Event Recording

The IAM Fabric and How It Integrates With Your Cybersecurity Program

Architecture, operating model and governance are key viewpoints for every business as a whole and for its subdomains as well. Depending on the size of the organization, information security may be managed as a single domain or divided into multiple subdomains. Viewpoints and domains are still static, and an implementation strategy is needed which must be proportional, sustainable and relevant in an agile and disparate world with limited resources.

Identity Fabric has recently become a reference architecture for IAM and describes how identity services could be built. But it is still one of multiple subdomains of information security. We will take a broader look and analyze how the Identity Fabric could fit into cybersecurity programs.

There is the... I got this topic from Roger, the invitation to speak about it. And there are two kinds of topics when I take the challenge to speak: there are things which are known, and things which are challenging to understand. And this is the second category: the IAM fabric and how it integrates with the cybersecurity program. Two huge things, two huge architectural definitions, and it is especially challenging to put them together in one presentation. Honestly, as an engineer, I started to... I did some rounds of interviews with our architects, our CPOs, chief program owners, but then all of a sudden, some weeks just before the presentation, I saw some pattern in the communication with developers, other developers. And then I decided that I want to reach the topic by a kind of roundabout way and speak about the communication between the identities and the relations between identities from the developer's point of view, and how it looks.
And then we reach the answers. One of the answers, because there are many answers, there are huge things there: how the IAM fabric works and how it integrates with the cybersecurity program in one particular context, which is the identity communications and environments. So let's have some scenarios, because it's afternoon. There are some scenarios which I want to show you: how we think that things are, and how they actually are. So scenario one, a typical scenario, how we think that it works. There is Mary, the team lead, who says: Peter, you will manage our new CRM server, please request the rights needed. Because usually it starts like this; the rights are not accessible right from the team. There is some negotiation with your manager. And Peter: yes, done. We placed a request for sudo admin on server 1000. And honestly, Mary has no clue what the server is. And then there is something more coming: sorry, forgot one thing.
Su admin is also needed. And Mary approves: it's no problem, approved. This is a common scenario, but you see already that the warning sign is Peter's additional request. And I'm honest, I don't know, Mary doesn't know whether it was an authentic request from Peter or whether somebody included the request. But anyway, the scenario is that anything is approved with what you get. This is the reality, and how it actually works: Peter goes to the service portal and places a request. And then in the service portal there is an identity. I use specifically... I believe you know the robots of Terminator, because they are superhuman, super powerful entities, but still robots. So the first one is T-X, from Terminator 3; she's the intermediary. She's the one which actually presents to Mary
the question that Peter asked for rights: do you approve? And Mary is then actually not getting Peter's question, but something which is intermediated by the other identity. And then this identity, the service portal, goes to Mr. Active Directory and asks to grant Peter the admin rights. And for the directory I use the T-850, which is the Terminator from Terminator 3, which is also a superhuman power over the Active Directory, which can do everything. This is how it actually happens: the communication between the different service identities and our identities is intermediated, and we don't really see those as authentic. Then another scenario, how we think that it works. Mary again: Peter, our CRM needs to have access to our Active Directory to show employees. Okay. Peter: I request rights from the Active Directory service to our service account.
We want to implement it in our service 666. And then there is the CPO, or the owner of the Active Directory services. He thinks: okay, I see the request, I know Peter, so I grant access just because I know Peter. I don't even understand why he needs this access and why this service account is authentic. I just know Peter. And how it actually works is that Peter talks to the service portal, and the service portal talks to Mark: Mark, Peter asked to read, he wants to hold the right. And Mark thinks, if it's Peter, then it's okay, but it's an assumption. He thinks that it's Peter, but it may not be Peter. And then the service portal goes to the T-3000 and says that yes, and the T-3000, who is capable of doing anything in this area, fulfills this without even knowing where it actually came from; it just came from talks to T-X.
And then the next scenario, a business scenario, how it actually works. For example, there is the worker who wants to transfer 500,000 euros or dollars in the CRM. And he asks the CRM to transfer it. He cannot do it himself, because there is the CRM, the database and multiple layers, and the CRM is checking permissions, but not directly Peter's permissions. Basically the problem is that it can check anybody's permissions. It can make the decisions, and it's just its good will whether it actually does this. And then it asks Mr. Database, because it's not directly doing this: run the update record command for the ID, set amount to plus 500,000. Done. The database doesn't even know who did it. It just sees the communication from this other service account. So those are the scenarios, how it works; actually, we quite rarely think about it.
And there we come to the quite trivial conclusion, which we have seen a lot in the identity conferences, especially in our audience: yes, identity is the central point of everything. This is the central common point of those things. The communication is our identity, and how we protect it, how we set it up. But this is not the conclusion which I want to reach. This is just a starting point. So, we agree that identity is the security perimeter in those communications. But the things which I want to talk about are some paths between those which we often overlook. First of all, the human-to-human communication: the authenticity, how we can actually be sure that something which comes to our desktop, our Outlook, our phone is actually coming from this counterpart. This identity is just intermediated by Outlook, by the services between us, the JIRA, whatever.
And these are the signs. When we look in our Outlook, we see already the protections, the texts there on the email; we see all the warnings there, because they remediate the fact that we actually are not very good at checking, or not capable of checking, the real authenticity, unless we do the old stuff which has existed for a long time, for example PGP or the encrypted emails, where we really check the signatures. But we often don't. Another thing which we often overlook is the relationship between the engineers and the service accounts, or the Terminators or superhuman identities which they control: who can actually control what, and what can they do, which credentials I still have, which I have in cyber, which I have in my computer, or wherever, and what else can I do with it and how I can use it?
And whether I actually use it for some other purposes. And then the communication between these robots or the service identities: the questions about the least privileges between them. It's not about our least privileges, because mostly when we apply the least privilege principle, we think that we apply it to our humans, but behind this, when we send any commands to any services, we actually forget anything about least privileges. Those service accounts can literally do anything, because they must fulfil the orders of the most powerful users, including the administrators. So they must be able to do anything. So this is just a game between us and the service accounts. So those concerns are often missing. And then, just to refresh what we are talking about: how many non-human identities we have. This is huge. We have devices, IT admin, which are the service accounts.
We have software infrastructure, which needs identities. And finally, so far, we have already intelligence. You will get the presentation later. So it's just a puzzle to show you that there are already more than authentic non-human identities. And then another chapter, which I don't want to concentrate on reading, because I just intentionally highlighted the yellow part. You can read it later, but this is where I come now to the topic. So what is the identity fabric in this context? The complexities in the architecture, the end-to-end communication between the identities, and the identity fabric is exactly the architecture or design approach. It's not a kind of solution. It's how we continually update our enterprise architectures, how we actually bring all identities to the same level, how we offer the services of protection, or of creating identities, processing identities, covering all the different types of identities, the sources of identities, and the ways they communicate.
So end-to-end identity protection and provisioning is my interpretation of identity fabric. And another thing which is highlighted is that we must do it in a standardized manner, to decrease the surface of ambiguity. And by the way, an interesting thing there is that I found it in BIA. And I don't even know who created identity fabric, is it Kate Amory, maybe it's Martin, actually Martin Kuppinger, because the sentence is really nice and clear. And then yes, the thing which the identity fabric is trying to solve is really the broken identity chain. We have well-established identity proofing so far between the human identities and first-level service accounts. We are quite good at verifying the tokens with OAuth. But with any kind of... this is represented by the car. So we show somebody the credentials, which are very strongly protected.
We prove our identity to the first-level service accounts or services, but then what happens to our identity next? The communication between the underlying service accounts or systems is really "because I just say so". We are thinking that the request came from Peter because the underlying service account says so. We don't really know; we even cannot validate it ourselves. They don't even bypass our proofing there. So then we come here, to the silos: we are different silos, human IAM silos, non-human silos. There are different ways of communicating between them, between our humans. And there is no end-to-end identity proofing and identity transfer. And finally, what we all reach is the cybersecurity mesh, the common buzzword from Gartner. Cybersecurity mesh architecture is composed of a scalable approach to extend the security controls. You can read it later, but what is important there is, you can see that a significant part of this is distributed identity fabrics.
So those are the things, when things come together: the identity fabric is the integral part of the cybersecurity mesh architecture, and identities are the security perimeter in the cybersecurity mesh. The slide is just not meant to be read now, but meant for later reading. And just one more note, to prove that it is a concern: this is a sentence from some Excel forms, that the software agents are not the concern anymore in the cloud, because there are no agents in the cloud. And there are others; when we think about, for example, serverless computing, there is nothing like agents, we cannot have them. And we really have this set of identities. What is for sure is that there is an identity layer. And just another one, think about it, this is the sentence, one can see why, after years of preventing, Azure and Microsoft have all told: hackers don't break in, they log in. We reach again the importance of identity, identity proofing, and its integration into the cybersecurity mesh. Identity fabrics must integrate into the cybersecurity hunt.
This is my final slide. What does it mean, then? We have identity in the centre; we must protect identity. We must have end-to-end identity proofing. We must think about how they actually communicate, what the architecture of it is, which we apply. And we do it using the identity fabrics, and the rest which is left over we have to protect with cybersecurity measures. We have to protect how the credentials are kept, how the communication happens, that it's not intercepted, that it's not broken. We must protect against vulnerabilities. But these are the things, how they are coming together, in my opinion, in this context, although there are a lot more contexts and a lot more relationships between those things, because those are very broad topics. But this was the one thing which I wanted to share with you today: think about the end-to-end communication between identities, how you protect them, and how you integrate it with the rest of the cybersecurity program.
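The broken identity chain the speaker describes (the service portal telling Active Directory "Peter asked for admin rights", and the directory believing it only because it trusts the portal's powerful service account) can be made concrete in code. The block below is an added example; it is not part of the recording and not KuppingerCole's or any vendor's code. The service names, the HMAC-signed token format, the keys and the two policy tables are all constructed for the demo, and the identity provider, portal and directory are plain Python functions. It contrasts the "because I say so" pattern with a delegation chain in which the portal forwards the user's identity-provider-signed assertion, and the downstream verifies both the portal's signature and the original assertion before applying least privilege to the human and to the robot separately.

```python
"""Constructed demo: who decides whether "Peter asked" is true downstream."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secrets; a real deployment would use per-service asymmetric keys
KEYS = {"idp": b"demo-idp-key", "portal": b"demo-portal-key"}

# What each human may be granted, keyed by user then resource (constructed policy)
USER_POLICY = {"peter": {"server1000", "crm-db"}}
# Which resources the portal's robot account may act on for users (constructed policy)
SERVICE_POLICY = {"portal": {"server1000"}}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, issuer: str) -> str:
    """Serialise the claims and append an HMAC keyed with the issuer's secret."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify(token: str, issuer: str, audience: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims when signature, issuer, audience and expiry all check out, else None."""
    now = time.time() if now is None else now
    try:
        body, mac = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if claims.get("exp", 0) < now:
        return None
    return claims


def ad_grant_broken(portal_request: str) -> bool:
    """Broken chain: the directory only checks that the portal's account sent the request."""
    claims = verify(portal_request, "portal", "ad")
    if claims is None:
        return False
    # 'on_behalf_of' is the portal's bare word; nothing proves that user ever asked
    return claims["resource"] in USER_POLICY.get(claims["on_behalf_of"], set())


def ad_grant_delegated(portal_request: str, now: Optional[float] = None) -> bool:
    """Delegation chain: verify the embedded user assertion, then both policies."""
    outer = verify(portal_request, "portal", "ad", now)
    if outer is None:
        return False
    inner = verify(outer.get("user_token", ""), "idp", "portal", now)
    if inner is None or inner["sub"] != outer["on_behalf_of"]:
        return False  # no proof that the named human asked, or the proof is forged/stale
    resource = outer["resource"]
    # Least privilege applied twice: to the robot acting, and to the human it acts for
    return (resource in SERVICE_POLICY.get(outer["iss"], set())
            and resource in USER_POLICY.get(inner["sub"], set()))


def demo() -> dict:
    """Run the talk's scenarios against both grant functions (all inputs constructed)."""
    now = time.time()
    fresh, stale = now + 300, now - 1
    # Peter logs in; the identity provider hands him a token addressed to the portal
    peter_token = sign({"iss": "idp", "sub": "peter", "aud": "portal", "exp": fresh}, "idp")

    def portal_request(resource: str, user_token: Optional[str] = None) -> str:
        claims = {"iss": "portal", "aud": "ad", "on_behalf_of": "peter",
                  "resource": resource, "exp": fresh}
        if user_token is not None:
            claims["user_token"] = user_token
        return sign(claims, "portal")

    # A portal that mints "Peter's" assertion itself instead of presenting the IdP's
    self_minted = sign({"iss": "idp", "sub": "peter", "aud": "portal", "exp": fresh}, "portal")
    expired = sign({"iss": "idp", "sub": "peter", "aud": "portal", "exp": stale}, "idp")

    return {
        # Peter really asked: both patterns grant
        "honest_broken": ad_grant_broken(portal_request("server1000")),
        "honest_delegated": ad_grant_delegated(portal_request("server1000", peter_token), now),
        # Nobody asked, the portal merely says "Peter": indistinguishable in the broken pattern
        "unasked_broken": ad_grant_broken(portal_request("server1000")),
        "unasked_delegated": ad_grant_delegated(portal_request("server1000"), now),
        # Forged or replayed user evidence is rejected by the delegation check
        "self_minted_delegated": ad_grant_delegated(portal_request("server1000", self_minted), now),
        "expired_delegated": ad_grant_delegated(portal_request("server1000", expired), now),
        # Peter may touch crm-db, but the portal's robot account is not allowed to act there
        "out_of_scope_delegated": ad_grant_delegated(portal_request("crm-db", peter_token), now),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name:24s} -> {'GRANT' if granted else 'deny'}")
```

The point of the two policy tables is the speaker's "least privilege between the robots": in the delegated path the directory refuses a request for `crm-db` even though Peter is entitled to it, because the portal's own account was never scoped for that resource, so a compromised portal cannot borrow the full reach of every user it serves.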