While renovating our home, we experienced many different trades in quick succession.
It gave me a fantastic opportunity to observe how wildly different teams work.
Each trade had a main contractor and a trainee apprentice.
Over the 12-month-long renovation, two contractors stood out.
First, there was the plumber.
It wasn't pretty.
Barking commands.
Rigid instructions.
“Do this.
Do that.
Not that... this.”
The job was completed.
But it was unpleasant to watch.
Later the same month, the builder came to replace the roof.
It was a totally different approach.
“We can't do this and this. Because of...
When trying to do that - I've found...”
Again, the job was completed.
But it was a completely different atmosphere.
The constraints were clearly marked.
And guiding tweaks to behaviours occurred only when the situation arose.
I remembered these experiences recently while explaining the difference between firewall access controls and Conditional Access policies.
The plumber and the builder completed the job but in very different ways.
Writing firewall rules hasn't changed in decades.
It's rigid and authoritarian.
You start by locking the firewall down.
Denying all traffic with an explicit catch-all: “deny ip any any”.
Only then is each acceptable connection opened.
One by one, each permit rule is placed above the Deny All so that it is matched first.
Once the pin-pricks and threads of acceptable access are defined... you're done.
These are the rules.
Fit within them.
Conditional Access is different.
With no policies in place, the default is to grant access to anyone who authenticates, without further constraint.
There is, of course, a Block (deny) action, but it overrules everything else.
If one of your rules proposed All Users be denied access...
No one would get in - regardless of any other rule.
So, denial must be used with specificity and care.
Conditional Access takes a layered, emergent approach.
Every matching rule contributes, and their combination becomes the final “intent” for each individual sign-in.
There may be a rule that requires staff to accept the remote work policy when working away from the office, and another that requires multi-factor authentication on phones.
How staff experience these rules will vary, based on their situation and context.
Staff who use their laptop from a cafe will be required to accept the remote work policy.
The same work on a phone will require multi-factor authentication as well as accepting the policy.
Staff who only work in the office on a laptop wouldn't know any different: they just access your data with a password.
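To make the two evaluation models concrete, here is a small Python sketch, added as an illustration and not code from the original post or from any firewall or Conditional Access product. It models a Cisco-style access list as an ordered list where the first matching entry decides, with the deny-all at the bottom, and Conditional Access as a set of policies that all contribute to one outcome, where a Block in any matching policy wins and a Block scoped to all users locks everyone out. The group names, named locations, policy names and sample sign-ins are constructed for the example.

```python
"""Two access-evaluation models side by side (constructed example, not vendor code).
Firewall ACL: ordered list, first matching entry decides, deny-all at the end.
Conditional Access: every matching policy contributes; controls accumulate, Block wins.
Groups, named locations, policy names and sign-ins below are made up for illustration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


# ---- Firewall model: "deny ip any any" at the bottom, permits pin-pricked above ----
@dataclass(frozen=True)
class AclEntry:
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp", or "ip" meaning any protocol
    src: str             # CIDR prefix, or "any"
    dst: str             # CIDR prefix, or "any"
    port: Optional[int]  # destination port, None meaning any


def _in_prefix(ip: str, prefix: str) -> bool:
    return prefix == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


def acl_decide(acl: list[AclEntry], proto: str, src: str, dst: str, port: int) -> str:
    """Walk the ACL top-down; the first matching entry decides.
    Anything that falls off the end hits the implicit deny every ACL carries."""
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if not (_in_prefix(src, e.src) and _in_prefix(dst, e.dst)):
            continue
        if e.port is not None and e.port != port:
            continue
        return e.action
    return "deny"


ACL = [  # constructed: two threads of permitted access, then the explicit deny-all
    AclEntry("permit", "tcp", "10.0.0.0/8", "10.1.1.10/32", 443),
    AclEntry("permit", "udp", "10.0.0.0/8", "10.1.1.53/32", 53),
    AclEntry("deny", "ip", "any", "any", None),
]


# ---- Conditional Access model: layered, all matching policies combine ----
@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset[str]
    location: str   # a named location, e.g. "office" or "external"
    platform: str   # "windows", "ios", "android", ...


@dataclass(frozen=True)
class CaPolicy:
    name: str
    users: frozenset[str]      # target groups, or {"all"}
    locations: frozenset[str]  # named locations, or {"all"}
    platforms: frozenset[str]  # device platforms, or {"all"}
    controls: frozenset[str]   # "mfa", "terms_of_use", "block"

    def matches(self, s: SignIn) -> bool:
        return (("all" in self.users or bool(self.users & s.groups))
                and ("all" in self.locations or s.location in self.locations)
                and ("all" in self.platforms or s.platform in self.platforms))


def ca_decide(policies: list[CaPolicy], s: SignIn) -> tuple[str, frozenset[str]]:
    """Every matching policy adds its controls to the requirement set. Order is
    irrelevant, and a single Block anywhere overrides every grant, which is why
    a Block policy scoped to all users locks everyone out."""
    required: set[str] = set()
    for p in policies:
        if p.matches(s):
            required |= p.controls
    if "block" in required:
        return "block", frozenset()
    return "grant", frozenset(required)


ALL = frozenset({"all"})
POLICIES = [  # constructed policies mirroring the cafe / phone / office scenarios above
    CaPolicy("Remote work terms", frozenset({"staff"}), frozenset({"external"}), ALL, frozenset({"terms_of_use"})),
    CaPolicy("MFA on mobile", ALL, ALL, frozenset({"ios", "android"}), frozenset({"mfa"})),
    CaPolicy("No contractors off-site", frozenset({"contractors"}), frozenset({"external"}), ALL, frozenset({"block"})),
]
BLOCK_ALL_MISTAKE = CaPolicy("Oops", ALL, ALL, ALL, frozenset({"block"}))  # the lock-out the text warns about

OFFICE_LAPTOP = SignIn("alice", frozenset({"staff"}), "office", "windows")
CAFE_LAPTOP = SignIn("alice", frozenset({"staff"}), "external", "windows")
CAFE_PHONE = SignIn("alice", frozenset({"staff"}), "external", "ios")
CONTRACTOR_PHONE = SignIn("bob", frozenset({"contractors"}), "external", "ios")

if __name__ == "__main__":
    print("ACL  tcp/443 to 10.1.1.10:", acl_decide(ACL, "tcp", "10.2.3.4", "10.1.1.10", 443))
    print("ACL  tcp/22  to 10.1.1.10:", acl_decide(ACL, "tcp", "10.2.3.4", "10.1.1.10", 22))
    for label, s in [("office laptop", OFFICE_LAPTOP), ("cafe laptop", CAFE_LAPTOP),
                     ("cafe phone", CAFE_PHONE), ("contractor phone", CONTRACTOR_PHONE)]:
        print(f"CA   {label:17}", ca_decide(POLICIES, s))
    print("CA   with block-all:", ca_decide(POLICIES + [BLOCK_ALL_MISTAKE], OFFICE_LAPTOP))
```

Run it directly to see the four sign-ins from the text fall out of the same three policies: the office laptop gets no extra controls, the cafe laptop picks up the terms of use, the cafe phone picks up both, and the contractor is blocked regardless of the MFA policy that also matched. Appending the all-users Block shows the lock-out: the order of the policies never matters, only the union of what matched. A real tenant evaluates more dimensions (applications, client apps, sign-in risk) than this toy, but the combination rule is the point.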
New managers tend towards authoritarian approaches out of fear or a lack of control.
Prescriptive, deterministic results - by force.
As those same managers gain experience - they loosen constraints and allow freedom to achieve the outcome by a different path.
But this takes confidence and acceptance of uncertainty.
It takes time and experience.
I see a strong parallel in the move from highly constrained firewall policies to Conditional Access policies.
In time, the emergent properties of Conditional Access will be used effectively.
But at the moment - I see forced, authoritarian implementations prevailing.