<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[Stories by Cloudentity on Medium]]></title>
        <description><![CDATA[Stories by Cloudentity on Medium]]></description>
        <link>https://medium.com/@gabe_14883?source=rss-b77c1f7be885------2</link>
        <image>
            <url>https://cdn-images-1.medium.com/fit/c/150/150/1*dmbNkD5D-u45r44go_cf0g.png</url>
            <title>Stories by Cloudentity on Medium</title>
            <link>https://medium.com/@gabe_14883?source=rss-b77c1f7be885------2</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Sun, 17 May 2026 19:15:15 GMT</lastBuildDate>
        <atom:link href="https://medium.com/@gabe_14883/feed" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[Press Release: Cloudentity and Signal Sciences Join Forces to Provide a Comprehensive Approach to…]]></title>
            <link>https://medium.com/cloudentity/press-release-cloudentity-and-signal-sciences-join-forces-to-provide-a-comprehensive-approach-to-54b44d10f4ac?source=rss-b77c1f7be885------2</link>
            <guid isPermaLink="false">https://medium.com/p/54b44d10f4ac</guid>
            <category><![CDATA[information-technology]]></category>
            <category><![CDATA[information-security]]></category>
            <category><![CDATA[devops]]></category>
            <dc:creator><![CDATA[Cloudentity]]></dc:creator>
            <pubDate>Thu, 13 Feb 2020 14:24:01 GMT</pubDate>
            <atom:updated>2020-03-25T22:13:06.608Z</atom:updated>
<content:encoded><![CDATA[<h3>Press Release: Cloudentity and Signal Sciences Join Forces to Provide a Comprehensive Approach to API Security</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/0*liuy_iLG3LMI-FKI.png" /></figure><p><strong>Seattle, WA February 13, 2020</strong> — <a href="https://cloudentity.com/">Cloudentity</a> today announced a partnership with <a href="https://www.signalsciences.com/">Signal Sciences</a>, the world’s fastest growing web application security company, to provide a holistic approach for enterprise companies looking to secure their web applications and APIs. By combining Signal Sciences’ award-winning next-gen <a href="https://www.signalsciences.com/products/waf-web-application-firewall/">Web Application Firewall</a> (WAF) with Cloudentity’s expertise in API Identity and Authorization, enterprise customers can protect themselves from major cyber security risks, including all 10 of the most critical risks in API security as published by the Open Web Application Security Project (OWASP).</p><p><strong>Visit Cloudentity and </strong><a href="https://www.signalsciences.com/about-us/events/"><strong>Signal Sciences</strong></a><strong> (Booth #461) at RSA on February 24–28, 2020 in San Francisco to learn more. 
For more information, visit </strong><a href="https://www.signalsciences.com/blog/rsa-conference-2020-human-element/"><strong>https://www.signalsciences.com/blog/rsa-conference-2020-human-element/</strong></a></p><p>A recent report published by Gartner* found that “by 2023, over 50% of B2B transactions will be performed through real-time APIs versus traditional approaches, which today make up over 80% of B2B transactions.” We believe this increased reliance on APIs has not only allowed for greater efficiencies but has added complexity and risk to most organizations.</p><p>“We saw a massive increase in API attacks during 2019 and know that as customers adopt the API economy as part of their Digital Transformation efforts, API abuse will be the most common attack vector for data breaches and hacks,” said Nathanael Coffing, Co-Founder and Chief Strategist of Cloudentity. “By partnering with best-in-class companies like Signal Sciences, our customers are prepared for this future.”</p><p>“As a key component of business innovation and software development, the importance of incorporating API security into any strategic security plan cannot be overstated,” said Zane Lackey, CSO and Co-Founder of Signal Sciences. 
“The combination of Signal Sciences and Cloudentity provides a powerful end-to-end solution to help companies effectively protect their APIs and mitigate the latest attacks.”</p><p><strong>About Cloudentity</strong></p><p>Cloudentity’s Authorization Control Plane and MicroPerimeter™ provide unparalleled API visibility and protection at scale, complementing Signal Sciences’ next-gen WAF in cloud-native and traditional application architectures, providing an integrated risk-based approach to API security and governance.</p><p><a href="https://cloudentity.com/">Cloudentity</a> is a privacy-first Customer Identity and Access Management (CIAM) platform focused on providing the right people the right data at the right time and place. This is done through powerful, cloud-native identity and access control microservices that integrate quickly, seamlessly, and efficiently into an organization’s existing hybrid or cloud architecture. Cloudentity’s API MicroPerimeter™ provides in-depth visibility, protection, and policy enforcement at the API level, securing web applications from malicious attacks.</p><p>For more information visit <a href="https://cloudentity.com/">Cloudentity.com</a> or connect on LinkedIn at <a href="http://www.linkedin.com/company/cloudentityteam/">www.linkedin.com/company/cloudentityteam/</a></p><p>* <em>Gartner, “Critical Capabilities for Full Life Cycle API Management”, Mark O’Neill, Paolo Malinverno, Aashish Gupta, 21 October 2019</em></p><p><strong>About Signal Sciences</strong></p><p>Signal Sciences is the fastest growing web application security company in the world. 
