Authentication and authorization are broken. As an industry we’ve known this for a long time and the notion routinely emerges as “death of the password.” One might blame it on the definitions of the words:
Authentication: the process of verifying the identity of a user by obtaining some sort of credentials and using those credentials to verify the user’s identity.
Authorization: the process of allowing authenticated users to access the resources by checking whether the user has access rights to the system. Authorization helps you to control access rights by granting or denying specific permissions to an authenticated user.
Historically, authentication has been a point-in-time event evaluated at the user perimeter (can a user unlock the front door of the house?), but distributed services, hybrid cloud and the resulting rise of inter-service traffic have merged authentication and authorization into “continuous authorization” (can this individual access the dining room, or the safe room?). This integration is required to meet the business need of adapting to emerging threats, and the corresponding business risk, in real time. Gartner Research calls it CARTA; in Forrester’s nomenclature it is Zero Trust.
Underneath the covers, it’s a two-step problem:
- Identity and cybersecurity have historically been isolated ecosystems
- Moving from perimeter-based to transaction-based authorization
Digital Innovation Through Continuous Context
Step 1: Integrate cybersecurity signals directly into authorization and authentication decisions.
In other words, alerts coming from existing WAF, SIEM and/or User and Entity Behavior Analytics (UEBA) tools are integrated with the Cloudentity-generated machine-learning behavior and auth events during a user’s authentication and authorization processes. This adds real-time transactional context that links what is transpiring at a protected service’s edge to normal usage patterns. It also allows organizations to define flexible user journeys in which increasing risk levels are addressed during the user experience: creating friction when things look insecure (e.g., is the entity attempting authorization a potential bot?) and reducing friction when a strongly authenticated user on a known device is accessing a well-patched service.
This pattern is one of the foundational elements for the recent product partnership announcement with Signal Sciences.
Real-time ingestion of cybersecurity signals allows a complete transformation of the experience of customers, developers and security analysts, transforming their ability to work together towards a common goal: DevSecOps.
It also revamps the cybersecurity and identity marketplaces, ushering in technology that is evaluated at the service perimeter. Gartner Research has labeled this integrated security platform “WAAP,” or “web application and API protection,” showcasing the future of identity and application security and further deprecating the perimeter-centric monolithic legacy WAF and identity and access management (IAM) platforms.
Gartner Inc., Defining Cloud Web Application and API Protection Services – Jeremy D’Hoinne, Adam Hills, Feb. 26, 2019. Emphasis added
Step 2: Moving to the service edge
The traditional method, integrating cybersecurity signals only at perimeter-based authentication, is inadequate. Instead, the signals need to influence every step of a transaction.
Consider Bob, a fictional user. Bob would like to use his bank’s financial portal, so he opens the client app on his mobile device, authenticates and logs into the portal. Behind the scenes, the development team behind the financial portal and client apps has built a sequence of mini- and microservices that aggregate account data and call other internal and external services to complete the request.
So this single event actually creates four or more downstream transactions. What if, during the course of this high-value transaction, cybersecurity signals determine that Bob is a bot or has a compromised account? How can a business react quickly enough to protect each branch of the transaction?
How it works
It starts by adding identity and policy enforcement points at all of the service perimeters. Not the data-center perimeter guarded by the appliances and identity gateways of yesteryear, but enforcement embedded within the three-tier application, microservice, miniservice and/or function. In effect, this creates a data- and context-aware microperimeter around each service.
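As an added illustration (not Cloudentity’s code; the service names, thresholds and signal shapes are assumptions), here is a small Python policy enforcement point that applies Step 1’s signal ingestion at every hop of Bob’s transaction, so that an alert arriving mid-transaction still stops the later branches:

```python
from dataclasses import dataclass, field

# Constructed example: a per-service policy enforcement point that folds
# external risk signals (WAF / SIEM / UEBA) into each hop of a multi-service
# transaction. Names, thresholds and signal shapes are hypothetical.


@dataclass
class Context:
    subject: str
    auth_strength: int                  # 1 password, 2 MFA, 3 MFA + known device
    patched_target: bool = True         # hygiene of the service being called
    signals: dict = field(default_factory=dict)   # source -> risk score 0..1


# Hypothetical per-service sensitivity: risk above this needs strong auth.
SENSITIVITY = {"portal": 0.6, "accounts": 0.5, "transfer": 0.3, "ledger": 0.3}


def risk_score(ctx: Context) -> float:
    """Worst signal wins; a missing signal contributes nothing."""
    return max(ctx.signals.values(), default=0.0)


def decide(ctx: Context, service: str) -> str:
    """Decision at one microperimeter: allow, step_up (add friction) or deny."""
    risk = risk_score(ctx)
    if risk >= 0.9:
        return "deny"                    # e.g. a WAF/UEBA signal says "bot"
    if risk > SENSITIVITY[service] and ctx.auth_strength < 3:
        return "step_up"                 # friction only where risk exceeds sensitivity
    if not ctx.patched_target and ctx.auth_strength < 2:
        return "step_up"                 # weak auth against an unpatched service
    return "allow"


def run_transaction(ctx: Context, hops: list, live_signals: dict) -> list:
    """Re-evaluate at every downstream hop. live_signals maps a hop name to
    signals that arrive while that hop is in flight."""
    trail = []
    for service in hops:
        ctx.signals.update(live_signals.get(service, {}))
        decision = decide(ctx, service)
        trail.append((service, decision))
        if decision == "deny":
            break                        # do not fan out to further services
    return trail


def bob_demo() -> list:
    bob = Context("bob", auth_strength=2)
    hops = ["portal", "accounts", "transfer", "ledger"]
    # Constructed: UEBA flags Bob as a bot while the transfer hop is in flight.
    return run_transaction(bob, hops, {"transfer": {"ueba_bot": 0.95}})
```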
Organizations with a cloud-first, hybrid-cloud or cloud-native strategy point to one certainty: the traditional perimeter that guided many security plans is dead and awaiting burial.
The important part of protecting cloud-native micro/miniservices is moving the contextual data around. This requires cloud-native distributed data grids for identity signals and session information, rather than legacy technologies like LDAP, while allowing intelligent application protection services like Signal Sciences to evaluate the web requests within application transactions for real-time visibility and defense.