Prof. William R. Simpson
Keynote Speaker Talk:
Zero Trust in Cloud Using Delegation of Access
Zero Trust Architectures provides secure digital identity and access management for an enterprise whether using cloud or on premises computing. It can provides a core set of security services that facilitate automated access and privilege determination for all enterprise users to all enterprise applications and services. This core set of services is designed for simplicity in common use cases, but in a large enterprise there are many exceptions that require local adjustments to access rules. This paper discusses delegation, which is the controlled sharing of one individual’s discretionary access and privilege with another entity. Mandatory access requirements must be met by the delegate. Delegation enables authorized individuals and groups within the enterprise to locally enact access rules that are not addressed by the core enterprise services. This provides several benefits. A formalized process for making exceptions to access and privilege. Local complications, uncommon scenarios, and unforeseen situations need not be escalated to enterprise-wide changes when they are confined to a single circumstance, application or service. Delegation keeps small changes local. Additionally, the visibility that delegation provides enables identification of enterprise-wide patterns that may be better addressed by permanent solutions, such as provision by the enterprise of additional information needed by applications and services. Instead of an accumulation of hidden back-door access methods, delegation keeps the access modifications visible and accountable. Delegation is provided as an enterprise service, with individual delegation policies set by the data owners, and in our ZTA formulation preserves standard claims-based authentication, authorization, and auditing protections. This paper discusses enterprise delegation and its implementation for ZTA architectures.
Dr. Simpson has over two decades of experience working to improve systems security. He has degrees in Aeronautical Engineering and Business Administration. He also attended several schools for military and government training. He spent many years as an expert in aeronautics before delving into the field of electronic and system test, and he has spent the last 20 years on IT-related themes (mostly security, including processes, damage assessments of cyber intrusions, IT security standards, IT security evaluation, and IT architecture). He has published over 300 technical papers and four text books, many of these in the field of information security.