Symantec Identity – The Missing Link

Zero Trust is founded on the belief that organizations should not automatically trust anything inside or outside its perimeters, and must verify everything trying to connect to its resources before granting access – based on identity, context, and trustworthiness.  At Symantec, as a division of Broadcom, we know this framework has been around for a while, but it gaining more attention recently as it helps to address recent shifts and trends, including the remote workforce, cloud migration, and the automated world of DevOps.  And while there are many different technologies that help to establish Zero Trust, Identity and Access Management (IAM) is the cornerstone because it represents the final perimeter. 

The Grand Illusion: Perimeters equals walls

There have been a lot of discussions about the disappearing perimeter as organizations move applications into the cloud.  In fact, when most all of your environment is running in someone else's infrastructure, the only real asset that will be owned by enterprises is the identities, the access rights that they are given and the information that they interact with.  This has led to the realization that Identity is the last (and sometimes the only) defensible perimeter.  When you can positively verify the identity of every user and device requesting access, then and only then, can you enforce policies to grant or deny that access request. The process for verifying the identity of a user or device is called authentication, but this is not as simple or straightforward as you would think because not all authentication credentials are created equal.  

Social element continues to be the weakest link with cyber attacks focusing on "internal" weak spots through which to orchestrate attacks. The only way to deal with that is to remove the human element and require use of "something you have" (biometrics, hardware authenticators) in addition to, or instead of "something you know/remember".  But these extra layers of protection often introduce friction into the digital experience – friction that may not always be necessary. 

This spotlights the need for Identity Assurance (level of authentication) to be consistent with the level of Risk posed by the desired access.  Hence a lot of advanced technology and thinking is going into the art and science of Risk Management – ranging from advanced biometrics tracking people’s reaction time to advanced AI/ML analytics trying to make sense of historical behaviors combined with real-time sensors to use with advanced personal authenticators leveraging crypto capabilities, such as FIDO2 security keys and devices.  And we are similarly seeing significant interest from customers for advanced biometrics, predictive analytics, and use of FIDO2/WebAuthN authentication standards. 

From Symantec's point of view, all authentication needs to be based on the level of risk measured by how risky an asset is, or how risky a compromised identity is.  Dynamic, analytical, AI/ML-enabled Risk Management is the only path forward to mitigate security issues. 

Working for a Living: The “always on” world    

"Anytime, anywhere, any device" - has been a mantra for several years, but the realization that in the age of always-on, super-connected distributed services and systems acting on their own behalf, as well as on the behalf of people, the machine identity is just as important as the user's identity. The Internet of Things (IoT) ecosystem is growing exponentially with smart things making decisions on our behalf, and the IoT devices are just as vulnerable to compromise as humans, and the dawn of 5G dramatically accelerates this, creating the need for significant scalability of identity/security processes to deal with the volume of "connected things" and "security decisions to make". 

This will drive adoption of Cloud Computing by enterprises (especially global ones) that take advantage of new digital processes and innovations as they implement Digital Transformation projects to drive customer engagement, improve customer service, and integrate supply chains. Going forward, majority of enterprises simply will not have the necessary skills to securely integrate, operate, and oversee end to end digital processes spanning multiple providers. 

Heat of the Moment: The juxtaposition of privacy and access  

As the use of human and machine identities continues to grow exponentially, it is becoming exceedingly difficult, if not impossible, to understand how the applications and services we consume are interconnected and how our data is being used. This has created (and continues to create) a political environment to regulate use of personal data – to protect citizens from being exploited by businesses looking to monetize their personal data and to try to enable “individual consent” to make it seem "fare", although, in many cases, the genie is already out of the bottle so to speak. 

Within this highly charged environment, the cost of avoidance for service providers is starting to exceed the cost of compliance, and this is driving two critical technology trends – for service consumers, it’s the right  to have "privacy" and for the service providers, it’s the obligation to build and operate applications and systems using "least privileged" access methodology.  Both trends are an architectural "must have" in order to maintain control over personal data while ensuring availability of services.

Along the same lines, we are also seeing emergence of risk-sharing signaling technology that enables Identity Providers to publish notifications about threat levels tied to specific user or machine identity.  This is especially important in environment where a large amount of data and access is being maintained, such as Cloud Providers who have begun to share session / risk signals using technology called Continuous Access Evaluation Protocol (CAEP).   This pro-active observe --> detect --> prevent approach enables enterprises to be a lot more agile in preventing risky identities from causing significant damage.

Wheel in the Sky: DevOps keeps on turning

Software is the key driver of growth, innovation, efficiency and productivity, but how you deliver it says a lot about how you’ll be able to compete in this world.  Business leaders have recognized this new reality, with most investing in the technologies and adopting the processes required to transform and embrace the app economy. But as new apps and services are rushed to market, security is left as an afterthought or ignored completely, creating new targets for hackers to compromise and exploit.

Pipelines are at the heart of DevOps, but simple continuous delivery pipelines are not enough anymore. You need both intelligent and secure pipelines to help you release higher quality software at a greater velocity and reduced risk. We continue to see Secure Dev Ops practices to gain momentum integrating security and identity processes into application development and delivery pipelines. Considering that good security is very hard to implement and must always be evolving, developers are NOT security people and must NOT be solely counted on to build secure applications.  Security must be externalized from people running development and operations, and instead be automated via integration with the daily processes.  Technologies such as Privileged Account Management to eliminate the need for long-lived shared credentials, Secrets Management to give out short-lived connection credentials only when such connection is needed, and Risk-based Single-Sign-On and Session Management all serve as significant help to reduce operational risk and eliminate human element as the weakest link.

Time for Me to Fly: Summary

In summary, Identity and Access Management, which gained notoriety about 15-20 years ago as a business enabler is seeing a resurgence because many now understand that Identity is the last perimeter, and can, when done correctly, solve many of the emerging challenges facing businesses today.  But not the IAM of yesterday; the Risk [Management] aspect of the computing in general that is driving technical and operational advances in modern IAM.  Such risk is being evaluated in the context of different dimensions - business risk, brand risk, monetary risk, intellectual property risk, personal safety risk, etc - and this is driving advances in authentication biometrics, AI/ML analytics, and sharing of risk signals.  The "Zero Trust" methodology, architecture, and technology is what will make possible to accurately balance the need for security (always restrict) and the need for productivity (always allow).  As organizations deploy new technologies, such as Secure Access Service Edge (SASE), they will rely on a modern IAM solution to serve as the foundation, so they can grant the right access to the right people and devices at the right time because they have a high degree of confidence that they are whom they claim to be.