Event Recording

The Future of IAM & Cybersecurity is Policy-Based

Name: The Future of IAM & Cybersecurity is Policy-Based
Uploaded: 2023-05-12T12:00:00+02:00
Duration: 22 min 35 s

Posted on May 12, 2023

There are several sessions at this year’s EIC looking at the roles of policies in IAM, for modernizing and efficiency gains in IGA, for authentication and fraud detection, and for authorization. In his keynote, Martin Kuppinger, Principal Analyst at KuppingerCole Analysts, will take a broader perspective and look at why the future of IAM and cybersecurity must and will be policy-based. This involves policies in IGA, policies in cybersecurity, hierarchies of policies, policies for application developers and IaaS administrators, policies in Zero Trust, overcoming static entitlements, policies in the context of DID (decentralized identities), and other topics. He also will discuss what needs to be done where, such as Policy Governance, Data Governance, and Policy Lifecycle Management, and why the shift to policy-based approaches requires a multi-speed approach, with policies in new digital services coming faster than policies for modernizing legacy IAM.

Show description

Speaker

Principal Analyst
KuppingerCole

Martin Kuppinger

Martin Kuppinger is Founder and Principal Analyst at KuppingerCole, a leading analyst company for identity focused information security, both in classical and in cloud environments. Prior to KuppingerCole, Martin wrote more than 50 IT-related books and is known as a widely-read columnist...

