Future of IAM

Image by https://lifars.com/2020/03/zero-trust-security-report-2019/

Identity Security

This focuses on securing individual identities throughout the cycle of accessing critical assets.

Nowadays Identity Security is a very crucial thing to consider as the trend is more towards cloud-based solutions, not on-premise ones. With the multi-cloud solutions and the worldwide pandemic situation, the users (employees, customers, partners) access the applications from different locations and different devices. So with the thousands of entry points, the network perimeter becomes more open to the cyber attackers as the attackers keep innovating. Cyber-attacks often happen by initiating the initial compromise and then executing the full attack. So focusing on preventing initial compromise is really important.

Zero Trust Security

This is simply don’t trust anyone.

Verifying

Zero Trust Security is not a single technology, but an approach that has been built on the belief that organizations should not automatically trust anything inside or outside. It ensures that the user’s identity is verified, their devices are validated, and limited access.

Traditional Castle-and-Moat approach

The traditional belief on allowing access to an entity is that everything already inside the perimeter can be trusted. This relies on trying to separate the bad cops from the good cops and assumes that the good cops can be trusted very well. This approach opens paths for the attackers to onboard systems. Once the attackers gain access inside corporate firewalls, can move through internal systems without much resistance.

Building a Zero-Trust Culture

Implementing zero security is not an overnight task but definitely, it will add more value to the system from a security perspective.

  1. Authenticate

When verifying identity/ devices strong authentication plays a big role. Strong authentication can be achieved by using techniques like multi-factor authentication and adaptive authentication. As convenience versus security is a concern when using MFA, some modern IAM solutions use frictionless access control. Frictionless access control eliminates the use of all credentials, and instead, the person becomes the credential

2. Authorize

Granting each user access to only the most essential resources with relevant permissions and limiting access for the other resources (least privilege access) will narrow down the risk even if the user’s credentials are compromised in a security breach.

3. Access

Some modern IAM solutions enable just-in-time (JIT) access, where access can be granted for predetermined periods of time and only on an as-needed basis, reducing the risk. If more access is required it can be discussed and obtained. Additionally, the access can be restricted using Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC) by using adaptive authentication or by engaging some security policies. Further, it is really important to automatically disable user access from the system once the users are de-provisioned.

4. Audit

The users who use the system should be continuously monitored and verified. Any frauds can be detected by using Analytics or audit logs.

Why Zero Trust Security is important?

Let’s consider a practical example to see why this is important.

ABC is a famous company that sells products online and they do in-house development and QA tasks. They have three main environments for development, QA, and production. The usual practice there is the developers do the development in the development environment and the QA team conduct testing in the stage environment. Once in a while QA team do some smoke tests in the production environment too.

Bob is a member of the QA team. He has added all the credentials in a sticky note and pasted them on his laptop as he has to change the passwords from time to time due to company regulations. He pasted it on his laptop as he forgets the passwords.

One day he got a task to test a secured endpoint in the production environment and got access to the production environment with super-user privileges. Bob completed the production testings and moved to a different task and stayed happily.

After few days Bob got to know that an attacker has reached the production environment and stolen some sensitive data. When doing the investigations it was found that the attacker has reached the system by using Bob’s credentials.

Poor Bob :(

Bob got access to the production system as the others trust brob as he is an employee who is in the inner circle. But due to his weakness, the whole system got attacked.

In the retrospective of the above incident, it is noticed that this could be avoided,

  • If bob got only JIT access for a certain period of time
  • If bob got only the required permissions, not the superuser permissions
  • If strong authentication has been implemented
  • If the infrastructure team has not trusted the inner circle employees
  • If the sensitive data has been protected by encrypting/hashing

After analyzing the facts the management decided to move with the Zero Trust approach.

Challenges of Zero Trust Security

  • Transforming the legacy applications will not be easy and time-consuming. The cost will be a bit higher.
  • Changing the employees' mindset to not trusting anyone will be a challenge.
  • If any ‘Regulations’ which has not yet adopted the Zero Trust model, which means the organizations under compliance may have trouble passing an audit.
  • Not every situation requires the same level of authentication. Therefore it may need to use flexible authentication policies.

With the above challenges implementing Zero Trust may sound complex, but adopting this security model can be relatively simple and will be very important as security is a key concern.

Thanks for reading.

Associate Technical Lead @ WSO2