The Zero Trust Framework

PAM = Privileged Access Management

It can be defined as: “How organizations define, monitor, and manage privileged access across their IT systems, applications, and infrastructure.”

(SOURCE: https://www.coresecurity.com/blog/whats-difference-between-iam-iga-and-pam)

This can be viewed as a subset of IAM, in that deals strictly with those accounts that are “privileged” in nature. These are the accounts that grant higher and specialized privileges to a certain group of employees. They typically fall under these categories:

1) Root/Administrator Accounts: These accounts possess full authority to systems and have no restriction for accessing services or data residing on a server. They are considered the most valuable targets for threat actors.

2) System Accounts: These accounts are used for running operating system services and can modify the relevant files and configurations. They are typically provisioned with the operating system.

3) Service/Application Accounts: These accounts are used for running processes and applications through automated, often unattended tasks. They frequently own or have access to data, resources, or configurations not available to non-privileged users.

(SOURCE: https://www.coresecurity.com/blog/whats-difference-between-iam-iga-and-pam)

CIEM = Cloud Infrastructure Entitlements Management

It can be defined as: “Solutions that are designed to manage identities and access privileges in cloud and multi-cloud environments.”

(SOURCE: https://www.cyberark.com/what-is/cloud-infrastructure-entitlements-management/)

CIEM based solutions are designed to secure those privileged accounts that are housed strictly in a Cloud based environment, such as that of Microsoft Azure. It is typically used for Hybrid Clouds, in which account security becomes a primary security concern. CIEM is not designed for On Prem Solutions.

A unique term used here are “Entitlements”. These refer to the rights, permissions, and privileges, that are assigned to the privileged accounts.

Another equally important concept here is that of “Least Privilege”. This is where an employee is given only enough privileges, rights, and permissions to do their job, nothing more and nothing less.

PIM = Privileged Identity Management

It can be defined as: “As a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization.”

(SOURCE: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure)

This tool allows you to further manage the rights, permissions, and privileges of those specific individuals with Privileged Accounts. While PAM/CIEM lets you to activate and deprovision Privileged Accounts, it is the PIM that gives you the granular control over them.

JITA = Just Time In Access

It can be defined as: “A fundamental security practice where the privilege granted to access applications or systems is limited to predetermined periods of time, on an as-needed basis.”

(SOURCE: https://delinea.com/what-is/just-in-time-access#:~:text=Just%2Din%2DTime%20(JIT,malicious%20insiders%20can%20readily%20exploit.)

This is where an employee is given a Privileged Account right when they need it the most, and is deactivated or terminated once that particular job task is done. There are three types of JIT accounts:

1) Justification based Accounts: This can also be referred to technically as the “broker and remove” accounts. For example, if the Project Manager needs to have Network Admin privileges, they have to provide written justification to the manager of the IT Security team why this kind of access is needed and for how long.

2) Ephemeral Accounts: JIT access is given to complete just one specific task, for just one employee.

3) Privileged Escalation: This is where an employee is given just a subset of the overall rights, permissions, and privileges of a Privileged Account for a brief time period for one employee.

ZTF = Zero Trust Framework

It can be defined as:

“An enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.”

(SOURCE: NIST)

In other words, absolutely no entity, whether human or machine can be trusted. Each one must be fully authenticated before accessing shared resources.

The Core Components Of The Zero Trust Framework

There are three core components which are:

Policy Engine (PE):

The PE handles the ultimate decision to grant, deny, or revoke access to a resource for a given subject. The PE calculates the trust scores/confidence levels and ultimate access decisions based on enterprise policy and information from supporting components. The PE executes its trust algorithm to evaluate each resource request it receives.

Policy Administrator (PA):

The PA executes the PE’s policy decision by sending commands to the PEP to establish and terminate the communications path between the subject and the resource. It generates any session-specific authentication and authorization token or credential used by the subject to access the enterprise resource.

Policy Enforcement Point (PEP):

The PEP guards the trust zone that hosts one or more enterprise resources. It handles enabling, monitoring, and, eventually, terminating connections between subjects and enterprise resources. It operates based on commands received from the PA.

Important Definitions Of The Components Of The Zero Trust Framework

They are as follows:

Policy Decision Point (PDP):

The PE and PA combine to comprise the PDP, which executes the decision on whether a subject is permitted access to a resource.

Policy Information Point (PIP):

The PIP provides telemetry and other data to enable the PDP to make informed access decisions. This includes PAM, EDR, and identity-based threat and response solutions.

Subject:

An end user, application, and other non-human entity that requests information from resources.

The Gateway:

Responsible for enabling, monitoring, and terminating the connection between the subject (user or application) and resource via the agent so all activity can be assessed and documented.

The Gateway Enclave

It can be defined as:

"A granular segmented perimeter with assets accessible only through a gated and monitored network path. While resources within the enclave can have loosened security controls to meet the operational business requirements, they are still monitored for inappropriate behavior when activity originates from outside the enclave. Think of the enclave as a mini trusted network within another network.”

These are added safeguards to the Zero Trust Framework so that only authorized people can access the shared resources.

(SOURCE: Advancing Zero Trust with Privileged Access Management (PAM) Whitepaper)

The Resource Enclave

“It is a variation of a network zone or VLAN. It is a collection of resources (assets) (applications, operating systems, network devices, databases, etc.) with a hardened perimeter around all the assets. In lieu of a perimeter being a broad network zone, it is isolated to only critical assets within the resource enclave for a given purpose. Essentially, a resource enclave is a secure network zone with limited external access and is fully segmented. Access of any type must come through a gateway, as described by a gateway enclave. Essentially, a gateway enclave defines the path for secure access and the resource enclave defines the resources contained within.”

In other words, it adds extra segmentation to the ones that already in the Zero Trust Framework.

(SOURCE: Advancing Zero Trust with Privileged Access Management (PAM) Whitepaper)