With its award-winning <a href="https://cts.businesswire.com/ct/CT?id=smartlink&amp;url=https%3A%2F%2Fwww.signalsciences.com%2Fwaf-web-application-firewall%2F&amp;esheet=51935790&amp;newsitemid=20190205005302&amp;lan=en-US&amp;anchor=next-gen+WAF&amp;index=23&amp;md5=6cb417b602c9923245fb6963fd16e82d">next-gen WAF</a> and solution, Signal Sciences protects more than 32,000 applications and over a trillion production requests per month. Signal Sciences’ patented architecture provides organizations working in a modern development environment with comprehensive and scalable threat protection and security visibility. The company works with some of the <a href="https://cts.businesswire.com/ct/CT?id=smartlink&amp;url=https%3A%2F%2Fwww.signalsciences.com%2Fcustomers%2F&amp;esheet=51935790&amp;newsitemid=20190205005302&amp;lan=en-US&amp;anchor=world%27s+most+recognizable+companies&amp;index=25&amp;md5=cf6fc271cbf348020f2778bcb0db572d">world’s most recognizable companies</a>, like Under Armour, Aflac and WeWork, across industries, including five of the top ecommerce companies, five of the largest software companies, in addition to many others in the financial services, retail, healthcare, media and entertainment, and government sectors. Signal Sciences is also the recipient of <a href="https://www.infoworld.com/article/3251828/infoworlds-2018-technology-of-the-year-award-winners.html#slide24">InfoWorld’s Technology of the Year</a> and <a href="https://events.computing.co.uk/devopsexcellence/static/2018-winners">Computing’s DevOps Excellence Award for Best DevOps Security Tool</a>. 
For more information, visit <a href="https://cts.businesswire.com/ct/CT?id=smartlink&amp;url=https%3A%2F%2Fwww.signalsciences.com%2F&amp;esheet=51935790&amp;newsitemid=20190205005302&amp;lan=en-US&amp;anchor=Signal+Sciences&amp;index=26&amp;md5=b7d68c4ce7e8a15389330e98e54c1f64">Signal Sciences</a> or follow <a href="https://twitter.com/signalsciences">@SignalSciences</a>.</p><p>SOURCE: Cloudentity Inc.</p><p>To learn more, read how it works here: <a href="https://cloudentity.com/signal-sciences/">https://cloudentity.com/signal-sciences/</a></p><p><em>Originally published at </em><a href="https://cloudentity.com/press-release-cloudentity-and-signal-sciences-join-forces-to-provide-a-comprehensive-approach-to-api-security/"><em>https://cloudentity.com</em></a><em> on February 13, 2020.</em></p><hr><p><a href="https://medium.com/cloudentity/press-release-cloudentity-and-signal-sciences-join-forces-to-provide-a-comprehensive-approach-to-54b44d10f4ac">Press Release: Cloudentity and Signal Sciences Join Forces to Provide a Comprehensive Approach to…</a> was originally published in <a href="https://medium.com/cloudentity">Cloudentity</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Dynamic Data Sharing Agreements and Progressive Consent]]></title>
            <link>https://medium.com/cloudentity/dynamic-data-sharing-agreements-and-progressive-consent-7ee1fdc463b8?source=rss-b77c1f7be885------2</link>
            <guid isPermaLink="false">https://medium.com/p/7ee1fdc463b8</guid>
            <category><![CDATA[privacy]]></category>
            <category><![CDATA[information-security]]></category>
            <dc:creator><![CDATA[Cloudentity]]></dc:creator>
            <pubDate>Tue, 26 Nov 2019 05:33:51 GMT</pubDate>
            <atom:updated>2020-03-25T22:15:57.239Z</atom:updated>
<content:encoded><![CDATA[<p>Consumers are increasingly demanding that companies become more thoughtful with their privacy and data. The fact that companies like Facebook have failed to put proper safeguards on “who sees what when” has created an increase in consumer data protection laws driven by the very subjects of that data — people.</p><p>Of course, it’s almost impossible for consumers to understand what they have granted access to — data sharing agreements are nested within current agreements that are already impossible to interpret. These issues are driving consumer data privacy to the forefront of every business conversation.</p><p>In fact, Gartner says that the concept of “Privacy-First” is becoming as important as other socially responsible labels such as organic or animal cruelty labeling.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/974/0*PY1ZYuSiXUe19IZ1.png" /></figure><p>Regulations such as GDPR, Open Banking and CCPA all require a level of <em>dynamic</em> data sharing that is critical to how companies use data. That is, a single click (like friending someone on Facebook) can no longer grant broad access to other people and organizations in perpetuity. Consumers, and the regulations that enforce these consumer desires, need to be able to know explicitly who gets to see their data, how it will be used, and for how long.</p><p>Dynamic privacy involves consent and enforcement — a third-party application needs to be granted consent by the consumer, managed by the CIAM system, and that consent needs to be consumed and enforced.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/520/0*1koDMEw05nWpwYnV.png" /></figure><p>Let’s say the consumer wants to share data from their bank with our fictional “Financroo” finance application. 
The consumer grants this permission in the trusted CIAM system — it’s not simply a matter of handing over <em>all</em> access to the consumer’s account, but of letting the consumer choose what data will be made available to the application and for how long.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/622/0*tx_IAt4U9S5R7VRM.png" /></figure><p>Note that the consumer is given options for fine-grained access: the app can see the profile and account information for a credit card, for example, but it cannot initiate payments. Even more importantly, the consent has an expiration date — access shouldn’t be granted forever (as we often forget we even granted it), and the consumer should be able to specify when that access will be revoked automatically.</p><p>Then even finer-grained consent for individual accounts can be applied, creating finer and finer-grained access based on the intent of the consumer’s interaction with the application.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/541/0*wUJv80GUOaFeZovh.png" /></figure><p>The Banking API administrator should be able to interact with the available permissions, not only adding required and optional data that can be shared but also adding and describing the risk in certain kinds of grants to help the consumer understand the risks before granting access to third parties.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/968/0*iGCg0tSAKEDCUZxl.png" /></figure><p>Now the app gets a new token and is able to connect to the banking API within the constraints provided by the CIAM Privacy service. 