View profile

Show Transcript

And I'll talk about the future of identity and cybersecurity is policy based, and I think a bit of different approach this morning, which is whiteboard, so to speak. So, so when I, when I started thinking about topics than I very frequently use a whiteboard. So sometimes on paper, sometimes I use the whiteboard app. And so I, I wanna walk a bit through, through my, my thinking on, on a whiteboard about policies and why I believe they are important and how to make them work, et cetera. So it looks a bit like PowerPoint, but you'll see PowerPoint is the, the minor part of what is about to come in the next minute. So we had a lot of talk about policies. We had a lot of, lot of talk about authorization and authorization, really, yes, there's a lot of talk about tasks, et cetera. But I think when we go a bit more towards the future than authorization is the hot topic finally, or again, we had it a couple of years ago and in that space, but beyond that, policies play a very, very important role. And the, the nice thing with policies is they have a standard structure that is very simple to understand. So this is about the subject action object and maybe constrained or, or, or context. And yes, the constraint, the context that could be complex, that allows in some way also for nesting, saying, okay, this relates to another policy.
Policies can have these relationships where you say, okay, one policy or a chain of policies are required to, to in fact allow something. So take Martin, I, I took the slim version by the way of Martin here. As you can see, yeah, there might be a policy that controls the access to a building. There might be a policy that controls the access to computer. There might be a firewall policy and so on. So many, many more and more complex relationships. But policies, and I think this is something which already becomes clear here, policies are something that is ubiquitous to identity through cybersecurity and well beyond. It's something we find in our daily life, a lot, a lot of things we express as a policy trialed better, don't touch the hot oven, subject, action, object, et cetera. So it's something everyone understands, and as I've said, they are widely used, they're ubiquitous.
So when we look at these ubiquitous policies, then we have firewall policies, you know, we have authentication policies. So when you look at the typical access management solution that we are using policies for decades, we not necessarily name just policies, but at the end it is, we have s o d policies, we have policies and birthright provisioning, we have whatever the building access. So physical building access policies. Yeah, we have some cybersecurity policies, but not always. We use policies as widely as we can. So maybe it's not the very best example yet. Authorization, yeah, exec was policy based, but unfortunately it was XML based as well. So in that combination, it didn't succeed as as expected. We have zero draft. When you look at the big zero trust picture of nist, then their policies seem as very much at the center. We have ESGs or environmental social governance, we have export control policies.
So policies are all over the place. And I think policy have, have, can have a very huge impact on what we are doing. So, so when we go into to I G A, so the identity governance and administration, user life cycles, identity provisioning, access governance piece, the areas where we have policies, I believe are the ones which are rather simple to use, but they are, that's maybe the problem. Too many areas without policies. So policies in iga when we look at this, so first let's start with the bad thing in iga, bad standing privileges or static entitlements. This is what is, as I I, I think I said it a couple of times during the conference, this is the root cause of all that in identity management.
So this is what really creates challenges. So the complex role management things, they are here because we have to deal with standing privileges across a lot of applications. Recertification is so, well, let's say name it ugly because it is about the standing privileges and the good thing, our dynamic policy based trust and time and shit is not shit access the automated part, this is really the good thing here. And there are things which are simple and brun. So birthright provisioning, which we can do, where we use a maybe an organizational role, a business role, an organizational. So which department is someone in the location, other attributes that is something that can work and that can work well. We can also use this by the way, if, if something changes, this could impact the mover process. Even by the way I have, I have a rule here, and I believe, I'm con convinced also from, from my experience, that this can be matched, this value.
The rule is that at least 90% of the entitlements someone has should be assigned automated by rules. So the manual access entitlements, manually requested access entitlements should be below 10%. So this is the threshold I define here. You should compare where with where you are. And I strongly believe this can be achieved. There are s o d rules. Yes. So we have areas, but managing all the static entitlements and legacy software AD s a ad, SAP homegrown software Salesforce, that is a challenge. This morning when I was standing in front of the mural shaving, one thought passed my mind. So we, we see all this upcoming regulations around sort of security by this sign one. This, honestly, I believe a part of everything around security by design should be no static entitlements anymore. Software that is built with static entitlements is not to my understanding in compliance with security by design because it's secure, insecure by design. So in fact, we must change this, okay? It's a bold statement, but I think I I, I'm pretty sure that I'm more on the right than on the wrong side of the statement. We'll come back to this, this IGA aing later, by the way, so can policies simplify legacy IGA approaches? This is always the point. And I remember, so there's one person in the room, I I had a conversation probably some 6, 7, 8 years ago about trust and time access and, and the hope of getting away from, from these standing privileges .
And I think there's always the, the point that comes up not from him, that is so complex to do so, so policies for legacy. So what we have today, we have users, we put their users in groups or roles, groups with entitlements. And these entitlements in fact are subjects in action that are assigned to a user or group, for instance, for files. So this is this static mapping in a bit of a simplified manner, but it's basically this, what we could do is we could say we have the users, we put them into groups, and we have sets of entitlements still. And what we can do is we can for a session, so if we use the authentication of the information from the access management system or not perfect, but doable for a certain time, do sort of a dynamic bin binding where we say the subtract, which could be an individual or a group.
This, we bind it to that specific sort of set of entitlements. So that might, may require, like we had in, when we go back to Sam, so where we frequently had this, okay, we map that user from the other organization to technical account. Not, not the most beautiful solution, but better than setting entitlements at the end of the day because we, we don't have this permanent binding anymore. So there are ways to overcome this and I I really ask the, the, the people from the IGA vendors in the room to think about it. How can we at least add a bit of trust and time and policy-based assignments, policy-based dynamic bindings to iga. This is not rocket science, this is doable. So do it and make the world a bit better because that will also reduce the number of re-certifications that need to be done.
And you will really make your customers happy. Authentication policies. That's where, where everything's here, we're doing it. What we mainly do is we do a bit of cost screen saying, okay, Martin is allowed to, to do that and that, but we have there, so we have the authentication policy there, well established a bit too fast. So adaptive authentication, we have the context we use. So device behavior, location, I think I wrote yesterday maybe we called behavior better identity threat because identity threat, everyone says, oh, scary, we must do something. When you say user behavior, some, some will say, oh, they are tracking the users. So the connotation of these terms is a bit different, even while there's a lot of similarity in, and we match this to risk and then we decide about step syndication, et cetera. We have OS scopes, which are a bit of a cost grain access control could make them a bit more granular, which is happening in several areas.
We see upcoming extensions to os we see what happens in the, in the, the, in the banking, open banking space. So it's all here. And we have, that's something I have really to say. We have a lot of cool, cool orchestration tools out there right now to say, okay, we implement these policies in the access flow in the journey. So there's a lot of things there. And this is maybe a good blueprint also for some other areas because we, at the end, the industry knows how to do things. We have the authorization policies with the PX P triangle, more the old-fashioned way. It's a proven model. It's definitely not wrong. Even while I call it old-fashioned here, that might be a bit unfair. It's specifically it's way too rarely used. So these authorization policies in the old style, they are a user goes to an application.
