The concept of computer identity can be likened to an onion: ubiquitous and layered, and, if not handled properly, capable of bringing tears to the eyes. The outer layer, authentication, is one of the oldest problems the software industry has tried to solve. Initially, password-based authentication was used, but it turned out to be easy to guess or steal someone's password and gain unauthorized access. We did not stop there: we studied usage patterns (device, location, time of day) and started using them to reinforce authentication systems. When enterprise users complained about keeping too many passwords for too many applications, Single Sign-On (SSO) emerged.
The inner layer of computer identity is authorization, which has also evolved over time. Initially, a simple access control list (ACL) was used, but as systems grew more complex, roles were introduced to dictate what any user can do. Managing roles was easy at first, with few users and few systems. Even though the number of users increased in the pre-cloud era, it was still manageable because the number of systems stayed under control.
Convenience and Security
Many people believe that convenience and security are inversely proportional. For instance, passwords and multi-factor authentication (MFA) are effective security controls, but only when used well: conventional guidance has been that passwords must be complex and rotated frequently, and MFA must be enforced rather than left optional. (Current NIST SP 800-63B guidance actually recommends long, unique passwords checked against breach lists and discourages forced periodic rotation, precisely because rotation pushes users toward predictable variations.) This is where convenience comes into play. Creating complex passwords and rotating them frequently is tedious and frustrating, and many people avoid doing so because of the inconvenience. Instead, it is more convenient to use the same password for multiple logins and change it only once or twice a year. But this comes at a cost: security. Reusing a password across multiple logins drastically reduces security, because a single compromise (a phished login, a breached database) gives the attacker every account that shares the password via credential stuffing.
Similarly, authorization presents its own challenges. People prefer "always on" access, and traditional access control systems have been static: once permission is granted, it remains in place indefinitely. Although this is convenient, it is not secure. In modern systems, hundreds of apps work together seamlessly, and the network perimeter that was once well defined has disappeared with the rise of cloud and SaaS. With interconnected systems, lateral movement becomes easy for unwanted guests who manage to get in. This is not limited to outsider attacks; insiders with standing privileges can take advantage of the same situation.
A commonly cited estimate is that access to critical systems is actually needed for only about 2% of working time. However, in many cases, long-term access is granted for convenience. The manual process of access request, approval, and provisioning is a hassle: it is tedious to ask for access and wait for it to be granted, and even more tedious for an approver to review each request by hand and provision exactly the access required. As a result, oversized, mostly one-size-fits-all permissions stay in place indefinitely. This would have been a security issue even in pre-cloud times, but today the consequences are amplified. Public cloud and SaaS apps are increasingly used, and often these apps are interconnected, so a compromised or over-privileged account in one of them can reach the others. Allowing the wrong person to hold the wrong permission for an extended period is an invitation to a security incident.
Security can be convenient
Remembering passwords can be difficult and inconvenient, but that is quickly becoming a thing of the past. Newer authentication schemes, such as magic links, behaviour-based (risk-adaptive) authentication, and biometric systems, are making authentication both secure and convenient. Authorization can likewise be made convenient through an automated access or permission control process. It is possible to build systems that are both secure and user-friendly.
Access or Permissions Control
Controlling the digital perimeter through identity has become essential. As more cloud and SaaS applications are introduced, the perimeter expands, making "identity is the new perimeter" a cliché with some truth to it. However, the authorization process needs an overhaul in two respects. The first is obvious: no one should ever hold more permissions than the job at hand requires. This is the principle of least privilege. Given that the major cloud providers between them expose more than 40,000 distinct permissions, it is a colossal task. Although roles can be configured to carry the least privilege needed, there is always room for error, and permissions that were right when granted drift out of date as jobs change. Building least-privilege permissions and keeping them that way requires continuous effort, and therefore automation that adjusts permissions as needs change, for example by comparing what a role grants against what its holders have actually used.
The second respect is duration, and here the Zero Trust principle is useful in reducing the attack surface. The "never trust, always verify" mantra should be adopted: access to critical systems should be available only for the time it is required. This is the Just-In-Time (JIT) access model, in which access is requested, approved, provisioned, used, and de-provisioned as needed, rather than granted once and left standing.
The old manual process cannot keep up with this approach, but an automated access management process that uses context (who is asking, for what, why, and for how long) can make Zero Trust practical. JIT access shrinks the window of opportunity for any malicious actor, since a stolen credential or a compromised account has nothing to use once the grant expires. Furthermore, the automated process keeps an audit of all access to critical systems in one place, reducing the manual effort required for user access reviews and revealing which standing permissions are never exercised. The burden on cloud or IT teams to process manual requests is also removed.
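To make the two points above concrete (least-privilege right-sizing from L10 and the JIT request/grant/use/expire cycle described here), the following is an added example, not code from the original article or from any particular product. It models a hypothetical in-memory access broker: every grant carries an expiry, expired grants are revoked at the moment of the next authorization check rather than by a cleanup job that might be forgotten, every event lands in one audit log, and that log is then used to list standing permissions a user never exercised. The names (AccessBroker, Grant, the sample user and permission strings, the injectable clock) are all illustrative assumptions.

```python
"""Hypothetical JIT access broker (added example, not the article's code).

Time-boxed grants, expiry enforced at check time, a single audit trail,
and a least-privilege report derived from that trail.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    user: str
    permission: str
    reason: str
    granted_at: datetime
    expires_at: datetime


class AccessBroker:
    """Grants a permission only for a bounded duration and records every
    request, grant, use and expiry in one audit log (in-memory here; a real
    system would write to an append-only, tamper-evident store)."""

    def __init__(self, max_duration=timedelta(hours=4), clock=None):
        self.max_duration = max_duration
        # Injectable clock so the example is deterministic and testable.
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.grants = {}   # (user, permission) -> Grant
        self.audit = []    # list of event dicts

    def _log(self, event, **fields):
        self.audit.append({"at": self.clock().isoformat(), "event": event, **fields})

    def request(self, user, permission, reason, duration):
        """Approve a request only if it carries a justification and stays
        within the policy cap; nothing is ever granted indefinitely."""
        if not reason.strip():
            self._log("denied", user=user, permission=permission, why="no justification")
            return None
        if duration > self.max_duration:
            self._log("denied", user=user, permission=permission, why="duration exceeds policy")
            return None
        now = self.clock()
        grant = Grant(user, permission, reason, now, now + duration)
        self.grants[(user, permission)] = grant
        self._log("granted", user=user, permission=permission,
                  reason=reason, expires=grant.expires_at.isoformat())
        return grant

    def check(self, user, permission):
        """Authorization decision. An expired grant is removed on the spot,
        so a missed de-provisioning job cannot leave access standing."""
        grant = self.grants.get((user, permission))
        if grant is None:
            self._log("rejected", user=user, permission=permission)
            return False
        if self.clock() >= grant.expires_at:
            del self.grants[(user, permission)]
            self._log("expired", user=user, permission=permission)
            return False
        self._log("used", user=user, permission=permission)
        return True

    def unused_permissions(self, user, standing):
        """Least-privilege right-sizing: standing permissions (e.g. from a
        role) that the audit trail never shows being used are candidates for
        removal. Returns them sorted for stable output."""
        used = {e["permission"] for e in self.audit
                if e["event"] == "used" and e["user"] == user}
        return sorted(set(standing) - used)


def demo():
    """Walk one grant through its lifecycle with a controllable clock.
    Sample user, permissions and ticket reference are constructed."""
    now = [datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)]
    broker = AccessBroker(clock=lambda: now[0])

    # A request with no justification is denied and logged, not granted.
    denied = broker.request("alice", "prod-db:admin", "", timedelta(hours=1))
    # A justified, one-hour request is granted.
    broker.request("alice", "prod-db:admin", "INC-1234: restore orders table", timedelta(hours=1))
    ok_now = broker.check("alice", "prod-db:admin")      # within the window
    now[0] += timedelta(hours=2)                         # clock moves past expiry
    ok_later = broker.check("alice", "prod-db:admin")    # expired -> revoked
    # Standing role permissions alice holds but never used in this trail.
    trim = broker.unused_permissions(
        "alice", ["prod-db:admin", "s3:DeleteBucket", "iam:CreateUser"])
    events = [e["event"] for e in broker.audit]
    return denied, ok_now, ok_later, trim, events


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The design point worth noting is that expiry is enforced inside `check`, the path every access actually takes, rather than by a separate cleanup task; the audit log is a by-product of normal operation, which is what makes the `unused_permissions` report cheap to produce at review time.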
Such an automated system is convenient for requesting and granting access while keeping the system secure, because the default outcome of doing nothing is that access goes away. So it is possible to make authorization both convenient and secure at the same time.