Chief Evangelist André Koot has been focusing on the field of Identity and Access Management (IAM) for 20 years. In the beginning he was one of the few; now IAM has become a major focus of attention in organizations. IAM is not an innovation in itself, but organizations have many innovation opportunities when they set up IAM optimally. In this blog series, we ask critical questions about innovations that have a potential impact on IAM or even offer opportunities. In this blog, we look at Zero Trust: a utopia or not?
What exactly is Zero Trust?
Zero Trust means allowing access only after continuous, explicit validation of each access request against access policies. This lets you, for example, give even unknown and perhaps untrusted users access to certain information under certain conditions and to a certain degree, based on the access policy. And with that, security is also increased.
That’s a utopia, isn’t it?
In security, Zero Trust Architecture is a pretty dominant new security paradigm. And thinking about Zero Trust makes you wonder: if there is no trust, how can you get access?
Trust is an old security principle: you can access one of my resources if I trust you. So, no trust means no access. Only I can access my resources because they are mine, I am the owner, and I can grant access. Access is under my control. I can give you access if and for as long as I trust you.
But this is a very restrictive way of managing access; it blocks access and thereby limits collaboration and data sharing. If I want others to collaborate, I either limit the group of potential partners or define trust in such a way that access is granted: just a little more trust than no trust, just enough trust to work together.
So, Zero Trust means zero access. How do you get access in a zero trust environment?
Does that also mean that you need full trust to get full access? Or is the access control decision a binary decision?
“Trust is confidence in or reliance on some person or quality, while assurance is the act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.” (wikidiff.com/assurance/trust)
This implies that trust has a degree of uncertainty. And control relates badly to uncertainty. That’s why we need to have assurance of the reliability of the access request. And that’s why we need to be sure that access is only given if the access requester complies with the access policy of the resource owner. So, in a sense Zero Trust is a clever idea.
But how can we manage access in a less binary way?
In access management, a few basic concepts are available for controlling access. Basic models are:
- Access Control Lists (ACL, think of file systems or SharePoint),
- Role-Based Access Control (RBAC, giving access to specific application functions to people with a specific role)
- Attribute-Based Access Control (ABAC, granting access if a specific parameter is provided by the access requester).
But all of these controls either grant access or do not; the decision is binary. One cannot give a little access, because the infrastructure used (applications, middleware, operating systems) consists of systems that think in binary terms. You either get access, or you don’t. In RBAC, if you have a role, you get all the access that is part of that role.
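As an added illustration (example code written for this post, not from the original text or any product), the three models listed above each answer a yes/no question, while a Zero Trust style policy evaluates every request explicitly and can answer in degrees. The users, resource name, roles and request attributes (department, MFA, managed device, network) are all constructed for the example.

```python
"""Binary access models (ACL, RBAC, ABAC) beside a graded Zero Trust decision.
Added example; all names, roles and request attributes are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(str, Enum):
    DENY = "deny"
    READ_ONLY = "read-only"
    FULL = "full"


# --- Classic models: each returns a plain yes/no -----------------------------

# ACL: the resource owner lists who may access it (file-system style).
ACL = {"quarterly-report.xlsx": {"alice", "bob"}}


def acl_allows(user: str, resource: str) -> bool:
    return user in ACL.get(resource, set())


# RBAC: permissions hang off a role; holding the role grants everything in it.
ROLE_PERMISSIONS = {"finance": {"quarterly-report.xlsx"}}
USER_ROLES = {"alice": {"finance"}, "carol": {"sales"}}


def rbac_allows(user: str, resource: str) -> bool:
    return any(resource in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# ABAC: access depends on an attribute the requester presents, not on who they
# are; an unknown user with the right attribute passes this check.
def abac_allows(attrs: dict, resource: str) -> bool:
    return attrs.get("department") == "finance" and resource.startswith("quarterly")


# --- Zero Trust style: validate every request, grade the result --------------

@dataclass
class AccessRequest:
    user: str
    resource: str
    attrs: dict = field(default_factory=dict)  # department, mfa, device_managed, network


def assurance_score(req: AccessRequest) -> int:
    """Count the signals that make a request 'proven reliable' rather than merely
    trusted: strong authentication, a managed device and a known network."""
    score = 0
    if req.attrs.get("mfa"):
        score += 1
    if req.attrs.get("device_managed"):
        score += 1
    if req.attrs.get("network") == "corporate":
        score += 1
    return score


def zero_trust_decide(req: AccessRequest) -> Decision:
    """Explicit validation on each request. Identity alone grants nothing; the
    degree of access follows the assurance the request can demonstrate."""
    # Policy rule 1: only finance staff may touch finance data at all.
    if not abac_allows(req.attrs, req.resource):
        return Decision.DENY
    # Policy rule 2: the more the request proves, the more it gets.
    score = assurance_score(req)
    if score >= 3:
        return Decision.FULL
    if score >= 1:
        return Decision.READ_ONLY
    return Decision.DENY


if __name__ == "__main__":
    # dave is in no ACL and holds no role, yet policy can still grant him
    # limited access because his request carries the right attributes.
    dave = AccessRequest("dave", "quarterly-report.xlsx",
                         {"department": "finance", "mfa": True})
    print("acl:", acl_allows("dave", dave.resource),
          "rbac:", rbac_allows("dave", dave.resource),
          "zero trust:", zero_trust_decide(dave).value)
```

The point the example makes: with ACL and RBAC the answer for dave is simply no, whereas the policy-driven decision can say "read-only" for a request that proves one signal and "full" only for one that proves all of them, which is the less binary outcome the post asks about.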
Is this achievable or is this a utopia?
Back to Zero Trust: no trust means no access, and full trust implies full access. Or does it?
In my opinion, trust, even full trust, is not enough. We need assurance. Assurance is not just a stronger form of trust but the backbone of business continuity management. Every access request must be more than trusted, it must be reliable. It must comply with the applicable access policies so that the data owner, process owner, and system owner can always assure other stakeholders that every access is not trusted but proven reliable. Zero Trust is about proof, about fully enforced compliance with access policies.
Utopia, surely? No way, we’re designing and building it, adding Zero Trust capabilities to existing environments. Designing architectures and using tools to support them. Utopia is just around the corner; just look forward!
Background blog series
Identity and Access management (IAM) is in the spotlight. There are many opportunities for operational excellence (efficiency, strength, cost savings) and the need is high. On the one hand, digitalization has led to more systems and users and therefore new needs to keep it workable. On the other hand, regulations such as GDPR have created an increasing need for IAM solutions. It is simply required.
But there is more. With IAM, you can ensure that chain partners can collaborate digitally. IAM is not an innovation in itself, but there are many innovation opportunities for organizations by optimally setting up IAM. Consider, for example, new forms of organizational management, such as holistic working. New concepts, such as Zero Trust. And new technologies such as blockchain. To what extent does this impact or even offer synergy opportunities for access management? This blog series explores this.