The application connects with a p p, I'll bring up the terms in a minute. There's a pdp, the policy searching point which receives information from pi, like like a database or an L directory. There is the repository point with the policies in, there's the policy see administration point where the admin then is working on the policies. And as I've said, there are a lot of p piece with something in between like the enforcement decision, information representative administration, et cetera. So this is something we have seen around for, for for a while. When you look at exact, it's basically this. Some of that you'll find when you look at the N zero trust policy thing, et cetera.
When we look at it a bit more in the modern way. So OPA not being perfect, no doubt, but being widely used by developers of digital services. Interestingly, because what you see this OPA is people like if, if they don't need to care about the authorization piece when developing software, so better u let's use something that cares for that instead of reinventing the five etched wheel again and again. So the digital service developers like it, they, they also like using identity services. They like to build against APIs instead of reinventing everything. So in, in that way, so we have the users and then they are, they, that could be also users could be. So maybe I should have put in some, some none. So they are not that human when I paint them, sure, they not even look really like humans. But I maybe should have put in some, some silicon identities here as well because a lot of these sort of accounts or identities are factually services accessing resources. But on the other hand, very frequently on behalf of, of humans. So I could have also created the big painting around identity relationships, which by the way sometimes happen when I do these whiteboard things and I start painting and then I add something and then after a few minutes no one can read it anymore because it's, it becomes too complex. So I try to keep these things a bit leaner and apologize for my handwriting. By the way, Yoko always said I could have become a doctor with my handwriting.
So we have the resources, the components, the applications, databases, et cetera. They have APIs and then there's a service service mesh. Again, access APIs. We have to open policy agent chasing queries for, for asking for the decisions. Again, we have a policy store, we have a language to describe policies, and we have data stores which are factually policy information points like the whatever Azure active directory. Not sure what the name is today of the Azure active directory, but probably tomorrow it's another one. The database and, and a lot of other things. So this is the scenario we have, but basically it's, it's a very similar scenario because in the end we have a policy enforcement, you have policy decisions, you have policy repositories, you have everything there as well.
We need these, we need policies for automation, for dynamic workloads because we can't keep in control of this complexity when we have DevOps where applications are constantly changing delivered to the execution environment, which is for itself, again, very complex. There's a lot of components we use, we need this. So this is also the key more D challenge here. So we have nowadays compared for instance to traditional privileged access management, we have many services compared to few human users. We have many services compared to a few Windows Linux servers and applications. We have a dynamic world. We have an from infrastructure as a service, an elastic world with workloads going up and down. So we need policy based automation, otherwise we will fail. We can't handle a dynamic agile environment with static and principles. This will not work. And honestly, we always talking about the complexity of identity management.
So we need to apply it everywhere because everything is complex and dynamic and so on. Take, take organizational changes. So you have your IHA and then the organization changes. You, you built your own model and until you're done after three years, you had two fundamental organizational changes already. That's not so dynamic. But even two dynamic for what we are doing, the policies are at the core of the zero trust architecture. So I repainted the picture from the NIST here, basically something where we also have a pap and PDP and pap and so on. Basically very similar picture, broader than identity, but basically the same thing. So you have a lot of systems helping in verification. So you need to turn your head a bit to read it like I am Siemens, sir. And you have more systems helping there. So you get a lot of data, a lot of signals here that help you in in, in doing that that can be consumed for making decisions.
What else? Policies and decent identity are perfect match. Absolutely. So we have the wallet with the proofs. I, as, as you all have learned, I tend to use that term decentralized identity because I've believe it describes everything. Well take the, whichever term you want, I'll stick to that one. And I don't want to discuss about what is the exactly correct term for what. It doesn't help us to, to, to really move forward. We have a service, we need authentication and authorization in that service. So Martin opens the wallet with a strong authentication, doesn't rub us his fingerprint cause have a blaster here. So fingerprint doesn't work well with, with that sum. So number two is, I, i so to speak, open the wallet. I the access to the proofs is there, I already have some, some proof that I had a strong authentication and I can authorize wire proof.
So if I have certain proofs, I can use them in a policy, I can use them for that. So it's, it's a really logical match here. What do we need to do? We need to make this entire thing work. And this will require a multi-speed approach in organizations. That's something we should be very clear. We can use policies all over the place, but some things are easier to do now and others will take a bit longer. So think in a multi-speed approach, but start with your conceptual work now look at the standards and to the community work, continue working on the standards, continue improving them. We need better software, so to speak, security by design, privacy by design. We need policy life cycles. So policy without a life cycle, that's not a good idea. We need life cycles for creating, changing, et cetera. Ownership. We need policy governance.
And with policy governance, we need data governance because the point is we have a policy. And so recer policy is simple. They are easy to understand. They're not too many. But the point is data is used to start from the p i p to make the decision. And this is what we need to bring together. We need the data governance piece as well. So we as identity people need to care more about data governance and start talking with data people, not only for that, for many other reasons as well. And we need to do this in different speeds for OPA digital services. We can start now, but we should, should build the framework, the governance framework and the the management framework now for everything when we proceed and move forward. I'm perfectly on time. Thank you for listening to me. Okay, if I can switch this on, I'll check quickly whether wrong session here, whether there are questions in here. It looks like he has, he doesn't show me the questions currently, unfortunately. May maybe I can manage this. Here we go. Q and a. Okay, there are questions. So let's look, maybe we take one.
Oh, what to do with clients organizations dealing with more than 5,000 different roles, still not recognizing they have a problem. I think this is one, one interesting question to pick. So, so, so the point is, you know, I think many of of you right now will say, Hey, only 5,000, where's the problem? I've seen way, way, way, way bigger numbers of roles. I, I think honestly I think everyone knows that roles are challenging because once you've gone through a role management project, you've learned something about it. And I think also recertification, I still haven't met a single organization worldwide which said, hey, my departmentals managers are, are really waiting for the next certifi or re-certification campaign because it's the biggest fund in their life. I haven't heard about that yet.
So I I I, I think the, the point is that that's probably more the, the lack of an answer on how could we solve it, what can we do to address this? And I think this is what we need to look at. How can we solve it? I hope I gave you some ideas around that. How can we get better, which needs the help of the industry, the help of all the software renders and of us as identity professionals to make it work. So I thank you. I'm the one standing between you and the coffee. So I'll let you go to the coffee break now and see you later. Again. Thank you.

