KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
As organizations undergo digital transformation to zero-trust architectures, identity-driven security becomes a critical aspect. Beyond new authentication technologies, organizations must have strong authorization controls. Today, if and when an identity is compromised, the attacker can make lateral movements with very few restrictions and access a wide range of critical systems and information. Much of this over-permissive environment can be attributed to manual permissions management processes that are hard to maintain over time. Role-based Access Control (RBAC) and Attribute-based Access Control (ABAC), which underlie these manual processes, provide a good baseline for access security. However, their complexity grows over time and the management overhead they place oftentimes subvert the very goals of security and compliance they are deployed for. Just-In-Time Access Management (JITAM) represents a new robust and secure authorization strategy that can reduce the need for periodic access certifications and manual role administration, while providing auditability. Learn how the authorization space is rapidly changing from RBAC and ABAC to JITAM, and how it could benefit your organization.
As organizations undergo digital transformation to zero-trust architectures, identity-driven security becomes a critical aspect. Beyond new authentication technologies, organizations must have strong authorization controls. Today, if and when an identity is compromised, the attacker can make lateral movements with very few restrictions and access a wide range of critical systems and information. Much of this over-permissive environment can be attributed to manual permissions management processes that are hard to maintain over time. Role-based Access Control (RBAC) and Attribute-based Access Control (ABAC), which underlie these manual processes, provide a good baseline for access security. However, their complexity grows over time and the management overhead they place oftentimes subvert the very goals of security and compliance they are deployed for. Just-In-Time Access Management (JITAM) represents a new robust and secure authorization strategy that can reduce the need for periodic access certifications and manual role administration, while providing auditability. Learn how the authorization space is rapidly changing from RBAC and ABAC to JITAM, and how it could benefit your organization.
Okay. Hi everyone.
I'll get, give people a minute to settle down, but my name is, I am a CT of a relatively new company called Signal. That's how we say the name. It's Signal, although it's spelled S G L, right? We are about, you know, you can say 18 months old company with completely, you know, focused on authorization or access management. As you will see. Let's start with a couple of things you have never heard before, right?
That, yeah, this will come as a complete revelation to you, right? We love live in a zero trust world and that our data is the most important thing, right?
But, you know, obviously I'm kidding, and you all obviously knew all this before, but then what are the new things that, that I'm gonna talk about is that most of the attacks, what's happened as a result of this transformation from firewalls and, you know, protected networks to zero trust, is that the nature of attacks have changed. And now most of the attacks actually are based on identity compromise.
And that, you know, that is a significant development. And, and you'll see how that sort of means a lot of change to how we protect our systems. Because earlier it would be that you would have to make a lot of rules around your firewalls, make sure that they're hardened. You know, there's a lot of emphasis on layers of security and stuff like that. Now it's completely different, right? So now you need to be taking a continuous approach. You need to be able to make sure that nobody can just access data just because they're somebody, because that identity could be compromised, right?
And you, you need to be able to enforce access at the point of, you know, when the user is actually at the door, right? So you, it's no longer sufficient to basically say, oh, this user belongs to this department.
And so, you know, they can access everything, but, you know, should they be accessing something, is the question that you really need to be answering, right? And that is something that is sort of the new paradigm or that, that, you know, we need to adopt if we don't do this. And we are, we are seeing a lot of problems appear as a result of this that so many organizations are getting compromised. Each one of those breaches are actually extremely expensive.
And, you know, the worst thing is not just a business disruption, it's not just sort of throwing everything aside and working on some urgency and things like that. The problem is that, you know, most users that lose trust with the organization that they are working with will never come back to your organization, right?
As a, as a customer. And this is especially true of the younger demographic.
So, and these are sort of reports, I think the last statistic is from the Adobe Trust report, which is a very comprehensive survey of a lot of companies. And so, you know, we really need to be very careful about handling user data. And we really need to do this in a way that, you know, prevents breaches, even if it is meant done by identities that you recognize as your own identities, because they could be compromised, right? And so this realization is not new. A lot of the com bigger companies are actually doing this internally.
We don't, you know, probably you won't find a person from one of those companies standing here and talking about it, because all this is happening sort of inside those companies. But we are seeing some things appear in the press, right? Or appear on their blogs, like for example, the Google blog about, you know, the continuous access evaluation protocol. I know a little bit about it because I kind of wrote that blog when I was in Google.
So, and then Microsoft has announced their continuous access evaluation sort of strategy within, within their set of services. And then Cisco recently sort of also published, I mean, recently two years ago also published that there is, you know, zero trust requires continuous access enforcement. And so what is the new way of thinking, right? So it's no longer sufficient for you to propagate information that is needed to make access decisions to every party because it's a mess, right? There's all kinds of user constituencies, your employees, your contractors, your vendors.
