Federal government pushes zero-trust architecture

The German Federal Office for Information Security (BSI) has been noting an increasingly heightened threat situation for Germany for some time. At the annual conference of the Teletrust association in Berlin, Andreas Könen, head of the cyber and IT security department at the Federal Ministry of the Interior (BMI), called for a move toward zero-trust architecture as a response to the critical situation and a preventive protective measure.

The approach of a zero-trust architecture (in German: "Traue niemandem") assumes that no user and no application may automatically be considered trustworthy. Due to the growing number of users connecting to enterprise applications via different networks and devices, authentication becomes necessary for each individual access. Put into practice, this requires secure and scalable authentication servers and also brings the issue of digital sovereignty back into focus.

Building a zero-trust architecture

In concrete terms, such an orientation first brings the need for action to identify which applications and providers are being used. In the particularly sensitive environment of critical IT infrastructure (KRITIS), only providers with controlled German or European origins should then be used in the long term. In the cloud environment, there will also be additional special requirements to strengthen the domestic economy.

The establishment of a zero-trust architecture is already a long-established approach in the IT security market, with some practical guidance. However, the core of the zero-trust concept is not a concrete instruction but a common understanding to authenticate all accesses, even if they originate from one's own internal network, and to acknowledge the need to monitor all applications and accesses. Since all areas of IT are affected by the security concept, the establishment of such an environment for companies thus requires an overview and control of all users, services and devices within their data environment. All accesses and access authorizations are enforced via information on user roles. Multi-level procedures are also inevitably required for authentication, as passwords alone are not sufficient.

Figure 1: Example of multi-factor authentication for Bare.ID Single Sign-On_

If all infrastructure components, applications and devices continuously authenticate each request individually and repeatedly, the requests to the central authentication and authorization service multiply enormously. At the same time, this becomes the most critical element for the entire business operation. But it is not only the load on this system that increases, but also the amount of data managed, since authorizations on user identities have to be managed for many of the systems that are connected and need to be checked. Many companies underestimate the share of the authorization service in zero-trust projects and see the greater effort in the individual services.

In order to proactively secure one's own IT environment and to meet expected requirements in advance, it is advisable for companies, especially those in highly regulated industries, to take the first steps toward a zero-trust architecture. The announced support for the domestic economy must also be taken into account and presents companies with the challenge of checking their service providers and suppliers even more closely in the future with regard to location and data protection standards and changing them if necessary.

Advice needed?

Bare.ID's team of experts is here to support you with experience and take the hassle out of running your authentication and authorization solution. We offer you effective rights management as well as a wide range of integration options and KRITIS-compliant private cloud operation in Germany. This allows you to fully concentrate on the implementation of the actual Zero-Trust architecture without having to worry about operational issues, performance and scaling.

Simply make a non-binding consultation appointment via our contact form and our team will get in touch with you as soon as possible.