Zero Trust. Identity Fabric. Terms covering a diverse area, but centralised around one thing – you. Your ability to identify yourself digitally, and access resources in a secure manner.
What’s an Identity Fabric?
‘Identity Fabric’ is a deployment architecture allowing organisations to spin up new use cases or identity groups very quickly. As a user, you experience this through your ability to use your personal identity, securely, across the variety of online companies and services. Logging into Twitter with your Apple ID. Accessing your companies HR platform via your bank code or mobile ID. Using governmental services by identifying yourself digitally, for example with an eID card. And of course using your Facebook or LinkedIn account to share common interests and topics with your friends, family and business associates.
Put simply, your Identity Fabric is who you are online. It’s unique to you. Other people may have similar online profiles, but your Identity Fabric is how you can work from your desk at home, perform online banking and check up on your children’s homework and exams. It’s how you can book your next holiday (yes, we are all dreaming about that), and check up on your favourite Instagram feeds. It’s the intricate, interwoven linking of you, online. Your usernames, your passwords, your accounts – which all make up your Trust Anchors within your personal Identity Fabric. All used for whatever you need or want them to do.
What’s the difference between Identity Fabric and Zero Trust?
Using your fingerprint or face to open your phone or an app on your phone is an everyday experience of an Identity Fabric that we are all used to. Having an auto-lock timing on your phone or required identification each and every time you open an app is an example of Zero Trust – again something you use likely every single day. The notification that your bank sends you when you make a contactless payment at the grocery store is another example of Zero Trust. If you ever get a notification and you aren’t at the store (or shopping online these days), the notification will immediately raise your concern. It’s a modern take on Zero Trust – always check things out, make sure they are valid and ok, but in a seamless, non-obtrusive way.
There is no real difference between your personal security and that of your employer. Sure, your employer’s systems can be more complex than your own, and shared resources require group control access and audit managements. But functionally, you will probably be using a corporate identity (your corporate email address for example) to establish and verify your identity within your company’s Identity Fabric (Office365, HR time reporting and Atlassian products like JIRA and Confluence, for example) for your employer’s own Zero Trust implementation.
The case for Identity Fabrics (when and why)
In Finland for example, the existence and use of an Identity Fabric is so pervasive that we have a national system, Suomi.fi, for most public service items we need as citizens. It relies on our ability to identify ourselves online with an eID (if you have one), the MobileID (again if you have one) or your online banking credentials via the Finnish Trust Network. These are examples of Trust Anchors. Within the service, you can interact with most aspects of the Finnish government – all from your computer or mobile phone, without needing to go to a tax office or social insurance institution office. And most online purchases are made either directly via your bank or secured credit card – reducing the risk of fraud and identity theft.
We’ve also seen recent news where the GAIN Digital Trust proposal is working to create a global Identity Fabric similar to the Finnish Trust Network. The potential for positive impact from GAIN is significant.
The case for Zero Trust (when and why)
Zero Trust, on the other hand, is an operational model that has been in use for more than twenty years now. The ability to use your identity, often your work login account coupled with a form of MFA (multi-factor authentication), permits your employer to grant and withdraw access to corporate information based on a number of factors. Things like – are you on the office VPN? Or is it the company laptop you are connecting with? And is your user account allowed to access that page or resource?
Your employer then takes your identity and the device or location you accessed from, and matches them up with corporate hardware that is not in your control – like the VPN concentrator, or corporate internal firewall or Active Directory; all of which have logging systems used in monitoring. The combination of who you are, where you are coming from and if you’re permitted to access a resource (which can be dynamically adjusted) is the basis of a Zero Trust network. This is very useful for controlling fixed assets (your company’s intellectual property) in a highly controlled, yet flexible, manner. It becomes clear that it would be impossible to maintain a Zero Trust architecture without the use of Trust Anchors within an Identity Fabric.
Ubisecure’s role – how we enable your journey
Ubisecure’s Identity Platform helps your organisation define and then build its Identity Fabric. Using existing identity repositories for your staff, like your existing Active Directory, or your customers’ existing identities, like their social media accounts for login to your service, we help your business on its digital transformation journey.
This has proven to be even more useful during the last year when face to face meetings have been impossible – we all really use our existing Identity Fabric daily. We need to know who we can trust and how to conduct business with our partners, customers and end users of our services. All without actually seeing the customer or end user. Just think about the number and diversity of online purchases you’ve made over the last year. Or meetings you have held. The ability to have and use your Identity Fabric in a trusted manner, using identity providers and Trust Anchors, has become essential.
Your company, or online service that you’re using still needs to implement and review their Zero Trust service. But the ability to carry out any Zero Trust plan has a foundation in the people using the service and ultimately the level of verification carried out by the identity provider. The level of assurance we can bring to an identity provider, used across an Identity Fabric with a network’s Zero Trust model applied, is the key differentiator.
Get in touch to find out how Ubisecure can help your organisation with its Identity Fabrics and Zero Trust transformations.