Rethinking Your Identity and Access Management Approaches June 6, 2019

by Diana Proud-Madruga

Retrofitting security within legacy systems is expensive and rarely fixes all the security holes. However, if your company is upgrading its systems and/or moving to cloud-based services, it is an ideal time to rethink your identity and access management (IAM) approaches to securing your networks.

In 2018, NIST published the “Framework for Improving Critical Infrastructure Cybersecurity.” According to this document, IAM assures that “access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.” Requirements include managing

  • Identities and credentials (issuing, managing, verifying, revoking and auditing for authorized devices, users and processes)
  • Physical access to assets
  • Remote access
  • Access permissions and authorizations (incorporating the principles of least privilege and separation of duties)

They also include

  • Protecting network integrity (e.g., network segregation, network segmentation)
  • Proofing identities and binding them to credentials and asserting them in interactions
  • Authenticating users, devices and other assets (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)

Meeting these requirements can be a challenge. Luckily, two new technologies are emerging to assist companies with their IAM needs.

Zero Trust Model

Introduced in 2010 by Forrester, Zero Trust is “not a project but a new way of thinking about information security.” Traditional network security focuses on keeping unauthorized intruders out of the network, with security controls often “bolted on” after network creation. An underlying assumption posits that those inside the network are trusted and don’t need additional verification. Unfortunately, many breaches come from insiders. In fact, according to Verizon’s 2018 Data Breach Investigations Report, 28% of data breaches involve internal actors.

Zero Trust changes the model to one where all network traffic is seen as untrusted. As a result,

  • All resources must be verified and secured.
  • Access control must be limited and strictly enforced.
  • All network traffic must be inspected and logged.

Changing the trust model to Zero Trust reduces the insider threat and improves the overall security posture of the network.

Attribute-Based Access Control Model

In 2014, Gartner predicted that by 2020, “70% of businesses will use attribute-based access control (ABAC) to protect critical assets.”

Access control models provide a framework and a set of boundary conditions upon which the objects, subjects, operations and rules may be combined to generate and enforce an access control decision. In ABAC, a subject’s requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environmental conditions and policies specified in terms of those attributes and conditions.

Considerable benefits come with ABAC as it

  • Provides centralized management of authorization policies.
    • Rules are dynamic, fine grained and provide real-time, contextual access control.
    • Simple queries form the basis of access rules.
    • Rules can evaluate attributes of subjects and resources that are not inventoried by the authorization system.
    • Rules need less maintenance and overhead because they do not require the creation or maintenance of the structure on which a role-based access control (RBAC) model depends (e.g., roles and resource locations).
  • Is scalable.
  • Can take environmental conditions into consideration.
  • Can be mapped to mandatory access control (MAC) and RBAC models.
  • Can easily adapt to risk.
  • Offers several hybrid solutions.
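To make the ABAC decision described above concrete, here is an added example (not Electrosoft's code or any product's API) of a deny-by-default policy decision point: every environmental constraint must hold, then at least one permit rule combining subject and object attributes must match. All attribute names, policies and sample subjects are constructed for illustration.

```python
# Added example (not Electrosoft's code): a deny-by-default ABAC decision point.
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]
Rule = Callable[[Attrs, str, Attrs, Attrs], bool]  # (subject, action, object, environment)

@dataclass(frozen=True)
class Policy:
    name: str
    rule: Rule
# Constructed attribute vocabulary; real values come from the directory, asset
# inventory and session (device posture, network) rather than from the policy.
CLEARANCE = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

def clearance_ok(subject: Attrs, obj: Attrs) -> bool:
    # A missing attribute resolves to the safe side: lowest clearance, highest label.
    return CLEARANCE[subject.get("clearance", "public")] >= CLEARANCE[obj.get("classification", "secret")]
# Environmental constraints: all must hold before any permit rule is consulted.
CONSTRAINTS: List[Policy] = [
    Policy("remote-needs-mfa-and-managed-device", lambda s, a, o, e:
           e.get("network") == "corporate" or (s.get("mfa") is True and e.get("device_managed") is True)),
    Policy("writes-only-in-business-hours", lambda s, a, o, e:
           a != "write" or 8 <= e.get("hour", -1) < 18),
]
# Permit rules: at least one must match; each combines subject and object attributes.
PERMITS: List[Policy] = [
    Policy("department-read", lambda s, a, o, e:
           a == "read" and clearance_ok(s, o) and s.get("department") == o.get("owner_department")),
    Policy("owner-read-write", lambda s, a, o, e:
           a in ("read", "write") and clearance_ok(s, o) and s.get("id") == o.get("owner")),
]

def decide(subject: Attrs, action: str, obj: Attrs, env: Attrs) -> Tuple[bool, str]:
    """Return (allowed, reason); the reason is what an audit log should record."""
    for c in CONSTRAINTS:
        if not c.rule(subject, action, obj, env):
            return False, f"denied by constraint {c.name}"
    for p in PERMITS:
        if p.rule(subject, action, obj, env):
            return True, f"permitted by {p.name}"
    return False, "no matching policy (default deny)"

# Constructed sample subjects, object and environments.
ALICE = {"id": "alice", "department": "finance", "clearance": "confidential", "mfa": True}
BOB = {"id": "bob", "department": "finance", "clearance": "confidential", "mfa": False}
REPORT = {"id": "q2-forecast", "owner": "bob", "owner_department": "finance", "classification": "confidential"}
OFFICE = {"network": "corporate", "hour": 10, "device_managed": True}
HOME_NIGHT = {"network": "remote", "hour": 22, "device_managed": True}
```

Note that no role structure is maintained: adding a new department or document only requires the attributes to exist, and the same rules keep working.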

The Changing Landscape

Modern technologies, such as the cloud, bring-your-own-device (BYOD) and the Internet of Things, are changing the business landscape. Public and private organizations are increasing efficiency and agility through, for example, remote access that allows them to share information with partners and customers. At the same time, employees can work remotely on any device from any locale, allowing untold professional and personal freedom. However, gains in freedom come at a price: on-premises security no longer protects employees or the organization’s information in this new world.

Today’s security solutions must control access in new ways. New IAM technologies must respond by assuring that persons, whether staff, clients or partners, are who they say they are and that their system access is limited to specific resources. Incorporating the Zero Trust and ABAC models as part of an organization’s IAM solution assists with regulatory compliance while minimizing data breaches and controlling access in such a way that users have access to what they need, when they need it.

Diana Proud-Madruga, CISSP, is a Senior Security Analyst with Electrosoft.
