PAM
Zero trust redefines legacy Privileged Access Management (PAM) for the modern enterprise IT threat landscape. Organizations must discard the old “trust but verify” model, which relied on implicit user trust plus well-defined boundaries. Zero trust mandates a “never trust, always verify, enforce least privilege” approach to privileged access from inside or outside the network.
Zero trust requires granting least privilege access based on verifying who requests access, the request’s context, and the access environment’s risk. By implementing least privilege access, organizations minimize the attack surface, improve audit and compliance visibility, and reduce risk, complexity, and costs for the modern, hybrid enterprise.
In 2017, Forrester refreshed Zero Trust into Zero Trust Extended (ZTX), making it more prescriptive to facilitate implementation. ZTX accounted for business transformation and for advances in technology driven mainly by cloud adoption. It expanded the framework beyond network segmentation into a complete and holistic approach, including:
Data
This extended framework now gives organizations alternative “on-ramps” to achieve Zero Trust based on their risk-mitigation agendas. The on-ramp that best represents the use of PAM to address identity-related risk is the “People” pillar. Zero Trust for People focuses on governing and enforcing security controls during authentication and authorization, i.e., during login to workstations, servers, and network devices and when executing privileged applications and commands, in order to prevent data breaches and ransomware.
Legacy PAM has been around for decades and was designed for a time when ALL privileged access was confined to systems and resources INSIDE the network. The typical environment was systems administrators sharing a “root” account that they checked out of a password vault to access a server, a database, or a network device. Legacy PAM served its purpose.
However, today’s environment is different. Privileged access not only covers infrastructure, databases, and network devices but is extended to cloud environments. It also includes Big Data projects, must be automated for DevOps, and needs to accommodate hundreds of containers or microservices to represent what used to be a monolithic app on a single server.
We all live in a world of Advanced Persistent Threats (APTs) that pose a growing risk to organizations’ financial assets, intellectual property, and reputations. For most APTs, including ransomware, expanding access and obtaining credentials is a crucial tactic, and privileged access is the ideal target.
Modern PAM, founded on zero trust, is designed to handle requesters that are not only human but also machines, services, and APIs. Shared accounts will persist, but for increased assurance, best practices now recommend using individual identities, not shared accounts, where we can enforce least privilege.
All access controls must be dynamic and risk-aware, requiring modern machine learning and user behavior analytics. PAM must integrate and interoperate with a broader ecosystem, including IaaS providers like AWS and Azure, with DevOps CI/CD pipeline tools such as HashiCorp and Ansible, and container solutions such as Docker and Kubernetes.
A zero trust approach helps enterprises grant least privilege access based on verifying who is requesting access, the request’s context, and the access environment’s risk. Doing so minimizes the attack surface, improves audit and compliance visibility, and reduces risk, complexity, and costs.
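As an added illustration of the decision described above (example code, not from the original page or from Safe Pass), a minimal Python policy function that evaluates a privileged command request on an individual identity, the request’s context, and an environment risk score, and issues a time-bound, least-privilege grant. The entitlement table, risk thresholds, field names, and sample requests are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Shared accounts are refused outright; grants go to individual identities only.
SHARED_ACCOUNTS = {"root", "admin", "administrator"}

# Assumed least-privilege entitlements: identity -> target -> allowed commands.
ENTITLEMENTS = {
    "alice": {"db01": {"systemctl restart postgresql"}, "web01": {"journalctl -u nginx"}},
}

@dataclass
class Request:
    identity: str         # who: an individual identity, not a shared account
    mfa_verified: bool    # who: strong authentication completed for this session
    device_managed: bool  # context: request originates from a managed device
    inside_network: bool  # context: network location, deliberately NOT a trust signal
    target: str           # where: server, database, or network device
    command: str          # what: the privileged command being requested
    env_risk: float       # environment risk score in [0, 1] from analytics (assumed)

def decide(req: Request, now: datetime):
    """Return (decision, reason, expiry). Decision is allow, step_up, or deny."""
    if req.identity in SHARED_ACCOUNTS:
        return "deny", "shared account; request with an individual identity", None
    if not req.mfa_verified:
        return "deny", "requester not verified", None
    allowed = ENTITLEMENTS.get(req.identity, {}).get(req.target, set())
    if req.command not in allowed:
        return "deny", "command outside least-privilege entitlement", None
    if req.env_risk >= 0.8:
        return "deny", "environment risk too high", None
    # Being inside the network does not lower the bar: never trust, always verify.
    if req.env_risk >= 0.5 or not req.device_managed:
        return "step_up", "elevated risk; re-authenticate or obtain approval", None
    # The grant is time-bound so privilege does not persist beyond the task.
    return "allow", "verified identity, entitled command, low risk", now + timedelta(minutes=15)

# Constructed sample time and requests for a stand-alone run.
NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
SAMPLES = [
    Request("root", True, True, True, "db01", "systemctl restart postgresql", 0.1),
    Request("alice", True, True, False, "db01", "systemctl restart postgresql", 0.1),
    Request("alice", True, False, True, "db01", "systemctl restart postgresql", 0.1),
    Request("alice", True, True, True, "db01", "systemctl stop postgresql", 0.1),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.identity, "|", r.command, "->", decide(r, NOW)[:2])
```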
Safe Pass delivers advanced PAM solutions to secure accounts, control access, and protect businesses worldwide.