Intertrust’s approach to IAM

One of the cornerstones of the Intertrust Platform is its identity access management (IAM) capability. IAM is well-known and widely used in IT deployments, but the Intertrust Platform introduces a number of innovative extensions to give companies better control over their distributed datasets. Abhishek Prabhakar, Product Marketing Manager – Data Platform, at Intertrust, provides details on the Intertrust approach to IAM.

Intertrust Platform has a new take on traditional IAM capabilities. A traditional IAM solution primarily focuses on: 

1. Extensibility, or if the identity or authorization solution is extensible across different platforms, solutions, or directory systems. 
2. Scalability, or if the system can scale to say a thousand or million users across different data sets.
3. Compliance, or whether the system complies with regulations. 
4. Open, or whether the solution adheres to open standards. 

Intertrust extends these elements of a traditional IAM, by introducing the following to the mix: 

1. Unified interoperability, or the benefit of using data across multiple clouds, private data repositories, etc., with an additional security layer that covers an entire ecosystem.
2. Device-level authentication, combined with a very granular level of governance and access control.

Key components of IAM in the Intertrust Platform

Unified governance and compliance across multiple platforms. This includes audit, rights management, and general agile data operations.

Federated data access control. Federated access control is a way to enable user sign-on across different systems and application ecosystems. For example, if there are 2 subsidiaries within a parent company and both have 10 applications running separately with different user directories, federated access control enables a single sign-on for all the applications. Here, single sign-on implies a single user identity, either for applications, users, or any third-party cloud-based data set.

Automated provisioning. For example, if a large corporation’s HR department manages the personal data of 10,000 new employees per year, creating a system that provisions the new employee data into all the different disconnected systems within the organization in an automated way is non-trivial. Intertrust can provision applications as well as users, the Intertrust Secure Execution Environments can run both of these separately inside the environment. 

Multi-factor Authentication (MFA). Multi-factor authentication is an industry standard, however, it is hard to provide this for device identity. 

The Intertrust Platform combines and increases the scope of all of these four features into users, organizations, and also to devices. 

Intertrust IAM features

Our federated ecosystem of access control is one of the key capabilities of our IAM solution because our federation is not limited to a single cloud. When an AWS-like cloud infrastructure provider says that it provides federation, it is usually limited to just within the AWS infrastructure. Our federation is truly multi-cloud and multi-platform. Additionally, our fine-grained policy governance makes this solution a complete solution for companies who want to see a trusted intermediary to manage their data without losing access. 

IAM + Intertrust Secure Execution Environments

Intertrust Secure Execution Environments can be visualized as isolated workloads that allow you to run applications securely inside them. When an application runs inside a secure workload, it needs to connect to multiple data sets and multiple active directories, or multiple user stores (basically a collection of users who need to access the application on a real-time basis. Simultaneously,  that application may need  to connect to external data sets, internally stored data sets, as well as some workflow management tools. This is where Intertrust Secure Execution Environments and access management comes in.

If you want to access the data store of an application running inside Intertrust Secure Execution Environments, the IAM capabilities will create a report for you in the centralized user store. It can then provide you access to that particular data set through the application that you want to access. Only then can you access that data store through Intertrust Secure Execution Environments. 

The relationship of DRM to IAM

When you go to watch something on Netflix and you login, that’s basically a user authorization. So, user authorization is an IAM function that’s governed by Netflix. When you click on something to be played, that is authentication. Authentication is controlled by a DRM certificate, and the DRM certificate is provided to you by Intertrust. So, we always had the authentication piece. We always helped with authorization–so now it’s about how we combine them.

The market need for IAM

With the advent of disconnected multi-party systems and the many databases associated with them, along with all the different cloud service providers, many people are saying that the data warehouse is dead. I think there is a need for a system that basically manages access across all of these different systems. Federated access is a term used in the industry that talks about how you integrate authorization across. For example, if someone has a user group in AWS, in Azure, or in a private data center, a federated access system enables single sign-on across all of these three platforms. There are a lot of people doing that, but they are not expanding their scope to include devices and user identities. 

The future is all about data, how you process, ingest, and store it and how to get the maximum out of your field data from connected devices in an efficient fashion. Currently the large tech companies are trying to create a data layer between the data generators and the data consumers. For example, if you own a connected car, the OEM  is the one that is generating the data but all of that data is flowing into Google’s data systems because they have a layer of Android on that. Intertrust enables data generators to get the most  out of their data ecosystem without having a middleman like Google or Apple taking all of the data.

That’s the reason you need a secure, trusted intermediary who can manage, ingest, store, and do certificate management of all your data. That’s the void Intertrust is filling, and that’s the future. 

Device identities and how they are managed within the Platform

Livisi, one of our customers, uses a lot of sensor data from devices inside a home, including thermostats, humidity controllers, lighting, garage door openers, etc. If it’s an IoT device, it already has some kind of a stamp in it, like a device identity. This gets transmitted when it first connects to the Internet. It gets recorded into the gateway that Livisi manufactures. Livisi is able to collect all of this information from the gateway and send that to the back end for analysis.

The IAM piece comes in handy because Livisi uses the Intertrust Platform on their back end to ingest these data streams from the different sensors that are coming in through the common gateway where it’s identified and authenticated. The different users of the Livisi platform are authorized to get access to different amounts of the data through very careful, granular rights management of the data sets that they can have access to.

A lot of the event data has timestamps associated with it. The data is made available in Intertrust Secure Execution Environments for third parties to get access to using governance rules and rule-based access controls. If further data sets are needed, such as data on local environmental conditions, markets, or other services, that data can be virtualized and accessed by applications without moving the data, which is accomplished through the Intertrust data virtualization component.

The combination of data virtualization, identity and access management, and finally making all of that available for data operations and developing analytics in secure workflow environments is unique to the Intertrust Platform.

To add to this point, every company in the world does authentication in 1 of 3 ways. The first is either a form-based authentication, that’s basically using a password and a CAPTCHA. Number two is MFA or multi-factor authentication. That’s like the fingerprint reader that you use when you are using a password to add complexity and security. The third is a certificate. A certificate can be a DRM token, or a Seacert hardware key. 

We are an issuer of device certificates. We have form-based authentication across all of our IAM capabilities. We have multi-factor authentication, in our roadmap for the next two quarters. We tick every box around different types of authentication mechanisms when it comes to IAM. 

Real world example of Intertrust Platform IAM 

A very large customer of the Intertrust Platform has around 10-15 very disconnected data systems with very different constructs. One is an Oracle SQL-based database, yet another is an Amazon Redshift database, and all are different in nature. Some of them reside in AWS, some in Microsoft Azure, and some reside in a private data center. In addition to maintaining these different databases, the organization’s plan is to move all of this data to a data lake because they want to streamline how data ops happen inside the organization. 

They have two sets of systems. One is a legacy system that they have to maintain and the second is a data lake. Now, imagine a situation where they want to move 80% of the data from the legacy systems into the data lake, but at the same time still want to have the same level of unified governance over the data that is in the data lake and on data that is not in the data lake. 

If the customer provides the data to AWS, AWS will only provide IAM solutions to the data that resides inside the AWS platform. That’s where Intertrust’s IAM comes in. If you have all these disconnected databases, if you want to integrate an AWS setup and a private data center setup, you also want to set up a secure execution environment that connects to all of these different systems.

Intertrust unified governance gives full access or full control to the company over both the data lake as well as their private data center. This is our unique proposition.