Playlist

European Identity and Cloud Conference 2023

Event Recording

From A (ACLs) to Z (Zanzibar): Standardizing Access Policies with IDQL/Hexa

May 10, 2023

The adoption of multiple clouds is accelerating across all industries. While multi-cloud brings many benefits, it also results in new challenges. Organizations must manage platform-specific access policies in the bespoke policy syntax of each cloud.
Security and risk gaps arise between cloud identity systems due to the increased policy fragmentation and technical complexity that can obscure visibility and make it difficult to determine who has access to what.
These challenges grow exponentially when you consider the various access policies (and system languages) associated with each data, network, and platform layer (and vendor) in an organization’s tech stack.
This session will describe an open-source solution to multi-cloud access policy fragmentation: Identity Query Language (IDQL) and Hexa Orchestration. IDQL and Hexa are two sides of the same coin that together perform policy orchestration across incompatible cloud platforms.
IDQL is the universal declarative policy language that can be translated into a target system's proprietary or bespoke access policy format. Hexa is the open-source reference software that brings IDQL to life and makes it operational in the real world by connecting to target systems and performing the three main functions of discovery, translation, and orchestration.
Hexa Policy Orchestration was recently accepted as a Cloud Native Computing Foundation (CNCF) sandbox project. The session will include a technical review of Hexa plus a demonstration of current capabilities.

