The Rise of the Machines

Ah, thank you very much. Okay. So welcome everybody. And thank you very much for giving me the opportunity to be there remotely. If not in person, I must admit I was, I was very much looking forward to being able to come out in person this year and looks like we as a planet, just couldn't get that right. And hopefully next year I will be enjoying some of the wonderful Munich beer with everybody in Munich. Again.

So as I said, my name is Alan Foster and I'm the chief evangelist here at for truck and have been looking at this issue around many of you that know me or that I've spoken to know that access control is one of the things that is sort of very near and dear to my heart. The, as a sort of a little bit of an aside, the, the, we may remember the standard Zall and I'm one of those people that whenever I say Zal everybody in the room starts groaning loudly, but I've been around with access to control for, for a very long time.

So really what I want to talk about is when we have a look at access control to try and break it down a little bit into thinking about what are the tasks that actually is involved. And I sort of wanna break down the, the actions of access control into these sort of three various areas, right? First of all, before we can actually do any access control, we have to do the setup, the requesting access, the approving somebody to get it and getting all of the setup, sort of traditionally, we can think of that as provisioning, then we've got the enforcement, right?

Which is when a, a user tries to do something. And we have to make a decision as to whether they're allowed to do that or not. On the right hand side, we've got the validation and maintenance, which is often overlooked, or at least doesn't get the attention that it deserves. And so each one of these sort of phases in managing access control brings into play a different set of problems, right?

And, and how we can actually deal with them. And there's two different kinds of actions that we have to deal with. So when we actually look at access control, most of the events that we have to deal with are synchronous. And what I mean by that is that there's some event that initiates it, a user requests, access to a resource or a user is moved into a new role. There is a forcing event, right?

That, that before that point, nothing can be done. And as a result of that event, there is an action that is actually required. Now I'm gonna come back to this in a little while, but there's an action that is required to continue. And until that is done, we kind of have to sit in a holding pattern, waiting, waiting for that to happen. I'm sure every single one of us have been through the process of joining a company and asking to get access to whatever the system might be, the XYZ system or some particular software.

And we have to sit and wait, we wait for somebody to approve our access before we can actually get into it. However, there's a whole nother set of events, which I'm sort of thinking of as asynchronous. These are events or things which have to be done.

However, there's no forcing event. Very often. These are compliance and regulation kinds of things. We need to make sure that people only have access to the things that they need. And so there's no forcing event. And at the time there's no consequence for not doing, or at least there's no consequence for delaying it. At some point, we have to go back in and make sure that that is done, but those kind of events actually lead us to some interesting challenges.

So, so in the light of this, if we go and have a look back at that access control piece on the left hand side, when we are talking about that setup, this is traditionally the access request, the approval process, and then the provisioning process, you know, and all of that happens generally once, generally in response to a forcing event, a, a user or a device or a service needs access to something. And so we have to go through the process of giving them access, which generally they then keep moving forward. I spoke about enforcement and I've got a slide about that in a second.

And then on the right hand side, the non-interesting the, the sort of boring side of access control. This is the access certification and revoking access and the auditing. And even when we start having a look at the, the ensuring that people have specific use, that, that they need to be able to have and, and separation of roles and things like that. So these are the sort of three areas that we sort of want to have a look at. Let's start with the enforcement one. I want to start here because it's really fun.

However, it's not particularly challenging. We know how to do this, right? This is typically the agent or the access control decision in the old Zal parlance. This was called the policy enforcement point. We know how to do this. Normally at the point that we do this, we know who is attempting access, or at least we know who the authenticated entity is. There's been an authentication process before this, and we know the identity of what, of who, or what is trying to perform the access.

And at this point, it's really just the simple job of checking to see whether that identity has the appropriate entitlements to be able to access this resource and then make a decision as to whether we are going to allow or deny that access. Now, I don't wanna downplay this because I love this space, right? There's a lot of really fun technical issues here.

However, the issues here are well understood and generally tend to be focused around scale performance and, and flexibility in terms of how to actually set this up. It's really nothing more than a decision, right? Enforcing a decision. And you know, whether we can do that in under a hundred milliseconds or under 25 seconds or, or even in the single millisecond range, right. That's really a performance challenge. We pretty much know how to do this. So let's take that and say fine. We know how to do that. What about the rest of it? Right? Let's go and have a look at these other problem areas.

These other places where the challenges come in, there's not a lot of intelligence in that enforcement point, and I'm not trying to be disrespectful to the enforcement space. You have an identity, you have a set of privileges and you get to make a decision. I'm sure many of us have seen the UK television show where the person sits there and says, the computer says, no.

Well, that's the decision, right? The computer says, no, we don't know why or, or what it's coming up with that decision. It just says it. And we enforce that point, but let's go and have a look at these other two areas. Let's start over on the left hand side, right? The access request, the approval process that we then need to have a look at.

