CIS 2016 Reflections


I had the opportunity to participate and mingle with the Identity and Access Management (IAM) community at the Cloud Identity Summit held a couple weeks ago in New Orleans (#CISNOLA) and wanted to share my observations and reflections in this blog.

Before I get to the topic I have to recommend the beignets at Café Du Monde on Decatur St especially if you have a sweet tooth like I do. They are out of this world and I owe it to my colleague John Schmidt for taking me there. But remember to take cash, as they do not accept cards!  Now here is the rest of the story.

Netskope was probably the only vendor not squarely in the IAM space but more in the adjacent cloud access security broker space at the summit. We are in a rapidly evolving environment. A decade ago IAM was focused on access control and authorization to apps that were hosted in private data centers. Importantly the device, network and app were under the enterprise IT control and this provided flexible enforcement points for controlling access. We had NAC solutions for in-network access, VPN solutions for remote access and server and endpoint solutions for exerting fine-grained control.

Now when we fast forward to the present – the landscape has radically changed. Today, we don’t always have endpoint control with the emergence of BYOD. We are losing server-side control with the rapid adoption of public cloud hosted applications (see latest Netskope Cloud Report). It is not efficient or economical to backhaul remote traffic to a centralized enforcement point to maintain control at the network level and hence VPNs are becoming less relevant.

These changes force us to rethink our strategy on achieving our goals of visibility, control and protection of our assets. The factors in play that we have to be aware of are the users, the devices, the applications and the data. Let us look at each one of these actors and their roles.

Users – All cloud applications require user credentials in order to access the applications. Coincidentally one of the prized data that is compromised in data breaches that are on the rise is user credentials. Most users reuse same or similar passwords across different applications. The combination of the above facts makes it easy for data thieves to gain access to enterprise data that are stored in cloud applications.

Devices – are constantly targeted by threats like malware and ransomware and are compromised when these attacks are successful. We are also seeing an increase in the use of mobile devices to access cloud applications. Nearly half the transactions to cloud apps either originate from mobile devices. Compromised devices can act as a valid insider for exfiltration of sensitive data.

Applications – We are seeing a rapid adoption of publicly hosted cloud applications by enterprises. Only a small fraction (< 10%) is enterprise ready. Hence it is important to account for the risk introduced by using cloud applications when transacting enterprise data.

Data – This is the most overlooked aspect of existing solutions in the IAM space. Data is no longer under the lock and key of enterprise IT as they were in the days of custom apps in private data centers. It is important to classify the data that is part of the transaction and use that for policy enforcement.

The above factors provide the context that becomes very important for authentication and authorization of users accessing cloud applications. We are seeing increased adoption of single sign on (SSO) solutions where there is an Identity Provider (IdP) that controls the initial access to applications. The IdP has the ideal vantage point to control the user access. In this initial sign on other solutions like threat intelligence providers, device posture providers like MDMs can be consulted to allow access to the application.

But the buck doesn’t stop there, what about subsequent transactions after the initial sign on? We know that most applications keep a session alive for day(s) over which several transactions occur. In addition the IdP is unaware of the data going to be transacted in that session as it gets out of the path of the user-application interaction. We need to monitor every transaction to identify the activities that involve data so that the data can be classified and the appropriate authorization controls can be enforced. This is achieved by introducing a cloud access security broker (CASB) solution inline after the initial authorization. The CASB must monitor every transaction to identify the activity and classify the data and take an action based on the entire context of the transaction. The context must include the user (risk, OU, group affiliation), device (risk, managed/unmanaged), location (trusted/untrusted), application (enterprise readiness), activity (upload, download, share, post) and data classification (regulated, sensitive data). All these inputs are the essence of a good application policy that would eventually determine the disposition of the transaction (allow, deny, re-auth, encrypt, quarantine etc). Examples of such contextual policies are “Deny sharing of financial data outside the finance AD-Group in the corporate sanctioned O365 OneDrive instance”, “Re-authenticate a download of the entire customer table from Salesforce from a device that has a high risk profile” I am sure you can come up with more interesting examples given this background!

If I were to sum this up the paradigm for IAM and policy enforcement to address the emerging access patterns and adoption of cloud applications is one of “continuous contextual authorization at a transactional level with conditional re-authentication”. This is the essence of the Identity Defined Security platform that was demonstrated at the CIS 2016 in New Orleans.