Identity is the key to control. If you can manage identities—along with associated credentials, permissions and attributes—you can effectively control any computing environment.
Identity management is the silent thread that enables management of hybrid, mesh, and other multicloud environments. At Identiverse 2019 this week in Washington DC, the identity management industry gathered to discuss the evolution of established standards and the need for newer specifications to control cloud-to-edge environments of growing complexity.
Identity standardization in a perimeterless multicloud
In fact, the notion of a multicloud “identity control plane” was front and center in the Day One keynote presented by Andre Durand, the founder, chairman and chief executive of identity management provider and conference organizer Ping Identity. At the heart of his talk was the need to build a trusted identity infrastructure on any device anywhere in a world that, said Durand, is “identified by default.”
A pioneering figure in the commercialization of what’s often called “user-centric identity,” Durand used his keynote to lay out several fundamental principles for building an identity control plane that spans any future cloud environment:
- Identity sovereignty: Individuals must be able to self-assert their identities, and reveal or conceal as much or little of their identity as they wish, at any time, for any reason, from any other party, for any duration, and also to defederate unilaterally from any domain that deliberately or inadvertently compromises or violates these rights.
- Identity universality: People must be able to rely on a global, distributed and universally trusted identity metasystem in which they can exchange digital credentials without the need for trusted third parties to vouch for and validate those identities.
- Identity quality: Users’ authentications, authorizations, and other identity-mediated experiences should be fast, personalized, mobile, multifactor, biometric, password-free, frictionless, robust and recoverable.
- Identity automation: Infrastructure should use AI to automate most processes in the identity and security pipeline while processing signals from edge environments — such as “internet of things” endpoints — to automate real-time acquisition of identity threat intelligence.
- Identity standardization: End-to-end identity management, permission and trust environments must be built on standard frameworks, protocols and interfaces, including mature, widely adopted standards such as Security Assertion Markup Language, OAuth and OpenID Connect, as well as emerging specifications such as FIDO and System for Cross-Domain Identity Management.
AI will drive end-to-end, zero-trust multicloud security
Identity control planes in a complex cloud-to-edge environment must constantly reverify users and revalidate access requests. In this regard, Durand discussed the identity management industry’s shift toward “zero trust” security, which is also known as “identity-defined security,” “adaptive identity security,” “dynamic authorization” and “post-perimeter security.”
As spelled out in this Wikibon report three months ago, this paradigm essentially moves the software-defined security “perimeter” to wherever the requested content happens to live anywhere in private, public, hybrid, mesh and other multicloud environments. Zero-trust security — which usually incorporates AI-driven adaptive access-risk mitigation — is a key element in Wikibon’s recently published hybrid cloud taxonomy. It is integral to the security, compliance and data planes, requiring strong multifactor authentication within a scalable trust environment grounded in public key infrastructure and open identity standards.
Under zero-trust security, every node at the edge always has access to the relevant identities, credentials, permissions, context variables, code-based policies and other security assets needed to authenticate strongly and authorize access to managed resources while also ensuring confidentiality, tamper-proofing, audit trails and other security controls. Access grants are narrowly scoped to specific content, contexts and timeframes in order to mitigate security risks. Essentially, all users are treated as “remote” for the purpose of authenticating and authorizing their access to requested resources.
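The access model described above (narrowly scoped grants, required context, bounded timeframes, every caller treated as remote, and an audit record for each decision) can be made concrete with a small deny-by-default policy evaluator. The following is an added example written for this article; it is not code from Ping Identity, Wikibon or any vendor named here. The `Grant`, `Request` and `Decision` types, the sample subject and resource names, and the `device_posture` context key are all assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Grant is one narrowly scoped access decision handed to an edge node:
// a single subject, a single resource, an explicit action set, the context
// the caller must present, and a validity window. Constructed for this example.
type Grant struct {
	Subject   string
	Resource  string
	Actions   map[string]bool
	Context   map[string]string // e.g. "device_posture": "compliant"
	NotBefore time.Time
	NotAfter  time.Time
}

// Request is what the edge node evaluates. Network location is deliberately
// absent from it: every caller is treated as remote.
type Request struct {
	Subject, Resource, Action string
	Context                   map[string]string
	Now                       time.Time
}

// Decision is the audit-trail record, written whether access is granted or denied.
type Decision struct {
	Subject, Resource, Action string
	At                        time.Time
	Allowed                   bool
	Reason                    string
}

var (
	ErrWindow  = errors.New("outside grant validity window")
	ErrScope   = errors.New("subject, resource or action outside grant scope")
	ErrContext = errors.New("required context not satisfied")
)

// Authorize is deny-by-default: every condition of the grant must hold, and the
// first failing condition is recorded so the audit trail explains the denial.
func Authorize(g Grant, r Request) (Decision, error) {
	d := Decision{Subject: r.Subject, Resource: r.Resource, Action: r.Action, At: r.Now}
	if r.Now.Before(g.NotBefore) || !r.Now.Before(g.NotAfter) {
		d.Reason = ErrWindow.Error()
		return d, ErrWindow
	}
	if r.Subject != g.Subject || r.Resource != g.Resource || !g.Actions[r.Action] {
		d.Reason = ErrScope.Error()
		return d, ErrScope
	}
	for key, want := range g.Context {
		if got, ok := r.Context[key]; !ok || got != want {
			err := fmt.Errorf("%w: %s", ErrContext, key)
			d.Reason = err.Error()
			return d, err
		}
	}
	d.Allowed, d.Reason = true, "all grant conditions satisfied"
	return d, nil
}

// SampleGrant is a constructed one-hour, read-only grant on a single object,
// valid only from a device reporting a compliant posture.
func SampleGrant(issued time.Time) Grant {
	return Grant{
		Subject:   "alice@example.com",
		Resource:  "s3://finance-reports/q1.pdf",
		Actions:   map[string]bool{"read": true},
		Context:   map[string]string{"device_posture": "compliant"},
		NotBefore: issued,
		NotAfter:  issued.Add(time.Hour),
	}
}

func main() {
	issued := time.Date(2019, 6, 25, 9, 0, 0, 0, time.UTC)
	g := SampleGrant(issued)
	ok := Request{"alice@example.com", "s3://finance-reports/q1.pdf", "read",
		map[string]string{"device_posture": "compliant"}, issued.Add(10 * time.Minute)}
	late := ok
	late.Now = issued.Add(2 * time.Hour)
	for _, r := range []Request{ok, late} {
		d, _ := Authorize(g, r)
		fmt.Printf("%s %s at %s -> allowed=%v (%s)\n", r.Action, r.Resource, r.Now.Format(time.Kitchen), d.Allowed, d.Reason)
	}
}
```

The evaluator never consults where the request came from; a request from inside the data center and one from a coffee shop are judged identically on the grant, the presented context and the clock, which is the point of the “all users are remote” stance.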
One curious omission from Durand’s otherwise comprehensive discussion of identity-relevant standards was his failure to mention the Post-Perimeter Security Alliance. In the run-up to the most recent RSA Conference, mobile threat defense provider Lookout Inc. announced this initiative, under which prominent solution providers are collaborating on a vendor-agnostic framework for zero-trust security and associated identity infrastructure.
Distributing the identity control plane across complex cloud-to-edge environments
Another important topic that Durand didn’t touch on was the use of AI-driven zero-trust security in software-defined networks, which are increasingly the backbone of multiclouds. As I discussed in this Wikibon report from two months ago, AI is essential for automating the prevention, detection and remediation of application security issues throughout software-defined internetworks that bind together the multicloud.
In these internetworking backbones, AI drives dynamic security responses such as intent-based networking, application-aware firewalling, intrusion prevention, health monitoring, anti-malware, continuous exploit testing and closed-loop network self-healing. And it enables automated tooling to predict the likely behaviors of code in the target production environments, rather than simply scanning builds for the signatures of known issues seen in the past.
Nevertheless, Durand and other speakers put a strong emphasis on reusability of identity controls throughout distributed multiclouds. This would enable developers to leverage open APIs for the reuse of existing authentication, permissioning and other services within more stringent multicloud identity management safeguards.
In this regard, a key news announcement at this week’s Identiverse was that ID DataWeb and NextLabs have joined the Identity Defined Security Alliance, an industry group that has developed reusable and vendor-agnostic patterns for reusing and composing multicloud identity controls. As discussed in the alliance’s whitepaper, their framework incorporates a catalog of discrete and composable identity and security controls such as profile-based multifactor authentication, privileged access management and cloud access security brokering, which may be supported by diverse vendor-provided or open-source software implementations.
At Identiverse, another important announcement for cloud-to-edge identity management was that the FIDO Alliance has launched new identity verification and certification programs for its freely licensed, vendor-agnostic, password-free authentication framework. The alliance’s new working groups will focus on “possession-based” multifactor authentication techniques — such as biometric “selfie” matching — to strengthen identity assurance for account onboarding and account recovery on the IoT.
In discussions with Wikibon, FIDO principal Rolf Lindemann of Nok Nok Labs discussed how the seven-year-old alliance enables simplified multifactor, multimodal credential provisioning in federated multicloud and cloud-to-edge environments. The core interface defined by the FIDO framework standardizes the on-demand cryptographic protocol between a device and the trusted execution environment in its embedded authenticator hardware or an external security token, as well as between those devices and remote servers. These capabilities will be essential for multifactor, zero-trust authentication of IoT devices in consumer domains such as smart homes and business domains such as smart factories.
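The device-to-server half of that protocol is a public-key challenge-response: the server issues a fresh challenge, the authenticator signs it together with the relying-party identifier and a signature counter using a key that never leaves the hardware, and the server verifies the signature under the public key it stored at registration. The example below is added for this article and is not FIDO Alliance, Nok Nok Labs or Ping Identity code; it uses a simplified authenticator-data and client-data layout (the real CTAP/WebAuthn encodings carry more fields, and registration also carries an attestation statement that is omitted here). The `example.com` relying-party identifier and all type and function names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the secure element or external token: the private key is
// generated inside it and never leaves; only signatures do. Constructed for this example.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // signature counter; lets the server notice a cloned key
}

// Assertion is what the authenticator hands back for one authentication.
type Assertion struct {
	AuthData   []byte // rpIdHash(32) || flags(1) || counter(4); simplified layout
	ClientData []byte // binds the challenge and the origin the client saw
	Signature  []byte // ECDSA P-256 over SHA-256(AuthData || SHA-256(ClientData))
}

// RelyingParty is the server: the registered public key and the highest counter seen.
type RelyingParty struct {
	RPID    string
	pub     *ecdsa.PublicKey
	counter uint32
}

var (
	ErrClientData = errors.New("client data does not bind this challenge and origin")
	ErrRPID       = errors.New("assertion was made for a different relying party")
	ErrSignature  = errors.New("signature does not verify under the registered key")
	ErrCounter    = errors.New("signature counter did not increase (replay or clone)")
)

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Register is the enrolment step: the relying party learns only the public key.
func Register(rpID string, a *Authenticator) *RelyingParty {
	return &RelyingParty{RPID: rpID, pub: &a.priv.PublicKey}
}

// ClientData is the simplified client data a browser or app would assemble.
func ClientData(challenge []byte, origin string) []byte {
	return []byte("challenge=" + hex.EncodeToString(challenge) + ";origin=" + origin)
}

// Sign produces an assertion over the relying-party hash, the incremented
// counter and the hash of the client data.
func (a *Authenticator) Sign(rpID string, clientData []byte) (Assertion, error) {
	a.counter++
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append([]byte{}, rpIDHash[:]...)
	authData = append(authData, 0x01) // flags: user-present bit
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], a.counter)
	authData = append(authData, ctr[:]...)
	cdh := sha256.Sum256(clientData)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, msg[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: authData, ClientData: clientData, Signature: sig}, nil
}

// NewChallenge issues 32 random bytes for exactly one authentication attempt.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks an assertion against the challenge this server issued; server
// state is only advanced after every check has passed.
func (rp *RelyingParty) Verify(challenge []byte, as Assertion) error {
	if !bytes.Equal(as.ClientData, ClientData(challenge, rp.RPID)) {
		return ErrClientData
	}
	want := sha256.Sum256([]byte(rp.RPID))
	if len(as.AuthData) != 37 || !bytes.Equal(as.AuthData[:32], want[:]) {
		return ErrRPID
	}
	cdh := sha256.Sum256(as.ClientData)
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdh[:]...))
	if !ecdsa.VerifyASN1(rp.pub, msg[:], as.Signature) {
		return ErrSignature
	}
	ctr := binary.BigEndian.Uint32(as.AuthData[33:37])
	if ctr <= rp.counter {
		return ErrCounter
	}
	rp.counter = ctr
	return nil
}

func main() {
	auth, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	rp := Register("example.com", auth)
	challenge, _ := rp.NewChallenge()
	as, _ := auth.Sign(rp.RPID, ClientData(challenge, rp.RPID))
	fmt.Println("first use:", rp.Verify(challenge, as))
	fmt.Println("replayed: ", rp.Verify(challenge, as))
}
```

Three properties carry the security argument: the challenge is random and single-use, so a captured assertion cannot be replayed; the relying-party hash is under the signature, so an assertion obtained for one site cannot be presented to another; and the counter must strictly increase, so two devices holding the same key (a clone) eventually collide and are detected.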
Practitioner takeaways from Identiverse
For information technology professionals building hybrid and multiclouds, there is no avoiding the need for standards-based identity control planes.
Your identity control plane needs to be an integral component of the security and policy management plane that extends through all domains — on-premises, public cloud, mesh and edge — in your multicloud infrastructure. You should deploy an identity backplane that provides a unified environment for multifactor authentication, single sign-on, role-based access control, delegated permissioning and other security capabilities spanning all domains.
Universal identity infrastructure should be provisioned, monitored and administered centrally through your multicloud management tooling. Because it can enable zero-trust, perimeterless security through robust AI, this infrastructure should be deployed as a core component of your end-to-end AIOps environment for real-time, closed-loop IT and application management.
One cautionary note is that there is little consistency in how the various multicloud and AIOps vendors implement identity standards into their portfolios. It’s quite likely that trailblazing users will need to write a lot of glue code to get the cloud providers’ disparate identity and security backbones to interoperate and to manage it all in seamless fashion from end to end.