{"id":19101,"date":"2022-12-01T10:00:00","date_gmt":"2022-12-01T09:00:00","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=19101"},"modified":"2022-12-07T10:53:52","modified_gmt":"2022-12-07T09:53:52","slug":"zero-trust-and-identity-as-the-new-perimeter-what-about-tokens","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/12\/zero-trust-and-identity-as-the-new-perimeter-what-about-tokens\/","title":{"rendered":"Zero trust and identity as the new perimeter : what about tokens ?"},"content":{"rendered":"\n<p style=\"text-align: justify;\">Introduced just over 10 years ago by <a href=\"https:\/\/www.forrester.com\/blogs\/the-definition-of-modern-zero-trust\/\">Forrester<\/a>, <em>Zero Trust<\/em> is a security philosophy that starts from the premise that the cyber threat is omnipresent, both outside and inside the IS, and consequently proposes an access management strategy based on the three basic principles: explicit verification, minimising privileges, and constant monitoring.<\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align: justify;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-19102 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/1EN.png\" alt=\"\" width=\"602\" height=\"134\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/1EN.png 602w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/1EN-437x97.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/1EN-71x16.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/1EN-600x134.png 600w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/p>\n<p style=\"text-align: center;\"><strong><em>Figure 1\u00a0:<\/em><\/strong><em> The three fundamental principles of the Zero Trust model<\/em><\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align: 
justify;\">Despite these principles being well-known now, their practical implementation still represents a challenge for many organisations.<\/p>\n<p style=\"text-align: justify;\">There is no single product that implements a Zero Trust model, and there will not be one; instead, there are many distinct implementation architectures. For user access, Zero Trust can be applied using two main architectural models (which are not in conflict and can be complementary):<\/p>\n<ul style=\"text-align: justify;\">\n<li>A model relying on an enforcement point in the infrastructure, e.g., a Secure Access Service Edge (SASE) approach. It dynamically controls network access to IS resources (the user&#8217;s identity and posture are used to make the decision).<\/li>\n<li>An approach where identity alone is the enforcement point: access to IS resources is conditional, requiring proof of authentication and authorisation. In this approach, access control is carried out by an identity provider (identity manager or IdP) and by the targeted resources themselves.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">The second type of architecture is the topic of this article. We will focus on an implementation that uses Azure Active Directory (AAD) as the Identity Provider.<\/p>\n<p style=\"text-align: justify;\">Before looking at how the Identity Provider can be used to implement Zero Trust, here is a short description of the theory behind the token-based access management mechanism.<\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<h1 style=\"text-align: justify;\">AAD-based access management: a token story<\/h1>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align: justify;\">AAD-based access management follows the principles of the access scheme involving an Identity Provider, i.e. 
a service to which the target resource delegates the management of the life cycle of user identities and their authentication.<\/p>\n<p style=\"text-align: justify;\">In this scheme, a user&#8217;s access to a resource requires the presentation of a valid pass, issued by the Identity Provider after the user\u2019s authentication process and (potentially) verification of their entitlement to access the target resource. These passes are called tokens and are cryptographically signed to protect against the use of forged tokens.<\/p>\n<p style=\"text-align: justify;\"><em>What is a token?<\/em> A token is a string of characters containing various pieces of information called claims, transmitted, for example, in HTTP (HyperText Transfer Protocol) requests.<\/p>\n<p style=\"text-align: justify;\">AAD, as an identity provider, can issue three types of tokens, known as Security Tokens:<\/p>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\"><em><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-19126 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Icone-1.png\" alt=\"\" width=\"46\" height=\"41\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Icone-1.png 46w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Icone-1-44x39.png 44w\" sizes=\"auto, (max-width: 46px) 100vw, 46px\" \/>ID Token:<\/em> <strong>Evidence of user authentication. <\/strong>It contains information about the user&#8217;s identity and the authentication context. 
