In a recent Cyber Hut webinar, SGNL CTO and Identity 25 winner Atul Tulshibagwale joined fellow identity security experts including Ian Glazer, former SVP of Identity Product Management at Salesforce and current board member of the OpenID Foundation, to shed light on authorization’s new-found prominence in access security.
While strong authentication will always remain critical to warding off attacks, limiting (and, ideally, eliminating) access rights in the first place reduces the blast radius and minimizes the damage that external and internal threat actors can inflict. Read on to discover why the shift from static to dynamic authorization systems at enterprise companies is essential to achieving Zero Standing Privilege (ZSP) — and how today’s popular access security tools like RBAC fall short.
Standing, static access doesn’t meet today’s identity and authorization needs
Authorization systems often operate under fixed rules where access controls are strictly defined by user roles or groups. These approaches were designed for simpler IT environments largely contained within the network and protected by a firewall. But the classic moat-and-castle model started showing its weaknesses in the 2000s and 2010s with expansion of cloud services and proliferation of mobile devices.
The decentralization trend kicked into hyperdrive during COVID, and it, of course, shows no signs of reversing course. On top of this, nearly 80% of all data breaches involved compromised identities. Hence, we must evolve from merely security-in-depth to identity-in-depth.
So what does that mean for identity security and IAM teams?
Begin by recognizing that employees don’t need just-in-case access — they need just-in-time access that’s based on business context. Enterprises should evaluate dynamic authorization frameworks like modern privileged identity management (PIM) that eliminate standing privilege entirely and provide limited, time-bound access only when necessary. These frameworks offer vastly more flexibility and responsiveness, allowing companies to achieve the much sought-after Zero Standing Privilege that drastically reduces the potential blast radius. If attackers compromise an identity with no standing access, there’s little they can do to harm a company.
How dynamic authorization provides modern identity-first security
To increase protection, a PIM should support Continuous Access Evaluation Profile (CAEP), a standardized way for systems to continuously share user and access updates for improved security. As zero trust becomes standard, continuous evaluation of access rights across the distributed environment is crucial. CAEP overcomes identity silos through a non-prescriptive framework for sharing risk signals.
A modern PIM coupled with CAEP can integrate into the existing tech stack to address the gaps that privileged access management (PAM), identity governance and administration (IGA), and access control frameworks present. This combo provides CISOs and their teams with a true dynamic authorization system that:
- Adopts zero trust architecture, where no entity is trusted by default from inside or outside the network, credentials are never vaulted for check-out, and verification is required from everyone trying to gain access to resources
- Switches from static authorization to real-time access rights to minimize the data and systems threat actors can potentially access by granting permissions only when necessary, and for a limited timeframe
- Evaluates — and automatically acts on — user behavior to detect suspicious activity such as a large number of file downloads or unusual access requests, indicating potential security threats and allowing for quick mitigation and remediation
- Integrates comprehensive audit trails, as detailed logs are crucial for spotting unusual activity and maintaining compliance.
By tapping into AI and machine learning (ML), dynamic authorization frameworks like a modern PIM can process the vast amounts of data required to make real-time access decisions with a response to >95% of the queries within 100 ms. Manual processes simply cannot scale to enterprises’ authorization needs.
At SGNL, we’ve built a modern PIM that protects critical systems and data — and fully supports CAEP. SGNL’s dynamic approach to access management achieves Zero Standing Privilege across your cloud applications like Azure, AWS, GitHub, and Salesforce, as well as on-prem systems.
Check out the full webinar for more insights from Atul, Ian, and The Cyber Hut founder Simon Moffatt.