Rather than giving an app broad access, this separation of responsibilities (the 3rd-party application, CIAM service, and secure banking services) limits exposure to the specific data that the consumer has explicitly granted access to, limits how long that access is granted for, and consolidates control in the consumer’s hands.</p><p>And it’s not just that the consumer has granted access — we also have to take into account when consumers revoke consent. Because the enforcement is aware of the changes in real time, the revocation is as simple and seamless as granting access.</p><p>At the end of the day, consent isn’t just a yes/no gate; it’s a series of interactions that consider the intent of the application, the privacy of the consumer, and the changing nature of the relationship, and that can be easily enforced in distributed environments and multi-cloud ecosystems. We live in a dynamic, changing world and the tools we use to interact with that world need to be able to keep up with that change.</p><p><em>Originally published at </em><a href="https://cloudentity.com/dynamic-data-sharing-agreements-and-progressive-consent/"><em>https://cloudentity.com</em></a><em> on November 26, 2019.</em></p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[OAuth at 100, 200…500k flows per second and Beyond]]></title>
            <link>https://medium.com/cloudentity/oauth-at-100-200-500k-flows-per-second-and-beyond-1fc8af85f616?source=rss-b77c1f7be885------2</link>
            <guid isPermaLink="false">https://medium.com/p/1fc8af85f616</guid>
            <category><![CDATA[oauth]]></category>
            <category><![CDATA[authentication]]></category>
            <category><![CDATA[information-security]]></category>
            <category><![CDATA[api]]></category>
            <dc:creator><![CDATA[Cloudentity]]></dc:creator>
            <pubDate>Thu, 21 Nov 2019 00:19:00 GMT</pubDate>
            <atom:updated>2020-03-25T22:15:45.842Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/438/0*aAN7x_oR8BZyo3UF.png" /></figure><p>OAuth and OIDC have become the center point of any API and Identity infrastructure. OAuth2 created a framework allowing every user, device, person, service and thing to support their own distributed means of delegated authorization using a combination of scopes and grants. From smart speakers to connected cars, OAuth and APIs connect everything in the modern world providing a common sinew for interconnectivity and must be secured.</p><p>In doing so the industry has put developers into the middle of the security discussion exposing a major shortcoming of legacy IAM providers and API Gateways even while they promote their latest version(s) shouting “future-proof “and “modernization” from the rooftops.</p><p>Due to the adoption of the standard and the availability of OAuth clients, the requirements for OAuth servers has changed drastically. No longer are a few simple flows, long lived sessions or opaque tokens sufficient.</p><p><strong>Instead,</strong> OAuth servers must: <strong>Scale massively.</strong> <br> At Cloudentity we’ve had a dozen new customers approach us with OAuth token minting needs ranging from 100,000 flows per second all the way up to a half million and that’s for today’s loads. 
(Black Friday anyone?)</p><p>The monolithic vendors release specs (when they’re willing to) that show, under the most ideal conditions, on their extra-large platforms, under the most ideal scenarios and not running any other functions, 4000 flows per second with significant latency (caused by LDAP, garbage collection and inefficient API calls) that drives customer loss.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1000/0*qPaip8eqq918ojOT.png" /></figure><p><strong>Provide Multi-Tenancy</strong> <br> Businesses are set up to leverage common services with common security mechanisms and standardized methods of approaching authorization and privacy data. Delegated Administration is no longer a nice-to-have but a <strong>must</strong> as companies create new platforms for engaging with their partners, customers and even internal business units.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*s9LgS9yocbrBm3Y8.png" /></figure><p><strong>Engage Developers to enable DevSecOps</strong> <br> Providing a multi-tenant developer portal is Step One for OAuth service/client onboarding. Other key aspects include a robust set of extensible APIs and microservices to support the services they are building. Then it’s important to make their jobs easier by reducing the amount of code they need to create. 
Offloading authorization, privacy and consent management, and sensitive data usage, and providing everything in a very succinct “authorization as code” interface gives developers the functions they need to bring products to market faster and more securely without having to learn the intricacies of OAuth, LDAP, SCIM, SAML or compliance requirements like CCPA and GDPR.</p><p><strong>Provide Scope and Policy Governance</strong></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*K_DSFocM2FKLhjqx.png" /></figure><p>Given the sensitivity of the data APIs are moving between businesses, customers and partners, and the global regulatory environment, it’s no longer permissible to allow every development team to build its own solutions. This leads to scope propagation, with no understanding of how sensitive data flows between APIs or of what authorization policies are protecting them, and when. Providing real-time security and governance updates to the CISO and Data Privacy Officer has become a hard requirement, and commonizing that across internal and external development teams is the exact reason CIAM.next was built.</p><p>The days of compromise in your OAuth and security solutions are over. It’s no longer a decision of whether to shut off security controls, increase token duration or utilize one-off approaches for managing sensitive data with scopes and grants.</p><p><strong>Deploy on our cloud or yours</strong> <br> <a href="https://cloudentity.com/identity-management/">CIAM.next</a> approached it differently, using stateless microservices and APIs to build a multi-cloud authorization control plane. 
