Whether it is a malicious attack or an inadvertent release on protected or classified data, a breach of government data can level a severe blow to integrity and reputation, leading to legal and legislative consequences that impact partners, allies and the public. For those reasons, cybersecurity and privacy practices for the protection of electronic information go hand-in-hand.
The verification of user and device authenticity has been a substantial information security challenge. While controls and safeguards enforce strict conditions on data, devices, users and connections, the definition, assurance and delivery of those trusted conditions begin with architecture and management philosophies. In other words, we’re getting there.
Two common philosophies that address trust and assurance levels that are required by government, in particular, are zero-trust architecture and federated identity management (FIM). At the root of both are identity management, credential management and access management, collectively referred to as ICAM, that work together to deliver the ‘trust’ dictated by the assets and environments.
Identity management, the construction of a digital identity based on defined attributes, provides the proofing, resolution, maintenance and deactivation function for identity. Credential management provides the authoritative proof of the constructed identity with sponsorship, registration, issuance, maintenance and revocation ensuring end-to-end management. Lastly, access management leverages identity and credential management allowing access to assets under specified point-in-time conditions and for the intended user.
Capitalizing on these foundational components, both zero-trust architecture and FIM pulled a 360-degree on the traditional views of security and privacy, challenging the notions of perimeter and session security and identity proofing and persistence.
As always, the devil is in the details. What makes zero-trust and FIM highly effective? For both, it’s the definition, implementation and management of criteria that enforce trust conditions, regardless of the technology.
Federated Identity: The Trust Thrust
Years ago, the idea of ‘single sign-on’ was a big deal. It still has its place in commercial models (Google, Gmail, YouTube, and others) to allow access to services within an entity or organization. However, for more secure systems that seek efficiencies by eliminating network and organization boundaries, FIM provides authenticated digital identity through enhanced validation, verification and identity management policies.
More than seamless convenience for the end-user and improved maintenance for providers, FIM shares identity to permit access to the federation and its services, across the two (or more) organizations. In fact, it may be the earliest iteration of the portable identity. Facilitating an agreement between organizations, FIM enables and shares the required programmatic and ICAM policies, decisions and information so that trust can be established before any access is granted.
FIM offers an elegant and straightforward concept. The principal initiates an interaction by requesting a service or an outcome, and the authoritative party authenticates and passes their identity and credential assurance to the relying party. Only then is the principal is provisioned access, ensuring all parties are who they claim to be and are playing by the defined rules.
Back in 2008, the Government of Canada saw the benefits of FIM for government and developed the Directive on Identity Management to meet government’s unique legal, privacy, security and assurance requirements in identity in delivering electronic services to the public. Later, the Policy on Government Security and Directive on Departmental Security Management paved the way for federal initiatives, such as the ePass program, British Columbia’s BCeID, Quebec’s ClicSÉQUR and the electronic health records program, Canada Health Infoway.
While there are substantial benefits, such as reduced identity administration costs, abstraction of authentication differences and the elimination of redundancy, FIM does present risks, such as the dependency on a partner for recourse in identity claims, forensics and record retention. However, most can be mitigated with governance and shared standards, controls and policies, justifying the investment to reduce residual risk.
With FIM, policies are aligned and activated, and user credentials are authenticated and shared…voila, you have the keys to the Kingdom. A good thing for some but not all.
Zero-Trust: You Shall Not Pass
Far from old-style trust models that assumed everyone – and everything – inside the network can be trusted, the zero-trust model assumes the opposite. Zero-trust architecture became a popular philosophy several years ago for high-assurance and sensitive information systems since it is rooted in “never trust, always verify”. Evolving from the previous ‘trusted network’ model, where breaches proliferated (especially credential-based ones), zero-trust enforces access, traffic and movement within defined sub-perimeters that resemble micro-segmentation.
By invoking policy, such as user identification, traffic and data flows, application visibility and connection criteria, ‘trust’ is moved from the network perimeter and placed inward. A user may have the credentials to enter an organization’s network but once inside they are verified and validated using decision-based risk analysis on defined data, current device status and connectivity to ensure continued secure access to the resources.
More importantly, zero-trust architecture restricts lateral movement of malicious attacks. If an attack infiltrates a network or endpoint, exposing less restricted areas or target assets, risk increases risk exponentially as the attack surface expands. Defining sub-perimeters marked by junctions or inspection points, a zero-trust architecture uses restriction with additional authentication and rules to allow or deny traffic, countering credential-based attacks and creating smaller, more contained attack surfaces.
The restrictions introduced by zero-trust architecture may not be a one-size-fits-all solution nor is it a panacea to the all identity and authentication needs. For some, it is too restrictive, but for others, it is a game changer.
Best of Both Worlds: Combining Zero-Trust and Federation
Currently, several government departments use the zero-trust model, especially those who collect classified or special access data for internal use, such as intelligence and logistics. However, to fulfill mandates or collaborative partnership strategies, governments find the need to consider more fluid (but secure) access to information for other departments or international partners.
For classified assets, this usually requires architecting entirely separate networks with specific security and monitoring requirements. In these design concepts, unidirectional bridges or data diodes allowing only one direction of data flow and guards that validate and control data transfer validation through release policies, are common safeguards. Access on this scale is complex and rife with many considerations; cost and effort may not be justifiable for less sensitive or limited data.
Zero-trust or federation on their own may not be adequate, but together they may provide a solution for trust and identity assurance– conceptually at least – where data with multiple levels of sensitivity or may be stored with financial and investigation data under multi-lateral agreements or memorandums of understanding.
Between the two, an adaptive and behaviour-based solution may embody the principles of both. The network as a perimeter is no longer the gate-keeper and assets with multiple data classifications can be separated for authorized access. Also, a connection from a particular network does not determine access to services while users and devices must be challenged, verified and validated depending on the required conditions and criteria. Moreover, access privileges and authorization are limited based on user and device information and asset sensitivity.
As we move closer to even more collaborative and open environments and portable identity that depends on security, privacy and efficiency, the more architecture and management models will require creativity. Although hardware and software will continue to deliver these environments, particularly artificial intelligence and machine learning, we’re a long way from them replacing human-made concepts that make them effective.
Philosophy as a science has allowed us to understand problems, challenges and long term solutions along with dependencies, barriers and unintended consequences. Just as zero-trust changed how we view networks and how federation changed how we guarantee and sustain identity, new philosophies can be applied to other areas of technology to generate new knowledge, driving innovation ideas that can be developed into integral solutions.