IAM: The Guardian Angel of Zero Trust

Thank you very much everyone. So first of all, I would like to say thank you to whole kp Bingo co team for organizing this beautiful event and we always wait for such events to happen because it's like a variable. And so I'm AB and I'm working as an I am lead for delivery hero. So topic for today is we know this is a zero trust track, so I'm not going to spell the topic.

Rather, let's jump straight away. We often come across situations where the most simplest thing to do is look around and ask, and most of the times the answer to our problems lies in front of us, but we don't realize this. So a few weeks back I was having discussion with my colleague on numerous different topics and one of the topic was organization. So they started speaking, you know how the organization is doing well, it's going through transformation, you know, doing the expansion and an exponential rates of providing so much services. So to be honest, I was impressed.

But like the Roses bring tons, such transformations and expansions also bring challenges. The challenge is to keep workforce onboarded. The challenge is to have internal, not only internal but external employees like vendors, contractor, freelancer, giving the access to your mission critical systems and assets of the organization. The challenge to meet compliance needs, the challenge to keep the customer data secure and the most, another important challenge is how we can assist the organization to run towards this goal without worrying about such experts, you know?

So I was listening pretty quietly and then I said to you know about guardian angels and then he looked at me, he said, yeah, go on. So you know, the good thing about guardian angels, they always protect us from threats and they're always around us.

So he, he just immediately said to me, are you really serious? So I was like, yeah, I'm serious. The only thing you need to do is take a step back and look at the solutions what you have. There are a lot of organizations going through such transformation and same challenges and even in today's world where we have a heap of services on-premise cloud SaaS. So you just name it and there are so much services available in the market, the best thing really to do in such aspects is to embrace your I Am solution as a guardian angel and zero trust. Then he was like, okay, let's go on.

So now let's go on the zero trust. So zero trust is actually a security model. It's a strategy, it's a framework that trust nothing by default. When we go about the zero trust, we journalists see a lot of different definitions of zero trust, but the core essence of zero trust always remain the same. Is that trust nothing by default and talking about zero trust, it always have some core value, some core principle that core flavors that it brings. The first one is never trust, always verify. Trust is quite strong word.

And what we require to do is to remove trust from the equation and rather focus on verifying the incoming request. And then we need to change our mindset. We need to have a assumed breach mindset in order to design better security services and provide the value to the organization in terms of their security posture. And then we need to verify each and every request literally explicitly to make sure it's really an authenticated request.

And then we need to leverage the principles like you know, we often hear a lot of lease privilege and just in time, but those are the principles we really need to leverage in order to reduce the privilege creep because privilege creep, trust me, is quite common even in today's world where we see a lot of people accumulating a lot of access and this is really required to reduce the blast radius in case something happens. And then last but not the least is resource segmentation. So we need to individually protect our resources.

So those resources needs to be really segmented and they need, it needs to be protected individually. And whenever I think of a zero trust, I always think of this juicy fruit. By the way, I love this fruit. As you can see all the seeds, they are perfectly segmented. So these are segments and if you notice these are individually protection, they have their own protection layers as well. So if you need to reach out to this seed, it needs to open it up and then peel away this. So this is all the security layer. This is what is meant by resource segmentation.

Unlike banana, we are just peel off the outer layer and then you have access to the whole fruit. So now the speaking of banana, we are having a security parameter approach. So it's It's the same, yeah, you can imagine, just peel it off and it works. So this approach was quite common and it was quite widely adopted by a lot of organizations until the new challenges came. So here we define a security parameter and then each and every resource we put inside, again banana, right outer layer inside whole fruit and the users, they're trusted by default.

So once the users inside that they can access all the assets and resources uninterruptedly. And then anything outside this area is considered that as untrusted like an internet or you are in the office building office internet and this whole very small thing called firewall, very familiar name, which was protecting the trusted from the untrusted network. And over the years we realized that it takes only one penetration as you can see in this whole long parameter from any site just to be inside and get access to all the assets without doing anything at all.

Then which leads to our pomegranate approach, which is zero trust. And now what we did, so if you notice in this, instead of having just uninterrupted access, we segmented the resource. So now think of again these as the pomegranate seed with their own layers. And then we simply move the user from here to here. So it means user is not trusted by default. Instead it moves to the untrusted zone. And instead of firewall, we are going to have an excess policy.

So this excess policy is the one in the end who is going to analyze the users, any kind of user or subject who wants to access a resource and will take a decision on the fly whether you are allowed to access this or you're not allowed to access this. Now a simple example is there is an unknown user trying to access one of the resource and the access policy. It's not able to determine who this user is and then it simply decline the request.

No, you're not allowed. And then when an authorized user or a user working in the company who wants to access the resource, it's goes through the access policy and it's able to determine okay, this is a valid user and I can provide access to this user. So this is really the pom grate approach or zero trust approach. But here we can already see our guardian angel. So as I was saying, it's always around. So look around this area and I'll talk about our guardian angel. So I am is our guardian angel.

So imm is a discipline which basically allows the right people to do right things at the right time for the right reasons in an effective, efficient, compliant, and secure manner and keeping everyone else out of the picture to reduce the threat surface. So in a nutshell, IM is the one who's responsible for making sure that only the authorized users can able to access my mission critical systems or within my organization as per my defined policy. So if you're not following this, I'm sorry, you're not allowed to access. So this is what our guardian angel is doing.

But now let's talk about more about guardian angel. So let's talk about more the role of I am in enforcing zero trust principles. So we will go ahead now into our same architecture.

So here, if we already segmented all our resources, they're individually protected and then we move to user to the untrusted zone, we have the access policy. And then access policy is checking whether you are able to allow the access or not. And if yes, then over there. But if you'll notice over this whole thing, there is a dynamic access loop which is continuously authenticating the users. So it's continuously authenticating the user across the whole session to make sure the authorized users who requested the access initially is really the authorized user who is accessing the resource.

