Access Evolution with Ev Kontsevoy
Access Control Podcast: Episode 20 - From Orange Book to Identity-Native
- Access control consists of four technical components: Authentication, Connectivity, Authorization, and Audit.
- Multics, an advanced operating system, serves as inspiration for Teleport's approach to scaling access control. Multics introduced the concept of a reference monitor as a central point for policy evaluation and enforcement.
- The Trusted Computer System Evaluation Criteria (TCSEC), known as the Orange Book, set basic requirements for assessing the effectiveness of computer security controls.
- The CIA triad (Confidentiality, Integrity, and Availability) is presented as the foundation of trustworthiness in computing systems.
- Teleport provides identity-native infrastructure access to servers, cloud applications, and web applications. Teleport's implementation of zero trust involves technical aspects like reverse tunnels to establish connectivity behind firewalls.
- The concept of true identity should be differentiated from the common practice of associating identity with electronic records or aliases.
- The use of shared credentials or shared identities across various systems is a common anti-pattern.
- The state of authorization in current systems is broken, and it's difficult to synchronize role-based access control (RBAC) rules across different layers of technology.
- The discussion challenges the current emphasis on visibility and audit logs, suggesting that once authorization is properly solved, the importance of observability will decrease.
- A collaborative and trust-building approach between security teams and engineers is critical. Security measures should not hinder productivity but should be designed to work seamlessly with the broader computing ecosystem.
Episode information
- Frequency: Every two months
- Published: 15 December 2023 at 21:15 UTC
- Length: 42 min
- Rating: Clean