Most people are familiar with the need to authenticate a person. Equally important is the need to authenticate software and systems in conjunction with the person using them. In other words, you should authenticate both the person and the manner in which he or she is accessing data. This forms the beginning of establishing trust principles throughout your enterprise.
In some cases, it is necessary to include end customers as participants in the security process by prompting them to validate or approve the system they are operating. In other cases, management should only allow approved systems to access certain data, and have means for enforcing these policy decisions and security verifications.
Identity management plays a critical role in providing enterprise controls with non-repudiation of people and workloads. Successful identity management implementations often improve organizational efficiencies. Through the use of single sign-on and additional authentication factors, our customers can eliminate the need for overkill password policies and a host of other quasi-security controls that do not enhance security or mission effectiveness.
These principles form the foundation for an automated authorization and access framework that becomes the start of an organization’s authorization fabric. By moving in this direction, CIOs, CISOs and other cyber executives can stipulate workload policies for accessing data as a combination of the following components:
- A user (human or system) as having membership in a role
- A role performing an action
- An action as part of a workload
- A policy authorizing a role to perform a specific action in a specific workload
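As an added illustration (not code from this page or from The Shattuck Group's tooling), the four components above can be evaluated by a small deny-by-default engine that also records who accessed what, where, when and under which policy; the subjects, roles and workloads below are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Policy:
    """One policy: a role may perform one action inside one workload."""
    role: str
    action: str
    workload: str


@dataclass
class AuthorizationFabric:
    memberships: dict          # subject (human or system) -> set of roles
    policies: set              # set of Policy; anything not listed is denied
    audit_log: list = field(default_factory=list)

    def decide(self, subject: str, action: str, workload: str) -> dict:
        """Deny-by-default decision plus a who/what/where/when/why record."""
        roles = self.memberships.get(subject, set())
        # 'why' lists the policies that granted access, so every allow is explainable
        grants = sorted(
            f"{p.role}:{p.action}@{p.workload}"
            for p in self.policies
            if p.role in roles and p.action == action and p.workload == workload
        )
        record = {
            "who": subject, "what": action, "where": workload,
            "when": datetime.now(timezone.utc).isoformat(),
            "why": grants or ["no matching policy"],
            "allowed": bool(grants),
        }
        self.audit_log.append(record)
        return record


# Constructed sample data (hypothetical subjects and workloads), not from any real deployment.
FABRIC = AuthorizationFabric(
    memberships={
        "alice": {"billing-analyst"},
        "etl-job-42": {"etl-service"},   # a system identity, not a person
    },
    policies={
        Policy("billing-analyst", "read", "invoice-reporting"),
        Policy("etl-service", "write", "invoice-ingest"),
    },
)
```

Calling `FABRIC.decide("alice", "read", "invoice-ingest")` is denied even though alice may read elsewhere, because a policy binds an action to a specific workload, and the resulting audit records are what give the visibility described below.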
The Shattuck Group has helped organizations establish robust policies and build tools to enforce those policies through a strong authorization fabric. With this approach to identity management, they gain control of and visibility into who is accessing data, what is accessed, when, why, and how, and whether that access is in accordance with (or in violation of) deliberate policy decisions. Furthermore, organizations are able to better understand the ramifications of data security policy changes, measure a shrinking (or growing) attack surface, and safeguard data from systems and people that do not possess a valid business case for accessing it.