Controlling Identity with the Endpoint

The year is 2019 and if you’re like most of us, you’re seemingly gravitating closer and closer to all things ‘aaS’. Software, Identity, Infrastructure, Access Management, Integration – you name it and there’s a similar (if not superior) version of a core business service available in the cloud. While this shift has resulted in an explosion of innovation, it has also put IT leadership in a position to demand tighter integration, seamless security controls and ROI across this new wave of services.  To make matters worse, most IT departments are living in a hybrid world of software greatest hits (and often not so great) from the 80’s, 90’s and 2k’s.  Innovation (and work habits) has also led to end users dealing with more new devices or endpoints – adding another dimension to an already complex set of challenges.

These problems could drag on forever if not framed properly. We’ll focus on two subject areas that are receiving a lot of attention these days: Identity/Access Management and Endpoint Management (formerly known as Enterprise Mobility Management (EMM) and Mobile Device Management (MDM)). They might seem to reside in two entirely different sections of the spectrum, yet they are the foundational layers that could ultimately spell success or failure.

Tour de Identity

In the olden days (aka Y2K), a user’s identity was stored securely in a directory within the network perimeter, predominantly in the form of Microsoft Active Directory.  For its time, this multi-master, highly available model served as the point of integration regarding identity for in-house and 3rd party services and provided sufficient support to give end users a single sign-on experience.

After reining for nearly a decade, the on-premise directory began to show its shortcomings; primarily in terms of extensibility – when services began to extend beyond the company’s perimeter starting with B2B scenarios – which then followed by the invasion of SaaS.  This resulted in the development of federation protocols like SAML and more modern ones such as OpenID-Connect based on top of OAuth.  Federation fueled productivity and in doing so, it also quickly dismantles the corporate perimeter as we know it.

All Things Endpoint

And while the federation protocols fuel productivity, the device/endpoint explosion is also fueling productivity in a different way – from desktop to laptops, phones and tablets; from IT issued managed devices to unmanaged BYOD’s; from an office-oriented culture to remote workers dominating the workforce.  From day one, convenience and security have always been opposing forces causing IT headaches.  IT consumerization, no longer a new term, has forced IT to seriously re-evaluate their strategies.  Welcome to the Zero-Trust world.

As Tom Malta pointed out in his previous blog the first thing you need is the right identity ownership identifying the set of personas and their associated identity lifecycles.  Once we’ve identified the user (through proper provisioning and authentication mechanisms), is that enough to “trust” the user?

Not according to Den Jones, Director of Enterprise Security at Adobe, “… it’s a combination of the users AND the devices they are coming from …” that determines trust.  In the zero-trust world, context is important.  It’s not enough to just know who the actor is.

The engine behind needs to consider all contexts of the user and the very attempt of accessing a certain resource – including but not limited to device postures, security postures and risk postures.  Endpoint management provides the context of the device or the endpoint that the user is using.  Access management properly authenticates and identifies the user.  At a coarse-grained level, Access Management can react immediately based on device posture alone whether to authorize access or not.  But the information can be used in conjunction with fine-grained policies to provide contextual access at the resource level if properly configured.  This, when combined with additional risk posturing from external risk engines such as a threat detection and UEBA engines forms the basis of a risk-based authorization model – as illustrated by the following security controls:  Risk-Based Authentication, Risk-Based Governance, and Risk-Based EMM Management.

Den has developed a Zero-Trust framework at Adobe called The Zero-Trust Enterprise Network (or ZEN) – based on the very principles of these security controls.   Learn more about Adobe’s challenges, solution and lessons learned by reading the case study.

About the Author: Eric Woodland, Partner Solutions Technical Architect (Endpoint/Mobile) for Okta, has over a decade of experience in the mobility and endpoint space – having spent time as a professional services veteran for MobileIron and as an IT practitioner.  Okta is a member of the IDSA.



Let's work together to help everyone become more secure.