Our goal from its inception was planet scale: simplifying the developer experience, externalizing authorization and adding governance in a manner that provides distributable identity microservices that work in concert with your distributed apps, APIs, microservices and functions.</p><p><em>Originally published at </em><a href="https://cloudentity.com/oauth-at-100-200-500k-flows-per-second-and-beyond/"><em>https://cloudentity.com</em></a><em> on November 21, 2019.</em></p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Securely Modernizing traditional applications into multi-cloud aware services using CIAM.next]]></title>
            <link>https://medium.com/cloudentity/securely-modernizing-traditional-applications-into-multi-cloud-aware-services-using-ciam-next-67929fefb4f7?source=rss-b77c1f7be885------2</link>
            <guid isPermaLink="false">https://medium.com/p/67929fefb4f7</guid>
            <category><![CDATA[identity-management]]></category>
            <category><![CDATA[authentication]]></category>
            <category><![CDATA[api]]></category>
            <category><![CDATA[information-security]]></category>
            <dc:creator><![CDATA[Cloudentity]]></dc:creator>
            <pubDate>Wed, 13 Nov 2019 01:30:37 GMT</pubDate>
            <atom:updated>2020-03-25T22:15:28.205Z</atom:updated>
<content:encoded><![CDATA[<h3>Securely Modernizing traditional applications into multi-cloud aware services using CIAM.next &amp; HashiCorp Consul</h3><p>Organizations are developing and deploying distributed services across the hybrid cloud and are facing four major issues, which we will be addressing in this two-part series.</p><ol><li>Bridging traditional and cloud-native API services with identity-centric security and request routing</li><li>A standardized approach for authorization and sensitive privacy data security in cloud-first organizations</li><li>Meeting compliance standards for authorization and privacy during the transition to cloud-first services</li><li>Declarative API access control, a DevSecOps model for simplifying developer usage of identity, authorization and delivery</li></ol><p><strong>Identity-centric security and request routing for hybrid cloud services<br> </strong>The first step for addressing security, authorization and privacy in hybrid cloud infrastructures is updating the notion of identity. Forward-looking organizations are moving past the “futureproof &amp; modernization” marketing strategies of legacy identity providers and realizing that the underlying data model of user-centric identity platforms wasn’t designed for the cloud-native world. Thus, step one is to envelop the traditional user-centric IAM products in a model that creates identities for every entity: user, service, device &amp; data.</p><p>The new baseline provides the ability for every service, user, persona and device to assume its own unique identity, and to manage access for those identities in a singular Identity &amp; Authorization Control Plane. 
Accomplishing this drastically simplifies and standardizes other infrastructure issues like service discovery, service registry and secret storage for organizations leveraging platform-agnostic multi-cloud architecture.</p><p>Most companies approach the process of modernizing legacy application and Identity platforms with cloud-native microservices in a gradual lift-and-shift process.</p><p>The following diagram details how the Authorization Control Plane applies consistent identity, authorization and audit across traditional and microservice-based services, immutably maintaining API security, data-level permissions/consent and GDPR/CCPA/NYDFS compliance on any workload during the application decomposition and microservice adoption process.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*sMd3HFuDZmZc-sFr.png" /></figure><p><strong>Authorization Control Plane: HashiCorp Consul &amp; CIAM.next<br> </strong>The journey starts by creating service identities for microservices and legacy apps using Consul and CIAM.next MicroPerimeter™ security. This prepares apps to join the Authorization Control Plane by adding service identity, instrumentation, inspection and declarative authorization to the workload.</p><p>This creates a declarative security layer that provides granular endpoint-level access control by externalizing authorization for networking, securing the communication channel via TLS, and delivering standards-based (FIDO/OAuth/OIDC) authentication and privacy-based data attribute authorization, all in a very lightweight package (&lt;10Mb) with sub-millisecond latency.</p><p><strong>Step One Vault &amp; MicroPerimeter™ — Bootstrap the service identity<br> </strong>In order to properly apply identity and microservice-specific authorization/audit policies, the MicroPerimeter™ generates a secure identity through Vault for the application. 
To avoid code changes, the service itself is not involved in the process of obtaining identity, nor is it required to be aware of its identity. The MicroPerimeter™ and Vault work together to assign the SPIFFE-compliant identity to a protected service and manage its certificate request and storage.</p><p>The identity assignment process differs slightly depending on the service architecture, although the high-level flow is virtually the same. The diagram below illustrates the process.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*6qhPmG3HFtwv6A7h.png" /></figure><p>More details on the Vault &amp; Cloudentity integration can be found here: <a href="https://docs.microperimeter.cloudentity.com/concepts/microperimeter_security/functionality/identity_bootstrapping/">https://docs.microperimeter.cloudentity.com/concepts/microperimeter_security/functionality/identity_bootstrapping/</a></p><p>The key generated per application instance, provided by Vault, is used for several aspects of MicroPerimeter™ functionality including:</p><ul><li>Cryptographically enforcing the identity of the service based on its SPIFFE ID</li><li>Securing mTLS communication utilizing TLS v1.3</li><li>Digitally signing the audit/access logs</li><li>Signing the service and identity context fingerprints used for declarative authorization and PII permissions/consent evaluation</li></ul><p><strong>Step Two: Consul and Declarative Authorization provide the interconnect</strong></p><p>Once a service (micro or traditional) has a Vault-assigned SPIFFE identity, it’s far easier to properly configure that service with the relevant networking, authorization, authentication and audit policies from Consul. 
This is a fundamental reconsideration of how to address coarse- and fine-grained authorization, with a design that allows for both policies and policy decision points to be distributed to the edge of the service, enhancing performance, security and latency.</p><p>Authorization policies are crafted in a centralized policy administration point with delegated administration to provide inheritable drag-and-drop policy creation. The User Interface allows linking of different policy types together while creating authorization as code. Consul acts as the storage and distribution mechanism for these policies, ensuring they are available across multiple clouds. This promotes the move from the static approve/deny authorization paradigm of the last few decades into very dynamic and fluid authorization flows utilizing run-time attributes and temporal relationships for authorization decisions externalized from the service.</p><p><strong>Declarative Authorization: Immutable Policies as Code<br> </strong>The key to authorization in a multi-cloud world comes directly out of the immutable services playbook. Authorization in a microservices world can no longer be modeled after the traditional monolithic Web access management (WAM) or API Gateway approach of applying authorization at defined ingress points. Authorization has been forced to mature in two major ways. First, authorization must be performed at both the ingress AND egress of the service itself. Secondly, authorization must be provided as immutable code, in the same way infrastructure is in a cloud-native world.</p><p>The example below is a real-world example of the Consul-distributed policies for the distributed policy decision points. 
