Use Case 2 - Digital Worker Access
Zero Trust architecture eliminates traditional chokepoints such as the legacy Trusted Internet Connection (TIC) and the DOD Joint Regional Security Stacks (JRSS), Internet Access Points (IAP) and Cloud Access Points (CAP). Decentralizing these chokepoints into a distributed architecture that aligns with the NIST Special Publication 800-207 PEP/PE/PDP framework may improve security and support digital transformation initiatives. It is vital to create secure access from anywhere, on any network, that gives a user the right access under the right conditions. NIST SP 800-207 outlines three approaches to Zero Trust: software-defined networking or perimeter, identity governance, and application micro-segmentation. While all three areas may interact, each focuses on a specific piece of an access attempt.
- Software-defined perimeter and network infrastructure are focused on delivering and routing network and internet traffic.
- Identity governance is focused on uniquely identified people or things requesting access.
- Application micro-segmentation is focused on network segmentation but also relies on identity governance.
CURRENT STATE APPROACH
- A digital worker is an automated technology like a Robotic Process Automation bot that uses artificial intelligence to automate manual tasks.
- A digital worker is usually assigned a group or system account, which generally comes with an excessive amount of privileges. As a result the digital worker has to be attended, when it would be more efficient for it to run unattended.
- A group of agency users generates a weekly analysis that incorporates data from a legacy database. An RPA script automates the manual data-gathering process and requires the user’s credentials to run. The RPA does not extend any privileges beyond the user’s existing access: the RPA process cannot pass data to the user that the user would otherwise be unable to access. The user has direct access to the database but should have read-only privileges. The RPA process’s rights to the database must also be limited to each user’s own privileges (read-only for one example user, while others can copy or delete).
ZERO TRUST OBJECTIVE
- This example intends to enforce least privilege and allow unattended digital worker access. Both require a combination of identity governance and micro-segmentation: identity governance uniquely identifies a digital worker, and micro-segmentation enforces the least access to only those components necessary.
- This use case assumes the digital worker is accessing agency or public information from an agency network and “lives” on agency-owned equipment. This use case does not consider what the digital worker is accessing, the results of the digital worker process, or the ethics or bias of a digital worker.
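The access decision the scenario and objective above call for, as an added example that is not part of the original document: a small policy decision function in which the digital worker holds its own credential (identity governance), can reach only the components inside its micro-segment, and its effective rights on the legacy database are the intersection of its own grant and the delegating user's grant, so it never extends a user's access and each user's privileges cap what it may do. All names (rpa-weekly-analysis, analyst1, dba1, legacy_db, hr_db) and grants are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data, not from the original document: a legacy
# database, an HR database the bot must never reach, and two agency users.
LEGACY_DB = "legacy_db"
HR_DB = "hr_db"


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str      # "human" or "digital_worker"
    grants: dict   # resource -> frozenset of permitted actions


# The RPA bot holds its own credential (identity governance). Its grant on
# the legacy database is the union of what any delegating user may need;
# the per-user cap is applied at decision time.
RPA_BOT = Principal("rpa-weekly-analysis", "digital_worker",
                    {LEGACY_DB: frozenset({"read", "copy", "delete"})})
ANALYST = Principal("analyst1", "human", {LEGACY_DB: frozenset({"read"})})
DBA = Principal("dba1", "human", {LEGACY_DB: frozenset({"read", "copy", "delete"}),
                                  HR_DB: frozenset({"read"})})
# Micro-segmentation: the only component the bot's segment can reach.
BOT_SEGMENT = frozenset({LEGACY_DB})


def decide(worker, on_behalf_of, resource, action):
    """Policy decision for a digital worker acting for a user.

    Returns (allowed, reason). Effective rights are the intersection of
    the worker's own grant and the delegating user's grant, so the bot
    never extends the user's access and the user's rights cap the bot.
    """
    if worker.kind != "digital_worker":
        return False, "this decision point only serves credentialed digital workers"
    if resource not in BOT_SEGMENT:
        return False, f"{resource} is outside the worker's micro-segment"
    bot_rights = worker.grants.get(resource, frozenset())
    user_rights = on_behalf_of.grants.get(resource, frozenset())
    effective = bot_rights & user_rights
    if action in effective:
        return True, f"'{action}' permitted by both worker and {on_behalf_of.name}"
    if action in bot_rights:
        return False, f"{on_behalf_of.name} lacks '{action}' on {resource}"
    return False, f"{worker.name} is not granted '{action}' on {resource}"
```

Every denial carries a reason string so the policy enforcement point can log which control (identity, segment or delegated privilege) refused the request.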
VALUE PROPOSITION FROM ZERO TRUST APPROACH
- Like a human worker, a digital worker should have a unique credential that enforces least privilege and should not require the compensating control of a human attending it. Based on a risk assessment, an agency should leverage unattended digital worker capabilities through identity governance and micro-segmentation.
- Eliminate the need for a human attendant, so that automated technologies can be leveraged with confidence.
- Realize digital workforce and automation benefits while maintaining the security and compliance of agency data and decision processes.
WHERE TO GET STARTED
- Conduct a digital worker risk assessment to determine access and governance requirements.
- Identify an identity management system that can credential a digital worker.
- Leverage an identity governance and administration service to enforce access reviews and certification.
- Leverage application micro-segmentation to enforce the least access to only those components needed to complete a task.