It is not associated with any specific resource nor involved in access control.<\/p>\n<p style=\"text-align: justify;\"><em style=\"font-size: revert; color: initial;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-19128 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Icone-2.png\" alt=\"\" width=\"46\" height=\"41\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Icone-2.png 46w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Icone-2-44x39.png 44w\" sizes=\"auto, (max-width: 46px) 100vw, 46px\" \/>Access Token:<\/em> <strong style=\"font-size: revert; color: initial;\">A pass authorising access to a particular resource<\/strong><span style=\"font-size: revert; color: initial;\">. It may contain attributes or claims that allow the targeted resource to refine access control, such as the permissions delegated to the client application (scopes) on the resource. However, in the case of Azure AD (a <\/span><strong style=\"font-size: revert; color: initial;\">self-contained token (*) (<\/strong><span style=\"font-size: revert; color: initial;\">JWT<\/span><strong style=\"font-size: revert; color: initial;\">)<\/strong><span style=\"font-size: revert; color: initial;\">), it <\/span><strong style=\"font-size: revert; color: initial;\">cannot be revoked after it has been issued<\/strong><span style=\"font-size: revert; color: initial;\">. Its <\/span><strong style=\"font-size: revert; color: initial;\">lifetime averages one hour<\/strong><span style=\"font-size: revert; color: initial;\">. In other words, an Access Token remains valid until its lifetime ends. 
<br \/><\/span><strong style=\"font-size: revert; color: initial;\"><em><sup>(*)<\/sup><\/em><\/strong><em style=\"font-size: revert; color: initial;\">Another OAuth implementation could have used opaque tokens, which require querying the Authorization Server to retrieve their details. This type of implementation would allow for easier revocation. This is not the choice made by Microsoft.<\/em><\/p>\n<p style=\"text-align: justify;\"><em><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-19130 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Icone-3.png\" alt=\"\" width=\"44\" height=\"41\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Icone-3.png 44w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Icone-3-42x39.png 42w\" sizes=\"auto, (max-width: 44px) 100vw, 44px\" \/>Refresh Token:<\/em> is provided at the same time as the Access Token; <strong>it allows obtaining a new Access Token\/Refresh Token pair after the expiration of the previous Access Token, without explicit user re-authentication<\/strong>. It also allows retrieving Access Tokens for other resources without explicit user authentication. In the context of Azure AD, its lifetime is 90 days, or 24 hours for Single Page Applications, and unlike the Access Token, it can be revoked before its expiration.<\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align: justify;\">It should be noted that Microsoft has defined a fourth type of token, the Primary Refresh Token, which allows single sign-on between applications on a given device. 
This token will not be mentioned in the rest of the document for the sake of simplicity.<\/p>\n<p style=\"text-align: justify;\">Now we need to understand how these different tokens circulate from actor to actor!<\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<h2 style=\"text-align: justify;\"><strong>Initial access to the target resource<\/strong><\/h2>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\">At the time of the initial access, we assume that there are no valid tokens: neither Access Tokens for the target resource nor Refresh Tokens. When the user wants to access the target resource, they will be redirected to AAD to be authenticated (and, where applicable, authorised).<\/p>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-19114 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Schema-1-VO.png\" alt=\"\" width=\"4398\" height=\"2434\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Schema-1-VO.png 4398w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Schema-1-VO-345x191.png 345w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Schema-1-VO-71x39.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Schema-1-VO-768x425.png 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Schema-1-VO-1536x850.png 1536w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Schema-1-VO-2048x1133.png 2048w\" sizes=\"auto, (max-width: 4398px) 100vw, 4398px\" \/><\/p>\n<p style=\"text-align: center;\"><strong><em>Figure 2:<\/em><\/strong><em> Dynamic process of obtaining an Access Token\/Refresh Token pair during the initial access to the resource<\/em><\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align: justify;\">The resulting Access Token will be included in each request to the target resource. 
The target resource will process them as long as the access token has not expired.<\/p>\n<p>\u00a0<\/p>\n<h2 style=\"text-align: justify;\"><strong>Renewal of access rights to the resource<\/strong><\/h2>\n<p style=\"text-align: justify;\"><strong>\u00a0<\/strong><\/p>\n<p style=\"text-align: justify;\">After the expiration of the initial Access Token, the Refresh Token will be used to silently retrieve, without user intervention, a new Access Token\/Refresh Token pair.<\/p>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-19118 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Schema-2-VO.png\" alt=\"\" width=\"4398\" height=\"2482\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Schema-2-VO.png 4398w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Schema-2-VO-338x191.png 338w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Schema-2-VO-69x39.png 69w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Schema-2-VO-768x433.png 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Schema-2-VO-1536x867.png 1536w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Schema-2-VO-2048x1156.png 2048w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Schema-2-VO-800x450.png 800w\" sizes=\"auto, (max-width: 4398px) 100vw, 4398px\" \/><\/p>\n<p style=\"text-align: center;\"><strong><em>Figure 3:<\/em><\/strong><em> Access session dynamic maintenance via the renewal of the Access Token\/Refresh Token pair<\/em><\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align: justify;\">In an access management model, which involves an Identity Provider such as AAD, it can be noticed that <strong>the tokens are the keys to the castle and the Identity Provider is the gatekeeper<\/strong>. 