The example shows how networking, OAuth and identity, fine-grained attribute-based and consent-evaluation policies for PII data access provide the security nexus, allowing transactions to be evaluated at the distributed edge of the service instead of in a centralized gateway.</p><p>Consul stores all of these authorization policy types as code, allowing developers to utilize the same security policies during development, sample the app using canary routing and then deploy into production — all distributed via the Consul control plane to the workload. Immutable distributed security attached to the distributed API endpoint.</p><p><strong>Policies Attached to the service’s API endpoint</strong></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/850/0*QifVpZIrBi_ZAU1t.png" /></figure><p><strong>Policies Defined in Consul</strong></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*Ds8HK5m2jdYp3XRd.png" /></figure><p>When authorization policies are tied to workloads and endpoints, Identity and API access control remains consistent from development to the final push into production. The security teams are able to define and create policies centrally through the UI, and then development teams inherit those policies during the DevOps process. 
In doing so, security teams gain visibility and centralized management, and developers automatically adhere to corporate policies for PII privacy data management, authentication, authorization and audit.</p><p>With distributed enforcement, API endpoints are protected by the policies regardless of the application type (legacy vs. microservices), hosting location (public cloud, private cloud, datacenter) or where they are instantiated.</p><p>Figure 1: Visual design.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*NeO8zgobLivdgoGn.png" /></figure><p>Figure 2: JSON representation</p><p>Combining the service identity with Consul-based declarative configuration for authorization and access policies enables the creation of the next generation of DevSecOps pipeline, which can be utilized to fully automate authentication, authorization, access control, as well as API publishing rules in your IT infrastructure.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*S16Hlg4GF9odBAlp.png" /></figure><p>Join us next week for the second part in this blog series, 
which covers using Vault and CIAM.next to bring privacy data analysis, secret management and API governance into the hybrid-cloud ecosystem.</p><p><em>Originally published at </em><a href="https://cloudentity.com/securely-modernizing-traditional-applications-into-multi-cloud-aware-services-using-ciam-next-hashicorp-consul/"><em>https://cloudentity.com</em></a><em> on November 13, 2019.</em></p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Cloudentity Releases CIAM.next,]]></title>
            <link>https://medium.com/cloudentity/cloudentity-releases-ciam-next-7cdd4c8d2a27?source=rss-b77c1f7be885------2</link>
            <guid isPermaLink="false">https://medium.com/p/7cdd4c8d2a27</guid>
            <category><![CDATA[identity]]></category>
            <category><![CDATA[information-security]]></category>
            <category><![CDATA[information-technology]]></category>
            <dc:creator><![CDATA[Cloudentity]]></dc:creator>
            <pubDate>Wed, 06 Nov 2019 02:07:12 GMT</pubDate>
            <atom:updated>2020-03-25T22:13:44.280Z</atom:updated>
            <content:encoded><![CDATA[<h3>Cloudentity Releases CIAM.next, a Microservices Based Consumer Identity Access Management Platform for Privacy, Consent, and Security</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/800/0*WO8ix9rJ1Tbg5E7Y.png" /></figure><p>CIAM.next is designed for zero-trust security by integrating Identity Access Management with consumer-focused progressive consent enforcement for legacy and hybrid cloud applications.</p><p>FOR IMMEDIATE RELEASE</p><p><strong>SEATTLE</strong>, November 05, 2019 — Cloudentity’s new CIAM.next platform provides a generational shift in the consumer identity and access management market. It features a privacy-first platform built specifically for enterprises to enable strong data security while reducing the time IT development staff spend on managing security systems.</p><p>Intelligent and continuous authentication and authorization allow organizations to build secure hybrid-cloud applications leveraging open standards and microservices that enforce security policies on a transactional basis. The cloud-native CIAM.next platform helps customers protect billions of transactions with a focus on authorization as the security control plane.</p><p>“Privacy and data security technologies have not kept pace with the growing demands of consumers to control their own data,” said Cloudentity CEO Jasen Meece. “Cloudentity is solving the authorization problem in hybrid cloud environments with progressive consent tied to consumer choice.”</p><p>CIAM.next combines secure identity interactions between users, services and things with Cloudentity’s policy enforcement tools at the API level. 
With centralized policy management and distributed security enforcement, the platform meets the hyper-scale and performance requirements of today’s global enterprises.</p><p>Features of the CIAM.next platform include:</p><ul><li><strong>Customizable User Journey: </strong>Cloudentity provides the first dynamic user journey with a fully configurable UI and CIAM.next’s microservice architecture, building registration and privacy data flows with a drag-and-drop process to easily enhance the user experience.</li><li><strong>“Bring your Own IDP” Identity management: </strong>The platform allows a user to combine identities from multiple upstream providers, such as legacy IDPs or modern social logins, generating a uniform source of truth to inform security policies.</li><li><strong>Multi Organizations/Delegated Admin: </strong>Modern organizations require the ability to quickly roll out new business processes via B2C, B2B2C and B2B2P relationships. CIAM.next allows segmentation of administrative responsibility, security policies, privacy management and risk governance, all to mitigate the risk of data overexposure.</li><li><strong>Passwordless Login and MFA: </strong>CIAM.next supports a range of MFA tools out of the box, including two types of passwordless login and a “bring your own MFA” model, which are tightly integrated with Cloudentity’s API security. 