Watch

Event Recording

Security Offered as Components Empowering Enterprises to Gain Control

May 10, 2023

You often think service providers should build identity and API security infrastructure by themselves to have full control and flexibility so that it can fit into their business and technology stack. But it tends to be time consuming and costly due to lack of expertise to do so. Buying a heavy-weight solution is another considerable option, but it reluctantly leads dependency on the particular vendor of the solution, which may have redundant features and may not accommodate to customize in a cost-effective and timely manner. In this session, we will discuss a third option to “buy and build” that can combine the best of both worlds and give you control by building from scratch, as well as minimize the time and resource by leveraging “Identity Components as a Service.”

Watch

Event Recording

Hybrid IAM: Interoperable Verifiable Credentials for Workforce Identity

May 11, 2023

The past few years have seen a startling increase in decentralized technologies for Digital Identities. So far, much of their adoption has been limited to academic or proof-of-concept integrations (barring some shining examples) rather than consolidated production-ready use cases.

Generally, there isn't an enforced link between real-world and digital identities, and rightfully so. Still, enterprises' policies and regulations mandate companies to ensure restricted access to reserved data and undeniable attribution, which collides with general anonymity and distributed principles. Albeit SSI technologies aim at filling this gap with trusted-yet-privacy-preserving solutions, companies still need to consolidate digital identities and collapse them into a well-defined entity. We will talk about a hybrid approach to classic IAM for workforce management including W3C native credential integration with solidified and well-established SSO federations. In other words, delegate to the end users the choice of which identity technology to use as long as they can provide a trust chain that the companies can verify.

Watch

Event Recording

Market Overview: Secure Access Service Edge (SASE)

May 11, 2023

The term secure access service edge (SASE) has become popular in recent months and has been adopted by numerous vendors. SASE stands for a concept that integrates a range of cloud-native security services including cloud access security brokers (CASB), firewall as a service (FWaaS), secure web gateways (SWG), and zero-trust network access (ZTNA), with wide-area network (WAN) capabilities for delivering both directly to any edge computing location. In this session, KuppingerCole´s John Tolbert will give an overview of the market for SASE solutions and provide a compass to help buyers find the product that best meets their needs. KuppingerCole examines the market segment, vendor capabilities, relative market share, and innovative approaches to providing SASE solutions.

Watch

Event Recording

City of The Hague: Adding Access Control to Microservice Architectures for ZTA

May 10, 2023

The Common Ground movement of the Dutch municipalities is developing innovative solutions for greater interoperability. An important part of this is the data landscape, where functionality is accessed through microservice API’s. In the analysis of this architecture, one aspect is barely touched upon: The Access Control aspect in API’s is not appropriately co-developed.

The Municipality of The Hague has performed a Proof Of Architecture (the POA) to demonstrate that it is possible to unlock an existing API in which access is not explicitly modeled, or that still uses traditional Role Based Access Control methods internally, restricting interoperability across contexts.

The POA is done in an effective and efficient way through innovative 'zero trust architecture' concepts, such as Policy Based Access Control. Security and privacy are thus demonstrably realized in accordance with legal requirements. The POA proves that it is technically feasible to add input-filtering of access requests to ignore the restricting RBAC method and thereby open doors for municipalities for interoperability in an autonomous and secure way.

During the presentation the working principles of API access from a perspective of Identity & Access Management are explained, but also how these principles can be applied in practice in an existing application landscape.

