Federal government pushes zero-trust architecture
In response to the increasingly critical cybersecurity situation, the Department of the Interior advocates a gradual evolution toward zero-trust architecture
13 July 2022
The German Federal Office for Information Security (BSI) has for some time been reporting a steadily worsening threat situation for Germany. At the annual conference of the Teletrust association in Berlin, Andreas Könen, head of the cyber and IT security department at the Federal Ministry of the Interior (BMI), called for a move toward zero-trust architecture as a response to the critical situation and as a preventive protective measure.
The zero-trust approach (in German "Traue niemandem", that is, "trust no one") assumes that no user and no application may automatically be considered trustworthy. Because a growing number of users connect to enterprise applications via different networks and devices, authentication becomes necessary for each individual access. Put into practice, this requires secure and scalable authentication servers and also brings the issue of digital sovereignty back into focus.
Building a zero-trust architecture
In concrete terms, the first step in such a shift is to identify which applications and providers are in use. In the particularly sensitive environment of critical IT infrastructure (KRITIS), only providers with controlled German or European origins should then be used in the long term. In the cloud environment, there will also be additional special requirements to strengthen the domestic economy.
Zero-trust architecture is already a long-established approach in the IT security market, and some practical guidance exists. However, the core of the zero-trust concept is not a concrete instruction but a common understanding: authenticate all accesses, even those that originate from one's own internal network, and acknowledge the need to monitor all applications and accesses. Since the security concept affects all areas of IT, establishing such an environment requires companies to have an overview and control of all users, services and devices within their data environment. All accesses and access authorizations are enforced via information on user roles. Multi-level procedures are also inevitably required for authentication, as passwords alone are not sufficient.
Figure 1: Example of multi-factor authentication for Bare.ID Single Sign-On
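The three rules from the paragraph above (every access is authenticated regardless of network origin, authorization follows user roles, a password alone is not enough) can be written as a single per-request decision function. This is an added illustration, not Bare.ID code: the token format is a simplified HMAC-signed stand-in for what an identity provider would issue, and the key, role table and function names are assumptions.

```python
import base64, hashlib, hmac, json, time

SIGNING_KEY = b"constructed-demo-key"   # assumption: key shared with the identity provider
ROLE_PERMISSIONS = {                    # assumption: hypothetical role model
    "hr-clerk": {("payroll", "read")},
    "hr-admin": {("payroll", "read"), ("payroll", "write")},
}

def _sign(body: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()

def issue_token(user, roles, factors, ttl=300, now=None):
    """Stand-in for the identity provider: serialize and sign the claims."""
    claims = {"sub": user, "roles": roles, "amr": factors,
              "exp": (now or time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (body + b"." + _sign(body)).decode()

def authorize(token, resource, action, source_ip, now=None):
    """Decide one request. source_ip is accepted but deliberately never
    consulted: an internal address earns no trust."""
    try:
        body, sig = token.encode().rsplit(b".", 1)
        if not hmac.compare_digest(sig, _sign(body)):
            return (False, "bad signature")
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, AttributeError):
        return (False, "malformed token")
    if claims["exp"] <= (now or time.time()):
        return (False, "expired")
    if len(set(claims["amr"])) < 2:          # e.g. ["pwd"] alone is rejected
        return (False, "second factor required")
    for role in claims["roles"]:
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return (True, "allowed via role " + role)
    return (False, "no role grants this")

if __name__ == "__main__":
    # Constructed sample requests, both arriving from an internal address.
    mfa = issue_token("alice", ["hr-clerk"], ["pwd", "otp"])
    pwd = issue_token("bob", ["hr-admin"], ["pwd"])
    print(authorize(mfa, "payroll", "read", "10.0.0.5"))
    print(authorize(pwd, "payroll", "write", "10.0.0.5"))
```

Because the function runs on every request, each call in a real deployment is a round trip to, or a validation against, the central authentication and authorization service.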
If all infrastructure components, applications and devices continuously authenticate each request individually and repeatedly, the requests to the central authentication and authorization service multiply enormously. At the same time, this service becomes the most critical element for the entire business operation. It is not only the load on this system that increases but also the amount of data it manages, since authorizations on user identities have to be maintained for many of the connected systems and checked on access. Many companies underestimate the share of the authorization service in zero-trust projects and see the greater effort in the individual services.
In order to proactively secure one's own IT environment and to meet expected requirements in advance, it is advisable for companies, especially those in highly regulated industries, to take the first steps toward a zero-trust architecture. The announced support for the domestic economy must also be taken into account. It presents companies with the challenge of checking their service providers and suppliers even more closely in the future with regard to location and data protection standards, and of changing them if necessary.
Bare.ID's team of experts is here to support you with experience and take the hassle out of running your authentication and authorization solution. We offer you effective rights management as well as a wide range of integration options and KRITIS-compliant private cloud operation in Germany. This allows you to fully concentrate on the implementation of the actual Zero-Trust architecture without having to worry about operational issues, performance and scaling.
Simply make a non-binding consultation appointment via our contact form and our team will get in touch with you as soon as possible.
Bare.ID is a product and registered trademark of Bare.ID GmbH - an AOE Group company © 2023 - All rights reserved.