I meet with organizations around the world, and one of the top topics that always comes up as a desire for improving existing security capabilities is modernizing identity management. The common themes include moving from passwords to passwordless, aligning with Zero Trust guidelines, and modernizing access to resources for anybody, anywhere, at any time, including visibility of that access. Many organizations have not invested in identity technology for years, leading to a ton of “technical debt”, meaning there is a growing gap between where they want to be and where they are today. This post outlines things to think about when taking steps to modernize your identity practice.
There are some fundamental steps that should be taken in order to achieve a modern identity management practice. Here is a simple short list.
1. Migrate identity to the cloud, aka fix the plumbing: Why is this first? Simply put, on-premises identity management can’t support modern features such as passwordless. Imagine a worker at Starbucks trying to log into their computer using facial recognition. If the identity store is on premises behind a DMZ firewall, such remote users will have trouble completing authentication. Having AD in the cloud means authentication is simplified since it can be reached from anywhere, not to mention there are many more security features available via the cloud.
2. Gain visibility of identities accessing resources: Step two is figuring out who or what is accessing what. This will allow you to develop policies based on “least privilege access”. To do this, there are four areas to monitor:
   - On-premises access: Map out who or what is accessing on-premises resources. This can be done with various tools and is probably the easiest of the four.
   - Access in the three major clouds (Google, Azure and AWS): Many organizations run a hybrid data center, meaning some data is on premises while other data lives in one or more clouds. This means a method is needed to monitor access within each cloud. One popular tool category is Cloud Infrastructure Entitlement Management (CIEM), which can give visibility into all three clouds.
   - Workload access: One topic that can’t be overlooked is non-human access, aka DevOps or things talking to things. Workloads can be difficult to track since user identities are not being used. A workload monitoring solution is typically needed to understand how DevOps access is being used.
   - SaaS access: Lastly is software as a service, aka everything else that is cloud but not in the three clouds, i.e. not PaaS or IaaS. For this, a cloud access security broker (CASB) is typically used to gain visibility and controls.
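Whatever tools feed each of the four areas, the useful output is one normalized "who reached what" inventory that can be compared against what was granted. The following Go program is an added illustration, not code from the post or from any CIEM/CASB product: it parses constructed collector lines from all four sources, reports how many events each source produced (a zero count means a missing feed, not an absence of access), and lists granted entitlements that were never exercised, which are the first least-privilege candidates. The identities, resources and the pipe-delimited line format are all made up for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Source is one of the four monitoring areas from the post.
type Source string

const (
	OnPrem   Source = "onprem"
	Cloud    Source = "cloud"
	Workload Source = "workload"
	SaaS     Source = "saas"
)

// AccessEvent is one normalized "who accessed what" record. Real feeds
// (directory logs, cloud audit logs, CIEM or CASB exports) differ in shape;
// the collector's job is to map each of them into this common form.
type AccessEvent struct {
	Source   Source
	Identity string // user, service principal or workload identity
	Resource string
}

// Entitlement is a granted permission: Identity may reach Resource.
type Entitlement struct {
	Identity string
	Resource string
}

// ParseLine parses a constructed collector line "source|identity|resource".
func ParseLine(line string) (AccessEvent, bool) {
	f := strings.Split(strings.TrimSpace(line), "|")
	if len(f) != 3 || f[0] == "" || f[1] == "" || f[2] == "" {
		return AccessEvent{}, false
	}
	return AccessEvent{Source: Source(f[0]), Identity: f[1], Resource: f[2]}, true
}

// CoverageBySource counts events per area. A zero count is a missing feed,
// not evidence of "no access", so every area is reported even when empty.
func CoverageBySource(events []AccessEvent) map[Source]int {
	counts := map[Source]int{OnPrem: 0, Cloud: 0, Workload: 0, SaaS: 0}
	for _, e := range events {
		counts[e.Source]++
	}
	return counts
}

// UnusedEntitlements compares what identities may reach with what they were
// observed reaching. Grants with no matching event are least-privilege
// candidates for review and removal. Output keeps the order of grants.
func UnusedEntitlements(grants []Entitlement, events []AccessEvent) []Entitlement {
	used := make(map[Entitlement]bool)
	for _, e := range events {
		used[Entitlement{e.Identity, e.Resource}] = true
	}
	var out []Entitlement
	for _, g := range grants {
		if !used[g] {
			out = append(out, g)
		}
	}
	return out
}

// SampleLines and SampleGrants are constructed demo data, not real tool output.
var SampleLines = []string{
	"onprem|alice|fileshare-finance",
	"cloud|alice|azure:kv-prod",
	"cloud|build-pipeline|aws:s3-artifacts",
	"workload|build-pipeline|aws:s3-artifacts",
	"saas|bob|salesforce",
	"this line is malformed",
}

var SampleGrants = []Entitlement{
	{"alice", "fileshare-finance"},
	{"alice", "azure:kv-prod"},
	{"alice", "aws:s3-artifacts"}, // granted, never used
	{"bob", "salesforce"},
	{"bob", "fileshare-finance"}, // granted, never used
	{"build-pipeline", "aws:s3-artifacts"},
}

// LoadSample parses the demo lines, skipping malformed ones.
func LoadSample() []AccessEvent {
	var evs []AccessEvent
	for _, l := range SampleLines {
		if e, ok := ParseLine(l); ok {
			evs = append(evs, e)
		}
	}
	return evs
}

func main() {
	evs := LoadSample()
	fmt.Println("events per area:", CoverageBySource(evs))
	for _, g := range UnusedEntitlements(SampleGrants, evs) {
		fmt.Printf("unused entitlement: %s -> %s\n", g.Identity, g.Resource)
	}
}
```

In practice the grants list comes from the directory, the cloud IAM APIs and the SaaS admin consoles, and the observation window has to be long enough to cover infrequent but legitimate use (quarter-end jobs, break-glass accounts) before an unused grant is actually removed.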
3. Develop and enforce policies: This can be accomplished a handful of ways. The traditional method has been placing technology at a DMZ or other proxy point and running traffic through that point. This works for a 100% on-premises data center, but once cloud and remote work are introduced, the traditional enforcement methods become obsolete.
The more modern approach can be accomplished a few ways. One way is moving the proxy point to the cloud, which has been coined secure access service edge (SASE) or security service edge (SSE). This approach works by creating policies in a cloud proxy and forcing user traffic through that proxy, leveraging SD-WAN, host clients, DNS or other means. The pro of this approach is that it works for any system whose traffic runs through the proxy. The cons are scaling to systems that are not forced through the SASE/SSE proxy, the high cost of forcing all systems regardless of location through the proxy, and workloads or other non-human traffic.
Another modern approach is enforcing policies at the application entry point. This way a proxy isn’t needed. Instead, workloads or people can access the resource from anywhere, and upon access the policies are enforced. A similar approach could be accomplished at the host level through an agent or DNS setting; however, that approach has the same challenges as an SSE/SASE approach. All three major clouds have policy-control features, so for many organizations running a hybrid environment this approach can be accomplished by keeping traditional enforcement for on-premises data centers while migrations to the cloud occur.
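The practical difference of the entry-point approach is that the decision is made by the application (or the gateway in front of it) from the caller's identity and posture, not from which network path the request arrived on, and that the same check covers people and workloads. The Go program below is an added example written for this post, not code from the post or from any cloud provider's policy engine. It assumes a request carries a Principal with signals an identity provider would supply (group membership, whether MFA was completed, whether the device passed compliance, and for workloads whether the identity was attested by a platform-issued token rather than a static secret); the rule shape, resource names and principals are constructed for the example.

```go
package main

import "fmt"

// Principal is whoever presents itself at the application entry point.
// People and workloads pass through the same decision function.
type Principal struct {
	ID            string
	Workload      bool
	Groups        []string
	MFA           bool // human: strong authentication completed this session
	DeviceManaged bool // human: endpoint passed the compliance check
	Attested      bool // workload: identity proven by a platform-issued token, not a shared static secret
}

// Request is one access attempt evaluated at the resource itself.
type Request struct {
	Principal Principal
	Resource  string
	Action    string
}

// Rule is one policy entry. Conditions are checked at the application,
// so the caller's network path (proxy or not) does not matter.
type Rule struct {
	Resource       string
	Action         string
	AllowGroups    []string
	RequireMFA     bool
	RequireMDM     bool
	AllowWorkloads bool
}

// Decision carries the outcome and a reason suitable for an audit log.
type Decision struct {
	Allow  bool
	Reason string
}

func inAny(p Principal, groups []string) bool {
	for _, g := range p.Groups {
		for _, a := range groups {
			if g == a {
				return true
			}
		}
	}
	return false
}

// Evaluate fails closed: a request that matches no rule is denied, and a
// matching rule must have every one of its conditions satisfied.
func Evaluate(rules []Rule, r Request) Decision {
	for _, rule := range rules {
		if rule.Resource != r.Resource || rule.Action != r.Action {
			continue
		}
		p := r.Principal
		if !inAny(p, rule.AllowGroups) {
			return Decision{false, "principal not in an allowed group"}
		}
		if p.Workload {
			if !rule.AllowWorkloads {
				return Decision{false, "workloads not permitted on this resource"}
			}
			if !p.Attested {
				return Decision{false, "workload identity not attested"}
			}
			return Decision{true, "workload rule satisfied"}
		}
		if rule.RequireMFA && !p.MFA {
			return Decision{false, "MFA required"}
		}
		if rule.RequireMDM && !p.DeviceManaged {
			return Decision{false, "managed device required"}
		}
		return Decision{true, "user rule satisfied"}
	}
	return Decision{false, "no rule matches resource/action"}
}

// DemoRules is constructed sample policy, not a real organization's.
var DemoRules = []Rule{
	{Resource: "payroll-api", Action: "read", AllowGroups: []string{"finance"}, RequireMFA: true, RequireMDM: true},
	{Resource: "artifact-store", Action: "write", AllowGroups: []string{"ci"}, AllowWorkloads: true},
}

func main() {
	alice := Principal{ID: "alice", Groups: []string{"finance"}, MFA: true, DeviceManaged: true}
	cafe := alice
	cafe.DeviceManaged = false // same person, personal laptop
	pipeline := Principal{ID: "build-pipeline", Workload: true, Groups: []string{"ci"}, Attested: true}
	for _, req := range []Request{
		{alice, "payroll-api", "read"},
		{cafe, "payroll-api", "read"},
		{pipeline, "artifact-store", "write"},
		{pipeline, "payroll-api", "read"},
	} {
		d := Evaluate(DemoRules, req)
		fmt.Printf("%-15s %-15s %-5s allow=%-5v %s\n", req.Principal.ID, req.Resource, req.Action, d.Allow, d.Reason)
	}
}
```

The reason string is the piece worth keeping: logging it alongside the principal and resource is what gives the visibility from step two for the cloud and SaaS paths that never touch an on-premises proxy.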
4. Move towards a decentralized identity management approach: This approach uses verifiable credentials that are trusted between the issuer and verifier, leading to a user-focused identity model. Think of it as having a digital ID card stored on an asset such as a mobile phone, much as you carry a physical driver’s license. You don’t go to a bar and ask the bartender to call the DMV to verify your identity. The same concept would apply to user authentication, making the entire process much faster.
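The "bartender doesn't call the DMV" property comes from the verifier holding the issuer's public key ahead of time and checking a signature locally. The Go program below is an added illustration of that exchange, not code from the post and not an implementation of any particular verifiable-credential standard: an issuer signs a small set of claims with an Ed25519 key, the holder carries the signed credential, and a verifier that was provisioned with the issuer's public key checks the signature and validity window without contacting the issuer. The issuer name, subject, role and lifetime are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims is the payload the issuer signs. The holder carries the signed
// credential (for instance in a phone wallet) and presents it; the verifier
// checks it against the issuer's public key it already trusts, so no call to
// the issuer is needed at presentation time.
type Claims struct {
	Issuer    string `json:"iss"`
	Subject   string `json:"sub"`
	Role      string `json:"role"`
	NotBefore int64  `json:"nbf"`
	Expires   int64  `json:"exp"`
}

// Credential is the claims plus the issuer's Ed25519 signature over their
// JSON encoding.
type Credential struct {
	Claims    Claims `json:"claims"`
	Signature []byte `json:"sig"`
}

// Issuer holds the signing key; only the public half is ever shared.
type Issuer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIssuer(name string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{Name: name, Pub: pub, priv: priv}, nil
}

// Issue signs a credential valid from now for ttl.
func (i *Issuer) Issue(subject, role string, ttl time.Duration, now time.Time) (Credential, error) {
	c := Claims{Issuer: i.Name, Subject: subject, Role: role, NotBefore: now.Unix(), Expires: now.Add(ttl).Unix()}
	b, err := json.Marshal(c) // struct encoding is deterministic (field order), so verifier can re-encode
	if err != nil {
		return Credential{}, err
	}
	return Credential{Claims: c, Signature: ed25519.Sign(i.priv, b)}, nil
}

// Verifier holds the trust list: issuer name -> public key, provisioned
// out of band once rather than looked up on every authentication.
type Verifier struct {
	Trusted map[string]ed25519.PublicKey
}

func NewVerifier(issuers ...*Issuer) Verifier {
	v := Verifier{Trusted: map[string]ed25519.PublicKey{}}
	for _, i := range issuers {
		v.Trusted[i.Name] = i.Pub
	}
	return v
}

// Verify checks issuer trust, signature, and validity window. The claims
// are re-encoded exactly as the issuer encoded them, so any change to
// subject, role or expiry invalidates the signature.
func (v Verifier) Verify(cred Credential, now time.Time) error {
	pub, ok := v.Trusted[cred.Claims.Issuer]
	if !ok {
		return errors.New("untrusted issuer")
	}
	b, err := json.Marshal(cred.Claims)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, b, cred.Signature) {
		return errors.New("signature does not match claims")
	}
	t := now.Unix()
	if t < cred.Claims.NotBefore || t >= cred.Claims.Expires {
		return errors.New("credential outside its validity window")
	}
	return nil
}

func main() {
	idp, err := NewIssuer("corp-idp") // constructed issuer name
	if err != nil {
		panic(err)
	}
	now := time.Now()
	cred, _ := idp.Issue("alice", "finance-analyst", time.Hour, now)
	v := NewVerifier(idp)
	fmt.Println("fresh credential:", v.Verify(cred, now))
	fmt.Println("after expiry:    ", v.Verify(cred, now.Add(2*time.Hour)))
	cred.Claims.Role = "admin"
	fmt.Println("tampered role:   ", v.Verify(cred, now))
}
```

The short expiry is what replaces the phone call to the issuer: a verifier that never checks back has no other way to learn that a credential was revoked, so lifetimes are kept short or paired with a status mechanism.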
There are other steps that may occur in between each of these. Organizations may need to clean up existing identity stores prior to migrating to the cloud. Existing identity systems may need to be hardened. Access roles may need to be cleaned up to reduce the risk of “attack paths”, aka the risk of an attacker compromising one account and using it to log into multiple systems. Key management and other identity technologies may need to be improved. Proper certificate management may be needed instead of certificates that all expire every January. This is not an easy topic for most organizations to address, yet I continue to hear requests to “help us modernize our identity management practices”. Hopefully this post gives a general understanding of what to think about as the journey begins.
Here is an interesting post on the same subject from two identity experts HERE.