Event Recording

Orchestrating Zero Trust - "Detect, Decide, Direct"

Name: Orchestrating Zero Trust - "Detect, Decide, Direct"
Uploaded: 2023-05-10T12:00:00+02:00
Duration: 10 min 56 s

Posted on May 10, 2023

The Zero Trust paradigm, the approach of eliminating inherent trust in an IT architecture and always verifying, has been discussed for over a decade. It is well known that Zero Trust is a team sport, with Identity in the center. The many components, from IGA to Device Management, Network-segmentation to contextual awareness and beyond can be fulfilled by as many vendors, bearing the question about how to integrate these for a secure and convenient user experience. While there may be integrations available for some components, they will most likely be disjointed and/or require custom development, making it a challenge to be agile and innovative.

An alternative to the described problem would be Orchestrating Zero Trust, applying the approach of "Detect, Decide, Direct". Through Orchestration the task of gathering all signals and relevant information (Detect) for an appropriate authorization decision (Decide), and continuing with the proper next step(s) (Direct) can be fulfilled in a flexible manner, facilitating customization in a future proof manner.

In this session we will describe the "Detect, Decide, Direct" approach and see how Orchestration can be a key enabler of Zero Trust.

Show description

Speaker

Principal Solutions Architect
Ping Identity

Mehmet Yaliman

After studying Bioinformatics, Mehmet found himself as a developer, and shortly thereafter he changed his focus to the Identity space, where has been working for over a decade now, spending time in various roles on the customer, integrator and vendor sides. In his current role at Ping Identity...

View profile

Show Transcript

Yeah, the solutions architect at Ping Identity and I'll be talking about orchestrating zero trust and the paradigm we like to call, detect, decide, and direct. First, I will start with some ground info around my, the buzzwords I have in my title, a bit about zero trust, a bit about orchestration, and eventually tying everything together to a detect, decide and direct model. I'm sure most of the people in the room are aware of what zero trust is, how it comes, and I know I am between you and lunch right now, so I'll try to, to move forward quickly. As we'll know, there used to be a traditional, traditional way of securing everything back in the days where everybody went to an office, worked in an office, used on-prem applications, corporate devices, et cetera. This has changed over time, especially over the last couple of years. I think when it comes to remote access, working from anywhere, working from from home, from a Starbucks, from the plane. If you can afford plain internet applications have moved towards the cloud, not just infrastructure wise, not just using someone else's computer for your data center, but also applications. SaaS applications have become a thing.
APIs have been opened to everyone, both in both directions. Many organizations make use of external APIs. They expose APIs. It's a show me your API's world right now and of course the device pro with all the smartphones, IOT devices working on your behalf where you have to authenticate, where they have to access something on your behalf and so on. So they, there was the need for a new security model for a new paradigm around that, which we like to call zero trust, which where iden, where the identity is the actual perimeter and identity is very central when it comes to establishing security, the trust which we need. The key principles of zero trust. Yeah, enterprise networks don't determine trust anymore. So the, they are part of a trust equation. However, there is no implicit trust due to the network from which a user might be coming. There's always the assumption that malicious actors are also on the same network and network by itself is not sufficient to determine trust,
I dunno where I need to point this. Okay, that way how to determine trust. It's about authenticating and authorizing every user, every device being dynamic when it comes to the policies around authentication and authorization. Making use of multiple, multiple sources of data while making, while making those decisions. So in short that way the alt world of where are you coming from has kind of switched to a world of who are you? And there are many other questions com combined with that as well. We as of course as identity prac practitioners like to put identity into the middle of the zero trust framework, but it's not just identity. There are other aspects to it as well. From networks to applications, the data, the context, the devices, et cetera, which by themselves try to answer different sets of questions from. Do we trust who you are? Do we trust where you're coming from, your device?
Do we trust you to we, we will change the data? Do we trust your behavior or do we trust you to use a specific application or service in order to answer those questions? The identity, not just the identity space, the security space in general has come up with quite a number of different solutions, applications from identity proofing to device reputation, from risk evaluation to labeling data in order to make those different or in order to be able to answer those different questions. The thing is, zero trust is a team sport, so you are likely to pick a number of these different solutions. Some vendors may might claim to have a zero trust in a box kind of solution. That's usually so that you have to pick and choose from different vendors. Depending, depending on the industry in which you are, depending on your use cases, you'll likely have a number of these different pieces in your environment.
So zero trust is a team sport. When we talk team sport, I'd like to make a soccer reference here or football as we Europeans prefer to call it. And again, every organization has their own lineup here from IGA as the goalie to maybe having multiple risk solutions as as your ERs having single silent MFA as your forwards and maybe policy-based access control as your game maker was game maker, I think. So the question becomes here, yeah, you have all the, all these different players in your team, but how you, how do you make sure that they also play together? This is where I'd like to put a stop with regards to zero trust and introduce. You might have guessed that the art of orchestration, as mentioned orchestration does enable you to, you might have multiple different solutions in place, getting all of these different solutions together, bridging the gaps, integrating those without having to heavily rely on development.
And one of the sessions before was about buying and building. This is a bit buy and orchestrate perhaps orchestration does ease the task of integration. The goal is to to ease the task of integration, to enable automation due to the lower amount of coding which may be required. Also stay supportable, being able to upgrade, being able to call the vendor when something goes wrong without the vendor telling it's in your custom code. Similarly, it does allow for, oh, creating user journeys which will look different for all, all organizations for the different types of users may entail an authentication or a different type of authentication. Risk evaluation, going back to an earlier note, taking a different path, doing a multifactor authentication or a step up authentication and so on. The goal is, the goal of orchestration is to create those pixel perfect journeys exactly as you envision them, as you want them to, to look like without being encapsulated in whatever your vendor is offering you without having to do heavy, heavy custom development. It increases UX and security. Both of them are very important. Unhappy users are major security concern as you know, and it helps to be nimble, to be more flexible, to be more innovative. Making changes on this level is easier than ripping out a piece, replacing it and trying to change your custom code. Now bringing the two together is where we talk about the detect, decide and direct paradigm.
Click a couple times. The goal here is to, on the detect side, gather all the information, all the signals which might be coming from the different components of the zero trust team as mentioned before, from risk to network to data classification device, et cetera. Then handing them over to the next step, the decision step where an external authorization engine, a feedback solution or similar, will evaluate the information and feedback their decision and then directing the user accordingly, which may be an authentication step up identity verification in certain cases, deny and depending on the outcome of that direct, do it again, go back to detection, reevaluate, and until you eventually are satisfied with the trust level and allow the user access. This is kind of a circle, so they detect the site direct is something which can be done continuously, which enables a continuous authentication, continuous authorization, as well as continuous zero trust. And with that, I'm in time. I would like to thank you for listening to me and yeah, if you are interested, I'm at Dipping Identity booth. Just a small plug in here. Awesome.
Anyone has any last questions before we move on to the lunch break?
Netherlands? How, how do you see Mame the journey from the modern cloud identity to the legacy on-premise applications but still exist and will remain in the coming years and how this translation will be implemented within Azure Trust set?
The the, there is the, the authentication will most likely be outsourced from a legacy application point of view, which might be a cloud ENT provider, which might be some on-premise ENT provider web access management solution or similar, the key, the zero trust, the enforcement of zero trust would be at that outsourced authentication level, which then can make use of the different signals in order to make the right decisions before handing over the user to the application if the application is flexible or if, if there is the possibility of making changes. This can also be applied to authorization where again, calling up, calling up an orchestration solution to do that circle and authorize the user before giving them some access, certain data or to certain functions would be the the way to go. Great. Thank you.

