Episode 129 - GluuFederation/identerati-office-hours GitHub Wiki

Title: Function-Based Access Control?

Channels

Description

In this session, we’ll explore how traditional access control models—RBAC, ABAC, and the whole alphabet soup—are showing their age in the face of modern business needs. We’ll question whether these technical frameworks really serve business goals, and consider what a more pragmatic, function-based access control model could look like. Join us to discuss building relationships, context, and policy into models that work for both people and agents in a rapidly evolving environment.

Homework

Quote from Radovan's White Paper

Takeaways

  • ⚡ Updated information about people is still important: "garbage in, garbage out" still applies. Our policies won't work if the information about the person who is the subject of the policy is stale. So we still need a human identity management process.

  • ⚡ The part that's broken in governance is the entitlements-to-person mapping exercise. Identity governance has traditionally addressed "why does this person have access" or "who is responsible". The idea is that if you can find the right throat to choke when something goes wrong, risk is mitigated because no one wants to get choked. That mindset is falling short at its task, securing the enterprise. Especially if Radovan Semančík is correct, and business owners are blissfully ignorant of either the content of the policies, or even what an ideal policy state should be.

  • ⚡ In his recent paper "Identity Management Dead Ends", Radovan writes that "identity governance is concerned with inventorization, ownership and responsibility." If we have the right inventory of people, roles, and capabilities, we can make sure people only have access to the right stuff. But the application of formal reasoning offers another solution: provable "universal" statements offer a more efficient and reliable way to assert and monitor the current state of enterprise security at scale.

  • ⚡ Capabilities are atomic units which lend themselves to "inventorization" (to use Radovan Semančík's word). But they don't offer a strategy for access control. For example, ABAC and RBAC are used for identity-centric access control strategies. Different approaches are feasible for capability-centric access control; for example, TBAC uses trusted tokens as evidence to support a capability.

Livestream Audio Archive

Will be Here