Huge shoutout to David Spark, host of CISO Series, Paul Gutherie, ISO of Blend, and Umaimah Khan, CEO of Opal, for discussing the best practices of dynamic access management.
David Spark:
Umaimah, what is authorization, and why should security professionals care?
Umaimah Khan:
Authorization is the specification of what you are allowed access to and how you are allowed access to it.
David Spark:
It changes, and that's different from identity, because with identity, I don't stop being me, but what I should have access to changes kind of all the time, doesn't it?
Umaimah Khan:
Yeah, I would say access is colored by identity. It is idiosyncratic. So who you are colors what you have access to.
David Spark:
Paul, what are the troublesome issues you've had with authorization?
Paul Gutherie:
Well, I think one of the most difficult problems to solve is that in a dynamic organization, a modern organization, what you have access to changes all the time. We have to have ways of quickly deciding whether or not somebody can have access, quickly providing that access, and then taking it away when they no longer need it. And so if you wanna be compliant and you wanna be secure, you want to give people the minimum access just for the time that they need it and then take it away.
David Spark:
Paul, I understand that you're a customer of Umaimah's company, Opal, and let me just ask you, I mean, this is a chronic problem that every security professional has, because it's just physically exhausting to constantly deal with provisioning people and de-provisioning. So how does Opal address this issue?
Umaimah Khan:
What it means to be dynamic is to actually look at how information flows in an organization or how a person works. So a classic example is what it means to go on call. That's usually not defined by a rigid job duty. It can mean many things in many roles, but you know that by definition when you go on call, you may need access to sensitive systems. And when you go off call, you may not need access to that. So that's an example of something that would be dynamic.
David Spark:
Do people behave differently because of the tool of the product, or it's kind of invisible and people are allowed to still behave the way they normally behave?
Paul Gutherie:
I can't say it's invisible, but it's very low friction, and that's certainly something that we look towards. I mean, in a dynamic organization also, you can't be waiting 24 or 48 hours for somebody to approve access to something, especially if you have some exception or some customer who's waiting for information from you or for a problem to get fixed. We want somebody to make a conscious decision as to whether or not somebody has access to a particular resource, for them to look at, you know, the access request, and say, yeah, this makes sense, and then to go ahead and approve that access. Often when somebody needs to conduct a business process, there might be 3, 4, 5 systems involved, and we want to provide them access to all of them with one request. And so that helps reduce friction, but also helps keep the security levels high.
David Spark:
For better authorization, essentially only giving people access for the time they need it, de-provisioning it, and making it happen more simply rather than people waiting, and also maintaining your security at the same time. Pretty impressive. For more on how to do this, go to Opal's site at https://opal.dev/.
Opal is the unified identity platform for modern enterprises. Opal aggregates identity and access data to provide visibility and defense-in-depth infrastructure for mission-critical systems. Enterprises can discover anomalous identity risks with the product and remediate them in minutes. The world's best companies trust Opal to govern and adapt sensitive access.
Want to see it yourself? Contact sales@opal.dev or book a meeting here for a personalized demo.