Blogger: Phil Schacter
For many years I have been a strong proponent of investing in identity infrastructure as the basis for enforcing strict access control policies. Many organizations now have mature identity systems that support such preventive, identity-based access controls, although others still struggle with provisioning and de-provisioning identities and entitlements. I haven't changed my mind about the importance of identity and identity-based controls, but I now recognize that they are not enough. There are too many cases where identity cannot be strongly established: the nature of the relationship may not permit it, credentials can be compromised, and it is uncertain whether the accessing device is actually in the possession of the authorized user. Equally or perhaps more important than identity is the security context in which the request to access a protected resource or system is made.
Security context is the set of determinable factors concerning the request and the requesting user or device. These factors can include network location, geographic location, device identity and characteristics, the time of the request (e.g. whether it falls within normal business hours), the nature of the activity, and any special circumstances or unusual aspects of the request. None of these signals is individually trustworthy (a source address can be proxied, a device fingerprint replayed), so they are best combined into a risk score that raises or lowers the assurance required, rather than replacing authentication. Similar contextual and behavioral information is already used by financial systems to detect likely instances of credit card fraud. As organizations adapt to the externalization, consumerization, and democratization of IT, it becomes less likely that the user or device accessing a system is an employee on an IT-managed device owned by the organization. Many non-employees will require access to specific business and IT services, hosted in a mix of private and shared data centers, from a variety of devices and locations.
Security systems need to monitor and learn which behaviors and access patterns are normal, and which are more likely to involve compromised devices, co-opted credentials, or fraudulent activity by individuals with a direct or indirect relationship to the organization. The learned patterns of behavior must then be reviewed, internalized, and applied when making access decisions. Complementing this increased use of security context are the logging and post-event analysis systems that ensure criminal activity is identified and that sufficient forensic information is retained to support prosecution or civil litigation; the context attributes that drove a decision should be recorded alongside it, so an investigation can reconstruct why access was granted. In other words, establish accountability for actions as a deterrent.
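As an added illustration (not part of the original post), the Python below sketches one way to turn the context factors described above into an access decision: learn a per-user baseline from past successful accesses, score a new request by how far each factor deviates from that baseline, and map the score to allow, step-up authentication, or deny. The access history, the factor weights, the decision thresholds and the business-hours window are all constructed assumptions, and the "impossible travel" check stands in for the post's "special circumstances" factor.

```python
"""Context-aware access decisions: learn what is normal for a user from
past successful requests, then score a new request against it.

Added example, not code from the original post.  All history, weights and
thresholds below are constructed assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Request:
    """The security context of one access request."""
    user: str
    when: datetime
    network: str      # e.g. "corp-lan", "home-isp", "public-wifi"
    country: str      # resolved from the source address
    device: str       # managed-device id or browser fingerprint
    action: str       # nature of the activity requested


@dataclass
class Baseline:
    """What 'normal' looks like for one user, learned from history.
    Counters keep frequencies so rare-but-seen values can be treated
    differently from never-seen ones if desired."""
    devices: Counter = field(default_factory=Counter)
    networks: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    actions: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    last: "Request | None" = None   # most recent access, for travel checks


def learn_baseline(history):
    """Build a Baseline from a chronologically ordered list of past
    successful requests belonging to a single user."""
    b = Baseline()
    for r in history:
        b.devices[r.device] += 1
        b.networks[r.network] += 1
        b.countries[r.country] += 1
        b.actions[r.action] += 1
        b.hours[r.when.hour] += 1
        b.last = r
    return b


# Assumed weights; a real deployment tunes these against observed fraud
# and false-positive rates.
WEIGHTS = {
    "unknown_device": 30,
    "unknown_country": 25,
    "unknown_network": 15,
    "off_hours": 15,
    "unusual_action": 20,
    "impossible_travel": 40,
}
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local, assumed


def score_request(req, baseline):
    """Return (score, reasons). Each factor adds to the score only when
    it deviates from the learned baseline."""
    score, reasons = 0, []

    def flag(name):
        nonlocal score
        score += WEIGHTS[name]
        reasons.append(name)

    if req.device not in baseline.devices:
        flag("unknown_device")
    if req.country not in baseline.countries:
        flag("unknown_country")
    if req.network not in baseline.networks:
        flag("unknown_network")
    # Outside business hours AND never seen at this hour before.
    if req.when.hour not in BUSINESS_HOURS and req.when.hour not in baseline.hours:
        flag("off_hours")
    if req.action not in baseline.actions:
        flag("unusual_action")
    # Special circumstance: a different country from the previous access,
    # too soon for the user to have travelled there.
    last = baseline.last
    if (last is not None and last.country != req.country
            and req.when - last.when < timedelta(hours=4)):
        flag("impossible_travel")
    return score, reasons


def decide(score):
    """Map a risk score to a decision (thresholds assumed).  Mid-range
    risk asks for step-up authentication instead of denying, because any
    single context signal can be wrong."""
    if score < 25:
        return "allow"
    if score < 60:
        return "step_up"
    return "deny"


def parse_time(s):
    return datetime.fromisoformat(s)


# Constructed history for one user: weekday office access from a managed
# laptop in the US, plus one evening session from home.
HISTORY = [
    Request("alice", parse_time("2024-03-04T09:05:00"), "corp-lan", "US", "lt-0451", "read_report"),
    Request("alice", parse_time("2024-03-04T14:30:00"), "corp-lan", "US", "lt-0451", "edit_report"),
    Request("alice", parse_time("2024-03-05T20:15:00"), "home-isp", "US", "lt-0451", "read_report"),
    Request("alice", parse_time("2024-03-06T10:00:00"), "corp-lan", "US", "lt-0451", "read_report"),
    Request("alice", parse_time("2024-03-07T11:45:00"), "corp-lan", "US", "lt-0451", "edit_report"),
]


def evaluate(req, history=HISTORY):
    """Score one request against the baseline learned from history and
    return (decision, score, reasons) for logging with the decision."""
    baseline = learn_baseline(history)
    score, reasons = score_request(req, baseline)
    return decide(score), score, reasons


if __name__ == "__main__":
    # Routine office request, new phone from home, and a request that looks
    # like stolen credentials used from abroad right after an office session.
    for r in [
        Request("alice", parse_time("2024-03-08T09:30:00"), "corp-lan", "US", "lt-0451", "read_report"),
        Request("alice", parse_time("2024-03-08T20:30:00"), "home-isp", "US", "phone-77", "read_report"),
        Request("alice", parse_time("2024-03-07T13:00:00"), "public-wifi", "RO", "unknown-fp", "export_all_records"),
    ]:
        print(r.when, r.country, r.device, "->", evaluate(r))
```

The returned reasons list is what should be written to the access log next to the decision: it is the evidence a later investigation needs to see which context signals fired.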