It is not every day you can wake up and start your morning with exciting news that reinforces your belief in the correctness of your vision and of the professional path you have chosen.
Today was such a day.
Yesterday, at the end of the Google Cloud Next annual event, Google made a very significant leap forward in their already high commitment to delivering Zero Trust Network architecture to their customers. They did so by announcing Early Availability of Context-Aware Access, a functionality that will extend Google Cloud Identity and Access Management (IAM) from being based just on identity and credentials to a process that takes into consideration several different context parameters, such as the user’s location, the time of day, and so on…
Is this a unique offering?
Although I am excited by this news, being true to the principle of giving credit where it belongs, I have to say that the offering is neither unique nor new. While Google is a pioneer in adopting Zero Trust across their organization with their BeyondCorp project, in the area of contextual / conditional access Google’s competitors, such as Amazon Web Services, Okta and (last, but definitely not least) Microsoft, introduced such capabilities some time ago.
For reference, when looking at an IAM policy in Amazon Web Services, one can easily see how the same approach has already been implemented:
(Screenshot from AWS Policy Generator showing a list of contextual conditions available for the policy definition today)
While we can hold long discussions on whether the flexibility of the offered conditions and parameters is sufficient for the challenges faced by operations departments managing Infrastructure-as-a-Service, the message is clear – access to resources should be granted based on more factors than just the identity of the accessing party.
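To make the AWS example concrete, here is a small evaluator, written for this article rather than taken from AWS or its policy generator, that applies a constructed IAM-style policy with Condition blocks to a request context. It models only a few condition operators (StringEquals, Bool, IpAddress/NotIpAddress) and the explicit-deny-wins rule; the bucket name, address range and context values are assumptions, and a key missing from the context is treated as never satisfying a condition.

```python
"""Simplified evaluator for AWS-IAM-style policy statements with Condition blocks.

Illustrative model written for this article, not the AWS evaluation engine:
it supports a handful of condition operators, action/resource wildcards and
the rule that an explicit Deny overrides any Allow.
"""
import fnmatch
import ipaddress

# Constructed sample policy: allow reading one bucket only from the corporate
# address range and only when MFA was used; deny all S3 calls made without TLS.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-finance-reports/*",
            "Condition": {
                "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
            },
        },
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _values(v):
    """Policy fields may be a single string or a list; normalise to a list."""
    return v if isinstance(v, list) else [v]


def _condition_holds(operator, key, expected, context):
    """Evaluate one (operator, key, expected) triple against the request context.
    A key absent from the context never satisfies a condition in this model."""
    if key not in context:
        return False
    actual = context[key]
    expected = _values(expected)
    if operator == "StringEquals":
        return actual in expected
    if operator == "Bool":
        return str(actual).lower() == str(expected[0]).lower()
    if operator in ("IpAddress", "NotIpAddress"):
        addr = ipaddress.ip_address(actual)
        in_range = any(addr in ipaddress.ip_network(net) for net in expected)
        return in_range if operator == "IpAddress" else not in_range
    raise ValueError(f"unsupported condition operator: {operator}")


def _statement_applies(stmt, action, resource, context):
    """A statement applies when action, resource and every condition match."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _values(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _values(stmt["Resource"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _condition_holds(operator, key, expected, context):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny'. Explicit Deny wins; no matching Allow is an implicit Deny."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_applies(s, action, resource, context)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"


if __name__ == "__main__":
    # Constructed request contexts: same caller, different circumstances.
    resource = "arn:aws:s3:::example-finance-reports/q3.pdf"
    office_mfa = {"aws:SourceIp": "203.0.113.10",
                  "aws:MultiFactorAuthPresent": "true",
                  "aws:SecureTransport": "true"}
    home_no_mfa = {**office_mfa, "aws:SourceIp": "198.51.100.7",
                   "aws:MultiFactorAuthPresent": "false"}
    print("office + MFA  :", evaluate(SAMPLE_POLICY, "s3:GetObject", resource, office_mfa))
    print("home, no MFA  :", evaluate(SAMPLE_POLICY, "s3:GetObject", resource, home_no_mfa))
```

The point the evaluator makes is the one the screenshot makes: the same principal, action and resource yield different outcomes once source address, MFA state and transport security enter the decision. When extending such a model, keep the default outcome an implicit deny so that an unexpected or missing context key fails closed.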
Okta, a trendsetter in Identity and Access Management (and a very significant player in the non-Microsoft universe in general), has introduced contextual access rules to their IAM, allowing central management of access to organizational cloud services. While the current mechanism is not very flexible, it was introduced quite some time ago and, as a foundation, allows contextual Sign-On policies to be enforced on a broad scale.
(Screenshot from Okta Sign On rules UI)
Microsoft has been transformed from a very traditional IT products company into a real innovator in the modern world. Again, giving credit where it is deserved, Azure Active Directory Conditional Access is the leading mechanism on the market today, providing great flexibility combined with proven enterprise-grade scale and durability.
(Diagram from Microsoft’s article explaining the benefits of their conditional access approach)
Additional Identity-as-a-Service (IDaaS) vendors are offering similar capabilities at various stages of maturity.
What am I excited about?
As we have established, Google’s context-aware access offering is not unique and, despite Google being a huge pioneer in the Zero Trust arena, they are “late bloomers” in this particular aspect (being a late bloomer among early pioneers is still very innovative in my eyes).
What excites me about this particular announcement is that it reaffirms an alignment that all forces in the IT Security / Cybersecurity market are undergoing: alignment to the principles and components that make up the Zero Trust notion. This process confirms the assumptions that visionaries such as John Kindervag and Dr. Chase Cunningham from Forrester Research, as well as Neil MacDonald and Steve Riley from Gartner, have defined in their Zero Trust Extended and CARTA frameworks, respectively.
The future of security and access control is dynamic compared to traditional static access policies: decisions take multiple parameters into account and adapt to a context that depends on:
- Sensitivity of the resource / data being accessed
- Level of confidence in the identity of the accessing party
- Risk level associated with the device used by the accessing party
Google’s announcement is yet another nail in the coffin of static access policies that are heavily dependent on the organizational network topology and are manually updated by security operations departments.
I am excited that another strong voice is joining the choir of security theoreticians and practitioners who are evangelizing the approaches described above. Starting to think in a way that is different from what we are used to is never easy. The support of commercial vendors, non-profit organizations, leading practitioners and other role-players in the industry will definitely have an impact and inspire confidence among IT security professionals opening their minds to the advantages of the approach.
How does this help organizations shift to Zero Trust?
Even when IT security professionals understand the advantages of the Zero Trust approach, they can’t necessarily implement it in their organizations. Transitioning from the existing state to a new one is never easy, especially when you consider the significant efforts that were invested in building the traditional multi-layered security of organizational IT networks. Organizations such as Forrester Research offer workshops on how to move to Zero Trust gradually.
Among the first components (pillars) in establishing Zero Trust Architecture in the organization are the following elements:
- Identity Provider – Single source of truth for organizational role-players
- Multi-Factor Authentication – Ability to increase confidence in the identity of the accessing party
- Endpoint / Mobile Devices Management (or Security Posture Verification) – Ability to assess the risk level of the devices being used to access corporate applications and services
The above components can help the organization get started with implementing Zero Trust in its IT environments, while context-aware / conditional IAM technology can tie them all into an effective enforcement layer that brings the potential benefits to fruition in a timely fashion.
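As an added illustration of how the three pillars above feed a context-aware enforcement layer (this is example code written for this article, not Luminate’s or any vendor’s implementation), the following decision function combines the identity provider’s assertion, the MFA state and the endpoint posture with the sensitivity of the requested resource. The sensitivity tiers, the confidence and risk scales and the two policy tables are constructed assumptions; the distinction it makes is that low identity confidence can be repaired on the spot by a step-up MFA prompt, whereas excessive device risk cannot and is a hard deny.

```python
"""Context-aware access decision combining the Zero Trust pillars named in the
article: identity provider, multi-factor authentication and device posture,
weighed against resource sensitivity.

Illustrative policy written for this article; tiers and thresholds are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Tuple


class Sensitivity(Enum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


class Decision(Enum):
    DENY = "deny"
    STEP_UP = "step_up"   # continue only after the user completes MFA
    ALLOW = "allow"


@dataclass(frozen=True)
class AccessContext:
    identity_verified: bool   # the identity provider asserted a valid session
    mfa_satisfied: bool       # a second factor was completed for this session
    device_managed: bool      # device is enrolled in endpoint/mobile management
    device_compliant: bool    # posture check passed (encrypted, patched, agent running)


def identity_confidence(ctx: AccessContext) -> int:
    """0: unknown party, 1: single-factor SSO session, 2: SSO plus second factor."""
    if not ctx.identity_verified:
        return 0
    return 2 if ctx.mfa_satisfied else 1


def device_risk(ctx: AccessContext) -> int:
    """0: managed and compliant, 1: managed but failing posture, 2: unmanaged device."""
    if not ctx.device_managed:
        return 2
    return 0 if ctx.device_compliant else 1


# Constructed policy tables: the minimum identity confidence and the maximum
# device risk tolerated per sensitivity tier. More sensitive data demands both
# stronger proof of identity and a healthier device.
REQUIRED_CONFIDENCE = {
    Sensitivity.PUBLIC: 0,
    Sensitivity.INTERNAL: 1,
    Sensitivity.CONFIDENTIAL: 2,
    Sensitivity.RESTRICTED: 2,
}
MAX_DEVICE_RISK = {
    Sensitivity.PUBLIC: 2,
    Sensitivity.INTERNAL: 2,
    Sensitivity.CONFIDENTIAL: 1,
    Sensitivity.RESTRICTED: 0,
}


def decide(sensitivity: Sensitivity, ctx: AccessContext) -> Tuple[Decision, str]:
    """Return the decision and a one-line reason suitable for an audit log."""
    if sensitivity is not Sensitivity.PUBLIC and not ctx.identity_verified:
        return Decision.DENY, "no asserted identity for a non-public resource"
    risk = device_risk(ctx)
    if risk > MAX_DEVICE_RISK[sensitivity]:
        # Device posture cannot be fixed inside the request, so this fails hard.
        return Decision.DENY, f"device risk {risk} exceeds limit for {sensitivity.name}"
    confidence = identity_confidence(ctx)
    needed = REQUIRED_CONFIDENCE[sensitivity]
    if confidence < needed:
        # Identity confidence can be raised on the spot by a second factor.
        return Decision.STEP_UP, f"confidence {confidence} < {needed}, MFA required"
    return Decision.ALLOW, f"confidence {confidence}, device risk {risk} within policy"


if __name__ == "__main__":
    # Constructed scenarios: one user reaching for a confidential document.
    scenarios = {
        "managed laptop, SSO only": AccessContext(True, False, True, True),
        "managed laptop, SSO + MFA": AccessContext(True, True, True, True),
        "personal tablet, SSO + MFA": AccessContext(True, True, False, False),
    }
    for label, ctx in scenarios.items():
        decision, reason = decide(Sensitivity.CONFIDENTIAL, ctx)
        print(f"{label:28s} -> {decision.value:8s} ({reason})")
```

The reason string returned beside the decision is there deliberately: a context-aware enforcement point should emit enough detail for the SIEM to reconstruct why access was granted, stepped up or refused, otherwise tuning the policy tables later becomes guesswork.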
What do I have to do with this all?
I am the Chief Technology Officer of Luminate Security. Our company offers a flexible, scalable and extensible service called Luminate Secure Access Cloud™. We allow an organization to leverage its investment in Identity Providers, MFA, Endpoint/Mobile Management, SIEM and Configuration Automation tools to build a robust, future-proof Zero Trust Access Platform. This field is gaining increasing attention. Sometimes called Next-Generation Access or Software-Defined Access, it is the glue that ties all the components together, picking up where Identity and Access Management systems complete their function.
In recent years we have gained significant experience from implementing Zero Trust access in global organizations, ranging from mid-size enterprises to Fortune 500 companies. We are happy to share our experience and help our customers move towards a future-proof network security architecture in their hybrid environments, consisting of cloud-based and on-premises assets.
How do we integrate with Google Cloud Platform to create the complete Zero Trust Access solution? Read here.