Beyond the castle: zero trust and the future of IAM
Identity and access management (IAM) is a big deal. When we turn on our laptops and enter our passwords, validation processes get to work behind the scenes, busily enabling the services that are needed to do our jobs, watch a movie, book a holiday – the list goes on. IAM underpins commerce and government services, and lets trustworthy, accountable interactions happen. Users don’t need to know how it works, but they rely on systems being fully functional and – ideally – frictionless. And that, as it turns out, isn’t trivial.
There’s always been a tension between safeguarding information systems, on the one hand, and user convenience on the other. Get it wrong and you have a product that’s easy to access, but poorly protected, or vice versa. “It used to be that security was a castle and users had to come and get the key, which was time-consuming,” Wade Ellery, Field Chief Technology Officer at Radiant Logic and a veteran of the IAM industry, told TechHQ.
Another issue was that the key could come with a lot of power and unlock everything, which is far from ideal. It was time for a change – enter the ‘zero trust’ security model. “Instead of giving users everything upfront, which makes them vulnerable, modern systems provide incremental access, and only when it’s required,” said Ellery. To do this, today’s products lean on more signals to verify that users are who they claim to be. “It’s not just about an id and a password, we’ll also examine whether users are in a location that appears reasonable; are they in the same place that they were half an hour ago, for example?” he explained. “The ability to be both very granular and very dynamic is a useful way of limiting the attack surface.”
That’s not to say that passwords no longer have a role. They do, and for low-level access they can be acceptable. But there’s a rising need for systems to require a second authentication factor, such as a one-time passcode or facial recognition. Products may also look at how users type, examining keystroke cadence and other behavioural patterns that help to judge whether actions are legitimate or potentially fraudulent. Identity underpins communications, and it is not only people who need it: machine and non-person identities, such as automated agents or bots, need to be verified too.
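The two preceding paragraphs describe the mechanics of a dynamic, risk-based access decision: checking whether a user's location is plausible given where they were half an hour ago, and stepping up to a second factor when the signals look wrong. The script below is an added example of that policy logic and is not Radiant Logic's code or any product's. The speed limit, the score weights, the network categories and the login events are all assumptions made for illustration; the only real computation is the great-circle distance.

```python
"""Added example (not Radiant Logic's code): a small risk-based access
decision. It scores a login attempt from where the user was last seen,
how long ago, and what network they are on, then allows, steps up to a
second factor, or denies. Thresholds, weights and events are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # faster than this between two logins = "impossible travel"
MOVED_KM = 100.0            # smaller moves are treated as ordinary commuting
STEP_UP_THRESHOLD = 40      # score at or above this: ask for a second factor
DENY_THRESHOLD = 80         # score at or above this: refuse the session
NETWORK_RISK = {"corporate_vpn": 0, "home": 10, "public_wifi": 30}
UNKNOWN_NETWORK_RISK = 30   # anything we cannot classify is treated as untrusted


@dataclass(frozen=True)
class LoginEvent:
    user: str
    when: datetime
    lat: float
    lon: float
    network: str  # one of the NETWORK_RISK keys, or something unknown


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev: LoginEvent, cur: LoginEvent) -> float:
    """Speed the user would have needed to get from prev to cur."""
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        # Same instant or clock skew: any movement at all is suspicious.
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def risk_score(prev: LoginEvent | None, cur: LoginEvent) -> tuple[int, list[str]]:
    """Combine the signals into a score plus the reasons, for the audit log."""
    score, reasons = 0, []
    if prev is not None and prev.user == cur.user:
        speed = implied_speed_kmh(prev, cur)
        moved = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        if speed > MAX_PLAUSIBLE_KMH:
            score += 60
            reasons.append(f"impossible travel: {moved:.0f} km at {speed:.0f} km/h")
        elif moved > MOVED_KM:
            score += 15
            reasons.append(f"location changed: {moved:.0f} km since last login")
    network_risk = NETWORK_RISK.get(cur.network, UNKNOWN_NETWORK_RISK)
    if network_risk:
        score += network_risk
        reasons.append(f"network: {cur.network}")
    return score, reasons


def decide(prev: LoginEvent | None, cur: LoginEvent) -> str:
    """Map the score onto the three outcomes of a conditional-access policy."""
    score, _ = risk_score(prev, cur)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up_mfa"
    return "allow"


# Constructed sample events for one user (not real data).
_T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
LONDON_0900 = LoginEvent("jdoe", _T0, 51.5074, -0.1278, "corporate_vpn")
LONDON_0930 = LoginEvent("jdoe", _T0.replace(minute=30), 51.5100, -0.1300, "corporate_vpn")
SINGAPORE_0930 = LoginEvent("jdoe", _T0.replace(minute=30), 1.3521, 103.8198, "public_wifi")
MANCHESTER_1300 = LoginEvent("jdoe", _T0.replace(hour=13), 53.4808, -2.2426, "public_wifi")

if __name__ == "__main__":
    for label, cur in [("London again", LONDON_0930), ("Singapore", SINGAPORE_0930),
                       ("Manchester", MANCHESTER_1300)]:
        score, reasons = risk_score(LONDON_0900, cur)
        print(f"{label:13} score={score:3} decision={decide(LONDON_0900, cur):12} {reasons}")
```

The three sample logins after the 09:00 London session illustrate the three outcomes: a second London login over the corporate VPN is allowed, a Singapore login half an hour later is denied because the implied speed is far beyond anything an aircraft manages, and a Manchester login four hours later from public Wi-Fi is possible but unusual enough to require a second factor. In a real deployment the reasons list is what you would write to the audit log, so that a denied or stepped-up session can be explained afterwards.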
And the problem here is that information typically exists in different silos. Fortunately, IAM providers have found a way of bringing all of that verification data into a common format or abstraction layer. Systems can digest the various fields and build views that suit the requests being made at the time. They can cope with messy data too – for example, where you have duplicate entries or inconsistent formatting – which would otherwise confuse the software on the other end. “Applications aren’t typically built to deal with this, but thanks to our intelligent platform we’re able to hand them clean, effective data,” said Ellery. “And the broader the set of information, the better those engines are able to learn.”
Routines can be programmed to help manage data protection and to serve good governance throughout organizations. IAM systems can also be useful following acquisitions, allowing administrators to merge identity records into the access control scheme, which saves time, and money too – marrying products that would otherwise struggle to talk to each other. They can also pull in data from companies that have administrative links, but are otherwise run as separate entities. And today, IAM is an essential element of the enterprise space. Radiant Logic’s client list, for example, includes Disney, Vodafone, Visa, Verizon Media, and more.
“Systems can gather the information, recognize where it is true and authoritative and then tailor it,” Ellery pointed out. Today’s identity and access management tools need to cope with not just changes in organizational structure, but also shifts in IT architecture. This includes navigating records in a hybrid cloud environment where, again, the information required can be siloed. Solutions must be able to deal with both worlds. There are other examples too. “With edge computing, you’ve solved one problem, but you’ve separated that data,” said Ellery. “Systems have to adapt to the circumstances.”
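The three preceding paragraphs describe the abstraction layer at the heart of this approach: pulling identity records out of separate silos (an on-premises directory and a cloud HR system, say), coping with duplicate entries and inconsistent formatting, merging records after an acquisition, and deciding which source is authoritative for each attribute. The script below is an added example of that kind of consolidation and is not Radiant Logic's product or anyone's real data. The two sources, their field names, the precedence rules and the sample records are assumptions for illustration.

```python
"""Added example (not Radiant Logic's product): a miniature identity
abstraction layer. It normalizes records from two silos into one view keyed
by e-mail address, collapses duplicates, and takes each attribute from the
source that is authoritative for it. Sources and records are assumptions."""
from __future__ import annotations

# Constructed sample data: an on-premises directory export ...
DIRECTORY_EXPORT = [
    {"sAMAccountName": "jdoe", "mail": "Jane.Doe@Example.COM ", "displayName": "Doe, Jane",
     "memberOf": ["vpn-users", "finance"]},
    {"sAMAccountName": "jdoe", "mail": "jane.doe@example.com", "displayName": "Doe,  Jane",
     "memberOf": ["finance"]},                                    # duplicate entry
    {"sAMAccountName": "bsmith", "mail": "bob.smith@example.com", "displayName": "Smith, Bob",
     "memberOf": ["engineering"]},
]
# ... and a cloud HR feed covering (mostly) the same people.
HR_FEED = [
    {"employee_id": "E1001", "email": " JANE.DOE@example.com", "full_name": "Jane Doe",
     "title": "Controller", "department": "Finance", "status": "active"},
    {"employee_id": "E1002", "email": "bob.smith@example.com", "full_name": "Bob  Smith",
     "title": "Engineer", "department": "Engineering", "status": "terminated"},
    {"employee_id": "E1003", "email": "ana.lopez@example.com", "full_name": "Ana Lopez",
     "title": "Analyst", "department": "Finance", "status": "active"},
]
# Which source is authoritative for each attribute of the unified view (assumption).
AUTHORITY = {"employee_id": "hr", "display_name": "hr", "title": "hr", "department": "hr",
             "status": "hr", "username": "directory", "groups": "directory"}
SOURCES = ("hr", "directory")


def norm_email(raw: str) -> str:
    """Correlation key: trim whitespace and fold case."""
    return raw.strip().lower()


def norm_name(raw: str) -> str:
    """Turn 'Last, First' or 'First   Last' into 'First Last'."""
    raw = " ".join(raw.split())
    if "," in raw:
        last, first = (part.strip() for part in raw.split(",", 1))
        return f"{first} {last}"
    return raw


def from_directory(rec: dict) -> dict:
    return {"email": norm_email(rec["mail"]), "username": rec["sAMAccountName"],
            "display_name": norm_name(rec["displayName"]),
            "groups": sorted(set(rec.get("memberOf", [])))}


def from_hr(rec: dict) -> dict:
    return {"email": norm_email(rec["email"]), "employee_id": rec["employee_id"],
            "display_name": norm_name(rec["full_name"]), "title": rec["title"],
            "department": rec["department"], "status": rec["status"]}


def build_view(directory: list[dict], hr: list[dict]) -> dict[str, dict]:
    """Stage normalized records per source, then merge by attribute authority."""
    staged: dict[str, dict[str, dict]] = {}            # email -> source -> attributes
    for rec in directory:
        n = from_directory(rec)
        existing = staged.setdefault(n["email"], {}).get("directory")
        if existing is None:
            staged[n["email"]]["directory"] = n
        else:                                          # duplicate row: union the groups
            existing["groups"] = sorted(set(existing["groups"]) | set(n["groups"]))
    for rec in hr:
        n = from_hr(rec)
        staged.setdefault(n["email"], {})["hr"] = n
    view: dict[str, dict] = {}
    for email, per_source in staged.items():
        merged = {"email": email, "sources": sorted(per_source)}
        for attr, preferred in AUTHORITY.items():
            order = (preferred, *[s for s in SOURCES if s != preferred])
            merged[attr] = next((per_source[s][attr] for s in order
                                 if s in per_source and attr in per_source[s]), None)
        view[email] = merged
    return view


def effective_groups(entry: dict) -> list[str]:
    """Directory groups only confer access while HR says the person is active."""
    if entry.get("status") != "active":
        return []
    return list(entry.get("groups") or [])


def unmatched(view: dict[str, dict]) -> dict[str, list[str]]:
    """Identities present in only one silo: the reconciliation work list."""
    return {"directory_only": sorted(e for e, v in view.items() if v["sources"] == ["directory"]),
            "hr_only": sorted(e for e, v in view.items() if v["sources"] == ["hr"])}


if __name__ == "__main__":
    view = build_view(DIRECTORY_EXPORT, HR_FEED)
    for email, entry in sorted(view.items()):
        print(email, entry["username"], entry["status"], effective_groups(entry))
    print("unmatched:", unmatched(view))
```

Two design points matter here. The correlation key is the normalized e-mail address, so the mixed-case, whitespace-padded entries and the duplicate directory row all collapse into one identity. Precedence is set per attribute rather than per source: HR is trusted for who someone is and whether they still work here, the directory for what their account can do, and an application consuming the view never sees the raw silos. The terminated engineer still has a group in the directory, but `effective_groups` returns nothing for him, which is the kind of clean, already-reasoned data the article says applications cannot produce on their own.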
That adaptation is handy in a variety of locations, including out at sea. Cruise operators are big users of IAM services. Here systems have to be able to manage complex manifests where data is being requested offline and online, depending on the availability of the internet. And all of those changes – such as modifications in the assignment of access rights and other identity maintenance – have to be reconciled once connectivity returns. Systems also need to be aware of users’ various data connections (are they on a corporate VPN, or do the signals point to communication over public Wi-Fi, for example?) and apply the controls appropriate to each.