Identity management has a long history, almost as long as computing itself. The first password was implemented by Fernando Corbato in the early 1960s, and this familiar concept passed into Multics and then Unix. However, passwords are no longer suitable on their own for identity management – Corbato himself called them “a kind of nightmare” in 2014.
Keeping user identities, their passwords, and the resources they need to access secure has been made even harder this year with Covid-19 leading to more remote work for the vast majority of companies. These challenges triggered new investments in security, privacy, and identity management tools. According to McKinsey, identity and access management was one of the three areas for increased spend by both enterprises and small businesses in 2020.
Behind this immediate need, identity and access control challenges have been a problem for many companies over the past few years. Covid-19 forced many companies to confront this issue as there was no way they could compromise on security, but full remote working was too challenging.
About the author
Greg Keller is CTO at JumpCloud
Managing access control from within traditional perimeter-based networks, like those found in most brick-and-mortar offices, is a known commodity and playbook for IT professionals. Suddenly not having a ‘perimeter’ introduces challenges related to identity. Is the person attempting to authenticate to some resource from some unknown location really that person, or an imposter? How can this attempt be verified and subsequently trusted? This is precisely where principals of Zero Trust security become effective. Trusting nothing, verifying everything and ultimately ensuring the right person, with the right access control from the right location and device can securely access what they need.
Let’s break that down into some meaningful parts.
Identity – from simple to complex
Identity is the core of authentication and authorisation needs for businesses. Managing user identities has become more difficult over time. In the past, identity was more simple – everyone was on the network and connected from their specific computer. Controlling that access through a directory – in the vast majority of cases, Microsoft Active Directory centrally authenticating Microsoft-specific workstations, servers and applications – meant that each user account could be managed centrally.
Today, that model is no longer relevant. Companies use resources and computers from a variety of different vendors in a lot of different locations: Google, Apple, Amazon, Atlassian, Slack, etc. Complicating this is ‘how’ employees are working. As we have directly experienced in our lives, Covid-19 forced a majority of the workforce to stay at home and be as productive as possible as if they were in the office. Ensuring all of these resources mentioned above can be accessed while doing so across networks and on devices that the company ‘knows’ is critical. For example, jumping on your home computer to quickly access email or some other resources may be convenient, but can the business ensure that machine isn’t compromised? Can they really trust it?
As enumerated above, the technology that we use is more heterogeneous as well. Rather than relying on Microsoft for operating systems, applications, and services, there are many more providers involved in supporting users. A common stack for tech startups and small businesses is AWS for cloud, Google for apps and Apple for laptops, for example. All these services have to be joined together and effectively managed, and it’s only when companies reach a certain size that they consider using a directory at all, lest each of those resources have their own unique identity and login.
As companies grow, they need to manage user identities effectively to solve these challenges around unifying heterogeneous resources.. And as we now know, outdated, homogeneous systems centrally managing vendor-specific resources is not fit for the needs of the modern workforce. Instead, we have to look at how to support the mix of different technologies, providers and work patterns that exist today.
Conditional access policies
Today, identity remains the one constant that we should consider for security. If we can’t be sure that someone is who they say they are, then they should not have access to applications. However, even then it is not that simple. Instead, we have to look at conditional access based on authentication and authorisation policies.
Conditional access describes how to set rules for access based on contexts like the user’s identity and credentials, the location where the authentication is being attempted, and the device that is making the authentication request. In the past, we had forms of conditional access but took this for granted. We relied on physical access control as a condition, as if you are allowed access to the building then you can provide your password and access your PC. Today, we have to look at location differently, again given how different the world’s workforce is now working.
Setting up policies which blend various forms of context involves looking at four areas:
The identity – managing all of your user identities should be the starting point. This includes all credential control and revocation, two factor verification, and contextual data to ensure appropriate levels of permission when accessing resources.
The network – authentication requests will be based on the IP address and/or a geographic location that a user is attempting an authentication from. As an example, concentrating on specific IP addresses or ranges of addresses can restrict traffic to resources only from locations that you know or otherwise ‘trust’.
The device – depending on your approach, you may want to restrict access to devices that your organisation knows and trusts rather than relying on users being able to compute from any device. Trusting known devices, such as those that have the appropriate security settings and tools employed to protect it, allows you to be more granular in your approach and prevent or allow authentication based on policy and context.
The policy – once you start looking at identity, network, and device, you can start to set policies. These policies can blend combinations of the first three areas as the company sees fit. However large your organisation, there will be different groups of users requiring different levels of access and taking a ‘one size fits all’ approach is not suitable. In these circumstances, you can set policies to add further security or second factors of verification (MFA) when required.
Setting up policies around conditions is where we can exert the most control over identity and access, but we should look at this as a way to support smarter working rather than stopping access. As an example, we can look at the access requirements that a user might have. For some roles and users, we can confirm the locations where users might access company applications from and we can stop access outside those locations.
For other roles that are more mobile, we can use location data alongside other steps like multi-factor authentication and device specifications to ensure users are who they say they are. Some staff may be more unpredictable in where they might have to work from in the future, so access control can be more flexible for them. By putting in multi-factor authentication as part of policy, we can ensure that users can be productive while implementing strong Zero Trust security.
Implementing Zero Trust
Zero Trust is a model that follows the approach that everything you and your users may touch is insecure. Rather than relying on your IT to automatically be secure, you should verify everything. This includes areas like identity, networks, devices, and applications. By looking at identity and putting policies in place around conditional access, you can implement Zero Trust more easily. This will be important due to some of the misconceptions around Zero Trust being more expensive to implement.
As Chase Cunningham of Forrester commented, “IT and business leaders often think that [Zero Trust] is too hard and too expensive or that it requires them to restructure everything they’ve built or deploy next-generation firewalls everywhere.” However, this is not the case. Instead, Zero Trust can be implemented efficiently and cost effectively, opening it up for smaller companies and organisations to use as well as enterprises. By looking at conditional access, you can implement a Zero Trust approach and make it easier for users to work remotely at the same time.
