Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an Advisor and Analyst with KuppingerCole Analysts. My guest today is here for the very first time, although she has been with KuppingerCole for a while already. She is a Senior Advisor. Her name is Charlene Spasic. Hi, Charlie. Good to have you in this episode of the podcast.
Hi Matthias, thanks for having me. I'm very happy to be here.
Finally, we've made it. And as you are an IAM expert, and we have to cover a topic that is in many organizations very high on the agenda, very highly prioritized, you are the perfect guest to talk about this topic. Actually, this is the first part of a mini-series. We want to talk about the role of identity management in the context of Zero Trust. So this is something that you are working on on a daily basis, you are a Senior Advisor with KuppingerCole. So you are talking to our end user organizations, the customers that we're dealing with. So when we look at that topic, what defines a digital identity within the context of Zero Trust? So where's the overlap between identity and Zero Trust?
Yeah, so I think first of all, we should start by thinking about what is the difference between, let's say, more traditional security approaches and Zero Trust. So what happened in the past was that employees that were working for organizations had this physical building where they went to work, they maybe had a badge that they could use to enter the office building. Then they went to their working station or their desktop, logged in, that's it, they were in. And this was the approach that was taken by some organizations. Now, when we think about what changed and why we need to move to a Zero Trust focused security approach, it is that the users or the employees are not necessarily located within this static perimeter that defines the organization. People work remotely. They can work from a different country. They use different devices to work with. Maybe they bring their own devices. They have their own laptops that they use for accessing the company data. So we see a shift happening there. And what does define the identity within Zero Trust is that we have different signals that we have to consider now. There is no implicit trust, so we can't just assume that once we have verified the identity, that's it, because we have some different aspects to consider now.
Right. And when you say that the way we are working has changed, I think also the way we now provide and deploy infrastructures has changed dramatically with the cloud, with software as a service, with there just no longer being something like home, a home organization, a big data center where everything is connected to and there's a building around that and you are safe and secure when you're in that perimeter. This has changed as well. So infrastructure has changed, the way we are working has changed. And you've mentioned that already. So you need to look at many more details, many more signals, aspects, context information when verifying a digital identity. How do we approach that? How do we deal with that? How do we make sure that we really know on a continual basis that the identity that claims to be Charlie or Matthias still is Charlie or Matthias and has the right to access the systems that they are accessing right now?
Yeah, so what has changed is that we need to verify the identity explicitly, meaning that every access request that the identity is trying to perform within the company network has to be verified. The verification is a fundamental aspect of Zero Trust. So before we grant access to resources, the organization must verify that the user or the device that is making the access request is who they claim to be. And this involves authenticating the user's identity, which might be done by using credentials such as usernames, passwords, biometrics, or other tokens.
Right, so multifactor authentication and a strong way of authorizing identities is the way to move forward here. And that is something I consider to be the most important aspect when we look at identities for Zero Trust to not only onboard an identity in a secure and a reliable manner, but to continuously make sure, yes, it's still Matthias, I know that he has been verified, he has authenticated. He has authenticated with strong factors with, I don't know, an authenticator app or a physical key that has been presented. And on the other hand, it's clearly understood that once he is Matthias, that he has the right access rights. So how important is MFA and biometrics when it comes to verifying identities as you've put it?
MFA, or let's say the authentication, is very important in the Zero Trust model. There are different ways to do it, which might go more into the multi-factor authentication that you mentioned, or we also see adaptive authentication mechanisms. So this means that users are required to provide multiple factors to verify the identity, which can be, I mean, I mentioned it before, passwords, biometrics, or a combination of both. Then we have contextual information going into the location of the user or the time when they try to access the company data and also behavioral patterns, meaning, let's say, I'm usually working between 8 and 5 PM and it might be suspicious when I try to access data at, I don't know, 11 PM in the evening.
Right. And I think this context information is getting more and more important because, as you said, you can no longer ask a person because she's probably not in the same building or even in the same country. So you need to make sure that you understand this behavior that people are usually exposing. You need to understand what is considered to be normal, 8 to 5, as you've mentioned, and what is considered to be an outlier, what is not normal, what needs to be flagged as something that requires at least some more confirmation. That is where identity comes into play again, to say, okay, I have this identity in a shape or form that allows me to get to this additional layer of authentication to really understand, yes, even if I ask a more detailed question, for example, provide more context, another factor, we are in a situation, from an IAM perspective, to provide this information to really make sure that this communication still is valid and wanted and something that needs to happen to complete the business purpose. We are getting closer to EIC and there will be people that will ask us what we can do when we start and when we are embarking on a Zero Trust journey, and it's 2024, maybe they have already embarked. From an IAM perspective, what are the typical challenges that an organization faces when moving to Zero Trust? When we look at the IAM aspect, at the identity management aspect, what are the challenges that need to be overcome to be ready for Zero Trust?
