by Diana Proud-Madruga
Retrofitting security within legacy systems is expensive and rarely fixes all the security holes. However, if your company is upgrading its systems and/or moving to cloud-based services, it is an ideal time to rethink your identity and access management (IAM) approaches to securing your networks.
In 2018, NIST published the “Framework for Improving Critical Infrastructure Cybersecurity.” According to this document, IAM assures that “access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.” Requirements include managing
They also include
Meeting these requirements can be a challenge. Luckily, two new technologies are emerging to assist companies with their IAM needs.
Zero Trust Model
Introduced in 2010 by Forrester, Zero Trust is “not a project but a new way of thinking about information security.” Traditional network security focuses on keeping unauthorized intruders out of the network, with security controls often “bolted on” after network creation. An underlying assumption posits that those inside the network are trusted and don’t need additional verification. Unfortunately, many breaches come from insiders. In fact, according to Verizon’s 2018 Data Breach Investigations Report, 28% of data breaches involve internal actors.
Zero Trust changes the model to one where all network traffic is seen as untrusted. As a result,
Changing the trust model to Zero Trust reduces the insider threat and improves the overall security posture of the network.
Attribute-Based Access Control Model
In 2014, Gartner predicted that by 2020, “70% of businesses will use attribute-based access control (ABAC) to protect critical assets.”
Access control models provide a framework and a set of boundary conditions upon which the objects, subjects, operations and rules may be combined to generate and enforce an access control decision. In ABAC, a subject’s requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environmental conditions and policies specified in terms of those attributes and conditions.
Considerable benefits come with ABAC as it
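To make the ABAC decision described above concrete, and to show the Zero Trust point from the previous section that being on the internal network grants nothing by itself, here is an added example that is not code from the article, Forrester, Gartner or NIST: a small deny-by-default policy engine in Python. The attribute names (department, clearance, classification, device compliance, network location), the five rules and the sample users and resource are all constructed for illustration; a real deployment would load attributes from the directory and device-management systems and policies from a policy store.

```python
"""Minimal attribute-based access control (ABAC) evaluator.

Added example: subjects, resources and environment are described by
attributes, and every rule in the policy must hold for a request to be
granted (deny by default). Network location is an environment attribute
that is never sufficient on its own, which is the Zero Trust stance.
All names and values below are constructed, not taken from any standard.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Subject:
    user_id: str
    department: str
    clearance: int          # 0 = none ... 3 = highest (constructed scale)
    mfa_verified: bool      # strong authentication completed this session


@dataclass(frozen=True)
class Resource:
    resource_id: str
    owner_department: str
    classification: int     # minimum clearance required to touch it
    pii: bool               # contains personal data


@dataclass(frozen=True)
class Environment:
    device_compliant: bool  # posture check from device management
    network: str            # "corp", "vpn" or "internet"; informational only
    hour: int               # local hour of day, 0-23


# A rule sees subject, resource, requested operation and environment.
Rule = Callable[[Subject, Resource, str, Environment], bool]


def rule_clearance(s: Subject, r: Resource, op: str, e: Environment) -> bool:
    return s.clearance >= r.classification


def rule_department_or_read(s: Subject, r: Resource, op: str, e: Environment) -> bool:
    # Only the owning department may change a resource; others may read.
    return s.department == r.owner_department or op == "read"


def rule_pii_needs_mfa(s: Subject, r: Resource, op: str, e: Environment) -> bool:
    return (not r.pii) or s.mfa_verified


def rule_device_compliant(s: Subject, r: Resource, op: str, e: Environment) -> bool:
    # Applies regardless of e.network: a corp-LAN device gets no exemption.
    return e.device_compliant


def rule_business_hours_for_write(s: Subject, r: Resource, op: str, e: Environment) -> bool:
    return op == "read" or 8 <= e.hour < 18


# Ordered list of (name, rule); the name is what an audit log would record.
POLICY: list[tuple[str, Rule]] = [
    ("clearance", rule_clearance),
    ("department_or_read", rule_department_or_read),
    ("pii_needs_mfa", rule_pii_needs_mfa),
    ("device_compliant", rule_device_compliant),
    ("business_hours_for_write", rule_business_hours_for_write),
]


def evaluate(subject: Subject, resource: Resource, operation: str,
             env: Environment) -> tuple[bool, list[str]]:
    """Return (granted, names_of_failed_rules). Granted only if nothing failed."""
    failed = [name for name, rule in POLICY
              if not rule(subject, resource, operation, env)]
    return (not failed, failed)


# Constructed sample data.
ALICE = Subject("alice", "finance", clearance=2, mfa_verified=True)
BOB = Subject("bob", "engineering", clearance=1, mfa_verified=False)
LEDGER = Resource("ledger-2024", "finance", classification=2, pii=True)
ENV_REMOTE_COMPLIANT = Environment(device_compliant=True, network="internet", hour=10)
ENV_CORP_NONCOMPLIANT = Environment(device_compliant=False, network="corp", hour=10)

if __name__ == "__main__":
    for who, op, env in [(ALICE, "write", ENV_REMOTE_COMPLIANT),
                         (ALICE, "write", ENV_CORP_NONCOMPLIANT),
                         (BOB, "read", ENV_REMOTE_COMPLIANT)]:
        granted, failed = evaluate(who, LEDGER, op, env)
        print(f"{who.user_id} {op} {LEDGER.resource_id} from {env.network}: "
              f"{'ALLOW' if granted else 'DENY ' + str(failed)}")
```

The design choice worth noticing is that `evaluate` returns the list of failed rule names rather than a bare boolean: that is what gets written to the audit trail, and it is what lets an administrator explain a denial without re-running the policy. Note also that the compliant device on the public internet is allowed while the non-compliant device on the corporate LAN is refused; the only attribute that changed between the two is device posture, not location.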
The Changing Landscape
Modern technologies, such as the cloud, bring-your-own-device (BYOD) and the Internet of Things, are changing the business landscape. Public and private organizations are increasing efficiency and agility through, for example, remote access that allows them to share information with partners and customers. At the same time, employees can work remotely on any device from any locale, allowing untold professional and personal freedom. However, gains in freedom come at a price: on-premises security no longer protects employees or the organization’s information in this new world.
Today’s security solutions must control access in new ways. New IAM technologies must respond by assuring that persons, whether staff, clients or partners, are who they say they are and that their system access is limited to specific resources. Incorporating the Zero Trust and ABAC models as part of an organization’s IAM solution assists with regulatory compliance while minimizing data breaches and controlling access in such a way that users have access to what they need, when they need it.
Diana Proud-Madruga, CISSP, is a Senior Security Analyst with Electrosoft.