This simultaneously allows for more security and convenience for the consumer.</li><li><strong>Enhanced Identity and Enforcement: </strong>The platform supports industry standards such as SAML, OAuth and OIDC, and when coupled with Cloudentity’s API security tools, it provides out-of-the-box support for granular security policies that protect application entitlements and individual customers.</li><li><strong>360° Audit: </strong>Combining CIAM data with policy enforcement data allows for end-to-end transaction logging, providing a clearer view to help refine security before a breach occurs, and providing more visibility and a tamper-proof audit trail when evaluating a breach.</li></ul><p><strong>What our partners are saying:<br> </strong>“This is the most advanced CIAM solution for the cloud, with a true microservices enabled CIAM platform that delivers incredible value and powerful protection with a cost-effective secure solution,” said Jeremy Rohrs, vice president at SecZetta. “We are excited to offer our customers this industry-leading platform for effective and efficient external authorization.”</p><p>Toby Emden, Managing Director at Edgile, said, “Over the past couple of years, we have seen exponential growth in client adoption of microservice-based applications, zero-trust architectures and CIAM. These trends are forcing identity professionals to view IAM very differently than in the past and devise radical new strategies for serving an increasingly complex client base.”</p><p>He goes on to say, “Cloudentity has anticipated this paradigm shift and developed an innovative approach to help organizations navigate today’s rapidly evolving identity landscape. 
Their API-centric, consumer-focused approach to securing APIs, sensitive data assets, Internet-connected devices and PII is unique in how they view the need for next-gen identity architectures.”</p><p>A complimentary demo of Cloudentity’s CIAM.next solution is available at <a href="https://cloudentity.com/">cloudentity.com</a>. The company will also showcase the platform’s latest features in the Cloudentity hospitality suite on November 12 at TechVision Research Chrysalis, <a href="https://techvisionresearch.com/">techvisionresearch.com</a>.</p><p><strong>About Cloudentity</strong><br> <a href="https://cloudentity.com">Cloudentity</a> is a privacy-first Customer Identity and Access Management platform. We secure, identify, and authorize users, services and things that need access to personally identifiable data and keep out those who should not have access. We do this with powerful, cloud-native identity and access control microservices that integrate quickly, seamlessly, and efficiently into an organization’s existing hybrid or cloud architecture. We provide in-depth visibility, protection and policy enforcement at the API level.</p><p>For more information visit <a href="https://cloudentity.com/">Cloudentity.com</a> or connect on LinkedIn at <a href="http://www.linkedin.com/company/cloudentityteam/">www.linkedin.com/company/cloudentityteam/</a>.</p><p><strong>About SecZetta</strong><br> SecZetta is a leading provider of non-employee identity risk and lifecycle management software solutions. Companies work with SecZetta to gain full visibility and control of all their people, employees and non-employees alike. 
We make sure companies have an Identity Governance &amp; Administration program that delivers business value while protecting data and applications.</p><p>For more information visit <a href="https://seczetta.com/">seczetta.com</a>.</p><p><strong>About Edgile</strong><br> Edgile is the trusted cyber risk and regulatory compliance partner to the world’s leading organizations, providing consulting, managed services, and harmonized regulatory content. Our strategy-first model optimizes on-premises and cloud programs, IAM, GRC, and cybersecurity. By transforming risk into opportunity, we secure the modern enterprise through solutions that increase business agility and create a competitive advantage for our clients.</p><p>For more information visit <a href="https://edgile.com/">www.edgile.com</a>.</p><p><strong>Media Contact:<br> </strong>Amie Johnson for Cloudentity<br> (206) 299-1112<br> <a href="mailto:press@cloudentity.com">press@cloudentity.com</a></p><p><strong>Social Media Links:</strong></p><p><a href="https://www.linkedin.com/company/cloudentityteam">https://www.linkedin.com/company/cloudentityteam</a><br> <a href="https://www.instagram.com/cloudentityTEAM/">https://www.instagram.com/cloudentityTEAM/</a><br> <a href="https://www.youtube.com/channel/UCZZDuJKmqSHGi29KJcX-_fA/">https://www.youtube.com/channel/UCZZDuJKmqSHGi29KJcX-_fA/</a></p><p><em>Originally published at </em><a href="https://cloudentity.com/press-release-ciam-next/"><em>https://cloudentity.com</em></a><em> on November 6, 2019.</em></p><hr><p><a href="https://medium.com/cloudentity/cloudentity-releases-ciam-next-7cdd4c8d2a27">Cloudentity Releases CIAM.next,</a> was originally published in <a href="https://medium.com/cloudentity">Cloudentity</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Press Release: Integris Software Partners with Cloudentity to Launch Industry-First Automated Data…]]></title>
            <link>https://medium.com/cloudentity/press-release-integris-software-partners-with-cloudentity-to-launch-industry-first-automated-data-a910f6a764f0?source=rss-b77c1f7be885------2</link>
            <guid isPermaLink="false">https://medium.com/p/a910f6a764f0</guid>
            <category><![CDATA[privacy]]></category>
            <category><![CDATA[gdpr]]></category>
            <category><![CDATA[information-security]]></category>
            <dc:creator><![CDATA[Cloudentity]]></dc:creator>
            <pubDate>Thu, 31 Oct 2019 19:00:10 GMT</pubDate>
            <atom:updated>2020-03-25T22:13:35.063Z</atom:updated>
            <content:encoded><![CDATA[<h3>Press Release: Integris Software Partners with Cloudentity to Launch Industry-First Automated Data Privacy and Security Solution For API-based Services</h3><p>Combined Solution Provides Ability to Identify, Track and Secure Data At-Rest and In-Motion, to help Ensure the Integrity of Data Sharing Agreements</p><p><strong>SEATTLE </strong>— October 30, 2019 — Cloudentity and Integris Software have formed a partnership to deliver the industry’s first solution to address the data privacy and security requirements of compliance and modern API-based services. Together, the companies have set a new standard for visualizing where personal data is stored, which applications are accessing that data, and whether the customer has granted consent.</p><p>The combined solution provides enterprises with the ability to identify, track and secure data at-rest and in-motion. Privacy and security need to be integrated to deliver complete data protection. Integris Data Privacy Automation discovers what data is important and why, enabling Cloudentity to be precise in its security and policy controls.</p><p>“The data that flows between business entities must be protected with better security and privacy controls,” said Nathanael Coffing, Founder, Cloudentity. “Our partnership with Integris allows organizations to intelligently protect personal identifiable information stored in any environment, including the cloud. Businesses use API-based transactions to exchange consumer data. We protect APIs and transactions by authorizing the exchange of privacy information at a granular level. Our partnership is a next-generation consumer consent and privacy-aware microservice-firewall.”</p><p>Companies are constantly purchasing or exchanging data in order to build better customer profiles or complete a transaction. 
