Connect to John Gilroy on LinkedIn https://www.linkedin.com/in/john-gilroy/

Want to listen to other episodes? www.Federaltechpodcast.com

Sometimes, the plow must go deeper. Current approaches to Zeer Trust implementation can leave gaps in security. Today, we sat down with Akamai’s Mike Colson to discuss the concept of combining Identity Credential Access Management with Least Permissive Trust.

Setting the stage, Mike Colson details some of the challenges in the varying kinds of Zero Trust that are being applied in the Federal Government.

The standard way of implementing ICM can result in assigning more resources than necessary, leading to permission creep and inflexible permission.

Over provisioning: The amount of data being created is almost impossible to manage. A person may be given access to a data set they are not permitted to see. A “just in time” permission structure would help avoid that situation.

Stale: Just because a person has access to a data set on a Tuesday does not mean he has access on a Wednesday. People can leave the workforce, be reassigned, or change roles. Access must be constantly updated.

Static: Ron Popiel made the phrase, “Set it and forget it,” memorable. Unfortunately, this approach can lead to a permission structure that may limit access to key data. This may be considered under-provisioning, potentially leading to time delays in obtaining key information.

Colson took the listeners through several iterations of access control, including Role-Based Access Control and Attribute-Based Access Control. On top of these old favorites, Colson discussed what may be called Context-Based Access Control, or what he calls Least Permissive Trust.

Least permissive trust is a concept Colson outlined, which uses user behavior, device health, and contextual factors to grant permission dynamically.

The conclusion is simple: not all Zero Trust is created equal.