Blind trust in identity is no longer a viable option for today's world—but that doesn't mean we can just jettison identity as a core asset—we just need to apply the “appropriate level of trust” to identity, and then apply that level of trust to how we access digital assets.
Identity has been the cornerstone of security operations since the beginning of information technology deployments. Before you are given access to services, systems and data, you need to be able to attest to “who you are” first. Unfortunately, this simple paradigm of “who are you” is no longer a “trustable source of truth” in today’s world.
Classic identity solutions such as username/password combinations are rapidly becoming Imminently Obsolete, and identity alone is not capable of producing the levels of trust we need to allow access to digital assets. Simple username and password solutions are far too vulnerable to compromise to be trusted in today’s IT environment—we all know this—but what can we do about it?
How do we move forward? What will alleviate the pain?
At the end of the day, this is less about “identity” and more about “TRUST”, and security architects need to think about the following questions:
- How much do I trust my users to have access to my resources?
- How much do I trust the endpoint devices and the digital channels from which my users are accessing my data and resources?
- Conversely, how well can my users trust that my resources are MY resources - and not some hacking/phishing attempt to trick them into giving up their identity?
In a world where trust is more and more obscure and harder to come by, we need to do two things:
- Allow our users to do their work with the latest tools, resources and devices—by alleviating them of the BURDEN of trust as much as feasibly possible, and
- Ensure that our systems and data provide our users with the assurances that the users are SAFE when using said assets.
Applying the Principle of Appropriate Trust: the Use of the “Zoned Architecture Model”
To enable companies with the ability to trust—and appropriately remove the trust where necessary—we can design our IT environments and ecosystems with the concept of “minimal-trust” or “zero-trust” zoned architecture model.
By designing around a zoned architecture concept for our IT environments, we can proactively allow users the appropriate level of access to resources and data they need on whatever device is best suited for their work—and provide that access at the appropriate time, method and privilege level. Does this require a complete re-design of our architectures? Usually no—and zoned architecture modeling can be incredibly useful when advancing the company’s IT capabilities in phased approaches.
In the process of deploying zoned architectures, we can also systematically provide advanced users and administrators (who need privileged, direct access to “sensitive” systems) access to “complex” identity methods. These users tend to be more tech savvy than the standard user, so enforcing advanced techniques like 2-factor or multifactor authentication is not a major deterrence to performing their work.
For the standard user, we can utilize techniques like virtualized systems, “bastion” zones, web portals, and Internet-access-only environments for their workspaces. Using zero-trust zone architectures allow the standard user access to the appropriate data and resources, and at the same time reduces the need to TRUST these users or their devices.
Are there solutions out there that can immediately help increase trust levels today?
Absolutely. We have long-standing concepts such as “least privilege” authorization to limit what an identity can provide access to, and we have 2-factor authentication controls and multi-factor access systems that abound in the industry that can enhance identity.
Unfortunately, in most cases, we still rely on “simple“ identity to allow access to systems and data. Why? The problem is that “complex” identity solutions are too difficult to deploy en masse and maintain—and in many cases they are still not 100% foolproof when deployed. What’s more, the more we try to deploy these solutions to increase our trust in identity, the more complex we need to make the process of identification for the user – and this leads to revolt when people are “just trying to do their job”.
In the end, adding complexity to identity costs a lot of money, time, and effort, and companies will default to “the easier, faster path” of “simple” identity for the general population of employees to avoid engineering, deployment, confusion, complaint and helpdesk costs. “Complex” identification is usually reserved for administrators with escalated privilege job requirements, and deployment to the general population of employees is often avoided because of all of these “hard” and “soft” costs.
Where do we need to go as an industry in the future?
Moving forward as an industry, we need to make identity RECIPROCALLY trustworthy. The users need to be able to trust the identity of the resources and services we access. At the same time, those sources and services need to be able to reduce the “process of trust” to allow users access because they can inherently prove who they are. How can we make it so that systems and resources can prove—beyond a doubt—that they are trustworthy to the users and vice versa? Today, PKI and certificates are the industry standard, and while we have had advancements, complete trust is still an allusive target. In the end, we are still blindly having to trust the root PKI source providers of certificates—and while most of our industry providers do an excellent job - we've seen too many times where such root trust sources can be compromised. Much work still needs to be done here.
What about new emerging technologies? As one example, we’ve seen promising advancements in new identification and encryption solutions like blockchain technology, but there is STILL an unavoidable trust issue here as well. Blockchain technology is still reliant on the sanctity of the public blockchain database systems it operates from —so how do we completely trust those blockchain database sources with complete certainty?
At the end of the day, we may need to deploy hardware technology that is truly capable of attesting to its veracity as the source—every time—with complete trustworthy assurance—in a self-reliant model. If we can trust the hardware source, we can then attest to the digital assets being sourced by that hardware. Such a model would need to provide a UNIQUE trustworthiness—a unique hardware based “source of trust&rdquo that would be independent from any need for 3rd party attestation. Such a hardware solution—and the trustworthiness it can provide—should be self-contained and reliable in and of itself—and deployable en masse as an industry standard platform. When we can achieve this kind of attestation, the world of identity will have made a profound leap forward.
Like this article? Join the conversation on LinkedIn: Identity Alone May Not Protect You: The Principle of Appropriate Trust
About the Author
Elliot Lewis | President and Chief Architect Follow @ElliotDLewis
Elliot is a thought leader with over 25 years in executive management. He's served as a leading Cybersecurity research analyst; Chief Security Architect at the office of the CTO at Dell; Director of Strategic Services, Security, and Identity at Cisco Systems; Chief Information Security Officer (CISO) of Merrill Lynch; and Senior Security Architect, Security Center of Excellence for Microsoft.