Identities: Where InfoSec meets Philosophy — and why you care
Or, some questions that both philosophers and InfoSec professionals love, and why you care.
Within the realm of InfoSec, Philosophy is no stranger. Many discussions and subjects within the field touch on themes that go beyond zeros and ones, and dive deep into what’s real, what exists and the nature of (Security) knowledge itself.
More prominently in recent times, I reckon, topics such as personal privacy, data management (the right to be forgotten) and the "digital self" within the Metaverse(!!) are areas where these two otherwise distinct fields intersect.
At the centre of such matters lies a common denominator: an intelligent being, capable of defining what is digital and what is physical. What I mean is, there is always someONE.
The question behind the intersection is, finally: WHO?
A question that has puzzled philosophers for generations, and now puzzles InfoSec defenders too.
- Who am I?
- Who are you?
Such questions are key to philosophy and, by serendipity, also happen to be a command used to reveal an identity on a system:
$ whoami
So then, WHO is behind things? WHO are you, trying to access my network, application or data? And WHO am I, attempting to run a script or a PowerShell command to copy, delete or modify data?
To answer such questions:
Philosophers spend lifetimes, ask wise people, meditate, go and live on mountains looking for themselves, their "self". Some end up writing books, all in an attempt to help themselves and others understand it.
InfoSec, on the other hand, uses tools to define who is behind an access request. At the core of the whole discussion is the capacity to assess a requestor's real identity and to decide whether they should or should not have access to the data they are attempting to reach.
In this article I wish to explore, briefly, modern concepts around Identity and why it is core to modern, Zero Trust-based architectures.
This subject is part of multiple Microsoft certification exams, including (but not limited to):
- SC-300 (Microsoft Identity and Access Administrator)
- SC-900 (Microsoft Security, Compliance, and Identity Fundamentals)
./identity
For the longest time in technology, identification wasn't a problem: there was always someone physically at a location, together with the data. Back then, the perimeter was physical access to the data.
That lasted until 1969, when ARPANET, the forerunner of the internet, came along. From then on, reaching the data became a matter of one electric pulse reaching another machine.
Fast forward 50 years and here we are, dealing with cyber attacks left and right, many of which exploit improper or insufficiently secure handling of a digital identity. That is why we now say that identity is the new perimeter of the data; Microsoft illustrates this in the image below:
Knowing the size of this issue, the industry has to address it. That is why we have Identity and Access Management (IAM) solutions!
What is IAM? Fortinet explains it well:
IAM is a framework of policies, processes, and technologies that enable organizations to manage digital identities and control user access to critical corporate information. By assigning users with specific roles and ensuring they have the right level of access to corporate resources and networks, IAM improves security and user experience, enables better business outcomes, and increases the viability of mobile and remote working and cloud adoption.
IAM solutions include capabilities to:
- Provide Identity (meaning to maintain a user Identity database)
- Authenticate
- Authorize
- Log user activity
./idP
An Identity Provider (IdP for short) is, according to Cloudflare:
a service that stores and verifies user identity. IdPs are typically cloud-hosted services, and they often work with single sign-on (SSO) providers to authenticate users.
There are dedicated IdP solutions that focus on storing identities and verifying them at sign-in (issuing a token the application trusts), while a full IAM solution layers further capabilities on top, such as authorization, identity lifecycle management and activity logging.
./authN
Authentication, also referred to as “AuthN” is where Identity requests are challenged and verified. Microsoft defines it as:
how much does an IT system need to know about an identity to have sufficient proof that they really are who they say they are? It involves the act of challenging a party for legitimate credentials.
./authZ
Authorization, also referred to as "AuthZ", is the act of deciding what an already authenticated user or service is allowed to do with the data. Microsoft defines it as:
(the processing of) incoming identity data to determine the level of access an authenticated person or service has within the application or service that it wants to access.
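To make the four IAM capabilities listed above (identity store, AuthN, AuthZ, activity log) and the AuthN/AuthZ split concrete, here is an added Python sketch of a toy IAM service. It is not code from the original article or from any product named on this page; the users, roles, the (action, resource) policy table, the token lifetime and the PBKDF2 parameters are all constructed for illustration. Note that authentication answers "who are you?" and returns a session token, while authorization takes that token and answers "what may you do?"; the two are separate decisions, and both outcomes are written to the audit log.

```python
"""Toy IAM service: identity store, AuthN, AuthZ and an audit log (illustrative only)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 200_000   # assumed work factor: slow hash so stolen hashes resist cracking
TOKEN_TTL_SECONDS = 900   # assumed session lifetime


@dataclass
class Identity:
    username: str
    salt: bytes
    password_hash: bytes
    roles: set
    enabled: bool = True


@dataclass
class Session:
    username: str
    expires_at: float


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class MiniIAM:
    def __init__(self) -> None:
        self._identities: dict = {}        # 1. identity store
        self._sessions: dict = {}          # issued tokens -> Session
        self.audit_log: list = []          # 4. activity log
        # 3. authorization policy (constructed): (action, resource) -> roles allowed
        self._policy = {
            ("read", "payroll"): {"hr", "admin"},
            ("write", "payroll"): {"admin"},
        }
        # Decoy credential so an unknown username costs the same as a real check
        self._decoy_salt = secrets.token_bytes(16)
        self._decoy_hash = _derive(secrets.token_urlsafe(16), self._decoy_salt)

    def _log(self, event: str, **details) -> None:
        self.audit_log.append({"ts": time.time(), "event": event, **details})

    # --- 1. Provide identity -------------------------------------------------
    def provision(self, username: str, password: str, roles: set) -> None:
        salt = secrets.token_bytes(16)
        self._identities[username] = Identity(username, salt, _derive(password, salt), set(roles))
        self._log("provision", user=username, roles=sorted(roles))

    # --- 2. AuthN: prove WHO you are, get a session token --------------------
    def authenticate(self, username: str, password: str) -> Optional[str]:
        ident = self._identities.get(username)
        # Always run the slow hash, even for unknown users, to avoid timing-based
        # username enumeration; compare in constant time.
        salt, expected = (ident.salt, ident.password_hash) if ident else (self._decoy_salt, self._decoy_hash)
        ok = hmac.compare_digest(_derive(password, salt), expected)
        if ident is None or not ident.enabled or not ok:
            self._log("authn_failure", user=username)
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(username, time.time() + TOKEN_TTL_SECONDS)
        self._log("authn_success", user=username)
        return token

    # --- 3. AuthZ: decide what the proven identity may do --------------------
    def authorize(self, token: Optional[str], action: str, resource: str) -> bool:
        session = self._sessions.get(token or "")
        if session is None or session.expires_at < time.time():
            self._log("authz_denied", reason="no_valid_session", action=action, resource=resource)
            return False
        ident = self._identities[session.username]
        allowed = bool(ident.roles & self._policy.get((action, resource), set()))
        self._log("authz_allowed" if allowed else "authz_denied",
                  user=ident.username, action=action, resource=resource)
        return allowed


if __name__ == "__main__":
    iam = MiniIAM()
    iam.provision("alice", "correct horse battery staple", {"hr"})
    token = iam.authenticate("alice", "correct horse battery staple")
    print("alice may read payroll:", iam.authorize(token, "read", "payroll"))
    print("alice may write payroll:", iam.authorize(token, "write", "payroll"))
    for entry in iam.audit_log:
        print(entry)
```

A real IAM product replaces the in-memory dictionaries with a directory, the password check with MFA or federation to an IdP, and the policy table with RBAC or conditional access, but the shape of the decision is the same: identify, authenticate, authorize, log.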
./IAMsolutions
When it comes to IAM solutions out there, among the most widely used are:
- Azure Active Directory (now Microsoft Entra ID)
- Auth0
- CyberArk
./conclusion
Validating identities is essential to ensuring a secure environment, and only by employing robust, modern authentication methods can this be achieved. IAM solutions exist to help with this daunting task.
Bear in mind that IAM is the tip of a larger Zero Trust solution set. Once an identity is validated and access granted, other controls take over to enforce the relevant security policies on the device, the data and the traffic.
It is worth deciding on your strategy up front, preferably a platform-based, integrated approach; Microsoft's wider portfolio is one such platform capable of enforcing Zero Trust end to end.
Follow me on Twitter: Camillo (@iamcamillo)
Learn more about my Cloud and Security Projects:
Web: www.cloudnsec.com
Listen: bit.ly/cloudnsecspotify
Watch: bit.ly/cloudnsecyoutube
./references
Scattered throughout the document.
Define Identity as the primary security perimeter (Microsoft Learn)