through a lens of modernization. This session highlighted who should be thinking about implementing a Zero Trust framework, how to implement it, and what challenges clients may face during the implementation process.

In this session, "Zero Trust Framework - Impact on the Business", Sam Tang, - EY Identity Access Management ("IAM")'s Chief Identity Architect, Henry Burgess - an EY Cybersecurity Managing Director and Gaurav Sheth & Rob Foster - both Cybersecurity Senior Managers, discussed and defined the concept of Zero Trust, the main pillars of the Zero Trust framework, and the types of organizations that can apply this framework (spoiler alert - all organizations can leverage this framework!)

So, what is Zero Trust? During the panel discussion, Rob Foster explained that the key concept behind Zero Trust is zero standing privilege, which means users are not granted explicit access to any resources based on their user profile. Instead, a Zero Trust ecosystem continuously verifies a user's identity and authorization at runtime, reacting to the risk environment dynamically, to provide coarse and granular access to network zones, data, drives workload management, and application access. In this paradigm, as users request more specific access, their identity is re-validated at key control points and the user is challenged appropriately based on a gauge of trust in the user's identity, device security, channel-level security, and even behavioral aspects of the user's current session. The phrase "always verify" seems like a great way to summarize this incremental access management approach.

During the session, Sam Tang discussed how a Zero Trust security strategy stands in contrast to traditional access management approaches, where a user is granted relatively static, pre-determined sets of access rights that are unlocked when that user presents a valid credential (e.g. username and password, digital certificate). This is a point in the traditional security model that can frequently be exploited - if users' credentials are compromised, a bad actor can impersonate them and automatically gain access to that set of resources. The old model of "trust the credential" or "trust then verify" has proved not to have its gaps, and reliance on less-secure authentication methods like passwords (no matter how complex) amplifies the risk further. A true Zero Trust strategy incorporates continuous verification, regardless if it is an authentication, authorization, identification, or business transaction.

The end goal of Zero Trust is to have continuous verification at every transaction - it sounds complicated, but it will simplify things. In the roundtable, Gaurav Sheth described just how this can be done: if you've identified the right use cases, applied automation where feasible, and have implemented the right architecture, Zero Trust can really take a significant amount of effort off your administrators. How you design things and how you think about the balance between risk and controls are paramount to a successful Zero Trust journey.

Surprisingly, what we have seen at EY with our clients is that the most challenging aspect moving toward Zero Trust is typically an organization's culture - stemming all the way to the end-users. When we talk to clients and they are considering a Zero Trust journey, they are already looking at solutions and products. This approach could easily overlook the user interaction (both end-users and administrators) and adoption of Zero Trust practices, which could be the ultimate blocker of this transformation. The best approach is to understand how Zero Trust will fit into the company's culture. Senior-level, C-suite leadership is truly critical for success.

Zero Trust is not a one-size-fits-all solution - the needs of every organization are different; however, this framework can be applied to any of them. Companies may choose to start by looking at their identity security needs today and identifying key use cases that will address major areas of risk (e.g. network segmentation, workload segmentation, application authorization). After that, they can map how the Zero Trust framework can be applied and determine the balance of risk and control that is acceptable for that specific organization. Having an identity governance program leveraging a solution like SailPoint can provide a foundation for a Zero Trust model.

The power and scale of Zero Trust can grow along with the organization. If you'd like to watch this session, head over to the SailPoint Navigate site, go to View Navigate 2021 On-demand and select "EY Sponsor Session: Zero Trust Framework - Impact to the Business" to tune in.