Zero trust and IAM

The rapid pace of the digitisation of business has brought immense benefits. However, it has also introduced new threats to the organisation. These can be impossible to predict, difficult to contain, and costly to remediate.

Introducing zero trust architecture

Until relatively recently, perimeter-based network security models were considered the most effective approaches to protecting an organisation’s assets. However, since 2019 the UK’s National Cyber Security Centre (NCSC) has recommended that enterprise architects consider a ‘zero trust’ approach to IT architecture.

The early driver for zero trust architectures was ecommerce, where it is impossible to assume safe passage of data between merchant and consumer across the internet. This led to the ubiquitous deployment of browser-based authentication and encryption, negating the need for either party to concern themselves about the integrity of the network.

Zero trust architecture derives its name from its core assumption that the network is already compromised. Therefore, it cannot be trusted. Instead, trust is established at the application layer, within encrypted sessions between mutually authenticated endpoints. Consequently, the security of the session does not rely on the presence of a trusted network. Instead, it relies on the integrity of the endpoint and user identities.

The principles of zero trust architecture

Identity and authentication, therefore, are key to zero trust architecture. In fact, four of the six “zero trust principles” highlighted by the NCSC are directly related to identity and access management (IAM).

A single strong source of identity

A consistent, overarching system of identity enables applications to reliably identify users. Users’ identities must be based on the most authoritative sources of data. This ensures that users’ digital identities keep in step with reality.

User authentication

Users must prove their identity by authenticating when accessing any system. Single sign-on (SSO) can be used to avoid repeating authentication. Multifactor authentication (MFA) can be used to protect users’ SSO credentials from misuse if they are compromised.

Access control policies within an application

Recent applications that support modern approaches to identity can be exposed directly to users. Access decisions are taken by the application based on user information provided by the institution’s authentication system at time of access.

Authorisation policies to access an application

Legacy applications that do not support modern approaches to identity can be segregated behind an SSO-enabled portal. The portal is used to manage authorisation policies and enforce them, based on users’ authenticated identities.

The other two principles (machine authentication and machine integrity) are closely aligned to these. They are concerned with the identity of devices (rather than users) and authorisation based on software configuration (rather than a user’s entitlements).
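The following added example (not taken from the NCSC guidance or from any product) shows how an SSO-enabled portal in front of legacy applications could combine these principles into one deny-by-default access decision. The application names, role names and session fields are hypothetical, and the session is assumed to have been populated by the organisation's authentication system.

```python
from dataclasses import dataclass

# Constructed portal policy (hypothetical applications and roles).
# Each legacy application lists the roles entitled to reach it and
# the assurance it demands of the user and the device.
APP_POLICY = {
    "legacy-payroll": {"roles": {"hr-officer", "finance"},
                       "require_mfa": True, "require_healthy_device": True},
    "legacy-intranet": {"roles": {"staff", "hr-officer", "finance"},
                        "require_mfa": False, "require_healthy_device": False},
}

@dataclass(frozen=True)
class Session:
    subject: str                # identifier from the single source of identity
    roles: frozenset            # entitlements derived from authoritative data (e.g. HR)
    authenticated: bool         # user authentication completed via SSO
    mfa: bool                   # a second factor was presented
    device_authenticated: bool  # machine authentication
    device_healthy: bool        # machine integrity / health attestation

def authorise(session: Session, app: str):
    """Return (allowed, reason). Network location is never consulted."""
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, "no policy for application"   # deny by default
    if not session.authenticated:
        return False, "user not authenticated"
    if policy["require_mfa"] and not session.mfa:
        return False, "MFA required"
    if not session.device_authenticated:
        return False, "device not authenticated"
    if policy["require_healthy_device"] and not session.device_healthy:
        return False, "device failed health check"
    if not (session.roles & policy["roles"]):
        return False, "role not entitled"
    return True, "allowed"

if __name__ == "__main__":
    # Constructed sessions for illustration.
    alice = Session("alice", frozenset({"hr-officer"}), True, True, True, True)
    bob = Session("bob", frozenset({"staff"}), True, False, True, False)
    for user in (alice, bob):
        for app in ("legacy-payroll", "legacy-intranet", "legacy-crm"):
            print(user.subject, app, authorise(user, app))
```

Each denial returns a distinct reason, which gives the portal an audit trail of which principle blocked a request.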

Planning your organisation’s zero trust strategy

A zero trust architecture requires a conscious pivot to rethink security through the lens of identity rather than the network.

While the detail will vary between organisations, your planning should consider the following key issues:

  • It is important to have a full inventory and understanding of the user types and roles within the organisation and the processes concerned with the registration and maintenance of these. This information is usually stored within authoritative sources such as the human resources (HR) and customer relationship management (CRM) systems. This information informs the privileges accorded to the user types and roles needed to grant access to services.
  • The organisation needs an IAM solution that can create and maintain the single strong source of identity based on this information. It must also authenticate users, and authorise their access or provision authorisation information to services.
  • Finally, the business’s applications and networking infrastructure must be architected to provision access to services based on authenticated and authorised user identities. This will sometimes include other contextual or compliance information, such as machine health. The network should focus on connecting users to services, efficiently and effectively, and the IAM solution on security policy enforcement.

Finally, because zero trust touches all aspects of an organisation’s digital architecture, it should be treated holistically. This requires a strategy that joins together a range of activities across the business, rather than a discrete project.

Summary

Zero trust architecture shifts the focus from the network to identity, delivering more secure outcomes that are centred on the end user’s needs. Implementing a zero trust architecture requires rethinking and retooling some aspects of provision. However, a gradual transition is achievable for most organisations through incremental change. The key consideration is the IAM solution that underpins the identity and authentication requirements of zero trust, and its integration within the organisation’s digital architecture.