The presentation will be a joint presentation between the lead architect of the City of The Hague, Jan Verbeek, and access strategist André Koot.

Watch

Event Recording

To Rotate or Not to Rotate (Privileged Accounts) - That is the Question

May 11, 2023

Rotating credentials of some privileged accounts is a risky task, which might lead to a business shutdown when things go wrong. But the alternative of not rotating them opens the door for attackers to take hold of your organization - thus leading to a business shutdown as well. This is a lose-lose situation.
So what should we do ? Rotate or not rotate credentials of privileged accounts ?
In this session we will discuss about the challenges and solutions.

Watch

Event Recording

The Killer Credential - Spotting Verifiable Credentials That are Absolute Must-Haves for Every Party in an Ecosystem

May 10, 2023

Watch

Event Recording

Market Overview: Privileged Access Management Solutions & the Pamocracy

May 11, 2023

In this session, KuppingerCole´s Paul Fisher will give an overview of the market for Privilege Access Management (PAM) platforms and provide a compass to help buyers find the product that best meets their needs. KuppingerCole examines the market segment, vendor capabilities, relative market share, and innovative approaches to providing PAM solutions. He will also explain how the new Pamocracy is affecting the market.

Watch

Event Recording

FIDO for the Enterprise - Challenges & Rewards

May 11, 2023

Watch

Event Recording

Why Policy-Based Authorization is Critical for Identity First Security

May 09, 2023

The enterprise perimeter is now its data objects, APIs, applications, and its users are now the workforce, customers, partners and in many cases, machines. In this new, decentralized, and highly segmented world, CISOs and IAM leaders find themselves struggling with multiple systems and interfaces that control the most basic question: Who has access to what and when?

In this session, we will present a new architecture for Identity First Security based on Centralized Access and Authorization Policy Management Platform, and discuss pro and cons, specific real-world implementations.

Watch

Event Recording

Panel: What Happens When Applications Don't Use the Identity Standards We Have Built

May 11, 2023

OAuth 2.0 is a widely adopted standard for authorization, but it can be complex to implement correctly. It's not uncommon for developers to have difficulty understanding the nuances of the OAuth 2.0 flow and instead rely on simpler approaches such as using API keys in "god mode."

OAuth 2.0 can be difficult to set up and configure, especially for developers who are new to the standard. It involves creating an OAuth 2.0 client, setting up redirect URIs, and managing access and refresh tokens, which can be confusing and time-consuming. Additionally, the standard requires developers to handle user authentication and authorization separately, which can be difficult to understand for those who are not familiar with the concepts.

Many developers may not understand the security benefits of OAuth 2.0 over API keys. OAuth 2.0 allows for fine-grained access control, enabling developers to limit access to specific resources and actions. In contrast, API keys provide more open access, allowing all actions on all resources. Developers may be inclined to use API keys instead of OAuth 2.0 because they are simpler and easier to implement, but they don't offer the same level of security.
Developers may find it hard to understand the standards, and may end up using an inconsistent approach.

The panel will discuss these reasons and other potential causes for why developers may not be using OAuth 2.0 correctly, and provide recommendations for how to overcome these challenges. We will highlight the benefits of OAuth 2.0, such as improved security and the ability to provide fine-grained access control, to encourage developers to adopt the standard. Additionally we will give examples of real-world attack scenarios that could have been avoided if the application was using OAuth 2.0.

Watch

Event Recording

Designing Your Future Identity Fabric Program

May 10, 2023

An Identity Fabric Program program moves beyond established tooling and focuses on outcomes and the elimination of technical debt or heavy customizations that hinder the organization’s ability to deploy at scale. Identity Fabrics shift the focus from tactical or manual operations to more strategic functions that are optimized to business objectives. Identity Fabrics are key to successful digital transformations and therefore a sustainable deployment strategy will deliver recognized business value and a significant competitive advantage.

Watch