Access Control

From Orange Book to Identity-Native


Access Evolution with Ev Kontsevoy

Access Control Podcast: Episode 20 - From Orange Book to Identity-Native

  • Access control consists of four technical components: Authentication, Connectivity, Authorization, and Audit.
  • Multics, an advanced operating system, serves as inspiration for Teleport's approach to scaling access control. Multics introduced the concept of a reference monitor as a central point for policy evaluation and enforcement.
  • The Trusted Computer System Evaluation Criteria (TCSEC), known as the Orange Book, set basic requirements for assessing the effectiveness of computer security controls.
  • The CIA triad (Confidentiality, Integrity, and Availability) is presented as the foundation of trustworthiness in computing systems.
  • Teleport provides identity-native infrastructure access to servers, cloud applications, and web applications. Teleport's implementation of zero trust involves technical aspects like reverse tunnels to establish connectivity behind firewalls.
  • The concept of true identity should be differentiated from the common practice of associating identity with electronic records or aliases.
  • The use of shared credentials or shared identities across various systems is a common anti-pattern.
  • The state of authorization in current systems is broken, and it's difficult to synchronize role-based access control (RBAC) rules across different layers of technology.
  • The discussion challenges the current emphasis on visibility and audit logs, suggesting that once authorization is properly solved, the importance of observability will decrease.
  • A collaborative and trust-building approach between security teams and engineers is critical. Security measures should not hinder productivity but should be designed to work seamlessly with the broader computing ecosystem.
Access Control, by Teleport
