Identity Orchestration: Stepping Off the Identity Treadmill
Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Topher Marie of Strata Identity examines how identity orchestration could help us finally step off the treadmill of access trends.
Despite moving to the cloud to achieve higher resiliency and massive increases in scale, the goal of modern enterprise access control remains the same: make sure the right people have the right access to systems and data while keeping the bad guys out. Over time, the underlying implementation methods for enforcing access control have evolved repeatedly. Consider WS-Fed, SAML, OpenID Connect (OIDC), security questions, SMS codes, MFA, one-time passcodes (OTP), Universal 2nd Factor (U2F), WebAuthn… and the list keeps getting longer.
Each new access control protocol, standard, and approach is supposed to address the failings of the previous iteration. It’s a war of evolving attacks and defenses. Teams have no choice but to keep up; otherwise, they will be exploited. It becomes a treadmill. We can’t consider any particular product “done” because we will need to revisit it when the next exploit is found or when a more robust technology is released. We have to keep moving forward just to stay still.
This treadmill problem isn’t caused by any particular tool, company, or solution. It’s the nature of a living landscape of threats and the resulting need to protect against them. As such, and despite many claims to the contrary, there is no next and ultimate solution. There is no end to the war against attackers; there is only constant vigilance.
Continuous Evolution of Threats
Unfortunately, cyber thieves and other bad actors frequently have the advantage because it takes only one slip-up — an employee clicking a bad link on an email, for example — to breach an enterprise’s security. Multiply that by the hundreds or thousands of distinct applications and attack surfaces the typical corporation has, and this vigilance can be exhausting. Every app must be kept up to date on best practices.
Consequently, the identity and authentication infrastructure that supports an enterprise is in a constant state of change. For instance, over the years, stronger password policies have emerged, salted password hashing has become standard, multi-factor authentication (MFA) has taken shape, and standards such as OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) have gained widespread adoption. Yet these standards, once greenfield and considered best practice, now display cracks. On their own, they aren’t up to the task of managing identities across diverse software, systems, and multi-cloud environments.
And the problem doesn’t stop there. A mishmash of tools, standards, and frameworks forces organizations to constantly rewrite application code just to keep up with security best practices. In an enterprise that runs thousands of applications, the accumulated technical debt and costs add up quickly. What’s more, every one of those rewrites is a chance for software developers to introduce bugs that further complicate matters or unleash more severe problems.
CSMA and Orchestration
In 2022 Gartner introduced the concept of a Cyber-Security Mesh Architecture (CSMA), which helps to mitigate these issues. CSMA is meant to be a robust, evolving paradigm for long-term infrastructure protection. Part of the power of this approach lies in decoupling identity from all the software residing within an enterprise. When identity data is abstracted away from applications, it’s possible to implement a far more elegant approach that revolves around identity orchestration: applications consume an abstract notion of “who is this user and what may they do,” while a separate orchestration layer owns the protocols, factors, and policies that answer that question. The result is a more streamlined and secure identity framework. This can help organizations step off the treadmill and eliminate stopgap solutions.
Take, for instance, recent developments in the OIDC space. The latest practices are pushing for Continuous Access Evaluation (CAE), standardized by the OpenID Foundation as the Continuous Access Evaluation Profile (CAEP) under its Shared Signals Framework. CAE is a way for an identity provider to notify applications when the state behind a session initiated via OIDC changes, for example when the session is revoked or the user’s assurance level changes, so that access can be cut off before the token would otherwise expire. This means that even if an organization has very recently updated its identity practices to use the latest and greatest OIDC, it now faces another rewrite to implement CAE, with potentially large impacts on its architecture. Abstracting identity control away from applications confines that change to the orchestration layer and mitigates the ongoing rewrite issue.
Identity orchestration is prompting companies large and small to step off the treadmill and migrate to a more advanced and holistic framework. As identity becomes more embedded in the fabric of business — and the complexity of managing identity and authentication grows — businesses are recognizing that this approach lights a pathway to a more simplified yet improved form of identity management.