And it works on by working on some key data points. And when we say data points, data points like context, everything is a context. So context could be location. So from which location a user is trying to access a resource, it there could be some locations which are not allowed to access. Take an example, there is an admin and we have an admins routed through a specific PAM channel. And then we don't want the users to be able to access this apart from the Pam ips or PAM stuff. So it'll simply deny that or the user who act requested or the resource and is able to access this.

But now after some time, this user is accessing the resource from a different location. So this kind of geographical things that can also be checked in order to really see it's really the user or the session has taken away from that user. And then the device device is an amazing thing. That is another context. So we are also going to have a panel discussion afterwards. I'm sure this is going to be really amazing, trust me, you can mark my words. So when it comes to device, so device is from which device a user is logging, is this really a managed device on managed device?

And if it's a managed device, does this device is compliant as per the organization requirement? It is, it has, does it has encryption enabled?

Does this, has the host is has the minimum requirements which are required for the organization? And then what kind of user is this? Is it internal external, it's a system admin or it's a normal user? And then also about the application. What kind of application is this? Is this submission critical application? Is this a sensitive data or is just a normal ticketing system? So depending upon the type of application, the access can be relaxed or it can be strict or what kind of risk it can impose. So all those factors will be taken into account in order to give the access.

That is called dynamic access loop. Now as I was saying from the start, zero trust can have a lot of different definitions. Now here we are talking about giving the access to the resource, but what user did with that resource within that resource with that access, that also comes under zero trust. So it's not something like now we gave the access to the user of a resource as an as an admin, as a root user on a database and then user decided to just wipe out all the customer data or leak the customer data. So that's also part of what happens afterwards. It's also part of the zero trust.

And now let's see our guardian angel in action. So when we talk about Im, so IM is consist of three main core technologies. There will be a lot more, but these are the main three core technologies which is identity governance and administration, privileged access management, identity federation. So they collectively provide a lot of robust identity security. So they are complimenting each other in order to provide the greater security. And I remember a few time back people were thinking those could be a substitute.

No, those are not substitute, those are complementing technologies. Pam cannot do IGA stuff. IGA cannot do identity federation stuff. But collectively they can do a lot more. And when we talk about IGA, it is the one who's responsible for managing the whole identity lifecycle. So when user joins the organization to the leave until everything in between. And then this is the one who is responsible for providing users access to the resources on the basis of approvals.

And then everything related to auditing and reporting, all those typical W questions, which is, I know which is very hard to answer, but with IGF we can easily answer who requested what and at which point of time who approved the access. So we can easily by confidence go around and say these questions. And then access reviews, this is an amazing detective control where we can really review the access.

And I, I'm why I say it's an amazing thing because if we'll see access reviews, access reviews always an opportunity, it's a real opportunity not only to review the access of the user, but also it's an opportunity to review the access provided by your policies, the access provided by your rules. Is this now up to date or the application which is providing the access? Is it wide enough or do we need to tighten this? So this is really an opportunity when we go to the access reviews.

Don't always think about user access reviews, but also think about the top parenting, who's providing this access? And then we have the risk violation sods and roles and entitlements. And then the P, which is privileged access management responsible for managing the privileged access. And this is the component responsible for identifying and onboard the privileged accounts and then doing the credential management. When we say credential management, so those are critical systems.

So instead of user managing those credential, let the system manage the credential and periodically rotate them, rotate them depending upon the priority or the sensitivity of the data inside. And then it provides complete audit trails. Remember what I said, now you have access to the resource, but what you did inside that. So this is what we are going to have complete audit trails. And then we can define, make sure the session is authenticated, authorized and monitored all the times.

So even if you have the access, you are not allowed to perform certain operations because this is again is a part of zero trust. And then it removes the excessive privileges. And now we are using a lot of cloud and even alone in AWS, there are more than 1500 permissions. So you can see there is a permission bust only in AWS. And having tools like this or technology like this will help us to reduce those excessive information because this is just a box. And if you open up too much, people can see insight.

So be aware of all those cloud permission and then our lovely identity federation, who is going to validate your identity? Who is going to authenticate you, okay, this is what who you are. And then it's needs to be bundled up with multifactors and all those context aware things will be taken care by identity federation. But now if we talk about our recipe, how can, there's always a recipe and then there are always key ingredients. So if we don't put the main key ingredients in the recipe, recipe doesn't turn out to be, you know, beautiful and no one would like to have it.

So in order to prepare an amazing recipe, make sure you have those five key ingredients. We need to make sure that we have a clear and dynamic access policies really explaining who gets access to what, at which point of time. The more transparent it with, the more crisp it'll be, the easier it'll be for you as an organization to manage this. And then we need to make sure that we implement MFA as a baseline on all systems and on all applications that we have in our landscape.

And please make sure to have the strong factors unlike SMS email or voice call and go with the latest technologies, get away with all those legacy methods. And then we need to again perform periodic access reviews. This is important if we are talking about policies, take this as an opportunity and we need to leverage the continuous monitoring for user behavior and activities. This is again going to be a critical in order to remove all the insider threats. 'cause how would we able to find this? And if we don't monitor or active, if monitor the activities.

And last but not the least, we need to educate and aware our employees about the basic security hygiene and the security zero trust principles. The, I always, I think most of you often hear that users are the weakest link, but we need to change this mindset. So instead of, you know, demoting, some demotivating someone, you are the weakest link, we need to really empower them and let them be the front force. So we need to equip and enable them with all the required trainings and processes so that they can come up on the front and be a frontline warriors. And then the things can be made easier.

And now pretty important thing for today's is thank you very much. Thank you very much for listening and giving a valuable time.