By Kurt Roemer, Citrix Chief Security Strategist, and Christian Reilly, Citrix Chief Technology Officer for Workspace Services
Your identity is so much more than your credentials.
The problem with the concept of identity is that it’s often limited to its most basic usages. In casual conversations, say the word identity and people think in predictable directions. Most individuals think of recognition, identification cards and identity theft. Far too many IT departments automatically think in terms of credentials, logins and IAM (Identity and Access Management). While all of these include aspects of identification, identity encompasses so much more. Identity is the key to entitlement, which transcends access events and ties identification to usage.
Identity is so much more than credentials
“A password alone should not be enough to verify the administrator’s identity and grant access to sensitive information.” – PCI Security Standards Council Chief Technology Officer Troy Leach on the launch of PCI DSS 3.2
Identity and proper identification are central to our recognition of individuals, roles, personas and system components. Increasingly, identification is being expanded to include processes, services and bots that act independently or on our behalf. Identity is core to a root of trust and to maintaining an unbroken chain of trust. Ultimately, identity must also directly integrate with data.
We express and consume multiple identities in our work and personal lives that are deeply interrelated, but often completely disconnected. And the identity interoperability and validation problem gets even more complex when we consider the identities that must be managed across multiple roles, projects and relationships.
An evolving view of identity provides the key to the contextual entitlement of rights and capabilities for prescribed application and data usage. Dynamic entitlements of application, service and data access enable access that’s specific to purpose.
Access is not just a login event
Access today is way too centered around login events – the only time identity is verified in most enterprise networks. Access that’s specific to purpose is built around roles, projects and activities that are constantly changing, but that need strong identification to ensure only those who are duly authorized can perform tasks. This becomes a real challenge when identity is managed through independent sources across multiple enterprises, application providers, cloud providers and other third-party identity providers. The current response to managing identities in this context includes IAM (Identity and Access Management), CASB (Cloud Access Security Brokers), brokering and federation, which need to be further augmented to manage dynamic entitlements.
Use cases highlighting an entitled view of identity
- Project-based entitlements (complex multi-party identities and relationships): Who is authorized to work on the project? How can an owner allocate/deallocate resources across organizations? Who worked on the project today? How long did they work on it? What data was accessed or updated? Having co-managed entitlements allows project, task, business and technology teams to each own and manage their components. Non-employee access can be vetted through a basis of identity provided personally, vetted by the contracting firm and verified through reputation. A non-employee who leaves the contracting firm or situation, changes roles, or attempts a policy violation must be quickly identified and thwarted. Note that this use case also applies directly to the use of cloud apps and to fine-grained administrative access controls for highly privileged users.
- Entitlements for the Identity of Things: As the use of technologies and services expands to include a mesh of autonomous things coupled with machine learning, identification of assets, services and relationships will be expanded well beyond our current means of managing identity. The Internet of Things requires application, service and data identities combined with dynamic credentialing and provisioning of services. As deployments and devices migrate in/out of service and across service boundaries, entitlements are expressed and consumed to reflect desired behaviors. These behaviors include privacy management, location-based controls and other desired aspects of process and bot entitlements.
- Embedded data entitlements: Today, access to data provides for full use of the data – and that situation is not always desirable. Excessive access creates excessive risk. Consider a miscreant who has access to data because of an attack or mistake, but should not be entitled to view or use this data. Controlling access to and usage of data through validation of identity and specific entitlement is needed to protect sensitive data that must be widely distributed, such as healthcare data.
Identity is the key to entitlement
Entitlements provide specific authorizations for identity-based computing and the enablement of dynamic contextual access policies.
Predictions for the evolution of Identity and entitlements:
- The concept of “Identity” is moving to the data for the enterprise and to personas in the Internet of Things.
- Blockchains will be used to express and consume the multiple identities and myriad entitlements associated with projects and other highly dynamic complex relationships.
- Development of containment strategies for security will lead to data and relationship-specific enclaves. Organizations will develop multi-container strategies to control data within managed containers and between federated containers.
- Information Rights Management will become deeply integrated with data-level entitlements for sensitive data.
- Multiple identities will be utilized to simultaneously increase trust between parties while managing privacy risks.
- Identity providers will be scored based on reputation, and levels of trust will be vetted through a combination of reputational scores, attribution and attestation.
- Expressions of identity will allow users and applications to choose their point-in-time role, specific to risk and required strength of identification.
- Embedded identities across both the Identity of Things and an individual’s genome will continue to challenge the privacy, anonymity and identity triad.
- Federation will play an increasing role in automating the future of identity and entitlements.