Managing Z3 SASE > Identity Access Management (IAM) > Authentication and Access Control

Authentication and Access Control
Authentication and Access Control are the foundation of our organisation’s security posture. They ensure that only authorized users, devices, and applications can interact with our systems, while enforcing the principle of least privilege at every step.

  1. Authentication

    • Authentication verifies the identity of users, devices, and services before granting access to organisational resources.

  2. Identity Providers (IdPs):

    • We integrate with trusted identity providers (e.g., Azure AD, Okta, Google Workspace) to centralise authentication.

    • Supports Single Sign-On (SSO) using SAML 2.0 and OpenID Connect (OIDC) for seamless user experience.

  3. Multi-Factor Authentication (MFA):

    • MFA is mandatory for all admin and privileged accounts.

    • Users must authenticate with a combination of:

      • Password/Passphrase

      • OTP (Authenticator app or SMS)

      • Hardware token (e.g., YubiKey) where applicable

  4. Device Authentication:

    • Devices connecting to sensitive resources must be registered and verified.

    • Extended Device Signature (EDS) or certificate-based authentication ensures device trust.

  5. Guest Authentication:

    • Guest users are authenticated via temporary, limited-access credentials.

    • Guests do not receive dashboard/system-level access.

Access Control

Access Control defines who can access what resources and under what conditions.

  1. Role-Based Access Control (RBAC):

    • Roles (Admin, Editor, Viewer, Guest) determine the scope of user actions.

      • Admin: Full privileges to manage users, policies, and configurations.

      • Editor: Can modify resources and limited configurations, but cannot create policies.

      • Viewer: Read-only access to assigned resources.

      • Guest: Minimal or no access to system dashboard; only authenticated usage of assigned apps.

  2. Principle of Least Privilege (PoLP):

    • Users and services are granted only the minimum access necessary to perform their roles.

    • Privilege escalations are temporary and require approval.

  3. Conditional Access Policies:

    • Access decisions are based on context such as:

      • User identity and role

      • Device trust level

      • Network location

      • Time of access

      • Risk score (e.g., unusual login attempts trigger MFA)

  4. Segmentation & Isolation:

    • Sensitive applications and resources are segmented and protected by Zero Trust policies.

    • Compromised accounts/devices are automatically quarantined.

  5. Audit & Logging:

    • All authentication and access events are logged for compliance and monitoring.

    • Suspicious activities trigger automated alerts and are escalated to security teams.

  6. Access Lifecycle Management

    • User Provisioning: New users are onboarded via HR/Identity systems with predefined role assignments.

    • Periodic Reviews: Access rights are reviewed quarterly to ensure alignment with job functions.

    • De-provisioning: Immediate revocation of access upon employee/contractor exit.

    • Just-in-Time Access: Privileged access is granted temporarily for specific tasks and revoked automatically.