When authorizing user access, what can and can't be automated?

When Authorizing User Access, What Can and Can't be Automated?

David Spark

- Paul, the world of automation, I think, has improved over time. It definitely has improved, but it is far from perfect. To what level can we automate authorization to applications?

Paul Gutherie

- We're not a hundred percent there yet but our goal is to get to the point where we can use cloud discovery software that will detect any new systems and based upon predetermined patterns, will simply spin up authorization flows. It will detect a new window server, and then it will spin up from a template, an authorization flow for a production service. And that's the type of thing that we're looking to get to. We're not a hundred percent there yet but we're a good way to getting there.

David Spark

- What is it that you are comfortable with Opal delivering on a level of automation?

Umaimah Khan

- There's like an 80-20 rule when it comes to automation and authorization and access today. And I think you can get to a point pretty quickly where you can start to kind of separate out different levels of risk baseline based on how sensitive a system is. And then, you can feel good about what a configuration looks like for a particular style of sensitive system and then start to automate that. And so that's kind of 80% of the way and where we sit and where our hope is so that you can kind of really focus that 20% of the time on your most dynamic or most idiosyncratic systems and have a little bit more, a level of depth or scrutiny there.

David Spark

- What is being automated now that you didn't automate before and was making your life miserable?

Paul Gutherie

- Opal certainly has APIs that we can use to set up authorization flows and that's something that we have been taking advantage of more and more where we are looking to API centric platforms that we can control through, for instance, our security automation platform that we use or through directly from Terraform, et. So we have multiple touchpoints, multiple things automating the authorization flows.

David Spark

- What should a user be thinking about when they get to something that they can't automate?

Umaimah Khan

- I think in authorization, this is where the kind of shift happens from productivity to true anomaly detection or threat detection and engineering. What can't be automated is effectively something that can't be pattern matched or looks a little strange. And once you get to that point, you have enough signal to start to sort of think about the problem from a fraud detection perspective like, "Hey, we know that somebody should be accessing this thing within business hours from these locations. What's happening now?" And so the way we should think about it is we're freeing up a lot of mental time and energy and maybe creative problem solving to start thinking through what could actually be like a threat in the system.

David Spark

- To learn more about automation of your authorization, why not check out what they're doing over at Opal? Head on over to www.opal.dev.

About Opal

Opal is the unified identity platform for modern enterprises. Opal aggregates identity and access data to provide visibility and defense-in-depth infrastructure for mission-critical systems. Enterprises can discover anomalous identity risks with the product and remediate them in minutes. The world's best companies trust Opal to govern and adapt sensitive access.

Want to see it yourself? Contact sales@opal.dev or book a meeting here for a personalized demo.