From MFA to Granular Access Controls: Duo, Okta and Apono discuss the new IAM landscape
Ofir Stein
September 11, 2023
Table of Contents
Meet the Speakers
Challenges of the Modern IT Environment
In this webinar, we discuss the evolving nature of IT environments, the need for a security culture shift, the challenges and opportunities in modern IT security and the balance between security and user friendliness.
“Three main changes have occurred in the modern IT environment. The first is that it’s not just an IT department. The modern IT department encapsulates engineering as well because once we’ve shifted to the cloud, we’ve actually shifted the environment and infrastructure to not only belong to what was considered IT but to actually be in the hands of the engineering team, whether they like it or not. Two other pieces: It’s a larger environment, it’s a more complex environment and at the same time, it’s so much easier to make it larger and complex, because today, a click of a button, you can quadruple the size of your environment. The third thing here is stricter regulations we’re seeing in the market today when it comes to managing access.”
“The modern IT environment is this great engine of next-gen anything—AI everything, and microservices everything. What we’re seeing right now is an inflection point where enough people are starting to do multi-factor. We’ve said for a long time that a lot of attacks would go away if we did multi-factor, and we’ve reached that inflection point and the attackers aren’t stopping. I thought once everyone was running multi-vectory, you should stop, go home, game over we’ve won. But funny enough, the criminals are working around that. We’re starting to see phishing attacks, flood attacks, proxy attacks.”
“Two biggest challenges are baggage and culture. Baggage is legacy, meaning we build something and tend to leave it alone. If it ain’t broke, don’t fix it, then we just layer things on top of it, so we end up with layers and layers of baggage that we have to deal with and unwind. If you’re looking at zero-trust as one more layer, then you’re looking at it wrong. I think you need to look at zero trust as an opportunity to simplify. It’s also a cultural exploration, too, because it’s a change in the way we think about security.”
“When everyone started with the Cloud, it really changed things in containers and how we think about permissions to those environments. It’s radically different from how we used to treat a network.”
Security Versus User Experience
Access management requires a careful balancing act between access control and productivity. On one hand, privileged access exposes the organization to risks. On the other hand, if we restrict it too much, we end up with bottlenecks resulting in a lack of productivity.
“Today customers are expecting very fast value, so your teams are required to perform their work quickly with as least friction as possible. I think most companies today are in a lose-lose situation. Most companies today are somewhat over privileged in their environment or maybe a lot over privileged.”
“For the longest time, we’ve thought about where the user is going. When we think about just-in-time, if you don’t have a good infrastructure component to do it, you’re going to prioritize very rigorously, you’re going to look at your most privileged systems, you’re going to look at your most privileged sensitive data, and you’re going to look at the things that lure in adversaries, but I would argue, just like with any other control, the more easy it is to deploy it, the better the user experience.”
“We’re in a really neat place when it comes to juxtaposing security with user experience. And we as security people, have always made it harder for users. That’s just what we do. We’ve had password requirements and then we just layer on additional password requirements, which just force users to do unnatural things. We’re at a point now where I think we can provide better user experiences with actually up-leveling that security. Part of that is the workflows around the automation and figuring out which applications are touching which data.”
“I keep hearing that the need for ease of use for users and simplicity is becoming a critical attribute of a security system, and if you’re not starting with that in mind and making sure that whatever control you’re putting in place takes that user experience or administration in mind, then it’s probably not going to scale for this new, modern world, which is very agile.”
Roadmap to Zero Trust
Zero trust is a concept focused on limiting access to specific resources based on the principle of “never trust, always verify.” It involves dynamically adjusting trust boundaries, adopting a policy-driven approach, and relying on trust signals and telemetry to enforce security.
There’s been a shift away from traditional network-centric security to user and identity-centric security. Zero trust is seen as a way to achieve a more secure and adaptable security posture in today’s diverse and dynamic IT environments. Zero trust is not just a framework but a mindset shift that needs to be integrated into processes and DNA. It’s an ongoing process rather than a one-time implementation.
“I think the network has somewhat shifted into the management of the cloud itself. At some level, it’s now a policy that’s being managed in the cloud, so the network itself is just another resource. Somewhat similar to how zero trust moves the controls into the resources, now we’re managing these policies across multiple clouds and multiple applications, and that’s actually managing access today . . . Having all the roles very granularly defined is something that’s very hard to accomplish. That’s when you need to build your strategy around what’s most important. What are the crown jewels? Let’s start off from there and then slowly build it rather than trying to achieve zero trust over the whole environment.”
“We shouldn’t be able to do authorization and get our least privileged access (whatever those entitlements and privileges are) all the time. Why should those be standing? If the context and conditions change or if I’m doing something inappropriate, I should be able to revoke that trust. I’m trusting the person to authenticate. I’m trusting the person within my application and that policy enforcement, the idea of I’m going to do just-in-time access or I’m going to do risk-based authentication I think is the critical differentiator between zero trust and what we used to do.”
“This is the natural inevitability of the world we find ourselves in. We’re all clowned, we’re all mobile, we need the same security constructs across everything that we do. I always look at zero trust as a lifestyle choice. It’s a change of behaviors. It’s an evolution of how we think about security and moving security to the edge, moving security to the endpoints that end up being the user on the access device accessing the application where the data lives.”
“Zero trust means we are no longer trusting someone just because they have an IP on the network. We are going to map users to applications, workloads, servers, etc. It’s about starting with user identity and mapping to what they need. Not the network. You don’t give access to the network, you give access to the specific thing you need.”