Access management: Adapting for a vanishing enterprise perimeter
The traditional enterprise boundaries of a homogeneous, on-premises network perimeter are vanishing before our eyes. More businesses are moving to the cloud, and the lines of separation are becoming increasingly blurred. The cloud promises many benefits, but it also presents challenges that businesses must properly address – including access management challenges.
For example, most companies already struggle with managing access to their systems because users and other entities require different access and permissions, including different access paths and endpoints. This complexity increases as the population grows from employees to contractors, third parties, service accounts and others. If your organization already supports hundreds or thousands of user types, the absence of a traditional perimeter in the cloud can make access management a daunting challenge.
As technology vendors race to provide the services and features companies require to secure ubiquitous access to their critical systems, it can be challenging to identify the right technology or set of technologies that will benefit your business. In this article, we examine traditional identity and access management (IAM) technology (delivered by identity providers, or IDPs), secure access service edge (SASE) tools, cloud access security brokers (CASBs) and zero-trust network access (ZTNA) tools—how they complement one another and where they differ.
Our objective is to shed light on how these different technologies can be applied to your goal of providing robust and effective adaptive access for your business.
Why does adaptive access matter in a changing business landscape?
Adaptive access has become critical as a result of the changing business landscape. Because of digital transformation initiatives, remote work and more extensive bring-your-own-device policies during the COVID-19 pandemic, organizations are adopting zero-trust models.
A zero-trust model treats every access attempt as if it originates from an untrusted network, and focuses on authenticating every user and device before granting access to any application. This model requires that devices and users be able to establish trust regardless of physical location and regardless of the kind of network they are connecting from.
A traditional perimeter-based security model is no longer the right choice, as organizations typically don't keep their data in a single place. Today, information is often spread across cloud vendors, which makes it more difficult to apply a single security control to an entire network.
Access security technology can be thought of as a tool, and just as nobody would consider a hammer as the appropriate tool for sawing a piece of wood, each access tool has its place and purpose. As access becomes ubiquitous, a well-planned adaptive access strategy that includes identification of the right enabling technology for the job becomes imperative.
The following illustration emphasizes the various access paths and absence of a traditional perimeter at the heart of the adaptive access challenge.
Zero-trust solution design
A comprehensive access management solution is critical to enforce adaptive access controls in a zero-trust environment. The solution must be capable of supporting modern cloud-based workloads, legacy on-premises applications, and multiple user types (employees, contractors, partners and customers). It must also deliver an exceptional user experience, combined with strong authentication and password-less authentication capabilities, to support your organization's security requirements.
To enable adaptive zero-trust access, the solution design needs to incorporate multiple technologies: software-defined perimeter proxies, CASB, data loss prevention, master data management, data classification, identity governance, network segmentation, automation and analytics.
Traditional IAM – As businesses continue to move operations to the cloud, traditional IAM does not go away but must be adapted to meet the challenges of more complex access management. IDPs deliver workforce access management well, and their solutions provide robust features and services to manage role-based access control (RBAC) across your company's systems. This type of access management provides powerful access security controls for employees who require access to critical internal systems such as financial reporting platforms.
Typically integrated with your human resources system, IDP services facilitate oversight of access among your employee population throughout the life cycle of their employment to protect your critical systems. IDP solutions can provide the important centralized access management required to govern and orchestrate access for your enterprise.
SASE – With the emergence of SASE tools, nontraditional access models, in which access security control shifts to the point of service consumption, need to be part of your access management strategy. In this model, authentication and authorization are provided through cloud services that are tied to specific services hosted outside your company.
While SASE tools can facilitate a level of RBAC, they have been designed fundamentally for attribute-based access control. SASE tools emphasize the authorization part of access management, which suits them to managing different types of access across a diverse portfolio of cloud services. These tools do not replace IDP capabilities such as single sign-on, multifactor authentication and role-based governance. SASE can, however, complement your IDP by providing additional access security for your portfolio of software-as-a-service products such as Box and Zoom.
CASB – CASB tools offer multiple access security services, yet their core emphasis is securing API access to a portfolio of unmanaged applications and/or services. With data security as a key focus, these tools have a very specific purpose and should be factored into your adaptive access strategy when your business requires monitoring and security controls for data that moves between platforms hosted outside your company's data centers. As with SASE, CASB tools do not replace your IDP but complement it for specific cloud data-in-motion use cases.
ZTNA – ZTNA is more of a security concept than a set of tools, yet some tools on the market do brand themselves as ZTNA-focused, and there is overlap with what IDP and SASE tools offer. In the simplest terms, ZTNA puts trust at the center of how access is provisioned and controlled, emphasizing a granular set of access rules (i.e., fine-grained access control) that can be enforced at various levels of your company's computing architecture. This principle is particularly useful for cloud and hybrid cloud environments with federated user identities. As is the case with SASE and CASB technology and concepts, ZTNA is not a panacea for your adaptive access needs and must be carefully incorporated into your strategy for your business to benefit.
Adaptive access in zero-trust solutions
Adaptive access is a key design principle in zero-trust solutions. Zero trust provides built-in, continuous risk assessment of users connecting from any location or device to cloud or on-premises applications, enabling contextual access and protecting the end-to-end user journey.
Leading practices for adaptive access
- Enforce strong conditional access policies. Know who users are, where they are, and what devices they are using before they access data.
- Implement enhanced authentication standards. Enforce password-less authentication (e.g., biometrics, certificates) and multifactor authentication.
- Enable least-privilege controls so that users can access only the data they need to do their job. This includes just-in-time controls that revoke access automatically once it is no longer required.
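The three practices above (know the user, the location and the device; enforce MFA; grant least privilege with just-in-time expiry), together with the distinction drawn earlier between role-based entitlements from the IDP and attribute-based contextual checks, can be expressed as a single policy decision point. The following is an added example written for this article, not code from the original or from any vendor product. The role table, sensitivity labels, the `impossible_travel` and `device_managed` signals and every sample request are constructed assumptions; in a real deployment those signals would come from the IDP, the device management platform and a risk engine.

```python
"""Adaptive access policy decision point with just-in-time (JIT) grants.

Added example, not code from the original article. All policy thresholds,
field names and sample requests below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

ALLOW, STEP_UP, DENY = "allow", "step_up_mfa", "deny"

# Role layer (the IDP / RBAC view): which roles may reach which resource
# classes at all. Constructed sample data.
ROLE_ENTITLEMENTS = {
    "finance_analyst": {"financial_reporting"},
    "contractor": {"ticketing"},
    "it_admin": {"financial_reporting", "ticketing", "directory"},
}

# Resource sensitivity decides how strict the contextual (attribute-based)
# checks are. Unknown resources are treated as high sensitivity.
RESOURCE_SENSITIVITY = {"financial_reporting": "high", "directory": "high", "ticketing": "low"}


@dataclass
class AccessRequest:
    user: str
    roles: set
    resource: str
    device_managed: bool      # assumed signal: device enrolled and compliant
    mfa_satisfied: bool       # assumed signal: MFA completed in this session
    country: str              # assumed: geolocated from the source IP upstream
    home_country: str
    impossible_travel: bool   # assumed signal from an upstream risk engine


@dataclass
class Decision:
    outcome: str
    reasons: list = field(default_factory=list)
    expires_at: Optional[datetime] = None   # set only for ALLOW (JIT grant)


def evaluate(req: AccessRequest, now: datetime,
             jit_ttl: timedelta = timedelta(hours=1)) -> Decision:
    """Return allow / step_up_mfa / deny for one access attempt."""
    # 1. Role layer: no entitlement means no access, whatever the context.
    allowed = set()
    for role in req.roles:
        allowed |= ROLE_ENTITLEMENTS.get(role, set())
    if req.resource not in allowed:
        return Decision(DENY, ["no role entitlement for resource"])

    # 2. Context layer ("who, where, which device"): hard denies first.
    if req.impossible_travel:
        return Decision(DENY, ["impossible-travel signal"])
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource, "high")
    if sensitivity == "high" and not req.device_managed:
        return Decision(DENY, ["high-sensitivity resource requires managed device"])

    # 3. Conditions the user can satisfy by stepping up authentication.
    reasons = []
    if not req.mfa_satisfied:
        reasons.append("mfa not satisfied")
    if sensitivity == "high" and req.country != req.home_country:
        reasons.append("access from outside home country")
    if reasons:
        return Decision(STEP_UP, reasons)

    # 4. Least privilege: the grant is time-boxed and must be re-evaluated.
    return Decision(ALLOW, ["all conditions met"], expires_at=now + jit_ttl)


def grant_is_valid(decision: Decision, now: datetime) -> bool:
    """A JIT grant is usable only while unexpired; expiry revokes it implicitly."""
    return decision.outcome == ALLOW and decision.expires_at is not None and now < decision.expires_at


SAMPLE_NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock


def demo() -> dict:
    """Constructed requests exercising each branch of the policy."""
    base = dict(user="alice", roles={"finance_analyst"}, resource="financial_reporting",
                device_managed=True, mfa_satisfied=True, country="US", home_country="US",
                impossible_travel=False)
    return {
        "compliant": evaluate(AccessRequest(**base), SAMPLE_NOW),
        "no_mfa": evaluate(AccessRequest(**{**base, "mfa_satisfied": False}), SAMPLE_NOW),
        "roaming": evaluate(AccessRequest(**{**base, "country": "DE"}), SAMPLE_NOW),
        "unmanaged": evaluate(AccessRequest(**{**base, "device_managed": False}), SAMPLE_NOW),
        "wrong_role": evaluate(AccessRequest(**{**base, "roles": {"contractor"}}), SAMPLE_NOW),
        "travel": evaluate(AccessRequest(**{**base, "impossible_travel": True}), SAMPLE_NOW),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:11s} -> {d.outcome:12s} {'; '.join(d.reasons)}")
```

The ordering is deliberate: the role check runs first so that a compromised but well-positioned device can never reach a resource the identity was never entitled to, hard denies come before step-up so that a risk signal cannot be cleared by a second factor, and even a clean request yields only a time-boxed grant, so revocation happens by expiry rather than by someone remembering to remove access.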
Ultimately, we expect convergence of access security technologies as the synergies between IDP, SASE, CASB and ZTNA services are better understood. In the meantime, it is imperative for your company to implement a robust, fit-for-purpose, scalable (future-ready) and sustainable adaptive access capability—one that provides an outstanding user experience while also protecting critical assets and mitigating risk to business operations, today and in the future.