Playlist

European Identity and Cloud Conference 2023

Event Recording

CIAM-as-a-Service for 50 Million Customers at OLX Group Europe

May 12, 2023

Still developing CIAM in-house? Discover the realities of serving 50 million customers using Hosted Customer Identity and Access Management (CIAM) as a service (SaaS) from a vendor.

Customer Identity and Access Management is one of the most critical platform components. How big of a risk would it be for the large enterprise to delegate it to the vendor solution? And how much risk would it be to not do it?

In 2019 our Eastern Europe business was struggling with Accounts Takeovers where botnets of 1 million IPs total size were involved in massive credential stuffing attacks. And we decided to replace all our legacy auth with a vendor solution.

In this session we will go through the key moments of such transition and the key learnings from the past 4 years. We won’t miss the aspect of value proposition, customer experience, real cost and return on such an investment.

Watch

Event Recording

Prompt Engineering for Identity Security Professionals | Workshop

May 09, 2023

ChatGPT mainly is what you make out of it. If you are an author it will help you writing. If you are a tech analyst it will help you create a list of critical capabilities for a certain species of software tools. And if you want to hack into a network it will help you writing code that can be used maliciously.

A prompt guides language models like ChatGPT to create meaningful and useful output. This workshop will teach you the best practices for crafting prompts that result in meaningful and accurate responses. You'll learn how to structure your prompts to elicit specific information, as well as techniques for fine-tuning the model to suit your needs. Whether you're a developer, researcher, or just a curious individual, this workshop is designed to give you the skills you need to unlock the full potential of ChatGPT. Join us and take the first step towards creating truly intelligent conversational systems..

When we asked ChatGPT to create a workshop abstract for Identity Security Professionals, this was the output it provided:

"Prompt Engineering is a powerful tool that can enhance the abilities of identity security professionals to perform their job more effectively. The workshop will equip attendees with the skills they need to engineer AI prompts and leverage AI tools to research, communicate, understand new technologies and threats, understand malicious code, detect or scan for vulnerabilities, generate countermeasures, and summarize their findings and communicate status and results effectively.

