As the title of this posting probably tells you, there are a LOT of acronyms out there talking about Access Control. To level set, here are a few translations:
Over the last 20+ years, if you didn’t offer an open API as a software maker, you were not invited to sit at the cool kids table. The culture of interconnected software has rapidly fostered tech prosperity & business growth to the point that the API has become the new database. Just imagine the possibilities, if you will, of an API so data rich that I can expose a decade of personal information for millions of users...what could possibly go wrong?
Ask most companies today about their application strategy and they’ll say, “We’ve got it covered, we’re moving to the cloud.” To which I ask, “What are you moving to the cloud?”
You may have seen my posting on East/West is the New North/South. The bottom line is that traditional API Gateway models simply don’t provide the level of security we need in modern microservice architecture. The problem is that only 20% of the traffic (that is the inbound traffic up until the gateway) is secure, everything inside the data center is “trusted.”
In computer technology we talk about security breaches and how to prevent them, but honestly, we have different kinds of breaches and different reasons to want to prevent them. Sure we hear the stats like “60% of small companies that suffer a cyber-attack are out of business within six months” but what is it about those attacks that cripple and destroy companies? And how can we create better security policies and implement those policies so we don't suffer attacks?
The Cloudentity stack is very powerful and very flexible, which means it's hard to tell the story from one person's point of view. This short (1:15) video gives a quick view from four different people's perspectives.
We talk about network traffic in two ways – North/South traffic is the traffic heading in and out of your network. East/West traffic is the traffic from one server to another inside your network. So why do we focus so much on North/South and almost forget about East/West?
As I mentioned in Identity and Security Starts at Home, the era of Zero Trust means we can’t trust traffic coming from inside the house. Internal systems can be compromised and if your internal security is just IP whitelisting or trusted certs, a “trusted app” can do a lot of damage by probing the internal network.
Authorization has come along way since setting bits in the file system. With the advancements in Machine learning, big data and behavioral profiling its time for authorization to take its next generational leap and move into a flexible risk based access control model that works in concert with legacy access control policies.
The term "API" is tricky. It stands for Application Programming Interface, but a lot of people seem to think it means “All Powerful Incantation.” You always see decision makers sigh in relief when they find out a product they’re looking at has an API, they’re not sure what it means but they know their developers will be able to do magic with it.
Trouble is, an API isn’t a single thing. It’s the classic elephant where blind men each get hold of a different part of the elephant… “It’s a snake!” “It’s a tree trunk!” “It’s a wall!” To front-end developers it’s a collection of resources. To a SysOps engineer it’s a firewall. To an engineer it’s an abstraction. And to an Information Security officer, it’s a big mess.
Security management has historically been focused on the User attempting to access a resource. But in the increasingly complex world of CI/CD methodologies and microservices, it’s no longer “Users” and “Resources” we need to secure. Applications need to talk to each other, resources need to move from development through production and be managed by automated systems, and the systems themselves have become consumers and contributors.