Let&#8217;s now look at how well this access management model implements the principles of Zero Trust for applications that rely on AAD to manage their login sessions.<\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<h2 style=\"text-align: justify;\">Tokens: vulnerable vehicles of implicit trust<\/h2>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\">Looking at how Azure AD-based access management works, we see that:<\/p>\n<ul style=\"text-align: justify;\">\n<li>Access to any resource delegating access management requires proof of authentication and authorisation, through the presentation of a valid Access Token, regardless of the network origin of the access.<\/li>\n<li>An Access Token only gives access to one resource. Access to a different resource requires a dedicated Access Token from the Identity Provider.<\/li>\n<li>The Refresh Token allows Access Tokens to be obtained for all resources the user is authorised to access.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">At this stage, the application of Zero Trust principles is partial and can be improved:<\/p>\n<ul style=\"text-align: justify;\">\n<li>By default, the Access Token is issued against basic authentication (login and password).<\/li>\n<li>The validity of the Access Token is decoupled from the context. 
It can be used throughout its validity period, regardless of any compromise signals that may have been detected.<\/li>\n<li>The Access Token can be renewed without verification if the authentication context has not changed.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<h3 style=\"text-align: justify;\">Conditional Access (CA) reinforces the conditions for issuing tokens and securing sessions<\/h3>\n<p style=\"text-align: justify;\">Conditional Access (CA) is an AAD function, requiring an AAD Premium P1 or M365 Business Premium licence, that allows context to be considered in access management.<\/p>\n<p style=\"text-align: justify;\">Thanks to CA, it is possible to integrate a set of signals related to the user&#8217;s identity, the device used, the target resource, the access context and\/or the risk level into the access authorisation decision.<\/p>\n<p style=\"text-align: justify;\">CA also allows non-binary authorisation decisions to be applied. Thus, an access carried out in a certain context can be authorised under specific conditions, which aim to compensate for and reduce the level of risk associated with the access context.\u00a0<\/p>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-19142 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/2EN.png\" alt=\"\" width=\"1604\" height=\"705\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/2EN.png 1604w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/2EN-435x191.png 435w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/2EN-71x31.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/2EN-768x338.png 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/2EN-1536x675.png 1536w\" sizes=\"auto, (max-width: 1604px) 100vw, 1604px\" \/><\/p>\n<p 
style=\"text-align: center;\"><strong><em>Figure 4:<\/em><\/strong><em> The principle of Conditional Access<\/em><\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align: justify;\">The issuance of an Access Token can be made conditional on two-factor authentication, which helps protect against unauthorised access resulting from stolen credentials.<\/p>\n<p style=\"text-align: justify;\">In addition, CA offers other mechanisms for conditioning the use of tokens. Here we will focus on two mechanisms in particular: Sign-In Frequency (SIF) and Continuous Access Evaluation (CAE).<\/p>\n<p style=\"text-align: justify;\"><strong>\u00a0<\/strong><\/p>\n<h3 style=\"text-align: justify;\">The Sign-In Frequency: influences the frequency of explicit user authentication<\/h3>\n<p style=\"text-align: justify;\">The Sign-In Frequency defines a maximum duration, counted from the initial authorisation of access to the target resource, after which the user must re-authenticate.<\/p>\n<p style=\"text-align: justify;\">Beyond this timeframe, the Refresh Token can no longer be used to implicitly renew the Access Token\/Refresh Token pair.<\/p>\n<p style=\"text-align: justify;\">The SIF is thus a means of <strong>limiting the implicit trust given to Refresh Tokens over time<\/strong>.<\/p>\n<p style=\"text-align: justify;\">The operation of the mechanism is illustrated below, for a SIF set at 90 minutes.<\/p>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-19163 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/EN.png\" alt=\"\" width=\"1096\" height=\"517\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/EN.png 1096w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/EN-405x191.png 405w, 
