Automated Zero Trust: The Only Thing to Put Your Trust in
How to reap the benefits of great IAM solutions, but remain in control of your own destiny
There’s no question that centralized identity and access management (IAM) helps companies reduce risk and prevent attacks. But, as this week’s Okta attack shows, centralized IAM doesn’t eliminate all risks. Attackers with access to IAM data can use this information to easily access downstream systems or modify permissions to grant elevated access to malicious parties.
Reducing this risk requires a shift in how you manage identity and access; not away from centralization, but rather towards a zero-trust model.
What is Zero Trust?
In a Zero Trust model, a user or entity must be verified at every transaction, regardless of whether it has been previously authorized. In the context of permissions, rather than granting certain users permanent system access, privileged and elevated permissions are granted for a limited duration, upon request. This ensures sensitive accounts and information are only accessed as needed, and access is revoked when the need expires.
This keeps accounts in a constant state of least privilege—meaning users are only given the minimum amount of access needed to perform their work. Further, even if account credentials are compromised, malicious actors won’t be able to escalate privileges or move laterally within the network without first gaining verification.
Automation can enhance Zero Trust practices in a number of ways to reduce risk even further. Here we’ll explore a few specific workflows within Torq that can help you operationalize Zero Trust within your organization.
Suggestion #1: Automatically Identify Outdated Permissions
For customers who haven’t fully adopted a Zero Trust approach to identity and access, it’s still critical to ensure that inactive accounts are identified and suspended. This is especially true for teams that work with external contractors where access may not be required at all times and such accounts lie dormant between engagements.
These inactive accounts are ripe for exploitation by bad actors. Because they’re tied to external vendors, access from outside corporate networks does not always register as suspicious—making them expedient vectors of attack.
At Torq, we strongly recommend that all customers using Okta also leverage the Suspend Inactive Contractor Accounts workflow template. This workflow polls Okta on a daily basis to identify contractor accounts with no logins for the past seven days (users can easily adjust the timeframe based on internal policies).
Accounts that meet the inactivity threshold can then be suspended immediately, but for greater control, the workflow sends the findings to a designated Slack channel for human review. If the account is approved for suspension, any future login attempts for that account will require reactivation and verification.
Workflow template for suspending inactive contractor accounts
This is a high-impact process to start with because it can run in the background, helping to silently reduce risk and improve protection without any overhead on the security team.
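The inactivity check described above, as an added example that is not Torq's workflow template: it takes Okta-style user records (field names follow Okta's Users API: status, created, lastLogin, profile.login, profile.userType), flags contractors idle longer than the threshold, and builds the review message for a human rather than suspending anything itself. The "contractor" userType value and the sample records are constructed.

```python
# Added example, not Torq's template. Okta statuses that already deny login
# are skipped so the review channel is not spammed with re-flagged accounts.
from datetime import datetime, timedelta, timezone

ALREADY_BLOCKED = {"SUSPENDED", "DEPROVISIONED"}

def _parse(ts):
    # Okta timestamps look like "2022-03-15T10:20:30.000Z"
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def find_inactive_contractors(users, now, inactive_days=7):
    """Return (login, days_idle) for contractor accounts past the threshold.
    Accounts that never logged in fall back to their creation date, so a
    provisioned-but-unused contractor account is still caught."""
    cutoff = now - timedelta(days=inactive_days)
    findings = []
    for u in users:
        if u["status"] in ALREADY_BLOCKED:
            continue
        if u["profile"].get("userType") != "contractor":   # constructed value
            continue
        last_seen = _parse(u["lastLogin"] or u["created"])
        if last_seen < cutoff:
            findings.append((u["profile"]["login"], (now - last_seen).days))
    return sorted(findings, key=lambda f: -f[1])

def slack_review_message(findings, inactive_days=7):
    """Text for the review channel; suspension stays a person's decision."""
    if not findings:
        return f"No contractor accounts inactive for more than {inactive_days} days."
    lines = [f"Contractor accounts with no login in {inactive_days}+ days (approve to suspend):"]
    lines += [f"- {login}: {days} days idle" for login, days in findings]
    return "\n".join(lines)

# Constructed sample records mimicking Okta's /api/v1/users output
NOW = datetime(2022, 3, 23, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"status": "ACTIVE", "created": "2021-06-01T00:00:00.000Z", "lastLogin": "2022-03-21T09:00:00.000Z",
     "profile": {"login": "alice@contractor.example", "userType": "contractor"}},
    {"status": "ACTIVE", "created": "2021-06-01T00:00:00.000Z", "lastLogin": "2022-03-01T09:00:00.000Z",
     "profile": {"login": "bob@contractor.example", "userType": "contractor"}},
    {"status": "PROVISIONED", "created": "2022-02-01T00:00:00.000Z", "lastLogin": None,
     "profile": {"login": "carol@contractor.example", "userType": "contractor"}},
    {"status": "SUSPENDED", "created": "2021-06-01T00:00:00.000Z", "lastLogin": "2022-01-01T09:00:00.000Z",
     "profile": {"login": "dave@contractor.example", "userType": "contractor"}},
    {"status": "ACTIVE", "created": "2021-06-01T00:00:00.000Z", "lastLogin": "2022-01-01T09:00:00.000Z",
     "profile": {"login": "erin@corp.example", "userType": "employee"}},
]

if __name__ == "__main__":
    print(slack_review_message(find_inactive_contractors(SAMPLE_USERS, NOW)))
```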
Suggestion #2: Just-in-Time Access
A more proactive way of automating Zero Trust practices is through just-in-time (JIT) access.
Many of our customers already leverage Torq in conjunction with Okta using this exact workflow.
Torq workflow for just-in-time access via Okta
Instead of granting permanent access, users can trigger a Torq workflow via Slack to request access on demand, for a limited duration. This workflow sends details of the access request to an approver in Slack, who can then approve or deny temporary permissions, and then sends the requester a follow-up. The process happens in real time, so as not to disrupt the normal course of business.
One of the key benefits of this workflow is that it maintains the “human in the loop” for making the decision to grant or deny access while automating the low-level work of passing requests and checking existing access.
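The request-approve-expire lifecycle described above, as an added example that is not Torq's JIT template: a small ledger that caps each request at a per-group maximum, refuses self-approval so the decision stays with a second person, records the expiry time, and tells a scheduled sweep which grants to revoke. Group names, policy limits and timestamps are constructed.

```python
# Added example, not Torq's workflow. The ledger only tracks state; removing the
# group membership in the IdP is left to the caller of revoke_expired().
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy: longest window a single approval may grant per group
MAX_DURATION = {"aws-prod-admin": timedelta(hours=2), "db-readonly": timedelta(hours=8)}

@dataclass
class Request:
    requester: str
    group: str
    wanted: timedelta              # already capped by policy
    approver: str = None
    expires_at: datetime = None
    status: str = "pending"        # pending | approved | denied | revoked

class JitLedger:
    def __init__(self):
        self.requests = []

    def request(self, requester, group, wanted):
        if group not in MAX_DURATION:
            raise ValueError(f"{group} is not eligible for JIT access")
        r = Request(requester, group, min(wanted, MAX_DURATION[group]))
        self.requests.append(r)
        return r

    def decide(self, r, approver, approve, now):
        """Human decision from Slack; returns the follow-up text for the requester."""
        if approver == r.requester:
            raise PermissionError("requester cannot approve their own access")
        if r.status != "pending":
            raise ValueError(f"request already {r.status}")
        r.approver = approver
        if approve:
            r.status, r.expires_at = "approved", now + r.wanted
            return f"{r.requester}: {r.group} approved until {r.expires_at:%Y-%m-%d %H:%M}Z"
        r.status = "denied"
        return f"{r.requester}: {r.group} denied by {approver}"

    def revoke_expired(self, now):
        """Grants whose window has closed; the caller removes the membership."""
        due = [r for r in self.requests if r.status == "approved" and r.expires_at <= now]
        for r in due:
            r.status = "revoked"
        return due

if __name__ == "__main__":
    ledger, t0 = JitLedger(), datetime(2022, 3, 23, 9, 0, tzinfo=timezone.utc)
    req = ledger.request("alice", "aws-prod-admin", timedelta(hours=5))   # capped to 2h
    print(ledger.decide(req, "bob", True, t0))
    print([r.requester for r in ledger.revoke_expired(t0 + timedelta(hours=2))])
```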
Suggestion #3: Accessor Chat Bots
While the JIT workflow may be useful for scenarios where access isn’t needed frequently (say, once a week), some organizations may find that the number of times such requests take place will still overwhelm any given person. For cases where requests happen multiple times a day or hour—for example, where access is needed to pull data—further automation may be useful.
Many Torq customers use the platform for semi-autonomous workflows that support “accessor” or “operator” chat bots. These bots act on behalf of the requesting user and can perform trivial actions like data retrieval, eliminating the user’s need for direct access and contributing even further to a state of least privilege.
Automate Your Way to Zero Trust
Whether you’re all in on Zero Trust identity and access or just getting started, Torq’s template library offers dozens of workflows that inherently establish industry best practices—ready to be deployed and activated in minutes. This automation supercharges the benefit IAM platforms like Okta deliver, while keeping you protected in case of compromise.