Identity First Approach to Zero Trust Security


Author: Riley Martin
Release Date: 25/07/2023

Some people say that the best defence is a good offence, however when it comes to data security the opposite is often true. At its core, Zero Trust Security is the idea and principle that any and all users or devices attempting to access a network or piece of data could be hostile to it and so they must be authenticated, authorised, and observed to ensure they are who they say they are and they are not attempting to maliciously access the network.

Okta takes the Zero Trust Security strategy and applies its tenets to every aspect of the solution by implementing an Identity First approach to their security. By being able to prove a user’s identity when they are logging in to their account, this can be done by one (or more) of the many tools in Okta’s Identity Access Management (IAM) toolbox. This is exemplified with Okta’s different MFA factor types which fall under the three factors of Strong Authentication with MFA: 1, Something you have; 2, something you know; and 3, something you are. By incorporating these authentication factors and ideas into the permitted factors with Okta you can have a user prove their identity before allowing access.

For example, you may have a setup where a user must input their username and password to a login form, this is “something you know”, this can then be backed up with asking for a code from the Okta Verify app which can be set up easily the first time a user logs into the system. This covers the requirements of “something you have” due to the code being sent to another application or device as well as a potential use of “something you are” due to a biometric layer of security to access the code such as a fingerprint scanner, or facial recognition on your phone. This log in process would also probably be set to occur at least once a day under zero-trust; or possibly more often. For example you could set up Okta to ask for login credentials and MFA after anytime the computer is logged in and out of such as after a lunch break or on a scheduled basis such as every three hours. This can be used to ensure that the person using the machine is who is meant to be using it at all times.

You can employ a zero-trust methodology in more aspects of your organisation than just letting people log into their profiles each day. Does a member of the support desk team need to have access to the management team’s tracking spreadsheets for example? Or does a technician need access to the Sales Team’s applications to track potential clients? Probably not. With IAM, each user with their own identity can have access to only what they need. This can be done either by manually assigning each app or area of access to a user, or by using groups tools to give all members of the “Technician” group access to only what they need and denying access to other areas of the business’s file structure and applications.

By taking an approach of deny everything and everyone and authenticate only when a user can prove they should have access, a business can prevent hacks and leaks on a huge scale. Companies that take a zero-trust attitude through Okta to their security see at least 50% fewer incidents of data breach than those with legacy or homegrown solutions and a 90% increase in speed to detect and respond to these potential breaches. By implementing an Okta solution in your organisation, you can reap the benefits of fewer breaches, tighter security, and increased productivity for employees due to ease of use for locating and logging into the many applications they may need in a day.

If you are interested in learning more about Okta’s capabilities, get in touch via our website contact form and we will be more than happy to help!



Somerford Associates Limited

Specialist in innovative disruptive technologies with business focused consultants.