Head of Standards for Strata Identity, former Burton Group analyst and technology executive at Chase Manhattan Bank (now JPMorgan Chase).
Cloud computing has been a great enabler to enterprises, speeding up operations and allowing organizations to move up the digital maturity journey faster and more effectively. However, multiple clouds—especially when they have to intersect with on-premise systems and one another—can produce some challenges I’ve discussed before.
Many organizations can end up with an “identity gridlock” of competing identity systems and protocols since each cloud platform cannot exchange access policy data with other cloud providers. Identity orchestration offers some relief to this balkanization of access management, but in the end, an enterprise wants a unified, policy-based framework to manage access to its assets and enforce access controls.
Zero trust, least privilege and just-in-time access are all solid strategies and approaches to creating a secure environment that can be greatly enabled by a philosophy of fine-grained access control.
This idea of fine-grained access is similar to accessing an office building: Swiping an ID card at the entrance to the elevators confirms a user is authorized to enter the premises. It can give a user access to enter the building—all floors, all conference rooms and all offices, from the break room to the money vaults and server rooms. On the other hand, the card may only give employees access to those floors where they work, to their own offices or to the lab or workshop where they are authorized to be. A chemist can walk into the lab, while an entry-level office worker may only have access to the cafeteria and the cubicle pool on their floor.
In the digital world, fine-grained access limits an identity to those applications and assets the user requires for their job function. However, unlike coarse-grained control, which uses only one marker to grant or revoke access—such as the user’s job function—fine-grained authorization is ruled by multiple factors in tandem, such as the right user accessing the network from the right IP address in the right geographic location.
Fine-grained access can also adapt to conditions based on certain attributes—for example, a user logging on from outside of their usual network or IP address may be authorized to open a file on read-only mode with no permission to make edits.
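To make the contrast between coarse-grained and fine-grained authorization concrete, here is an added example (not code from the article or from any product it names): a minimal policy decision point that checks role, source network and country together, and downgrades a login from outside the usual network to read-only. Every name, address range and rule in it is constructed for the illustration.

```python
"""
Added example, not code from the article: a minimal policy decision point that
contrasts coarse-grained authorization (one marker, the job function) with
fine-grained authorization (several attributes weighed together: role, source
network, country), including the adaptive case in the text where a login from
outside the usual network is allowed to read but not edit. Every name, network
range and rule here is constructed for the illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    ip: str
    country: str
    resource: str
    action: str          # "read" or "write"


@dataclass(frozen=True)
class Rule:
    resource: str
    roles: frozenset                # job functions the rule applies to
    actions: frozenset              # actions granted from a trusted network
    trusted_networks: tuple         # CIDR strings; () means any network counts as trusted
    countries: frozenset            # permitted countries; empty means no geo condition
    off_network_actions: frozenset  # reduced action set when the source network is untrusted


# Constructed sample policy: chemists may read and write the lab notebook from the
# lab network, read-only from anywhere else; office staff may read the cafeteria menu.
RULES = (
    Rule("lab-notebook", frozenset({"chemist"}), frozenset({"read", "write"}),
         ("10.20.0.0/16",), frozenset({"US", "CA"}), frozenset({"read"})),
    Rule("cafeteria-menu", frozenset({"chemist", "office"}), frozenset({"read"}),
         (), frozenset(), frozenset({"read"})),
)


def coarse_grained(req: Request, rules=RULES) -> str:
    """One marker only: any rule naming the role grants the action, wherever the
    request comes from."""
    for r in rules:
        if req.resource == r.resource and req.role in r.roles and req.action in r.actions:
            return "allow"
    return "deny"


def on_trusted_network(ip: str, cidrs) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(c) for c in cidrs)


def fine_grained(req: Request, rules=RULES) -> str:
    """Several factors in tandem: role, source network and country are all checked,
    and an off-network login is downgraded to the rule's reduced action set."""
    for r in rules:
        if req.resource != r.resource or req.role not in r.roles:
            continue
        if r.countries and req.country not in r.countries:
            return "deny"                      # right user, wrong geography
        if not r.trusted_networks or on_trusted_network(req.ip, r.trusted_networks):
            return "allow" if req.action in r.actions else "deny"
        # Adaptive branch: unfamiliar network, so only the reduced set applies.
        return "allow" if req.action in r.off_network_actions else "deny"
    return "deny"                              # no matching rule: default deny


if __name__ == "__main__":
    samples = [
        Request("ada", "chemist", "10.20.5.7", "US", "lab-notebook", "write"),
        Request("ada", "chemist", "203.0.113.9", "US", "lab-notebook", "write"),
        Request("ada", "chemist", "203.0.113.9", "US", "lab-notebook", "read"),
        Request("bob", "office", "10.20.5.8", "US", "lab-notebook", "read"),
    ]
    for s in samples:
        print(f"{s.user:>4} {s.action:>5} {s.resource:<14} from {s.ip:<12}"
              f" coarse={coarse_grained(s)} fine={fine_grained(s)}")
```

The second sample is the interesting one: the coarse-grained check allows the chemist to edit the notebook from an unknown address because the role alone decides, while the fine-grained check answers "deny" for the edit and "allow" for a read from the same place. The unmatched request falls through to default deny, which is the posture a least-privilege design expects.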
Fine-Grained Access Needs Standards
This sounds like an ideal state of affairs, but it faces some hurdles, starting with the lack of interoperability. There are industry standards such as the Extensible Access Control Markup Language (XACML, de facto) or Open Policy Agent (OPA, de jure), as well as open-source options like the Amazon Cedar policy language that was announced in May 2023. Many proprietary models also exist, whether within cloud platforms themselves or in stand-alone authorization products.
However, large enterprises are frequently deploying applications across multiple clouds, and they’re using several incompatible identity systems. The marketplace is missing an approach that allows for policy interoperability. Standards such as SAML and OIDC have helped with federating identity and enabling single sign-on across security domains, but policy interoperability will require a new approach to address this long-standing need.
A newer initiative with the CNCF, called IDQL/Hexa, aims to function as a master key that can get users where they need to be: a common access policy is translated into the runtime format used by standards-based, open-source or even proprietary access systems. This approach aims to eliminate the manual work and duplicated effort required to manage policies in each distinct identity system.
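What "translating a common policy into each system's runtime format" looks like in practice, as an added example that is not Hexa or IDQL code: a hypothetical vendor-neutral policy record is rendered into two of the runtime formats named above, Amazon Cedar and OPA's Rego. The neutral record, the group and resource names, and the Cedar entity types (Group, Action, Document) are all constructed for this illustration.

```python
"""
Added example, not Hexa/IDQL code: a hypothetical vendor-neutral policy record
rendered into two runtime formats, Amazon Cedar and OPA's Rego, to make concrete
what "translate a common access policy into each system's runtime format"
means. The neutral record, the group/resource names and the Cedar entity types
(Group, Action, Document) are all constructed for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NeutralPolicy:
    subject_group: str     # the job function / group the policy applies to
    actions: tuple         # e.g. ("read", "write")
    resource: str          # the protected asset
    countries: tuple       # permitted countries; () means no geographic condition


def to_cedar(p: NeutralPolicy) -> str:
    """Render the record as one Cedar permit statement; the geographic condition
    becomes a `when` clause over the request context."""
    action_list = ", ".join(f'Action::"{a}"' for a in p.actions)
    lines = [
        "permit (",
        f'    principal in Group::"{p.subject_group}",',
        f"    action in [{action_list}],",
        f'    resource == Document::"{p.resource}"',
        ")",
    ]
    if p.countries:
        cond = " || ".join(f'context.country == "{c}"' for c in p.countries)
        lines.append(f"when {{ {cond} }}")
    lines[-1] += ";"
    return "\n".join(lines)


def to_rego(p: NeutralPolicy) -> str:
    """Render the same record as an OPA Rego module with a default-deny `allow` rule;
    the evaluator is assumed to pass subject, action, resource and context as `input`."""
    actions = ", ".join(f'"{a}"' for a in p.actions)
    body = [
        f'    "{p.subject_group}" in input.subject.groups',
        f"    input.action in {{{actions}}}",
        f'    input.resource == "{p.resource}"',
    ]
    if p.countries:
        countries = ", ".join(f'"{c}"' for c in p.countries)
        body.append(f"    input.context.country in {{{countries}}}")
    return "\n".join([
        "package authz",
        "",
        "import rego.v1",
        "",
        "default allow := false",
        "",
        "allow if {",
        *body,
        "}",
    ])


def render_all(p: NeutralPolicy) -> dict:
    """One neutral policy, every target format: the step an orchestration layer
    repeats per identity system instead of an administrator doing it by hand."""
    return {"cedar": to_cedar(p), "rego": to_rego(p)}


# Constructed sample: chemists may read and write the lab notebook from the US or Canada.
LAB_POLICY = NeutralPolicy("chemists", ("read", "write"), "lab-notebook", ("US", "CA"))

if __name__ == "__main__":
    for fmt, text in render_all(LAB_POLICY).items():
        print(f"--- {fmt} ---\n{text}\n")
```

Both renderings are default-deny: Cedar permits only what a `permit` statement matches, and the Rego module sets `default allow := false` before the single `allow` rule. The neutral record is the only thing an administrator edits; when it changes, every target format is regenerated rather than patched separately in each system, which is the duplicated effort the passage describes.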
The Road Ahead For Standards Like IDQL/Hexa
Building and introducing a new standard in the identity or security industry follows a typical pattern where 1) the problem area is recognized, 2) a group forms to begin scoping and specifying a new approach, 3) additional groups (vendors and enterprises) join the effort, 4) the effort is taken up by a standards organization, and 5) a new standard ultimately is ratified.
There can be challenges along the way, of course, where incumbent players are satisfied with the status quo, and it can sometimes be difficult to make compromises with your real or perceived competitors. However, the industry has a pretty good track record of standards that have been published by the likes of IETF, OASIS, OpenID Foundation and others.
Overcoming issues, challenges and disagreements during the standards-making process requires a lot of open dialog and debate. Ultimately, vendors and enterprise customers work toward building a consensus and doing what’s best for the industry.
A declarative and interoperable format that serves as a common language for implementing and orchestrating policies needs to emerge. Thanks to a number of open-source and standards-based initiatives, there are candidates to be the standard-bearer in this endeavor, which makes it an exciting time to be part of this industry-shaping effort.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.