Application access / permissions trends and best practices


Hi,

Have a question around trends/best practices and application access.

Back in the "old" days application access was controlled from within the app, whereby roles may have been defined within the application, individual accounts were created within the app, and people could use the app accordingly.

Then came Directory Services, and if the application was, for example, AD integrated, then that is how access to the app was controlled - use AD accounts / AD Groups.

Now we have the Cloud.

So is the new trend to use, for example, Azure Groups to control access to "modern" apps - with all the benefits of Azure Groups (e.g. dynamic membership, centralized admin, easier auditing, etc etc etc).

While writing this question out, I think I have answered myself (somewhat) - but keen to hear people's views on the matter.

Thank you,

SK
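The setup the question describes (a cloud directory security group with dynamic membership gating an enterprise application, with assignment and membership both auditable) as an added Microsoft Graph PowerShell example; this is not code from the original thread, and the app display name, department value and app role name are assumed placeholders.

```powershell
# Added example, not from the original thread. Requires the Microsoft.Graph PowerShell module.
# Assumed placeholders: app display name "Contoso Expenses", department "Finance", role "Expense Submitter".
Connect-MgGraph -Scopes "Group.ReadWrite.All","Application.ReadWrite.All","AppRoleAssignment.ReadWrite.All"

# 1. A security group whose membership is computed from user attributes, so joiners
#    and leavers in that department are picked up without anyone editing the group.
$group = New-MgGroup -DisplayName "App-Expenses-Users" `
    -MailEnabled:$false -MailNickname "app-expenses-users" -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(user.department -eq "Finance") and (user.accountEnabled -eq true)' `
    -MembershipRuleProcessingState "On"

# 2. The enterprise application (service principal) the group should gate.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Contoso Expenses'"

# 3. Least privilege: require an explicit assignment, so a user who merely exists
#    in the directory but is outside the group cannot sign in to the app.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# 4. Assign the group to one of the app's own roles (defined in its manifest).
#    If the app defines no roles, the all-zero GUID is the built-in default access role.
$role = $sp.AppRoles | Where-Object { $_.DisplayName -eq "Expense Submitter" -and $_.IsEnabled }
$roleId = if ($role) { $role.Id } else { "00000000-0000-0000-0000-000000000000" }
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId $roleId

# 5. Review: both the effective membership and the app assignments are queryable,
#    which is the centralised auditing benefit the question refers to.
Get-MgGroupMember -GroupId $group.Id -All | Select-Object Id
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType, AppRoleId
```

Dynamic membership is evaluated asynchronously, so the member list in step 5 may lag the rule change by a few minutes.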

2 Replies
In the old era, connectivity through the internet was limited. Networking among People, Process and Technology was very much limited within a contained area. Given that, the threat vectors for identities were very much narrowed in scope. With the advancement of the internet era, all the AAA services, including Authentication, Authorization and Accounting, flipped to a different level. As an example, Kerberos cannot meet the requirements on authentication anymore. Passwords are considered no longer safe, and we have moved to multi-factor authentication mechanisms such as human biometrics, RFID and PINs.
Considering the hot topic of Zero Trust Architecture, all elements should be treated as untrusted.
Thanks for the reply, doesn't really answer the question though.