Resources
Jul 25, 2022

How Opal Fits into your Zero Trust Strategy

Opal works better together with Zero Trust solutions to deliver a modern identity strategy

Stephen Cobbe
CEO

What is Zero Trust?

Zero trust is a security posture that fortifies organizations against attack by limiting the amount of network access given out. Developers who need access to infrastructure can use zero trust solutions like Twingate, Teleport, Tailscale, and more to receive narrowly scoped network access to connect to the desired resource. This contrasts sharply with VPNs which often grant overly-broad network access.

Opal implements many of the same zero trust principles in its approach to access management outside of the network layer. Users who need access to developer infrastructure, identity provider groups or third-party SaaS roles can use Opal to request and receive narrowly scoped access to the desired resource.

In other words, zero trust solutions and Opal are complementary approaches for achieving least privilege across your technology stack. By integrating with zero trust solutions, Opal provides a unified surface for access orchestration for resource types inside and outside the network layer.

Zero trust is an essential piece of your access management story

Organizations manage access to many resources. Some resources such as infrastructure and internal tools lack hardened APIs so organization keep them off the public internet. Consequently, in order to provision access to these resources, organizations must grant both network as well as resource access. For example, for an employee to access data in a database, they must be authorized by the network to connect to the database, and then once they connect, they must be authorized by the database itself to access data.

At many organizations, employees are granted network access using a legacy solution such as a VPN or bastion host. While simple, these solutions are problematic because they grant overly broad network access. Once an employee is on a VPN or bastion, they are able to connect to a multitude of resources by default because the VPN or bastion is a trusted source on the network. This leads to an unnecessary increase in attack surface for an organization.

As a result, organizations are increasingly adopting a zero trust architecture which treats no source as trusted on a network. Instead, all traffic, regardless of origin, is continuously verified. With zero trust solutions, employees are granted short-lived network access only to the resources they’re authorized to access, nothing more. In other words, zero trust solutions help organizations implement least privilege access in their network layer.

How Opal Supports Zero Trust Architecture

As with zero trust solutions, Opal implements the principles of limiting and continuously verifying access. However, Opal’s focus is managing resources outside the network layer, including developer infrastructure, identity provider groups and third-party SaaS roles. With Opal, employees are assumed by default to be unvetted. Access, for the most part, is not automatically granted and must be manually requested using Opal’s seamless workflows. Once granted, access is continuously re-certified, either because the access grant was short-lived or as part of periodic compliance reviews.

To fully implement least-privilege in the network layer, Opal recommends using a dedicated zero trust solution. While most zero trust solutions integrate with identity providers to centralize and automate access provisioning via groups, the reality is many operational workflows are missing from zero trust solutions, including:

  • How users request short-lived access to individual resources
  • How users request changes to which resources are in which groups
  • How owners propagate changes after approving requests
  • How owners conduct access reviews on these resources for compliance
  • How owners are even defined
  • How a consistent set of security policies are implemented across zero trust infrastructure and the rest of the resources at the company

Even if a zero trust solution implements some of these workflows, they must be managed in concert with similar workflows for the rest of the company’s resources including identity provider groups, internal tool roles and third-party SaaS roles.

For smaller organizations, these operational workflows are manageable. But for larger organizations, zero trust solutions should be used alongside an access orchestration solution like Opal so that zero trust can be scalably implemented across all apps and resources at the company, not just those in the network layer.

Fortunately, Opal integrates with a number of zero trust solutions to help orchestrate infrastructure from a consolidated control plane. Opal scales the day-to-day management of zero trust solutions by unifying them with the rest of an organization’s access management processes and policies. Opal offers decentralized and self-service workflows to handle all of the operations related to day-to-day access management at scale. Decentralization ensures that those with the most context are the ones actually administering access, meaning less access is granted overall and bottlenecked teams like IT, DevOps, Security and Compliance are free to do higher impact work.

About Opal:

Opal is the centralized authorization platform for IT and Infrastructure teams. Deeply integrated with developer infrastructure, SaaS applications, and custom internal tools, Opal enables companies to implement scalable access management.

Want to see it yourself? Contact hello@opal.dev or book a meeting here for a personalized demo.

Stephen Cobbe

Updates + insights about the future of access management