Attendees will learn how to use natural language processing techniques and machine learning to improve the efficiency and accuracy of their work, and gain a deeper understanding of the most recent trends and developments in the field of identity security. Additionally, by providing an in-depth examination of the latest methodologies and tools used in prompt engineering, attendees will be well-equipped to stay ahead of emerging threats and secure their organizations' sensitive data."

Watch

Event Recording

Passwordless For the Masses

May 10, 2023

Watch

Event Recording

Identity Proofing as a Fundamental Element for Zero Trust

May 11, 2023

Watch

Event Recording

The Killer Credential - Spotting Verifiable Credentials That are Absolute Must-Haves for Every Party in an Ecosystem

May 10, 2023

Watch

Event Recording

The AML-Compliant ID-Wallet

May 10, 2023

AML-compliant customer identification in the finance and banking sector (KYC) in Germany is subject to the requirements of BaFin (the regulatory authority) and the Money Laundering Act. This involves the use of both on-site and online identification procedures, which are often provided by external service providers as “critical outsourcing" and as data order processing. In the age of ID wallets, this KYC process needs to be redeveloped from a regulatory, data protection and technical perspective - especially because the regulatory framework currently does not (yet) explicitly provide for the case of an ID wallet. The presentation describes the challenges for ID wallets and ID issuers in the AML context and shows an exemplary implementation.

Watch

Event Recording

Getting the Travel and Tourism Ecosystem Ready for a Digital Identity and Verifiable Credentials

May 10, 2023

The ICAO DTC Type 1 and de mDL standard are currently being used/prepared to be used in several pilots. What are lessons learned, what impact do the panellists see and or expect. Also the EU Digital Wallet will have an important role in these developments. The travel ecosystem connects public and private parties around a traveller. Using a digital identity in an ecosystem that crosses international borders and legal systems is complex, for passengers ànd stakeholders, and requires international standards for technology, data privacy and trust frameworks.

Watch

Event Recording

Assignment Based Access

May 10, 2023

In the current economical climate many companies are facing the need to restructure the operations to ensure efficieny and profitability.

This does in some cases result in layoffs but is also means that projects are cancelled and the staff that was assigned to these projects are freed up for other efforts. In IAM terms the results is a lot of movers in the organisation which traditionally has been a usecase that has been challenging to efficiently support.

How do we help the business and support the need for assignment based access to ensure efficient usage of staff? This talk will look at the lessons learned from implementing assigned based access at a global retailer. It may also include Swedish meatballs, flatpack furniture and moose hunting towers.

Watch

Event Recording

Leveraging Decentralized Identity Approaches in the Enterprise

May 11, 2023

In this session, Martin Kuppinger, Principal Analyst at KuppingerCole Analysts look at the potential of utilizing DID approaches within the enterprise. This session will look at the business benefits, the steps involved, important considerations, challenges, pitfalls, and recommendations for implementing decentralized identity. Martin will explain the potential and look at how this will impact existing technologies such as IGA, PAM, and Access Management, and how this relates to other trends such as WfA, BYOD, Policy-based Access, and more. He also will outline where interoperability and standards must further evolve to enable organizations in re-inventing their IAM, without ripping everything apart. He will discuss the steps involved, important considerations, challenges, pitfalls, and recommendations for implementing decentralized identity in the enterprise.

Watch

Event Recording

What’s Next In Enterprise Authorization

May 11, 2023

As organizations undergo digital transformation to zero-trust architectures, identity-driven security becomes a critical aspect. Beyond new authentication technologies, organizations must have strong authorization controls. Today, if and when an identity is compromised, the attacker can make lateral movements with very few restrictions and access a wide range of critical systems and information. Much of this over-permissive environment can be attributed to manual permissions management processes that are hard to maintain over time. Role-based Access Control (RBAC) and Attribute-based Access Control (ABAC), which underlie these manual processes, provide a good baseline for access security. However, their complexity grows over time and the management overhead they place oftentimes subvert the very goals of security and compliance they are deployed for. Just-In-Time Access Management (JITAM) represents a new robust and secure authorization strategy that can reduce the need for periodic access certifications and manual role administration, while providing auditability. Learn how the authorization space is rapidly changing from RBAC and ABAC to JITAM, and how it could benefit your organization.

Watch

Event Recording

When SSI Meets IoT: Challenges and Opportunities

May 11, 2023

In this session, I will first talk about the design considerations and challenges when applying SSI to IoT, followed by the description of an initiative for creating an embedded SDK for SSI. Finally, I will discuss new opportunities for building decentralized identity and access management solutions for IoT.

Watch

Event Recording

Opening Session

May 09, 2023

Watch

Ask an Analyst

Orchestrating Zero Trust - "Detect, Decide, Direct"