
Zero trust. That’s a utopia right?
Chief Evangelist André Koot has been focusing on the field of Identity and Access Management (IAM) for 20 years. In the beginning he was one of the few, but IAM has since become a major focus of attention in organizations. IAM is not an innovation in itself, but there are many innovation opportunities for organizations that set up IAM optimally. In this blog series, we ask critical questions about innovations that have a potential impact on IAM or even provide opportunities. In this first blog, we’ll look at Zero Trust.
What exactly is Zero Trust?
Zero Trust means allowing access only after continuous, explicit validation of access requests against access policies. This would allow you, for example, to ensure that even unknown and perhaps even untrusted users can still be given access to certain information under certain conditions and to a certain degree, based on the access policy. And with that, security is also increased.
That’s a utopia, isn’t it?
In security, Zero Trust Architecture has become a dominant new paradigm. And thinking about Zero Trust makes you wonder: if there is no trust, how can you get access?
Trust is an old security principle: you can access one of my resources if I trust you. So, no trust means no access. Only I can access my resources, because they are mine, I am the owner and I can grant access. Access is under my control. I can give you access if and for as long as I trust you.
But this is a very restrictive way of managing access; in fact it blocks access and thereby limits collaboration and data sharing. If I want others to collaborate, I either limit the group of potential partners, or define trust in such a way that access is granted: just a little more trust than no trust, just enough trust to work together.
So, Zero Trust means zero access. How do you get access in a zero trust environment?
Does that also mean that you need full trust to get full access? Or is the access control decision a binary decision?
“Trust is confidence in or reliance on some person or quality while assurance is the act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.” (wikidiff.com/assurance/trust)
This implies that trust has a degree of uncertainty. And control relates badly to uncertainty. That’s why we need to have assurance of the reliability of the access request. And that’s why we need to be sure that access is only given if the access requester is compliant with the access policy of the owner of the resource. So, in a sense Zero Trust is a clever idea.
But how can we manage access in a less binary way?
In access management, a few basic concepts are available for controlling access. The basic models are Access Control Lists (ACL, think of file systems or SharePoint), Role Based Access Control (RBAC, giving access to specific application functions to people with a specific role) and Attribute Based Access Control (ABAC, granting access if a specific attribute is provided by the access requester). But all of these controls either give access or not; it’s a binary decision. One doesn’t give a little access, because the infrastructure used (applications, middleware, operating systems) consists of systems that think in binary terms. You get access or you don’t. In RBAC, if you have a role, you get the access that’s part of that role.
Is this achievable or is this a utopia?
Back to Zero Trust: no trust means no access and full trust implies full access. Or does it?
In my opinion, trust, even full trust, is not enough. We need assurance. Assurance is not just a stronger form of trust; it is the backbone of business continuity management. Every access request must be more than trusted, it must be reliable. It must be compliant with the applicable access policies, so that the data owner, process owner and system owner can always assure other stakeholders that every access is not merely trusted, but proven to be reliable. Zero Trust is about proof, about fully enforced compliance with access policies.
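To make the contrast between the binary ACL/RBAC/ABAC decision described above and a policy-driven, graded decision concrete, here is a small policy decision point written as an added illustration (not code from the blog or its author). The roles, assurance levels, data classes and re-validation windows are constructed assumptions, not any product's policy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    subject: str
    role: str                 # RBAC-style role of the requester
    assurance_level: int      # constructed scale: 1 = password, 2 = MFA, 3 = MFA + managed device
    device_managed: bool
    resource_class: str       # "public", "internal" or "confidential"
    action: str               # "read" or "write"

# Constructed policy: minimum assurance the resource owner demands per (class, action).
REQUIRED_ASSURANCE = {
    ("public", "read"): 0, ("public", "write"): 2,
    ("internal", "read"): 1, ("internal", "write"): 2,
    ("confidential", "read"): 2, ("confidential", "write"): 3,
}
WRITE_ROLES = {"editor", "admin"}  # constructed RBAC part of the policy

def decide(req: AccessRequest) -> dict:
    """Grade an access request against the policy instead of answering yes/no.

    The result records what the evidence supports ("allow", "limited" or "deny")
    and after how many seconds the decision must be validated again.
    """
    needed = REQUIRED_ASSURANCE.get((req.resource_class, req.action))
    if needed is None:
        return {"decision": "deny", "reason": "no policy covers this request"}
    if req.action == "write" and req.role not in WRITE_ROLES:
        # Role is necessary but, unlike plain RBAC, never sufficient on its own.
        return {"decision": "deny", "reason": "role does not permit write"}
    if req.assurance_level < needed:
        # Downgrade rather than deny: grant the strongest action the evidence proves.
        read_needed = REQUIRED_ASSURANCE[(req.resource_class, "read")]
        if req.action == "write" and req.assurance_level >= read_needed:
            return {"decision": "limited", "granted": "read",
                    "reason": "step-up authentication required for write",
                    "revalidate_after_s": 300}
        return {"decision": "deny", "reason": "assurance below policy minimum"}
    # Continuous validation: unmanaged devices are re-checked far more often.
    ttl = 900 if req.device_managed else 120
    return {"decision": "allow", "granted": req.action, "revalidate_after_s": ttl}

def still_valid(decision: dict, elapsed_s: int) -> bool:
    """A granted decision expires; the requester must be re-validated afterwards."""
    if decision["decision"] == "deny":
        return False
    return elapsed_s < decision["revalidate_after_s"]
```

Run a few requests through `decide` to see the same requester get full, limited or no access depending on the assurance presented, and `still_valid` to see the grant lapse when the window passes.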
Utopia, surely? No way, we’re designing and building it, adding Zero Trust capabilities to existing environments. Designing architectures and using tools to support it. Utopia is just around the corner, just look forward!
Background blog series
Identity and Access management (IAM) is in the spotlight. There are many opportunities for operational excellence (efficiency, strength, cost savings) and the need is high. On the one hand, digitalization has led to more systems and users and therefore new needs to keep it workable. On the other hand, regulations such as GDPR have created an increasing need for IAM solutions. It is simply required.
But there is more. With IAM, you can ensure that chain partners can collaborate digitally. IAM is not an innovation in itself, but there are many innovation opportunities for organizations by optimally setting up IAM. Consider, for example, new forms of organizational management, such as holistic working. New concepts, such as Zero Trust. And new technologies such as blockchain. To what extent does this impact or even offer synergy opportunities for access management? This blog series explores this.