This article is part of a series (links below). I would recommend reading the articles in order, starting with “Greenfield Opportunity”, which provides the required framing.
- Greenfield Opportunity
- Modern IT Ecosystem
- Service Delivery
- Hybrid Multi-Cloud
Within this article, I will highlight our proposed Identity Access Management (IAM) architecture, describing our philosophy, key technology decisions, and positioning.
As previously highlighted, we plan to implement a Zero Trust IT security model. Zero Trust is a holistic approach to IT security, which goes beyond the traditional “trust but verify” and “moat/castle” strategies. Although these traditional strategies are still common within enterprise businesses, they primarily target environments where the business has end-to-end ownership, management, and control of all IT services.
In a modern IT ecosystem, it is very common for IT services to be dispersed (e.g. SaaS services, cloud hosting, etc.). Therefore, the users, services, and data could be anywhere and everywhere, making the task of IT security increasingly complex.
The answer to this challenge is not to perpetuate the inadequate strategies (e.g. moat/castle), but instead look to implement a new strategy, where the network is always assumed to be hostile, meaning internal and external threats exist at all times.
With this in mind, Zero Trust implements new principles, techniques, and technologies to help localise and isolate threats. For example, the following principles provide the foundation for a Zero Trust architecture.
- The network is always assumed to be hostile, meaning external and internal threats exist on the network at all times.
- Network locality (moat/castle) is not sufficient for deciding trust. No user or device is automatically trusted.
- Micro-segmentation concepts create secure enclaves, limiting network and application flows between workloads and reducing the “blast radius” of an attack.
- Every device, user, and network flow is authenticated and authorised, preferably leveraging Multi-Factor Authentication (MFA).
- A least-privilege access philosophy (need-to-know basis), where users are only granted the access required to complete their job (nothing more).
- Policies must be dynamic and calculated from as many sources of data as possible, enabled via a central management control plane.
These principles are enabled through key technologies, such as Identity Access Management, Microcore, Segmentation, and Deep Visibility, which provide a structured approach to identify threats and limit the impact of any breach.
At the foundation, a Zero Trust architecture must be able to complete strict identity verification for every user and device trying to access a business resource, regardless of whether they are within or outside of the network perimeter.
Therefore, from an IT security perspective, Identity Access Management (IAM) becomes one of the most important and powerful technologies used to protect the business.
Identity Access Management (IAM) aims to define and manage the roles and access privileges of users (e.g. employees, contractors, customers) and the circumstances in which they are granted (or denied) specific privileges.
The primary goal of Identity Access Management (IAM) is to create a single digital identity per user. Once that digital identity has been established, it must be maintained, modified and monitored throughout the user’s access lifecycle.
The diagram below outlines our high-level Identity Access Management (IAM) architecture, including provisioning flows.
Key technology components include:
- Workday, SAP: Source systems integrate via the RSA collector/connector to synchronise data.
- RSA IGL: Lifecycles identities, facilitates the Joiner/Mover/Leaver (JML) processes and provides continuous compliance capabilities.
- Global Identity Repository: Provides secure/scalable access to employee data via a RESTful API.
- Active Directory: Directory services system, providing authentication and authorisation services for applications hosted in the Colocation DC and at the Edge (Local Sites).
- Azure Active Directory: Directory services system, providing authentication and authorisation services for applications in the Public Cloud and Software-as-a-Service (SaaS).
RSA IGL focuses on Access Certification, User Provisioning, Policy Automation, and Role Management, whilst providing self-service capabilities and enterprise visibility across the access lifecycle.
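As an added illustration of the Joiner/Mover/Leaver and continuous-compliance checks described above (example code written for this article, not code from RSA IGL or from this series), the following Python reconciles a constructed HR extract with a constructed directory export and reports accounts that drift from the HR source of truth. The record layouts, role model, group names and eight-digit user IDs are assumptions.

```python
# Constructed HR extract (stands in for the Workday/SAP data the collector synchronises).
HR = [
    {"id": "10000001", "status": "active", "role": "finance-analyst", "leave_date": None},
    {"id": "10000002", "status": "active", "role": "plant-engineer", "leave_date": None},  # mover
    {"id": "10000003", "status": "terminated", "role": "hr-partner", "leave_date": "2024-03-01"},
    {"id": "10000004", "status": "active", "role": "finance-analyst", "leave_date": None},  # joiner
]
# Constructed directory export (stands in for account state in AD / Azure AD).
DIRECTORY = [
    {"id": "10000001", "enabled": True, "groups": {"grp-erp-reports"}},
    {"id": "10000002", "enabled": True, "groups": {"grp-erp-reports", "grp-mes-console"}},
    {"id": "10000003", "enabled": True, "groups": {"grp-hr-records"}},
    {"id": "10000099", "enabled": True, "groups": {"grp-domain-admins"}},  # no HR record
]
# Assumed role model: the only groups each role is entitled to (least privilege).
ROLE_GROUPS = {
    "finance-analyst": {"grp-erp-reports"},
    "plant-engineer": {"grp-mes-console"},
    "hr-partner": {"grp-hr-records"},
}


def reconcile(hr, directory, today):
    """Compare the HR source of truth with directory state and return JML findings.

    today is an ISO date string; ISO dates compare correctly as strings.
    Each finding is a tuple: (kind, user id[, detail]).
    """
    hr_by_id = {r["id"]: r for r in hr}
    dir_by_id = {a["id"]: a for a in directory}
    findings = []
    for uid, rec in hr_by_id.items():
        acct = dir_by_id.get(uid)
        if rec["status"] == "active" and acct is None:
            # Joiner: HR says active, but provisioning has not created an account.
            findings.append(("joiner-missing-account", uid))
        elif rec["status"] == "terminated" and acct and acct["enabled"]:
            if rec["leave_date"] and rec["leave_date"] <= today:
                # Leaver: past their leave date, yet the account can still authenticate.
                findings.append(("leaver-still-enabled", uid))
        elif rec["status"] == "active":
            # Mover: groups beyond the current role's entitlement are stale privilege.
            excess = acct["groups"] - ROLE_GROUPS.get(rec["role"], set())
            if excess:
                findings.append(("mover-excess-groups", uid, sorted(excess)))
    # Orphans: directory accounts with no HR record cannot be lifecycle-managed at all.
    for uid in sorted(dir_by_id.keys() - hr_by_id.keys()):
        findings.append(("orphan-account", uid))
    return sorted(findings, key=lambda f: f[:2])
```

Each finding maps to a remediation the identity platform would drive: provision the joiner, disable the leaver, strip the mover's excess groups, and investigate the orphan.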
Active Directory and Azure Active Directory enable our key authentication patterns, including SAML, OAuth 2.0, OpenID Connect, MAPI, WS-Federation, Kerberos, LDAP, etc.
The diagram below outlines our approved/preferred authentication patterns.
As you can see from the diagram, the user will have a single digital identity, with application/service owners targeting modern authentication.
Due to the complexities of specialist applications (primarily within Manufacturing and R&D), we will still enable some “legacy” authentication patterns. In this scenario, the user may have a non-standard username, which conforms to the least common denominator (e.g. eight numbers). We anticipate these scenarios will reduce over time, as applications/services are modernised.
- Local Authentication: Local (decentralised) databases used for identity are not allowed within our ecosystem.
- Kerberos: Kerberos is an authentication protocol that works based on tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Kerberos is not preferred, but technically viable within our ecosystem.
- LDAP: The Lightweight Directory Access Protocol (LDAP) is an open protocol for accessing and maintaining distributed directory information services over a network. LDAP is not preferred, but technically viable within our ecosystem.
- Direct Connect: Specific services require a direct connection, occasionally via an insecure protocol. These services must never be directly accessible from the Internet and must include an additional level of authentication before the connection is established.
- Modern Authentication: Modern Authentication leverages tokens issued by an authentication provider, removing the need for the username and password to be sent to each application over the network. For example, SAML, OAuth 2.0, OpenID Connect, MAPI, WS-Federation, etc. Preferred for all applications and services.
- Endpoint Authentication: Aligned with “Modern Authentication”, enabling password-less authentication via a gesture (e.g. facial recognition, iris scan, fingerprint, etc.). Preferred for all endpoints (clients/mobiles).
Our vision of the future is to enable a password-less ecosystem, where modern authentication patterns are used by all applications, services, and endpoints.
Thanks to our “greenfield opportunity”, our entire endpoint architecture (Clients/Mobiles) will be password-less enabled by default, leveraging technologies such as Windows Hello and Apple Face ID/Touch ID.
Windows Hello is compatible with any service that supports Fast Identity Online (FIDO). Therefore, as Windows Hello matures, the use of password-less should organically increase.
In conclusion, we are in a fortunate position to be able to target a Zero Trust IT security model, enabled by our Identity Access Management (IAM) architecture.
This approach will help to ensure our ecosystem is protected, without limiting our ability to innovate and leverage cutting-edge technologies. Knowing that we will also enable password-less authentication for all users is an exciting prospect. Rarely can IT improve security and the user experience simultaneously!
In short, as the industry and our ecosystem mature, we will be in a strong position to fully embrace a password-less future across all applications, services, and endpoints.