July 13, 2022

Federal government promotes zero-trust architecture

In response to the increasingly critical cybersecurity situation, the Ministry of the Interior is calling for a zero-trust architecture

The Federal Office for Information Security (BSI) has been recording an increasing threat situation for Germany for some time. At the annual conference of the Teletrust association in Berlin, Andreas Koenen, Head of the Cyber and IT Security Department at the Federal Ministry of the Interior (BMI), calls for a move towards a zero-trust architecture.

The zero-trust architecture approach (literally: "trust no one") assumes that no user or application should automatically be regarded as trustworthy. Because a growing number of users connect to corporate applications via various networks and devices, authentication is required for each individual access. Implemented in practice, this requires secure and scalable authentication servers and is also bringing the issue of digital sovereignty back into focus.

Building a zero-trust architecture

In concrete terms, such a shift first requires identifying which applications and providers are in use. In the particularly sensitive environment of critical IT infrastructure (KRITIS), only providers with controlled German or European origins will then be used in the long term. In the cloud environment, there will also be additional requirements to strengthen the domestic economy.

Building a zero-trust architecture is already a well-known approach in the IT security market, and some practical guidance is available. However, the core of the zero-trust concept does not consist of specific instructions but of the common understanding that all accesses must be authenticated, even if they originate from one's own internal network, and that all applications and accesses need to be monitored. Since the security concept affects all areas of IT, setting up such an environment requires companies to have an overview and control of all users, services and devices within their data environment. All accesses and access rights are enforced using information about user roles. In addition, multi-stage authentication procedures are absolutely necessary, as passwords alone are not enough.

[Figure: Example of multi-factor authentication for Bare.ID single sign-on]

If all infrastructure components, applications and devices continuously authenticate each request individually, over and over again, the number of requests to the central authentication and authorization service multiplies enormously. At the same time, this service is becoming the most critical element for the entire business operation. It is not only the load on this system that is increasing, but also the amount of managed data, as many of the connected and audited systems have to manage authorizations for the user identities. Many companies underestimate the share of authorization services in zero-trust projects and expect the greater effort to lie in the individual services.

In order to proactively secure their own IT environment and meet expected requirements in advance, it is advisable for companies, especially in heavily regulated industries, to take the first steps towards a zero-trust architecture. The announced promotion of the domestic economy must also be taken into account. It presents companies with the challenge of monitoring their service providers and vendors even more closely in future with regard to location and data protection standards and, if necessary, switching to others.

Need advice?

The experienced Bare.ID team of experts is at your side and takes over the operation of the authentication and authorization solution for you. We offer you effective rights management as well as a variety of integration options and KRITIS-compliant private cloud operation in Germany. This allows you to concentrate fully on implementing the actual zero-trust architecture without having to worry about operational issues, performance and scaling.

Simply arrange a non-binding consultation via our contact form and our team will get back to you as soon as possible.
