Identity-Centric Security: Ukraine's Zero Trust Identity Implementation
Identity-centric security represents a fundamental shift in how organizations structure their defense—from a perimeter model that trusts everything inside the network boundary to a model that treats identity as the primary control plane for all access decisions. The principle—often summarized as "never trust, always verify"—recognizes that traditional network perimeters have dissolved: employees work from home, cloud services host critical applications, and attackers regularly breach perimeter defenses to gain "inside" network positions. For Ukraine, where cloud migration has accelerated rapidly under wartime conditions and work from multiple locations is common, identity-centric security aligns with operational reality better than perimeter-based models that assume employees are at office desks.
The Perimeter Security Model's Failures in Wartime
Ukraine's wartime experience exposed the inadequacy of perimeter security in multiple documented incidents. When physical offices were evacuated and employees continued working from homes, hotels, and displaced locations using VPN, the VPN connection to the "trusted" network provided a single choke point whose compromise gave attackers broad network access. NotPetya-era lateral movement and post-2022 Russian intrusions both demonstrated that once an attacker obtained valid credentials and network access, flat trusted-network architectures provided minimal obstacles to reaching sensitive systems.
The forced migration of many government employees to remote work in the early weeks of the full-scale invasion was both a crisis and an accelerant for Zero Trust adoption—the impossibility of maintaining perimeter security for a radically distributed workforce under attack conditions drove faster adoption of identity-centric controls than pre-war planning had achieved. International donors including Microsoft (through its Government Security Program) facilitated Azure Active Directory and Microsoft Entra ID deployment with Conditional Access policies that implemented identity-centric access control at scale.
Continuous Authentication and Adaptive Access
Continuous authentication extends identity verification beyond the initial login event, monitoring behavioral signals throughout a session to detect anomalies that might indicate account takeover or credential sharing. Behavioral biometrics—mouse movement patterns, keystroke dynamics, typing rhythm—can authenticate users continuously without explicit re-authentication challenges. Risk signals like access from new geo-locations, device health status changes, access time anomalies, and resource sensitivity level contribute to continuous risk scoring that dynamically adjusts session privilege levels.
Microsoft Entra ID Conditional Access implements this model in Ukraine's government cloud environments: access to sensitive resources requires not only valid MFA authentication but also device compliance verification (ensuring the accessing device has current security patches and is registered as a government device), location verification (flagging access from Russia-adjacent countries), and user risk score assessment based on Microsoft's threat intelligence feeds. High-risk access sessions trigger step-up authentication challenges or automatic session termination.
Identity Security Program Components
| Component | Function | Ukraine Implementation | Maturity Level | Primary Platform |
|---|---|---|---|---|
| Phishing-resistant MFA | Authentication assurance | FIDO2 for IT admins, TOTP for the broader workforce | High for central gov | Microsoft Entra / Azure AD |
| Conditional Access policies | Context-based access control | Device compliance + location check | Medium-High | Microsoft Entra ID |
| Privileged Identity Management | Just-in-time admin access | Deployed for Tier 0/1 | Medium | Azure PIM / CyberArk |
| Identity Protection risk signals | Continuous risk assessment | Integrated with Sentinel SIEM | Medium | Microsoft Entra ID Protection |
| SSO with security controls | Centralized authentication hub | Government portal SSO deployed | Medium-High | Microsoft / custom IDP |
Single Sign-On Security Considerations
Single Sign-On (SSO) provides operational security benefits—users authenticate once and access multiple systems without repeated login, reducing password fatigue and enabling central session management. However, SSO introduces a critical dependency: the SSO identity provider becomes a high-value target whose compromise grants access to all connected systems simultaneously. This "blast radius amplification" risk requires that SSO infrastructure receive the highest level of security controls: phishing-resistant authentication for SSO administration, privileged access workstations for SSO administration tasks, comprehensive audit logging of authentication and administrative events, and near-real-time monitoring for anomalous authentication patterns.
The 2023 attacks on Okta's support systems—where attackers accessed customer environments by compromising Okta's support tool with a support engineer's session token—illustrated the supply chain risk in SSO systems. This incident prompted SSSCIP guidance on SSO third-party dependency risk, recommending evaluation of SSO vendor security practices as a component of critical vendor risk assessments.
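The monitoring the previous section calls for ("near-real-time monitoring for anomalous authentication patterns" on the identity provider) can be illustrated with a small detector run over identity-provider sign-in events. This is an added example written for this page, not code from Microsoft, Okta, SSSCIP or the page's author; the JSON log format, field names, the known-device baseline, the users and the thresholds are all constructed for the illustration. It flags three patterns a blast-radius-aware SOC would watch on the IdP itself: a user succeeding from two countries within an hour, a privileged account signing in from a device never seen for it, and a burst of MFA denials immediately followed by a success.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (one JSON object per line), not real IdP output.
SAMPLE_LOG = """
{"ts":"2024-03-01T08:00:00Z","user":"admin.olena","role":"admin","result":"success","country":"UA","device":"dev-a1","mfa":"fido2"}
{"ts":"2024-03-01T08:05:00Z","user":"ivan","role":"user","result":"success","country":"UA","device":"dev-b7","mfa":"totp"}
{"ts":"2024-03-01T08:40:00Z","user":"ivan","role":"user","result":"success","country":"PL","device":"dev-b7","mfa":"totp"}
{"ts":"2024-03-01T09:10:00Z","user":"admin.olena","role":"admin","result":"success","country":"UA","device":"dev-zz9","mfa":"totp"}
{"ts":"2024-03-01T09:20:00Z","user":"petro","role":"user","result":"mfa_denied","country":"UA","device":"dev-c3","mfa":"push"}
{"ts":"2024-03-01T09:21:00Z","user":"petro","role":"user","result":"mfa_denied","country":"UA","device":"dev-c3","mfa":"push"}
{"ts":"2024-03-01T09:23:00Z","user":"petro","role":"user","result":"mfa_denied","country":"UA","device":"dev-c3","mfa":"push"}
{"ts":"2024-03-01T09:25:00Z","user":"petro","role":"user","result":"success","country":"UA","device":"dev-c3","mfa":"push"}
{"ts":"2024-03-01T11:00:00Z","user":"ivan","role":"user","result":"success","country":"PL","device":"dev-b7","mfa":"totp"}
"""

# Constructed baseline of devices previously seen for each privileged account.
KNOWN_ADMIN_DEVICES = {"admin.olena": {"dev-a1"}}


def parse_log(text):
    """Parse JSON-lines sign-in events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_impossible_travel(events, window=timedelta(hours=1)):
    """Same user succeeds from two different countries inside the window.
    Country-level comparison is deliberately coarse; a real detector uses
    geodistance and the user's own travel baseline."""
    alerts, last_success = [], {}
    for e in events:
        if e["result"] != "success":
            continue
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] < window:
            alerts.append(("impossible_travel", e["user"], e["ts"]))
        last_success[e["user"]] = e
    return alerts


def detect_admin_new_device(events, known_devices):
    """Privileged account signs in from a device not in its baseline."""
    return [("admin_new_device", e["user"], e["ts"]) for e in events
            if e["role"] == "admin" and e["result"] == "success"
            and e["device"] not in known_devices.get(e["user"], set())]


def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """At least `threshold` MFA denials for a user within `window`, then a success:
    the classic signature of push-bombing a user until they approve."""
    alerts, denials = [], defaultdict(list)
    for e in events:
        u = e["user"]
        if e["result"] == "mfa_denied":
            denials[u].append(e["ts"])
        elif e["result"] == "success":
            recent = [t for t in denials[u] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append(("mfa_fatigue", u, e["ts"]))
            denials[u].clear()
    return alerts


def analyze(log_text, known_admin_devices):
    """Run all detectors and return (rule, user, timestamp) alerts in time order."""
    events = parse_log(log_text)
    alerts = (detect_impossible_travel(events)
              + detect_admin_new_device(events, known_admin_devices)
              + detect_mfa_fatigue(events))
    return sorted(alerts, key=lambda a: a[2])


if __name__ == "__main__":
    for rule, user, ts in analyze(SAMPLE_LOG, KNOWN_ADMIN_DEVICES):
        print(f"{ts:%H:%M}  {rule:20s} {user}")
```

On the constructed log the three detectors raise one alert each: ivan's UA-to-PL hop in 35 minutes, admin.olena's sign-in from the unbaselined device dev-zz9, and petro's success after three push denials. The later ivan event from PL produces nothing, because it is consistent with the previous country. Each detector is independent so that a new rule (for example, an administrative role assignment outside an approved change window) can be added without touching the others.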
Risk-Based Access Policies
Risk-based access policies evaluate multiple contextual signals at authentication and access time to determine whether to grant access, require step-up authentication, or deny the request. Signal inputs include: compromised credential reports (Microsoft Entra ID Protection aggregates credential breach intelligence from dark web monitoring), device health and compliance state, geographic anomaly (access from location inconsistent with user's typical pattern), threat intelligence context (access during a period of elevated threat for the specific user's profile), and behavioral anomaly signals.
Ukraine's SSSCIP baseline for government cloud applications specifies that access to sensitive government data must evaluate device compliance at every access request, that access from unrecognized devices requires MFA re-authentication regardless of existing session, and that access from geographic locations associated with high Russian cyber activity triggers step-up authentication. These policies are implemented through Conditional Access policy sets maintained by a central government identity operations team within SSSCIP.
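The policy logic described in the Continuous Authentication section and in the SSSCIP baseline above (device compliance on every request, MFA re-authentication for unrecognised devices regardless of session, step-up from high-risk locations, termination on high user risk) can be written down as a small evaluator. The following is an added example for this page, not Microsoft's Conditional Access engine, SSSCIP's policy set, or code from the page's author. The `SignIn` fields, the mapping of "medium" risk to step-up and "high" risk to block, and the two-entry high-risk country list are assumptions made for the illustration; in a real tenant the location list is a named location in the identity provider, not a constant in code.

```python
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # require fresh MFA before the request proceeds
    BLOCK = "block"       # deny and terminate the session


# Constructed for the example; maintained as a named location in a real deployment.
HIGH_RISK_COUNTRIES = {"RU", "BY"}


@dataclass(frozen=True)
class SignIn:
    user: str
    resource: str           # "public" | "internal" | "sensitive"
    mfa_in_session: bool    # the existing session already carries an MFA claim
    fresh_mfa: bool         # MFA completed for this very request (after a step-up)
    device_compliant: bool  # registered government device with current patches
    device_known: bool      # device previously seen for this user
    country: str            # ISO 3166 code from IP geolocation
    user_risk: str          # "none" | "low" | "medium" | "high"


def evaluate(s: SignIn):
    """Return (Decision, reasons). Any block condition outranks step-up conditions."""
    block, step_up = [], []
    if s.user_risk == "high":
        block.append("high user risk: terminate session")
    if s.resource == "sensitive" and not s.device_compliant:
        # Compliance is re-checked on every request, not only at initial login.
        block.append("non-compliant device accessing sensitive resource")
    if s.resource != "public" and not (s.mfa_in_session or s.fresh_mfa):
        step_up.append("resource requires MFA")
    if not s.device_known and not s.fresh_mfa:
        # An existing session does not exempt an unrecognised device.
        step_up.append("unrecognised device: re-authenticate regardless of session")
    if s.country in HIGH_RISK_COUNTRIES and not s.fresh_mfa:
        step_up.append("sign-in from high-risk location")
    if s.user_risk == "medium" and not s.fresh_mfa:
        step_up.append("medium user risk")
    if block:
        return Decision.BLOCK, tuple(block)
    if step_up:
        return Decision.STEP_UP, tuple(step_up)
    return Decision.ALLOW, ()


def complete_step_up(s: SignIn) -> SignIn:
    """Context after the user passes the challenge: the request is re-evaluated with fresh MFA."""
    return replace(s, fresh_mfa=True)


# Constructed reference request: a known, compliant device with an MFA session from Ukraine.
BASELINE = SignIn(user="analyst", resource="sensitive", mfa_in_session=True, fresh_mfa=False,
                  device_compliant=True, device_known=True, country="UA", user_risk="none")


def variant(**changes) -> SignIn:
    """The baseline request with some signals changed."""
    return replace(BASELINE, **changes)


if __name__ == "__main__":
    cases = [
        ("baseline", BASELINE),
        ("new device", variant(device_known=False)),
        ("new device, after step-up", complete_step_up(variant(device_known=False))),
        ("unpatched device", variant(device_compliant=False)),
        ("unpatched device, after step-up", complete_step_up(variant(device_compliant=False))),
        ("high-risk location", variant(country="RU")),
        ("high user risk", variant(user_risk="high")),
    ]
    for label, s in cases:
        decision, reasons = evaluate(s)
        print(f"{label:32s} -> {decision.value:8s} {'; '.join(reasons)}")
```

Two properties of the evaluator are worth noting. A step-up is satisfiable: once `fresh_mfa` is set the unrecognised-device and location conditions clear, which is what lets a legitimately travelling employee proceed. A block is not: a non-compliant device stays blocked from sensitive data even after a successful MFA challenge, because the control is about the endpoint, not the person.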
FAQ
- How is the "identity as the new perimeter" concept implemented in practice?
- Practically, "identity as the new perimeter" means that access decisions are based primarily on verified identity and context rather than network location. Implementation involves deploying an identity provider (Azure AD, Okta, Ping Identity) as the central authentication point for all applications, configuring applications to require authentication through the central IDP rather than relying on network trust, implementing Conditional Access policies that evaluate multiple signals before granting access, and removing implicit trust granted by VPN or internal network position. Users and devices must continuously prove their identity and security posture rather than being trusted simply by virtue of being on-network.
- What happened to Ukraine's authentication infrastructure during the initial invasion period?
- The first weeks of the full-scale invasion in February 2022 were chaotic for government IT infrastructure. Many government buildings in Kyiv were evacuated, taking IT staff and local server infrastructure offline. Microsoft's rapid activation of cloud infrastructure support—moving government workloads to Azure and enabling cloud-based identity authentication through Azure AD—was credited by Ukrainian officials as critical to maintaining operational continuity. The cloud-based identity infrastructure was accessible from wherever employees had evacuated to, providing a continuity that physically inaccessible on-premises servers could not have offered.
- How do Ukrainian government employees authenticate to sensitive systems while working remotely?
- Government employees cleared for remote work on sensitive systems use FIDO2 hardware security keys (YubiKey and Google Titan keys were provided to thousands of government employees through international assistance programs) or Authenticator app-based TOTP MFA as the second factor, in combination with a government-issued virtual desktop session that streams a managed desktop environment rather than running sensitive applications locally on a potentially less controlled personal device. This virtual desktop approach extends the security of the managed government IT environment to remote work scenarios without requiring trust in the employee's personal device security.
- What is Privileged Identity Management (PIM) and why is it important for Ukraine?
- Privileged Identity Management (PIM)—available in Azure AD Premium and through CyberArk, BeyondTrust, and similar PAM platforms—implements Just-in-Time (JIT) privilege elevation, where users request required admin access for a specific purpose and limited duration with approval workflow, rather than holding permanent elevated roles. Standing privilege (permanent admin account membership) is a major risk factor: if a domain admin account's credentials are stolen, the attacker immediately has domain admin access. With PIM, even domain admins only have their privileges active during approved windows for specific tasks, dramatically reducing the window of attacker opportunity from privileged credential compromise.
- Does the Diia digital identity platform use identity-centric security principles?
- Diia's architecture is inherently identity-centric: it provides citizens with digital verifiable credentials (digital ID, driver's license, insurance documents) stored in a government-managed identity system that generates cryptographically signed presentations for each verification request. Access to government services through Diia requires authentication to the citizen's identity account (phone number + government identity verification), and each service interaction is tied to verified identity claims rather than session cookies or network trust. Diia's identity security architecture was designed with Zero Trust principles from inception, which contributed to its resilience against attacks that might attempt to forge credentials or impersonate citizens.
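The PIM answer above describes just-in-time elevation: eligibility rather than standing membership, a justification and bounded duration, an approver, and an activation window after which the role simply stops existing. The following is an added example for this page that models that lifecycle; it is not Azure PIM, CyberArk or BeyondTrust code and not from the page's author. The `JitRoleStore` class, its four-hour maximum, the no-self-approval rule and the users and ticket reference in `scenario()` are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Elevation:
    requester: str
    role: str
    justification: str
    requested_at: datetime
    duration: timedelta
    approved_by: Optional[str] = None
    activated_at: Optional[datetime] = None

    def active_at(self, now: datetime) -> bool:
        """True only inside the approved window; no activation means no privilege."""
        return (self.activated_at is not None
                and self.activated_at <= now < self.activated_at + self.duration)


class JitRoleStore:
    """Minimal JIT elevation model: eligibility, bounded duration, approval, expiry, audit."""

    def __init__(self, eligible, max_duration=timedelta(hours=4)):
        self.eligible = eligible          # user -> roles that user may request
        self.max_duration = max_duration  # policy ceiling on a single activation
        self.elevations = []
        self.audit = []                   # (time, event, user, role)

    def request(self, user, role, justification, now, duration):
        if role not in self.eligible.get(user, set()):
            raise PermissionError(f"{user} is not eligible for {role}")
        if not justification.strip():
            raise ValueError("a justification is required")
        if duration > self.max_duration:
            raise ValueError("requested duration exceeds the policy maximum")
        e = Elevation(user, role, justification, now, duration)
        self.elevations.append(e)
        self.audit.append((now, "requested", user, role))
        return e

    def approve(self, elevation, approver, now):
        if approver == elevation.requester:
            raise PermissionError("self-approval is not permitted")
        if elevation.activated_at is not None:
            raise ValueError("elevation already activated")
        elevation.approved_by = approver
        elevation.activated_at = now
        self.audit.append((now, "activated", elevation.requester, elevation.role))

    def has_role(self, user, role, now) -> bool:
        """The authorization check every privileged operation would call."""
        return any(e.requester == user and e.role == role and e.active_at(now)
                   for e in self.elevations)


def scenario():
    """Walk one elevation through its lifecycle and return the observations."""
    t0 = datetime(2024, 3, 1, 9, 0)
    store = JitRoleStore(eligible={"olena": {"Global Administrator"}})
    req = store.request("olena", "Global Administrator",
                        "rotate federation signing certificate, change PLACEHOLDER-123",
                        t0, timedelta(hours=2))
    before = store.has_role("olena", "Global Administrator", t0)
    try:
        store.approve(req, "olena", t0)
        self_approval_blocked = False
    except PermissionError:
        self_approval_blocked = True
    store.approve(req, "ihor", t0 + timedelta(minutes=5))
    during = store.has_role("olena", "Global Administrator", t0 + timedelta(hours=1))
    after = store.has_role("olena", "Global Administrator", t0 + timedelta(hours=2, minutes=6))
    try:
        store.request("olena", "Global Administrator", "weekend on-call", t0, timedelta(hours=9))
        overlong_rejected = False
    except ValueError:
        overlong_rejected = True
    return {"before": before, "self_approval_blocked": self_approval_blocked,
            "during": during, "after": after, "overlong_rejected": overlong_rejected,
            "audit_events": len(store.audit)}


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:22s} {value}")
```

The point the answer makes about stolen credentials is visible in `has_role`: a credential for olena obtained outside the two-hour window yields nothing, because membership is computed from approved activations rather than read from a permanent group. The audit trail records both the request and the activation, which is what a SOC correlates against privileged actions seen elsewhere.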
Sources
- Microsoft — "Ukraine Government Zero Trust Journey," microsoft.com 2023
- SSSCIP — "Zero Trust Architecture Implementation Guidelines for Government," cip.gov.ua 2023
- NIST — "SP 800-207: Zero Trust Architecture," csrc.nist.gov 2020
- Okta — "State of Zero Trust Security Report," okta.com 2024
- Ukraine Ministry of Digital Transformation — "Diia Security Architecture Overview," thedigital.gov.ua 2022
Cyber Operations Analysis: Identity-Centric Security: Ukraine's Zero Trust Identity Implementation
The Russia-Ukraine conflict has generated the most comprehensively documented state-sponsored cyber operations in history, with Identity-Centric Security: Ukraine's Zero Trust Identity Implementation representing a significant dimension of this digital warfare environment. Cyber attacks have targeted Ukrainian government systems, critical infrastructure, financial institutions, and military communications since well before the physical invasion began in February 2022. Understanding the technical characteristics, attributable actors, and strategic effects of cyber operations related to Identity-Centric Security: Ukraine's Zero Trust Identity Implementation provides essential context for assessing both immediate operational impacts and broader implications for cyber conflict doctrine.
Russian state-sponsored threat actors including Sandworm (GRU Unit 74455), APT28/Fancy Bear (GRU Unit 26165), Cozy Bear/APT29 (SVR), and Turla (FSB) have conducted sustained campaigns against Ukrainian and allied targets with objectives spanning espionage, sabotage, and influence operations. Identity-Centric Security: Ukraine's Zero Trust Identity Implementation intersects with this threat actor ecosystem in specific ways, whether through the deployment of particular malware families, targeting of specific sectors, or employment of novel techniques that reveal evolving adversary capabilities and intentions.
Ukraine's cyber defense architecture, significantly strengthened with Western assistance through programs including the EU's Cyber Resilience for Ukraine project and bilateral cooperation with US Cyber Command, has demonstrated growing resilience against Russian operations. The Ukrainian Computer Emergency Response Team (CERT-UA) has published hundreds of threat intelligence advisories, contributing to global understanding of Russian cyber tactics, techniques, and procedures (TTPs). Identity-Centric Security: Ukraine's Zero Trust Identity Implementation informs this evolving defensive picture, highlighting areas where Ukrainian defenses have proven effective and where vulnerabilities remain.
The strategic calculation surrounding cyber operations related to Identity-Centric Security: Ukraine's Zero Trust Identity Implementation involves complex trade-offs between operational effect, attribution risk, and escalation management. Russia's decision to employ destructive wiper malware, distributed denial-of-service attacks, and infrastructure-targeting operations reflects a calibrated use of cyber as a coercive instrument alongside physical military operations. The international response—including intelligence sharing, cyber defense assistance, and potential offensive cyber operations by allied nations—shapes the cost-benefit calculations of Russian cyber strategists.
Lessons for Global Cybersecurity Policy
The cyber dimensions of the Russia-Ukraine conflict represented by Identity-Centric Security: Ukraine's Zero Trust Identity Implementation have generated critical lessons for national cybersecurity strategies worldwide. The importance of pre-positioning defensive measures before conflict onset, the value of international cyber defense cooperation frameworks, the role of private sector cybersecurity companies in supporting national defense, and the limitations of cyber operations as a strategic coercive tool have all been illuminated by Ukrainian experience. These lessons are reshaping cybersecurity investment priorities, information sharing architectures, and incident response frameworks across NATO and partner nations.
Frequently Asked Questions
What are the main Russian cyber attacks on Ukraine?
Russia has conducted sustained cyber operations against Ukraine since at least 2014, with a major escalation in February 2022. Key campaigns include the NotPetya attack (2017), attacks on energy infrastructure, the Viasat hack at war's start, and continuous operations against government, military, and civilian targets throughout the full-scale invasion.
How has Ukraine defended against Russian cyber attacks?
Ukraine's cyber defense has benefited from pre-invasion preparation, Microsoft and Western tech company assistance, CERT-UA operations, and the support of allied intelligence services. Ukraine developed significant cyber resilience by distributing government data to cloud infrastructure before the invasion.
What is the role of cyber warfare in the Ukraine conflict?
Cyber warfare in the Ukraine conflict operates alongside conventional military operations. Russia uses cyber attacks to disrupt infrastructure, spread disinformation, and support physical strikes, while Ukraine has developed offensive cyber capabilities to target Russian systems, including oil and gas infrastructure and military networks.
Who are the main cyber actors targeting Ukraine?
Russian state-affiliated cyber groups targeting Ukraine include Sandworm (GRU), APT28 (GRU), APT29 (SVR), Turla (FSB), and various GRU units. Ukrainian cyber forces, international volunteer hacker groups (IT Army of Ukraine), and allied intelligence cyber units operate on the Ukrainian side.
What can other countries learn from Ukraine's cyber defense?
Ukraine's cyber defense offers critical lessons: distributed cloud infrastructure reduces vulnerability to physical and cyber attacks, international information sharing accelerates threat response, pre-conflict preparation matters enormously, and the integration of civilian tech expertise with military cyber operations creates strategic advantages.