Yeah, so from my experience, I think that organizations need to have good governance of their identities. So they must be very sure which identities belong to their organization, whether they be people or devices, and whether they have the necessary business purpose to perform the actions that they are trying to do. This also plays into, at the end of the day, people trying to access information and data. So this also plays into data classification, but organizations really must find or define measures to have a great overview of who is even qualified for accessing their resources.
Exactly. And if we look at what we sometimes do, we sometimes do something that does not have a nice name, a maturity assessment, when it comes to how mature an identity and access management is. Sometimes we get to the point that we find that organizations are very good in some parts of their lifecycle management for identities. So that is the joiner, because people need to start working very quickly. So the joiner works very well, usually. The same is true sometimes, mostly, for the leaver, because when people no longer need access to systems, that might be already well covered. But we find in some organizations, not to say many, that the mover process, when people change position, change their job description, change location, change country, maybe even change organization within a group of organizations, that these processes cannot be considered well covered. And I think that is also an important point to start at when getting to better identity management processes and thus to stronger, more trustworthy identities, because when their role changes, identities of course will change with their attributes, their roles, their assigned access. Is this something that you see in the projects that you're working on as well?
Yeah, this is something that we see. So I totally agree on this and also on the way you outlined the different identity processes that organizations are facing. When it comes to Zero Trust, one of the key principles that organizations need to enforce is the principle of least privilege. And this can be very challenging when we think about the mover process. So the employees are within the organization, maybe for many years, they switch from one position to another, and they collect probably a very big set of access rights, which might give challenges when we think about attackers and how they try to exploit identities. And after an identity is compromised, the larger the blast radius, so to say, of a compromised identity can get, the more harm it can do to the organization. So that's why I agree that great processes are a big benefit when moving towards Zero Trust, and the enforcement of these privileges is also very relevant there.
Yeah, I absolutely agree, because if we consider this concept of Zero Trust being the combination of identity plus device plus network plus system to access and maybe data, so with these five aspects I'm describing an access. Without a proper verification of an identity and all the processes behind that, a strong authentication, but then also understanding what this identity represents through an account, through a device that acts on behalf of the identity, if this is not well understood, then you cannot enforce the principle of least privilege. So either you get to no access, which is not really fulfilling the business purposes, or you get to most probably too much access to systems, and that needs to be prevented by strong identity lifecycle management processes. Another aspect in this context that I just mentioned, so these five aspects from user to device to network to system and data, one aspect that is gaining more and more importance and visibility is the aspect of continuous authentication, and the focus is on continuous authentication. How does that play into these real-time security demands of Zero Trust and what does it mean?
So in a Zero Trust model, trust can never be just assumed. So the access decisions have to be continuously evaluated. And this is done by using various factors. We talked about it before. We have the user behavior, we have device health, and we have other contextual information. So continuous authentication enables organizations to verify the identity of users or devices while they are trying to interact with the network. So we cannot simply say when an identity authenticated once, then everything is fine. There might be influences that could lead to a potential malicious act that the identity is trying to do. So this also plays into the concept of always verify, never trust. And I think it's a really great fundamental here.
So exactly, so if you consider that you no longer have any physical control over people, that might mean that somebody is using a device within a context, say a Starbucks during vacation, in a network that is untrusted. And nevertheless, they authenticate safely and securely. They are understood as being Matthias and the action that I'm executing actually is valid and wanted and we should grant this access. But during this transaction, my iPad gets stolen, or I just leave it on the bench and I leave my table at the Starbucks and I leave my iPad. Account takeover in the simplest of cases, just by forgetting something, might lead to the situation that I'm... that the person, the account that is acting is no longer me. And this needs to be well identified. So continuous authentication needs to verify whether this is still Matthias. The technologies that are actually providing this functionality sometimes are very intrusive in understanding, is this really Matthias? But nevertheless, this is continuous authentication. This is never trust, or no implicit trust, always verify. So, there's a lot to do when it comes to managing identities for Zero Trust. That sounds like we are doing all this identity management only for Zero Trust. And I think this is the topic that we will cover in the second episode of this series, when we look at, once we've done that, does it make sense for other purposes as well? So for this time, thank you very much, Charlie, for having been my guest. We will meet again soon to continue that conversation. And then we will look at the bigger picture of doing identity and access management for Zero Trust plus beyond. For the time being, thank you very much for being my guest today, Charlie.