In a recent <a href="https://integris.io/data-privacy-maturity-study-2019/">Integris Software Data Privacy Maturity Study</a> of mid-size and large enterprises, 40 percent of respondents had 50 or more data sharing agreements (e.g., Cambridge Analytica) in place.</p><p>“Companies are being inundated with personal data. A single bank transaction might get replicated across a hundred data repositories and involve dozens of applications,” said Drew Schuil, vice president of Global Business Development and EMEA Operations for Integris Software. “In this environment, manual checks on privacy, security, and customer consent reach the breaking point. We are honored to partner with Cloudentity to help businesses solve this challenge, protect their data collections, and ensure compliance with privacy regulations.”</p><p>The joint solution provides the foundation for complying with the California Consumer Privacy Act (CCPA) and other US state privacy laws, as well as international laws including Europe’s General Data Protection Regulation (GDPR).</p><p><strong>Key capabilities of the joint solution include the ability to:</strong></p><ul><li>Discover, monitor, and protect personal information as it’s shared across an organization’s internal, partner, and consumer app ecosystems</li><li>Ensure that data sharing contracts align with live data repositories and API application access, whether by a user, third-party app, or system</li><li>Automate privacy and security checks on data at-rest, and in-motion when used in a business transaction</li><li>Demonstrate the assurance of safe PII data, and access and authorization policies related to personal information for compliance</li></ul><p>A webcast on <em>How to Solve CCPA and GDPR’s Toughest Compliance Mandates</em> takes place on November 20, 2019. 
Register here: <a href="https://integris.io/cloudentity-webinar/">https://integris.io/cloudentity-webinar/</a></p><p>Key takeaways for data, privacy and information systems professionals will include:</p><ul><li>How to solve CCPA and GDPR’s toughest compliance issues (inferred data, right to deletion, right to opt-out, and disclosure obligations) within complex IT environments</li><li>Key challenges and best practices on how to create, monitor, and enforce API contracts</li><li>Why data privacy and fulfilling data subject requests are now a big data problem and how to solve it (4 recommendations plus the one thing you should never do)</li><li>How to support the new realities of ‘continuous consent’ and the evolving nature of personal information privacy</li></ul><p>In addition to its new partnership with Cloudentity to integrate privacy and security solutions, Integris Software also recently announced the <a href="https://integris.io/integris-software-launches-partner-program/">Integris Partner Program</a> to bring together key industry organizations to help enterprises automate and improve their data privacy practices. Cloudentity has now joined the program to align with other leading security, privacy and identity verification technologies to support global businesses.</p><p><strong>About Cloudentity<br> </strong><a href="https://cloudentity.com">Cloudentity</a> is a privacy-first Customer Identity and Access Management platform. We secure, identify, and authorize users, services and things that need access to personally identifiable data, and we keep out those who should not have access. We do this with powerful, cloud-native identity and access control microservices that integrate quickly, seamlessly, and efficiently into an organization’s existing hybrid or cloud architecture. 
We provide in-depth visibility, protection and policy enforcement at the API level.</p><p>Follow Cloudentity at <a href="http://www.cloudentity.com">www.cloudentity.com</a>, <a href="https://www.linkedin.com/company/cloudentityteam/">https://www.linkedin.com/company/cloudentityteam/</a></p><p><strong>About Integris Software<br> </strong><a href="https://integris.io/">Integris Software</a>, the global leader in data privacy automation, helps enterprises discover and control the use of sensitive data in a way that protects privacy and fuels innovation.</p><p>Privacy is now critical to an effective data protection strategy. By sitting upstream from security, Integris tells you what data is important and why, so you can be precise in your InfoSec controls.</p><p>Integris works securely, at scale, no matter where sensitive data resides. You get a live map of your sensitive data where you can apply policies, surface issues, fulfill <a href="https://integris.io/dsar">DSAR</a> requests, and automate remediations via your broader ticketing and InfoSec ecosystem.</p><p>Regulations like <a href="https://integris.io/gdpr/">GDPR</a> and the <a href="https://integris.io/five-things-to-do-prepare-ccpa/">California Consumer Privacy Act (CCPA)</a> are triggering knee-jerk reactions as companies lock down their data for fear of misuse. 
