This is the first follow-up to my blog post from December 11th, The CSO’s 4 Key Takeaways from Gartner IAM 2017. In this post I drill into my perspectives on why an effective security program must be identity-centered. Let’s start with a little background on how I think about security, so readers have a sense of where I’m coming from. One key thing that underpins my thinking is a belief that the zero trust model is the only valid way to approach security for a modern enterprise.
First introduced by John Kindervag with Forrester in 2009, the zero trust model is closely tied to Google’s work on the BeyondCorp model for enterprise security. At the core of this model is the idea that there is no such thing as a trusted network or a trusted device. This means that every single action taken must be properly authenticated and authorized. As authors Evan Gilman and Doug Barth state in the introduction to their 2017 book titled Zero Trust Networks: Building Secure Systems in Untrusted Networks:
“…in this model, nothing is taken for granted, and every single access request–whether it be made by a client in a coffee shop or a server in a datacenter–is rigorously checked and proven to be authorized.”
The Model for a Cloud-centric Mobile Workforce
I find the zero trust model to be especially compelling with the shift to cloud computing in all its forms (SaaS, PaaS, IaaS) and the continuing “mobilization” of the workforce. Security systems and programs must evolve to embrace these new models, and adopting the zero trust model is a key part of making the transition. Once you make the switch to this model, identity becomes the critical component in your security program: not only the identity of people, but also the identity of the devices they use and of the systems and applications they access. The other interesting transition that happens is that authentication and authorization for internal people start to look a lot more like what is needed for customers, which means the capabilities of your internal and external identity platforms start to merge.
In a zero trust model, authentication and authorization decisions need to happen much more frequently, leverage more information about the context of the event, and can no longer be limited to simple username/password authentication. Authentication and authorization decisions need to become risk-based rather than binary, and take into consideration a rich set of information including:
- The sensitivity of the data being accessed or the transaction being requested (viewing an account balance may need a lower level of authentication assurance than requesting a wire transfer).
- The Authenticator Assurance Level (AAL) or the strength of the authenticator used (a password is a much weaker authenticator than a cryptographically strong hardware-based token).
- The level of assurance that can be attributed to the identity of the device being used.
- The association between the device and the entity requesting the action (and, for some use cases, whether the device is known to be an officially authorized device).
- The context of the request (location, time, device type, browser/application, installed software, etc.) and the typical patterns for this entity.
- Other data sets that can be used to increase the assurance level including biometric data, behavioral pattern data, etc.
Ultimately, the decision to allow an action to proceed will come down to determining whether the entity requesting the action is authorized to do so, and whether they have proven they are the entity they claim to be with a sufficient level of assurance based on the risk of the specific action. All of this hinges on a well-designed identity platform that allows these decisions to be made quickly while reducing friction.
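The decision described above, sketched as an added example (it is not code from ForgeRock or any other product). The action names, the numeric assurance levels, the discount rules and every identifier are assumptions chosen for illustration. It shows a request ending in allow, step-up or deny rather than a binary yes/no.

```python
from dataclasses import dataclass, replace

# Assumed policy values, constructed for illustration (1 = low, 3 = high).
REQUIRED_ASSURANCE = {"view_balance": 1, "update_profile": 2, "wire_transfer": 3}
AUTHENTICATOR_STRENGTH = {"password": 1, "password+otp": 2, "hardware_token": 3}
STRONGEST = "hardware_token"

@dataclass(frozen=True)
class AccessRequest:
    action: str
    authenticator: str
    authorized: bool              # entity is entitled to perform this action
    device_managed: bool          # device identity verified as officially authorized
    device_bound_to_entity: bool  # device already associated with this entity
    context_typical: bool         # location, time, browser match usual patterns

def effective_assurance(req: AccessRequest) -> int:
    """Authenticator strength, discounted by weak device and context signals."""
    level = AUTHENTICATOR_STRENGTH.get(req.authenticator, 0)
    if not req.device_bound_to_entity:
        level -= 1
    if not req.context_typical:
        level -= 1
    if not req.device_managed:
        level = min(level, 2)     # unmanaged devices never reach the top level
    return max(level, 0)

def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step_up' (ask for a stronger authenticator) or 'deny'."""
    required = REQUIRED_ASSURANCE.get(req.action)
    if required is None or not req.authorized:
        return "deny"             # unknown action or no entitlement: fail closed
    if effective_assurance(req) >= required:
        return "allow"
    # Step-up only helps if the strongest authenticator would close the gap.
    best = effective_assurance(replace(req, authenticator=STRONGEST))
    return "step_up" if best >= required else "deny"

if __name__ == "__main__":
    # Constructed sample requests.
    base = AccessRequest("view_balance", "password", True, True, True, True)
    for r in (base, replace(base, action="wire_transfer"),
              replace(base, action="wire_transfer", authenticator="hardware_token",
                      device_managed=False)):
        print(r.action, r.authenticator, "->", decide(r))
```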
The ForgeRock identity platform is well-suited to meet the needs of an identity-based security program, with features like an adaptive risk engine, contextual continuous authorization and highly versatile authentication, built on a platform designed to deliver high performance in high-volume environments. Security leaders looking to evolve their security program using a zero trust model should take a close look at how their identity platform measures up and make sure they’re on a platform that will help them achieve their core mission.