https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/EN-71x33.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/EN-768x362.png 768w\" sizes=\"auto, (max-width: 1096px) 100vw, 1096px\" \/><\/p>\n<p style=\"text-align: center;\"><strong><em>Figure 5:<\/em><\/strong><em> Illustration of the operation of the Sign-in Frequency<\/em><\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align: justify;\">Note that the <strong>SIF has no effect on the validity of Access Tokens already issued<\/strong>. An Access Token that has not yet expired can still be used to access the associated resource, even after the maximum duration defined by the SIF has elapsed. The SIF only intervenes to prevent the implicit renewal of Access Tokens already issued or the implicit obtaining of new Access Tokens. To act on Access Tokens already issued, it is necessary to turn to Continuous Access Evaluation (CAE).<\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<h3 style=\"text-align: justify;\">Continuous Access Evaluation (CAE) is the way to link the validity of Access Tokens to the context<\/h3>\n<p style=\"text-align: justify;\">CAE is a CA feature, available since January 2022, that allows <strong>context to be considered throughout the access session and not only at the time of the initial authorisation<\/strong>, so that it can <strong>force a renewal of the Access Token already issued in response to certain signals<\/strong>, including signals that suggest a compromise.<\/p>\n<p>\u00a0<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-19146 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/4EN.png\" alt=\"\" width=\"3124\" height=\"473\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/4EN.png 3124w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/4EN-437x66.png 437w, 
https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/4EN-71x11.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/4EN-768x116.png 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/4EN-1536x233.png 1536w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/4EN-2048x310.png 2048w\" sizes=\"auto, (max-width: 3124px) 100vw, 3124px\" \/><\/p>\n<p style=\"text-align: center;\"><strong><em>Figure 6:<\/em><\/strong><em> Types of signals that can force the renewal of the Access Token<\/em><\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align: justify;\">CAE requires a communication link between AAD and the target resource, so that the latter is notified of signals requiring re-authentication and can retrieve the conditional access policies defined for it. When the target resource receives an access request, it checks whether it has previously received a notification concerning the user, and whether the access context differs from the one allowed by the conditional access policies. If either is the case, it rejects the access request and sends the user back to AAD with a request (challenge) for explicit re-authentication and a re-evaluation of the applicable access policies.<\/p>\n<p style=\"text-align: justify;\">It should be noted that <strong>CAE is not a transparent mechanism for the target resources and its implementation requires changes in their operating logic<\/strong>. Implementing CAE also requires a CAE-capable client application, able to interpret the challenge returned by the target resource and redirect the user to AAD. 
Microsoft has started to implement CAE in its <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/conditional-access\/concept-continuous-access-evaluation\">M365 collaboration suite applications<\/a>.<\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<h1 style=\"text-align: justify;\"><em>Summary<\/em><\/h1>\n<p style=\"text-align: justify;\">Today, it is possible to implement an identity-based Zero Trust access philosophy. However, to avoid repeating the shortcomings of historical security models, the conditions for issuing and using tokens must be tightened; otherwise they become carriers of implicit and excessive trust.<\/p>\n<p style=\"text-align: justify;\">Mechanisms such as Conditional Access, Sign-In Frequency and Continuous Access Evaluation make it possible to integrate signals that allow the context to be evaluated and, when necessary, to exercise continuous control over the tokens already issued.<\/p>\n<p style=\"text-align: justify;\">However, it must be kept in mind that, in a token theft scenario, these mechanisms play a reactive role that depends on detection capabilities, not a preventive role that would stop stolen tokens from being used. 
We will return to this in more detail in a future article, discussing the problem of token theft and the various existing and emerging solutions for dealing with it.\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduced just over 10 years ago by Forrester, Zero Trust is a security philosophy that starts from the premise that the cyber threat is omnipresent, both outside and inside the IS, and consequently proposes an access management strategy based on&#8230;<\/p>\n","protected":false},"author":1292,"featured_media":19134,"comment_status":"open","ping_status":"closed","sticky":true,"template":"page-templates\/tmpl-one.php","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3266,3977],"tags":[4192,4191],"coauthors":[2863,4198,4202],"class_list":["post-19101","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-next-gen-it-security-en","category-focus","tag-aad","tag-zero-trust"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Zero trust and identity as the new perimeter : what about tokens ? - RiskInsight<\/title>\n<meta name=\"description\" content=\"Zero Trust is a security philosophy that starts from the premise that the cyber threat is omnipresent, both outside and inside the IS\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/12\/zero-trust-and-identity-as-the-new-perimeter-what-about-tokens\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Zero trust and identity as the new perimeter : what about tokens ? 
