Do You Know Who to Trust?

In April, as a precursor to RSA, I published a blog that suggested the collective security community should be challenging the status quo and not succumb to the pressures of culture (Can Change in IT Security Win the Cultural Battle). The first challenge, “my IT defenses are impenetrable,” was addressed in my blog on May 20th, They Will Get In, When Will You Know? The next in line to examine is “my network of trust (or Trust Framework) is well understood and everyone is in compliance,” or, as I like to think about it, “do you know who to trust?”

“Do you know who to trust?” seems like an easy question, right? You trust the individuals that hold credentials issued in compliance with your trust framework. A trust framework is defined by the set of technical, operational, and legal (i.e., regulatory) requirements for identity credential data and other required data exchanges between a set of agreeing parties. The technical and operational components of a trust framework include processes such as identity proofing, credential management, authentication requirements, and audit and assessment oversight, just to name a few.

Consider the problem of Shadow IT, where users create accounts in unapproved cloud applications and potentially transfer your company’s sensitive data to those applications. This is a simple form of data breach and could lead to a significant problem. In this example, the user is not acting in compliance with the trust network. There are many technologies on the market today that can address the Shadow IT problem and get a handle on IT-approved (sanctioned) and unapproved (unsanctioned) apps, for example Netskope and Managed Methods.

Now assume that you have discovered unsanctioned apps and brought them into your trust network, or at least know the unsanctioned apps and can play big brother. You may have a team that oversees a presumed closed-loop identity credential lifecycle management process, but are you certain that the process has not been compromised? Is it possible that someone (whom you thought you could trust) has penetrated the process sometime after identity credential creation, and that this breach has resulted in one or more updates to user privileges? If yes, then you will need to rapidly determine whether this penetration has allowed them to perform unintended and inappropriate system behaviors, such as creating privileged accounts or perhaps stealing corporate data. In the case of an insider threat, this is someone you believe you can trust, but in reality, they are someone you can’t!

But how do you know that the person you thought you could trust is no longer trustworthy? As discussed in my May blog, rapidly detecting an intruder is a big data problem, where data analytics and machine learning can be used to discover the relationships and behaviors contained within the data exchanges between interacting system entities and components. Such analysis provides the real insight into IT security behaviors and the overall secure operation of a trust framework.

Establishing a trust framework, making sure your users are compliant with that framework, and monitoring behavior are all important elements of a secure enterprise, but you still can’t be sure that your users (real or imposters) are trustworthy. This is where a provenance framework comes into play. The provenance framework establishes a formal record of ownership of an identity credential, and that record is used to continuously prove the authenticity and quality of the identity credential, i.e., “the who.” The identity credential lifecycle management example illustrates the need to understand and define all of the data exchanges that exist between numerous trust partners/entities and the capability/service providers. In other words, know and understand your trust framework’s capabilities and limitations.
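To make the two ideas above concrete, the tampered credential lifecycle process and the provenance record that lets you re-prove a credential continuously, here is an added example that is not part of the original post and does not describe any particular vendor’s or standards body’s framework. It assumes one simple design: every lifecycle event for a credential (issuance, privilege grant or revoke, authentication) is appended to a hash chain, each record is HMAC-tagged with a key held outside the identity-admin role, and a reconciliation step compares the privileges the live directory says a user holds against what the chain actually accounts for. The key `DEMO_KEY`, the subject `u-1001`, the privilege names, and the actor labels are all constructed for the demo.

```python
"""Hash-chained, HMAC-authenticated provenance record for an identity credential.

Added illustration; not the blog author's framework or any product's code.
Detects (a) in-place edits to earlier lifecycle records and (b) privileges that
appear in the live directory without any recorded, authorized grant.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Set, Tuple

# Constructed demo key. A real deployment would hold it in an HSM or KMS so the
# identity-admin role whose actions are being recorded cannot re-sign records.
DEMO_KEY = b"demo-provenance-key-not-for-production"

def _canonical(event: dict) -> bytes:
    # Deterministic encoding so the same event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def append_event(chain: List[dict], event: dict, key: bytes) -> dict:
    """Append an event bound to the previous record's hash and HMAC-tagged."""
    prev = chain[-1]["hash"] if chain else "0" * 64
    body = {**event, "seq": len(chain), "prev": prev}
    digest = hashlib.sha256(_canonical(body)).hexdigest()
    record = {**body, "hash": digest,
              "tag": hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()}
    chain.append(record)
    return record

def verify_chain(chain: List[dict], key: bytes) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, seq of the first bad record)."""
    prev = "0" * 64
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k not in ("hash", "tag")}
        if rec.get("seq") != i or body.get("prev") != prev:
            return False, i  # a record was removed, reordered, or spliced in
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        expected_tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if digest != rec.get("hash") or not hmac.compare_digest(expected_tag, rec.get("tag", "")):
            return False, i  # contents edited in place, or tagged with the wrong key
        prev = digest
    return True, None

def effective_privileges(chain: List[dict]) -> Set[str]:
    """Replay grant/revoke events to get the privileges the record supports."""
    privs: Set[str] = set()
    for rec in chain:
        if rec["type"] == "grant":
            privs.add(rec["privilege"])
        elif rec["type"] == "revoke":
            privs.discard(rec["privilege"])
    return privs

def reconcile(live_privileges: Set[str], chain: List[dict], key: bytes) -> Dict[str, object]:
    """Compare what the directory says the user holds against the provenance record."""
    intact, bad_seq = verify_chain(chain, key)
    recorded = effective_privileges(chain) if intact else set()
    return {
        "chain_intact": intact,
        "first_bad_seq": bad_seq,
        "unrecorded": sorted(live_privileges - recorded),  # granted outside the process
        "stale": sorted(recorded - live_privileges),        # recorded but no longer present
    }

def build_demo_chain(key: bytes = DEMO_KEY) -> List[dict]:
    """Constructed lifecycle for the fictitious credential 'u-1001'."""
    chain: List[dict] = []
    append_event(chain, {"type": "issue", "subject": "u-1001", "proofing": "IAL2",
                         "actor": "idp-registration"}, key)
    append_event(chain, {"type": "grant", "subject": "u-1001", "privilege": "crm:read",
                         "actor": "idm-workflow"}, key)
    append_event(chain, {"type": "auth", "subject": "u-1001", "method": "mfa", "actor": "idp"}, key)
    return chain

if __name__ == "__main__":
    chain = build_demo_chain()
    # Case 1: the live directory shows a privilege no lifecycle record accounts for.
    print(reconcile({"crm:read", "iam:create-user"}, chain, DEMO_KEY))
    # Case 2: an insider edits the earlier grant record in place to widen it.
    chain[1]["privilege"] = "crm:admin"
    print(reconcile({"crm:admin"}, chain, DEMO_KEY))
```

The reconciliation is the continuous part: run it at each authentication or on a schedule, and a privilege that exists in the directory but not in the chain (case 1), or a chain that no longer verifies (case 2), is the signal that the lifecycle process itself was bypassed or altered after the credential was created. The design only detects; who is allowed to append records, and how the key is protected from the people being audited, is where the trust framework’s operational and legal requirements come in.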

Don’t let out-of-date cultural norms, such as “it is too hard to perform the end-to-end data exchange analysis required within a trust framework,” impede your progress. If you really want to be able to answer the question “do you know who to trust?” you must first answer “how can I tell?” You must be able to continuously verify that the person you trusted the last time they authenticated is someone you can still trust.

I encourage you to read more about these topics through the terrific body of information available from the Open Identity Exchange and the National Institute of Standards. Not all the tools and technologies are available just yet, but they are coming. In the meantime, you need to acknowledge the need to prepare yourself because “they will get in” and you need to rapidly determine “can I still trust you.”
