Page 195 - Cyber Defense eMagazine August 2024

appropriate authorization to access this particular resource in the specific context in which they're to access it?"

The distinction between the corporate and public networks doesn't matter in a Zero Trust security model. Zero Trust applied in this way makes all resources location-independent.



The shift from role-based to attribute-based authentication

Companies can further harden their access control by ensuring that resource access is taking place in an appropriate context.

Attribute-based authentication is how we get there, effectively setting very granular requirements for when someone can access a resource.

For example, if you have a database table housing sensitive data, the first step might be to only grant access to employees with a specific job title, i.e., 'role-based authentication,' or RBAC. From here, companies can get more granular with attribute-based authentication, or ABAC. A few factors you might weigh for whether or not a user gains access include:



   • Where are you? Are you in your 'workplace' (the office), or are you in Tahiti?
   • What device are you using? Are you on a work laptop or something else, such as a personal phone or tablet?
   • What time is it? i.e., do you want to permit access to a resource when it's being used in production?



You can create a rule that says, "All senior programmers trying to access database table XYZ have to be in Kansas between 2pm and 4pm." You've now shut access to anyone not meeting these conditions. If the employee is on vacation in Hawaii, if they're not senior enough, or if the database is in production use, it's locked by default.

Everyone should govern on attributes this way when granting access to users, as opposed to granting access to anyone inside 'the network'. These attributes are key to organizations reducing the attack surface exposed to bad actors with nefarious intent.



Observability needs to be coupled with enforcement

Much investment is happening in the startup space across observability tools like identity security and policy governance. These are being layered on top of access technologies to add insight into how access is taking place. But they're being handled in isolated buckets, which makes it hard to associate the actual human user with each action.





Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.