- RiskInsight\" \/>\n<meta property=\"og:description\" content=\"Zero Trust is a security philosophy that starts from the premise that the cyber threat is omnipresent, both outside and inside the IS\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/12\/zero-trust-and-identity-as-the-new-perimeter-what-about-tokens\/\" \/>\n<meta property=\"og:site_name\" content=\"RiskInsight\" \/>\n<meta property=\"article:published_time\" content=\"2022-12-01T09:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-12-07T09:53:52+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/couverture1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"853\" \/>\n\t<meta property=\"og:image:height\" content=\"480\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Etienne Lafore, Omar Zamani, Justin Leblanc\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Etienne Lafore, Omar Zamani, Justin Leblanc\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/12\/zero-trust-and-identity-as-the-new-perimeter-what-about-tokens\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/12\/zero-trust-and-identity-as-the-new-perimeter-what-about-tokens\/\"},\"author\":{\"name\":\"Etienne Lafore\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/00ee9607d2b8cd5205bfe63b482a2b14\"},\"headline\":\"Zero trust and identity as the new perimeter : what about tokens ?\",\"datePublished\":\"2022-12-01T09:00:00+00:00\",\"dateModified\":\"2022-12-07T09:53:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/12\/zero-trust-and-identity-as-the-new-perimeter-what-about-tokens\/\"},\"wordCount\":1812,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/12\/zero-trust-and-identity-as-the-new-perimeter-what-about-tokens\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/couverture1.jpg\",\"keywords\":[\"AAD\",\"zero trust\"],\"articleSection\":[\"Cloud &amp; Next-Gen IT 
Security\",\"Focus\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/12\/zero-trust-and-identity-as-the-new-perimeter-what-about-tokens\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/12\/zero-trust-and-identity-as-the-new-perimeter-what-about-tokens\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/12\/zero-trust-and-identity-as-the-new-perimeter-what-about-tokens\/\",\"name\":\"Zero trust and identity as the new perimeter : what about tokens ? - RiskInsight\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/12\/zero-trust-and-identity-as-the-new-perimeter-what-about-tokens\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/12\/zero-trust-and-identity-as-the-new-perimeter-what-about-tokens\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/couverture1.jpg\",\"datePublished\":\"2022-12-01T09:00:00+00:00\",\"dateModified\":\"2022-12-07T09:53:52+00:00\",\"description\":\"Zero Trust is a security philosophy that starts from the premise that the cyber threat is omnipresent, both outside and inside the 
IS\",\"breadcrumb\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/12\/zero-trust-and-identity-as-the-new-perimeter-what-about-tokens\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/12\/zero-trust-and-identity-as-the-new-perimeter-what-about-tokens\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/12\/zero-trust-and-identity-as-the-new-perimeter-what-about-tokens\/#primaryimage\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/couverture1.jpg\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/couverture1.jpg\",\"width\":853,\"height\":480},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/12\/zero-trust-and-identity-as-the-new-perimeter-what-about-tokens\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Zero trust and identity as the new perimeter : what about tokens ?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"name\":\"RiskInsight\",\"description\":\"The cybersecurity &amp; digital trust blog by Wavestone&#039;s 
consultants\",\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\",\"name\":\"Wavestone\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"width\":50,\"height\":50,\"caption\":\"Wavestone\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/00ee9607d2b8cd5205bfe63b482a2b14\",\"name\":\"Etienne Lafore\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/author\/etienne-lafore\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}
?"}]},{"@type":"WebSite","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","name":"RiskInsight","description":"The cybersecurity &amp; digital trust blog by Wavestone&#039;s consultants","publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization","name":"Wavestone","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","width":50,"height":50,"caption":"Wavestone"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/00ee9607d2b8cd5205bfe63b482a2b14","name":"Etienne 
Lafore","url":"https:\/\/www.riskinsight-wavestone.com\/en\/author\/etienne-lafore\/"}]}},"_links":{"self":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/19101","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/users\/1292"}],"replies":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/comments?post=19101"}],"version-history":[{"count":7,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/19101\/revisions"}],"predecessor-version":[{"id":19170,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/19101\/revisions\/19170"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media\/19134"}],"wp:attachment":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media?parent=19101"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/categories?post=19101"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/tags?post=19101"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/coauthors?post=19101"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}