You have all kinds of services that in, that are interdependent on each other. And then they in, in turn depend on other data sources that, that may have their own sort of data protection concerns, right? So it's no longer sufficient for each one of these components to make their own decisions because it could lead to a very inconsistent and insecure kind of outcomes. So what you really need to have is a, is a layer that manages the access ma control or authorization across your enterprise, right? And that is what we are calling sort of the continuous protected system, right?
And so if you want to get to this paradigm, it actually changes everything that, how you will arrive at that security model, right? Because you can no longer depend upon static roles, right?
Because, and access from a user who, you know, five months ago was inside a customer service department, now works for finance and is trying to access a customer billing information. Why, why does that user need to do have that kind of capability, right? So you can no longer depend on the static kind of rules or, you know, you can no longer depend on ambient privileges just because you worked for some department at some point of time and it needs to be secure by default.
What that means is that if, if some information doesn't compute you, you need to be able to turn off the access because your attackers are gonna be smart about who they're going to compromise in your organization. And I know, I'm sure you've, you've heard about the term veiling where you know, where the attackers will compromise the right identities that will give them the most amount of access, right? And so that, that is why you need to be secure by default, and it needs to be simple.
At the same time, you cannot have enforcement at every little point of in your application where everybody's making their own decisions and it needs to be continuous. So it cannot be based on roles that don't change, you know, very frequently. So let's talk about how this centralized system kind of works, right? So it's not typically what you've, you've seen today is in today's system is that it's based on sort of the policy is not actually coded inside the system, right? It's like you have a business policy.
Let's say you have a business policy that says customer service representatives who are qualified to access VIP customer records should get access to those records. Let's say that's the policy.
That is, that is the business policy. What that translates into is a, is a role that is get getting created in, in your system and membership's getting added to those roles. And then the code inside the application is actually checking whether that membership relationship is there, right? So you're not actually codifying your policy, you're creating a separate policy, which is this role membership.
So if you can avoid that, that is what you need for dynamic enforcement because you need to make your policies that are interpreted by the system to be as close to the business as possible so that when you have to make a change, the change has to be very localized and you know, it cannot sort of have to demand a lot of coding or a lot of, you know, development process. And for that, for example, you know, I know about a large company that had a lot of users globally.
There was a situation where Hong Kong was considered to be an independent country, but because of political alignment, they were no longer considered to be an independent country. And this company had to make sure that users in, in Hong Kong can only access data about, or sorry, employees in Hong Kong can only access data about users that are in Hong Kong. Right?
Now, imagine this change across thousands and thousands of applications that the company had, right? Everybody had to stop what they were doing and work on this in order to protect their user data, right? Because if you don't do that, you're gonna end up with a loss of trust, you have a loss of trust, people are gonna go away, right? They're never gonna come back.
And so in order to be able to respond to all these things you need to be, be, you need to have a very good data driven system that does not require coding or does not depend on each application sort of making their own decisions about access management. So you need to have this dynamic enforcement, you need to be able to depend on, you know, automation and continuous enforcement, right? So if I were to leave you with like three thoughts here, you know, this, it needs to be continuous, needs to be contextual, and it it, it needs to be consistent.
So across all your applications, you need to have the same decision because the data ultimately is what the attacker is after. It doesn't matter which application they're using, it needs to be contextual because, you know, the same user may be requesting the data for different reasons, and their access properties may be different as a result of that. And it needs to be continuous because things change all the time. And so you, you should not apply old rules for new accesses. And so that sort of brings me to the last thing is this is why we built Signal.
And with Signal you can basically eliminate ambi ambient access. Nobody needs to have privileges just because they belong in a certain organization, right? That access needs to be justified because of something that they are doing that they're sanctioned to do, right?
It, there's dynamic enforcement. You know, you don't depend on any kind of static data for the enforcement. There's context-based policies. So depending upon why the user is accessing and what are the parameters of the access, you can determine what kind of access that user should be given. You get real time insights because every decision is made in the central platform, which gets audited. And the reason for that access is granting or denying that access is, is actually evident in that audit.
And so, you know, it becomes very simple for you to get insights of the access. So we can implement this as a SaaS service or as a, you know, on-premise service.
And it's, like I said, it's already built by default, right? So that's, that's us. Love for us to be able to show you a demo and if you, if you want, you can scan that code and it'll send you to a page that where you can schedule a demo for yourself. Super. Thanks Atal. Questions? Questions.
Baral, who agrees with what he's put forward as the future for iam? Okay. Did you wanna tell us a little bit about what we would get at the demo? Like are you gonna be demo demoing your SaaS solution? Do you have a demo of that?
Yeah, so we try to make the demo custom to your requirements. So the first call will be sort of a discovery of what your environment looks like and we'll try to model that same thing in a SaaS environment in order for us to demo it. Okay? Yeah. So the welcome to come up to your booth Yeah. And then It's on the top floor. Yeah.
And, and see that. Okay. Right. Thank you. Let's give a hand in for a toll and we get a cup.