And the, the associated provisioning doesn't RAC and AAC solve this problem. No Rach and AAC are simply ways to try and simplify the administration of setting policy. It's very difficult for us to go through and determine exactly what an individual or at least an individual identity should be allowed to do or not allowed to do. And so we try and reduce that complexity by grouping people together. We do that by trying initially to group them via roles. And we can say everybody who performs this task or that task should have access to these particular resources.

Well, yeah, that kind of works. But then that gets a little complicated because now we want to say, oh, well, you've got that role, but it also depends on your geography. And it also depends on the department that you're in. And maybe it also depends on whether you've had certain training or not. And so it gets more complicated. Okay. So then we'll bring on aback attribute based access control, which really, when you have a look at it is just multiple attributes rather than the single attribute of role. And we can express some very powerful ways of doing them, enforcing the policy, right?

You can say, if you have this attribute or you've got this attribute that has this range of values, we can now go and define what this particular identity can do. It leads to, to some problems, right? And there's a bunch of problems that comes up with this in trying to reduce complexity. What we end up doing is making it more complex. The problem with roles is that, well, we kind of forget what each and every role is there for and leads to what we call the role proliferation problem.

I ended up talking to one of our customers who had about, I believe they had 15,000 users, they were managing and ended up having 150,000 roles defined within their system because they really didn't have a good way of keeping track of all of the constraints around an individual roles. And so what Rach really does is it moves the problem from an individual policy to managing users' roles and having to keep track of what the individual roles do.

Another one of the problems here is the fact that the modern work environment isn't structured in such a way that we can all just easily replace each other in the workplace we're individuals. And very often, if look at the apps that individuals should have in the workplace each and every person is often different, and there are different circumstances as to why this person should have access to that system and not have access to this system. And so these are failing to meet those demands. There's another reason that these are failing to meet them them.

And that is the general assumption is that the number of identities tends to be relatively constant. We don't expect identities to come and go. They tend to be long term.

Again, that's changing in the modern world. We're now seeing identities that are initiated exist and then are terminated sometimes all within the same hour. Think of the use case of Kubernetes and things like that, where you're talking about servers. It used to be that a server was a physical piece of land that sat in the data center. And now it's a virtual device that starts up runs, does some work and then quits, however that server or that virtual server still needs to have access control, enforced as to what it can and can't do.

And so having to have us manage this attributes or these access control policies is breaking down and ending up, making us make very general decisions. And yes, these services can access that service. And we define it at the server level, or maybe even at the data center level without being more and more accurate. And ultimately people still have to approve every single request.

In fact, if you're a manager, this is probably the story of your life, right? You have to spend an in ordered amount of your time, making sure that the people who work for you, the people who you are trying to enable to get work done, have access to the appropriate, to the appropriate systems. And often this is just hiding behind adding them to roles, not fully understanding or aware of what that role does, but knowing that well, if they've got that role, they can access one particular system. And yet we still sit there waiting after the access request for the access request to be resolved.

I'm sure every single one of us have been in the situation of this young lady where we need to get access to could be Salesforce, could be accounting system could be a file server, whatever it might be. And we are waiting for the fairly long drawn out process of handling that access request and then doing the approval and the provisioning to make that happen.

Now, granted, we've gotten a lot better at this. This used to take couple of weeks. I remember when I first started working and this is my apology for my, my gray hair. When I first started working, it would literally take two or three weeks before we had all of the appropriate access in order to get our jobs done.

Well, we've, we've made that a lot better. Now. We can often do it within a few days, but still it's in a few days. And I was just talking about resources that come and go within the scope of an hour or less. And so these forcing factors are still frustrated, right? We're still frustrated in what we're trying to get to, but let's go over to the other side of the diagram, right? Let's go and have a look at that.

What we, we termed about the maintenance and the access certification side of things, because at least the, the access requests and the approval process that poor young lady is sitting, waiting for us to get our job done. And until we do, they're gonna keep complaining that they can't get their work done. So the access certification side is often driven by compliance. It's an ongoing maintenance to ensure that this person still needs access to this machine or that this resource still needs access to that service, right? They regulatory requirements.

There's no forcing function and no one is waiting for us to get it done. We absolutely have to do it right, because we've all seen if we don't get this compliance, right. We end up on the front page of the newspapers because ultimately it leads to a breach, but there's nothing forcing us to do it. There's nothing making it other than policy within the company, right. And the managers, our managers coming up to us and said, have you done your quarterly access review? So there's a problem here.

And, and it can be a big problem. And ultimately it's back on that poor manager again. So here's the problem that that manager has and see if this relates to you, right? First of all, the manager has to manage the entitlements. And there's an inherent conflict of interest here because things are working. And we all know that there's that old sort of mantra that we live by, right? If it ain't broke, don't fix it.

Well, when we start looking at access control, there's a strong impetus for us to live by the rules. It says it's not broken. All of my workers can get their job done. I don't know that if I take this privilege, this entitlement away from one of my users that they aren't going to now be not be stopped in being able to get their work done. And so very often managers see this as busy work, they see it as a conflict of interest and they see it as nearly a formality and they go through the spreadsheet and they checkbox every item on the spreadsheet saying, yes, it's still working. Yes.

