From castles to cities -- a modern approach to authorization [Q&A]
Corporate information security has traditionally used the 'castle' approach, using a strong boundary to keep everything secure.
But as we've moved to hybrid working and more sharing of information the castle is too restrictive and we've moved towards a 'city' model, allowing open routes to trade with assets widely distributed.
How can enterprises cope with this changing world and what challenges will they encounter along the way? We spoke to Oren Ohayon Harel, CEO of PlainID to find out.
BN: Why is the 'castle' approach to information security no longer viable?
OOH: One of the reasons is that the customer is no longer in one place. Nowadays, we find there are a lot of smaller organizations that can be in the cloud, for example, with Amazon, GCP or Microsoft Azure etc. Some of them are being distributed into our business partner’s systems, and some into big data lake platforms, such as Snowflake. So, the places that we need to protect, we'll refer to those as the 'castles' are being scattered all around. In the past, everything was in one central location as people and the services they accessed were based in one location. But now, employees, contractors and data are spread all over the place, and this problem will only continue to grow as all the services mentioned above are critical services to any organization. This means that they are using data, API's or other digital services and continue to generate new data across varied locations, as they are now critical to their day-to-day job. So now we have all these different places we need to protect.
BN: What challenges do modern businesses throw up for authorization?
OOH: First of all, I would say agility. As a business grows fast, launches new services, and introduces new capabilities rapidly, they need to continually maintain how people get access to their digital services. So, in the old days, there would have been someone that did this manually, and it would take days or weeks. But this is no longer acceptable to organizations as they're looking to provide value faster, and by utilizing an authorization as a service, it can coincide nicely from a business perspective with the new services you're launching -- that's agility.
The second challenge is about the customer experience. Eventually, most organizations want to provide a better and more finely grained customer experience, and that's going back into how people gain access to systems, and how organizations specify what they can see and what they can amend. This can obviously affect their user experience, so in order to do this, they are adopting tools to add additional layers of control.
The third challenge is getting the security part right. So, thinking back to the castle as a concept, important data has been scattered all over the place, and these are very important parts of our day to day that need to be protected. So now, the security part is deciding how people get access to those very sensitive areas of the business. Leveraging security can provide finer grained security, which also provides well defined and well monitored processes for how people interact with those critical services.
The final area is data. In the current world, everything is data, right? Eventually we are touching an application which invokes an API, and that API eventually exposes data. The data can be your customer base record, it can be your bank account statements -- it can be a lot of things. So how do we protect the access to the most sensitive data, and decide who can see what, and under what conditions? By looking at how you connect back to the basic foundation of security, you can then further protect how people get access to the secure data.
BN: What underpins the modern approach to zero trust authorization?
OOH: What we're currently seeing in the market is that there's a lot of buzz around zero trust. It's important to remember zero trust is a framework and not a single solution. But the concept of zero trust is to ensure that people don't have access to data until they meet the conditions in which they are justified to access it. This request needs to be evaluated in real time, and then the system will decide if you are eligible to see the data, get access to that specific app, or invoke that specific API or micro services. That's exactly what authorization is all about.
A real time authorization engine sits at the heart of the zero trust framework and can evaluate if you're eligible to get access in real time according to the situation of the environment, for example, this could depend on the data that you are trying to access, the time of the day, the location of the user, and other signals that we can actually gather from the environment. In doing so, we are much more likely to prevent bad actors accessing protected information.
BN: How can companies design and implement authorization suitable for the modern world?
OOH: We are seeing multiple trends of adoption in the authorization space. The main trend is about data and organizations having the visibility and the ability to monitor and enforce how people get access to their data platforms. We’re also concerned with how we can make this technology accessible to as many people as possible. This is particularly important on the IT developer side where we’re seeing a 'policy as code' trend that helps customers to adopt an authorization solution as part of their day-by-day development process.
The Policy as Code approach is a growing practice in code development to manage all aspects of authorization as part of the application lifecycle. It's the use of code to represent rules and conditions for access policies that determine when access is authorized. It enables development teams to manage and automate policies by integrating policy workflows into existing CI/CD pipeline and test processes more efficiently. Simultaneously, security teams can have greater visibility and control of access policies and their deployment when it’s done within a centralized management platform.
BN: What's the best way to manage access for partner organizations?
OOH: Authorization is not only about how your customer or consumer gains access to your service. In the last 12 months, companies have been doing more to protect their systems by putting in place more restrictions and protections on how third parties are accessing their services. For example, if we take a company in the retail space, like a major athletic shoe manufacturer, they're doing business with a lot of business partners and distributors. These distributors are going to need to access the manufacturer's services, but it will be manufacturer’s responsibility to protect these services. In order to do so, they will need to apply some policies in which people can get access to those services, whilst managing what they can access effectively. This might involve delegating some of this capability to your business partner, but this mutual relationship can lead to a shared responsibility model. This would allow you and your partner to agree and set the access policy and apply user access controls as the company that is using that product. The owning manufacturer remains in control, but the added input from their partners means they can invest less in managing access to services -- instead, you're delegating that to your business partner.
Photo credit: khd / Shutterstock