With Integris, there is finally a way to use your data without fear.</p><p>For more information on Integris, visit <a href="http://www.integris.io/">www.integris.io</a> or follow <a href="https://twitter.com/integrisio">@Integrisio</a> on Twitter.</p><p>###</p><p><strong>Media Contacts:<br> </strong>RH Strategic for Integris Software<br> (206) 264-2400<br> <a href="mailto:IntegrisPR@rhstrategic.com">IntegrisPR@rhstrategic.com</a></p><p>Amie Johnson for Cloudentity<br> (206) 299-1112<br> <a href="mailto:press@cloudentity.com">press@cloudentity.com</a></p><p><em>Originally published at </em><a href="https://cloudentity.com/press-release-integris-software-partners-with-cloudentity/"><em>https://cloudentity.com</em></a><em> on October 31, 2019.</em></p><hr><p><a href="https://medium.com/cloudentity/press-release-integris-software-partners-with-cloudentity-to-launch-industry-first-automated-data-a910f6a764f0">Press Release: Integris Software Partners with Cloudentity to Launch Industry-First Automated Data…</a> was originally published in <a href="https://medium.com/cloudentity">Cloudentity</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Where AuthN becomes AuthZ]]></title>
            <link>https://medium.com/cloudentity/where-authn-becomes-authz-570cd5db96ac?source=rss-b77c1f7be885------2</link>
            <guid isPermaLink="false">https://medium.com/p/570cd5db96ac</guid>
            <category><![CDATA[authentication]]></category>
            <category><![CDATA[api]]></category>
            <category><![CDATA[authorization]]></category>
            <dc:creator><![CDATA[Cloudentity]]></dc:creator>
            <pubDate>Mon, 28 Oct 2019 23:10:02 GMT</pubDate>
            <atom:updated>2020-03-25T22:13:27.850Z</atom:updated>
            <content:encoded><![CDATA[<p>Cloudentity provides a robust set of tools to manage identity and API security: the complete chain from authentication, with our CIAM platform, to authorization, with our API security enforcement gateways, sidecars and other tools.</p><p>But even when we think of Authentication as Identity and Authorization as Enforcement, there’s still confusion about where AuthN leaves off and AuthZ begins. Let’s take a quick review.</p><p><strong>Authentication</strong> is not security in itself — it allows a person or thing to prove they are who they say they are, and then returns details about that entity. Those details might include Personally Identifiable Information (PII), or they might be abstracted behind a unique user ID (UUID).</p><p>Tools for authentication might be a username and password, a “magic code” in the form of a one-time token in a passwordless flow, biometric data like fingerprints, or combinations of identifiers. But none of these mechanisms secures your application; they simply corroborate the identity of the entity in question.</p><p><strong>Authorization</strong> is the actual act of enforcement. We’ve gone through our login and MFA process, and now we have some details that the application can use to grant or deny access to different kinds of data. It might limit access to an individual’s records based on roles or attributes assigned to one’s identity, or it might look at scopes and give access to more detailed reports, or not. It’s up to the business logic and the enforcement in Authorization to apply those details to enforce access rules.</p><p>You can think of Authentication as the key and Authorization as the lock.</p><p>Only here’s the problem — there are a lot of applications out there with lots of different locks. 
Some of them are custom code, some of them are gateways at the edge of the network using access tokens, some of them are server-side tools that enforce rules based on the original SAML response… And each one of those has a set of rules that are applied in different ways by different people with different monitoring and audit tools.</p><p>In practice, Authentication is often less of a key and more of a suggestion, while Authorization is less of a lock and more of a latchkey — you might be able to open it with a pocketknife, and even if anyone looks at your credentials, they might just glance and wave you through.</p><p>Modern application security requires a combination of tools that work together; we can’t look at AuthN and AuthZ as two separate things, and we can no longer support the idea that applications can be trusted to secure themselves.</p><p>A <a href="https://cloudentity.com/identity-management/">Consumer Identity Access Management</a> system allows individuals to identify themselves. It should support multiple factors to make sure the individual is who they say they are, and it should allow administrators, workflows and other authorized tools to provide increasing detail about that individual for granular access control.</p><p><a href="https://cloudentity.com/microperimeter-api-security/">API and Application Security</a> should be platform independent, allowing the same basic set of tools to be used to secure legacy systems, cloud-hybrid, cloud native, and multi-cloud architectures. In other words, no matter where it’s deployed, it’s secured.</p><p>But Identity and Authorization need to be tied together with secure policy management. 
Policies define how that AuthN key fits into that AuthZ lock — that is, policies are aware of all of the data that describes the individual and of how that data is applied to security enforcement.</p><p>Once you tie your Identity Access Management to your API and Application Authorization you start to have a complete ecosystem — now everything can be logged because everything is tied together, and if it’s logged it can be visualized.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/514/0*9pNxbJRj7Y62AQVd.png" /></figure><p>It should be possible to define and refine policies as part of the application development process, and to create and share libraries of known policies so developers don’t have to reinvent the wheel.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*ieOqp6st46upFnzP.png" /></figure><p>At the end of the day, security is something we are all responsible for. The fact that we, as an industry, do it so piecemeal slows us down — trying to explain the security to a compliance officer when your security is wrapped up in code is like speaking Japanese to someone from Finland. 
We need a common language, consistent identity, and clear documentation about how identity is applied to individual services and applications.</p><p>It shouldn’t be complicated, but unravelling your current security and modernizing it might take a little finessing — feel free to <a href="https://cloudentity.com/contact/">contact us</a> to learn how Cloudentity can help tie together your AuthN Identity and AuthZ security in a seamless way.</p><p><em>Originally published at </em><a href="https://cloudentity.com/where-authn-becomes-authz/"><em>https://cloudentity.com</em></a><em> on October 28, 2019.</em></p><hr><p><a href="https://medium.com/cloudentity/where-authn-becomes-authz-570cd5db96ac">Where AuthN becomes AuthZ</a> was originally published in <a href="https://medium.com/cloudentity">Cloudentity</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
    </channel>
</rss>