It's still working. Yes. It's still working. And every quarter they fill the spreadsheet back in to say, yep, I've checked everybody. Everybody still needs it. Everybody's getting their job done. That's not serving the needs of the compliance. It's not serving the regulatory needs. Although yes, it's, it's checking the boxes and it says we are doing it, but are we actually doing the intent behind that?

The other problem with that is that we, as people are really good at imagination and ideas and working out problem solving and trying to work, how everything fits together, this is why we, we enjoy doing the work. Right. And we should be able to leverage people from doing that kind of analysis. The other thing about it is that we, as people really like new and interesting work, we don't really like repetitive same old style where we're doing basically the same thing over and over and over again.

So what about if there's a different way that we can, by doing that right machines and by machines, I mean, any kind of automation are good at repetitive tasks. They don't mind doing the same thing over and over and over and over again with exactly the same result. They don't get bored. Can we leverage machines to do a lot of this work that I've just been talking about?

Well, yes, we can. Obviously we can because I'm talking to you about it. So let's look at how we can actually leverage those. So first of all, we can use machines to be able to look at our identities. Now doesn't really matter whether these are users, physical people, or services, machines, servers, whatever they are. If there is an authentication step that's involved with this, we can use machine learning to look at all of the data that we have as well as all of the entitlements that the identity has and compare it to other identities within our organization.

Now this doesn't solve the first problem, but it does solve the issue of the compliance, or at least it helps us address the issue of the compliance, because what we can now come up with is data like this graph on the right hand side, where we can say the interesting things in access certification. When we start looking at what a user can do, the interesting things are the outliers, the things where one of these is not like all the others.

And so, you know, in this case, we can say, well, if all of our consultants have access to this system, 98% of them have access to the system. It's probably okay for a consultant to have access to it.

However, on the red side, if only three people have access to this particular reporting system that may lead us to ask the question, it's not that it's wrong, but it may lead us to ask the question why. So this is the first thing machine learning and automation can give us a lot of transparency and visibility into what's happening across the entire organization. It can also happen a lot repeatedly so we can easily handle those short lived resources that pop in and pop out.

We also wanna be able to leverage the entire identity, the entire individual, the manager that we are asking to do the work earlier on is only looking at what effects their piece of the business. But again, in today's enterprise in today's business model uses often do a little bit of work for this organization, a little work for that department. They may be working in this project for six weeks. The users are individuals and they impact the business across multiple different lines of business, multiple different departments, multiple different identity systems.

And one of the things that machine learning and that automation is really good at is to be able to leverage all of those different identity sources and get that transparent picture of what the user is doing and what they need to be able to do, which sort of brings us up to our third sort of component where we can go in. And first of all, get the insights, right? Let's look at the context, get the insights on things. And then once we've got that potentially when we've learned what the right behavior is, we can then go and cause actions to happen. Right?

We can have maybe remediation recommendations or we can have predictions around our well users who do this. Also need access to that one. And we can automate that provision and deprovisioning operation.

And again, when you think about that, think about the situation where we have to deal with services that come and go very, very quickly. So how it actually works, right? This is the, the sort of high level picture of how we can have automation and machine learning, really helping us get visibility on what the identities are doing.

So the first step we have to do is look at all of the identity data and have the machine look for trends, look for correlations across all of our different identities and analyze that and use all of the magic that machine learning does to actually come up with a model and, and a view on what's happening with, with all of our identities. Once we've done that, then we can start leading to confidence scores, right? These are normal and good. We're very confident that this is correct. And other ones where it may be read, and we're saying, Ooh, this, this needs some attention.

It may not be wrong, but it needs some attention, which leads us into the third side of things, which is now we can look at the interesting things and take advantage of the things that our manager and our users are good at, which is analyzing the data and looking at the interesting things, the things which they have to make decisions about across the entire process, machine learning and automation, and I'm putting the two together can help us really optimize. And in many cases revolutionize how these things happen, right?

Whether we're talking about access requests or access reviews and everything in between, right? We can now move these processes of building up the access control policies, because remember, we still have to do the enforcement that I spoke about earlier, but we can build up the policies so that we can actually get this done in a matter of minutes or even seconds, to be able to make sure that people have the right access and don't have the wrong access, ultimately leading us so that our machines can do what the machines are good at and automate the process and not get bored.

And the machines can highlight, oh, this is interesting. So that our people who are really good at interpreting interesting data and making those decisions can focus on the kinds of things that they are good at. And I see my time is now rapidly coming up to the bottom of the hour.

So hopefully I've given you a little bit of an insight or a little bit of a challenge to think about how machine learning and AI and automation can help really work with us in this entire access control challenge, both in the provisioning and the certification side or the, the provisioning and the, the, the approval side as well as in the certification side. So thank you very much. And if you want any more information, feel free to reach out to me. You can email me Alan foster.com and I'd love to continue the conversation with you.