Episode 032: 07‐23‐2024 No things in IGA: Considering non‐human account management - GluuFederation/identerati-office-hours GitHub Wiki
Title: No things in IGA: Considering non-human account management
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: André Koot, IAM Strategist, SonicBee
- Co-Host: Senthil Chandrasekaran, Salesforce Senior Manager--Security Engineering / Product Management
Description
Vendors often suggest that our customers manage things--robotic process automation (RPA) bots, service accounts, etc.--in an IGA system. Naaahh, that's not how you manage those types of accounts!
Homework
- Blog: Governance of things – II
- IdPro Article: Introduction to Privileged Access Management
- SGNL Blog: Access Risks of Non-Human Identities by Atul T
- Identifying stakeholders in access governance
- NIST SP 800-207 Zero Trust Architecture
Takeaways
- Traditional RBAC models were not designed for non-person users. Enterprises should not use the Joiner-Mover-Leaver lifecycle to manage access for non-person entities. Password rotation, a control built for people, does not fit service accounts--it is preferable to use asymmetric (public-key) authentication anyway, so there is no shared secret to rotate.
- André suggests a new lifecycle for non-person entity access governance, roughly: Create - Provision - Authenticate - Manage/Maintain - Deprovision access.
- Rather than blanket role-based permissions, we should move to "just-in-time access": access granted for a specific task, only after successful evaluation of the relevant policies, instead of standing entitlements. To accomplish this, application developers need to externalize policy decisions, and infrastructure products (e.g. API gateways) need to support delegating authorization to that policy engine.
- Each instance of a machine should register a unique public key used for subsequent authentication. This is essential to audit all the actions performed by a person using a specific software instance: the log can then attribute each action to one registered instance rather than to a shared account. Both FIDO and OAuth offer mechanisms for cryptographic registration (FIDO registers a credential public key at enrollment; OAuth has dynamic client registration and private_key_jwt client authentication).
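The following is an added example to illustrate the last two takeaways (per-instance key registration, and just-in-time, policy-evaluated access) in one flow; it is not code from the episode, from Gluu or from SonicBee. It uses a plain Ed25519 signed challenge as a stand-in for the FIDO or OAuth registration mechanisms the takeaway names, keeps the key registry and policy rules in memory, and the instance IDs (`rpa-bot-01`), resource names (`db:invoices`) and the `Rule`/`Grant` shapes are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Registry holds one public key per software instance (illustrative, in-memory).
type Registry struct{ keys map[string]ed25519.PublicKey }

func NewRegistry() *Registry { return &Registry{keys: map[string]ed25519.PublicKey{}} }

// Register binds an instance ID to its public key. Re-registering an existing
// ID is refused so two instances can never share one audit identity.
func (r *Registry) Register(instanceID string, pub ed25519.PublicKey) error {
	if _, exists := r.keys[instanceID]; exists {
		return errors.New("instance already registered: " + instanceID)
	}
	r.keys[instanceID] = pub
	return nil
}

// Challenge is what the gateway asks the instance to sign: a fresh nonce bound
// to the instance ID, so a signature cannot be replayed for another instance.
type Challenge struct {
	InstanceID string
	Nonce      []byte
}

func NewChallenge(instanceID string) (Challenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	return Challenge{InstanceID: instanceID, Nonce: nonce}, nil
}

func (c Challenge) Bytes() []byte { return append([]byte(c.InstanceID+":"), c.Nonce...) }

// Authenticate verifies the instance's signature over the challenge with the
// registered key; there is no password, so nothing to rotate or share.
func (r *Registry) Authenticate(c Challenge, sig []byte) error {
	pub, ok := r.keys[c.InstanceID]
	if !ok {
		return errors.New("unknown instance: " + c.InstanceID)
	}
	if !ed25519.Verify(pub, c.Bytes(), sig) {
		return errors.New("bad signature for instance: " + c.InstanceID)
	}
	return nil
}

// Rule is an externalized policy entry evaluated by the gateway rather than
// hard-coded in the application. MaxTTL bounds how long a grant lives.
type Rule struct {
	Subject, Action, Resource string
	MaxTTL                    time.Duration
}

// Grant is a just-in-time, task-scoped authorization with an expiry.
type Grant struct {
	Subject, Action, Resource string
	ExpiresAt                 time.Time
}

// Authorize issues a grant only when a rule matches the exact task; there is
// no standing role membership to inherit from.
func Authorize(rules []Rule, subject, action, resource string, now time.Time) (Grant, error) {
	for _, rule := range rules {
		if rule.Subject == subject && rule.Action == action && rule.Resource == resource {
			return Grant{Subject: subject, Action: action, Resource: resource, ExpiresAt: now.Add(rule.MaxTTL)}, nil
		}
	}
	return Grant{}, fmt.Errorf("no policy permits %s to %s %s", subject, action, resource)
}

// AuditLine records which authenticated instance, not a shared account, got
// which grant, so the log can be attributed per instance.
func AuditLine(g Grant, now time.Time) string {
	return fmt.Sprintf("%s subject=%s action=%s resource=%s expires=%s",
		now.UTC().Format(time.RFC3339), g.Subject, g.Action, g.Resource, g.ExpiresAt.UTC().Format(time.RFC3339))
}

func main() {
	reg := NewRegistry()
	// Constructed sample: one RPA bot instance with its own key pair.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if err := reg.Register("rpa-bot-01", pub); err != nil {
		panic(err)
	}
	ch, err := NewChallenge("rpa-bot-01") // gateway issues a challenge...
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(priv, ch.Bytes()) // ...the instance signs it
	if err := reg.Authenticate(ch, sig); err != nil {
		panic(err)
	}
	// Externalized policy: the bot may read the invoices table, 5 minutes per grant.
	rules := []Rule{{Subject: "rpa-bot-01", Action: "read", Resource: "db:invoices", MaxTTL: 5 * time.Minute}}
	now := time.Now()
	grant, err := Authorize(rules, "rpa-bot-01", "read", "db:invoices", now)
	if err != nil {
		panic(err)
	}
	fmt.Println(AuditLine(grant, now))
	// A task the policy does not cover is refused even for an authenticated instance.
	if _, err := Authorize(rules, "rpa-bot-01", "write", "db:invoices", now); err != nil {
		fmt.Println("denied:", err)
	}
}
```

The application never sees a role: the gateway authenticates the instance by its registered key, asks the policy for a task-scoped grant with a TTL, and logs the result against the instance ID. Replacing the in-memory `Registry` with a FIDO or OAuth client registry and the `Rule` slice with a real policy engine keeps the same flow.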