RBAC vs ABAC vs PBAC: A Practical Guide for Enterprises

Posted by Aditya Taneja on Mon, Aug 21, 2023

It is easy to see how the fragmentation of the modern IT landscape caused by the adoption of a Cloud-first model has increased the importance of a having well-managed authorization strategy and the complexity of achieving this goal. 

To help you choose the best access control model for your organization or application, we compare the most popular options, we'll also analyze and discuss the various attribute-based and role-based approaches for application authorization, including their applicability, strengths, and weaknesses: 

  • Role-Based Access Control (RBAC)
  • Attribute-Based Access Control (ABAC)
  • Policy-Based Access Control (PBAC)
  • Hybrid Role and Attribute-Compliant Access

A well-designed authorization system is essential for managing the day-to-day activities to control who has access to what and enable organizations to safely undergo a digital transformation moving more of their business online and into the Cloud.

Understanding the differences between different authorization models is critical for choosing an appropriate access control method for your organization or application. 

Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) is a security and authorization model for securing access to computer
resources used by almost all enterprises to secure their systems. RBAC access is based on roles defined by the business using them. In the RBAC model, roles are created, and then sets of permissions for resources are assigned to the role. Users are then granted one or more roles to receive access to resources. 

rbac
Fig: RBAC PDP Flow Determining Access to Bob’s X-Ray for Alice

RBAC Benefits
In the RBAC model, since access is not directly assigned to users but bundled into assignments made to roles, the correct assumption is that controlling and maintaining access is easier. Moreover, because roles and access management can be centralized, it is evident who has a role and access to the role grants. There are fewer assignments to be managed, which decreases the cost of security management and compliance auditing. Furthermore, according to a 2010 NIST study, correct RBAC implementation and efficient provisioning can also reduce employee downtime resulting in significant ROI.

  • RBAC is deterministic. An RBAC approach makes it easy to know who has access to what at any moment in time.
  • RBAC is more direct and easier to visualize. Security admins can visualize the actors and resources they will affect when creating or modifying a policy.
  • RBAC is inherently auditable. With RBAC assignments, as the consequences of that access are visible, it is simple for business owners to certify or attest to access granted. This visibility contrasts with ABAC where a “before the fact audit" is impossible and the effects of a rule are difficult to ascertain.
  • RBAC can be simpler than ABAC. For example, with RBAC, bundles of access can be directly assigned to a user. To do this in ABAC requires the creation of a new rule.

RBAC Weaknesses

Unfortunately, the precise nature of the RBAC model can also be considered the source of many of its weaknesses:

  • RBAC requires advanced knowledge of the Subjects and Resources and, typically, does not support making on-the-fly contextual decisions.
  • An RBAC-only approach can result in an enormous number of roles to accomplish fine-grained authorization.
  • Resource owners must know something about the roles and their intended purpose to grant access to those roles accurately.
  • Resources must be organized into collections to facilitate delegation.
  • Probably the most well-known problem with RBAC is “role explosion.”  Organizations often end up with large numbers of roles to accommodate people performing the same job function within different geographical or functional areas within the company. Given a substantial number of roles and collections of resources, a correspondingly large number of delegations would need to be created and managed. 


ATTRIBUTE-BASED ACCESS CONTROL (ABAC)

Attribute-Based Access Control (ABAC): An access control method where the subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.

Splitter Copy 2

The policies that can be implemented in an ABAC model are limited only to the degree imposed by the computational language and the richness of the available attributes.

Splitter Copy 2

Essentially, the more decision data at your disposal at runtime, the more sophisticated your ABAC policies can be. 

ABAC relies on user attributes for authorization decisions. ABAC policies are rules that evaluate access based upon the following four sets of attributes:

  • Subject – the attributes concerning the person or actor being evaluated.
  • Resource – the attributes of the target or object being affected.
  • Action – describe the action to be performed on the Resource
  • Environment – includes attributes such as the time of the day, IP subnet, and others that do not relate to
    either the Subject or the Resource. 

abac

Fig: NIST SP 800-162 ABAC Definition

ABAC Benefits

The key advantage of ABAC is that it does not allow application developers to hardcode a static list of roles and oversimplify their authorization source code. Rather, ABAC forces them to centralize all authorization decisions and call out at runtime to decide based on the Subject, Resource, Action, and Environment request attributes. Another key benefit is ABAC’s sometimes simpler nature. This simplicity can make it easier to understand how a rule grants access to a resource when dealing with a small number of rules. In contrast, RBAC does seem foreign to many users, and, especially during the early phase of its adoption, the levels of abstraction can be challenging for an IT team.

One other added advantage of ABAC is its flexibility. With ABAC, as long as the necessary data is available, almost anything can be represented as a rule-based query. For example, a rule evaluated at runtime in a login session can use contextual information—even information passed in via SAML claims or JWT tokens. In contrast, when delivering the role membership for a user to the application, a standard RBAC engine would not evaluate this type of information.

Everything we cover in this blog can be explored further in our whitepaper “A Guide to Authorization”. You can find that whitepaper here: 

ABAC Primary Benefits

  • ABAC enforces centralized management of authorization policies
  • ABAC makes it easy to specify access rules as simple queries.
  • ABAC rules can be extraordinarily fine-grained and contextual.
  • ABAC rules can evaluate attributes of Subjects and Resources that are not inventoried by the authorization system.
  • ABAC rules need less maintenance and overhead because they do not require the creation or maintenance of the structure on which an RBAC model depends, e.g., roles and resource locations.

abac2


ABAC Weaknesses
The first challenge we encounter with implementing policies like this is the information needs to be obtained and evaluated at runtime. In our policy example, if we needed to know if the user’s nationality was Swiss, then this information would likely reside in either the corporate Active Directory or HR system. Moreover, if we needed to know if the company was in Emergency Mode or not, this essential information might be difficult to obtain in a live corporate environment. Likewise, if we needed to as certain their out-of-office status, this would reside in a corporate email system such as Microsoft 365. Furthermore, to attain information for network login sessions or the MFA status would require a query to an Identity Provider such as Ping Federate. 

abacchallanges

ABAC’s Primary Weaknesses

  • ABAC makes it extremely difficult to perform a “before the fact audit” and determine the permissions available to a specific user. To successfully determine access, not only might a considerable number of rules need to be executed, but they must also be done in the same order in which the system applies them. As a result, this could make it impossible to assess risk exposure for any given employee position.
  • In a comparable manner to how a “Role Explosion” can occur with RBAC, an explosion can also occur with ABAC where a system with N number of attributes would have 2N possible rule combinations.
  • Unless rules are kept extremely simple and do not access data from various source systems, ABAC systems with complex rules from multiple attribute sources can be unacceptably slow to answer authorization queries. 

RBAC Versus ABAC: Tradeoffs and Balance
As shown in Figure 28, the decision between ABAC and RBAC is a trade-off. On the one hand, you can have fast, simple, and other RBAC related benefits and, on the other, you can have extensible, scalable, and other ABAC-related advantages. To date, the challenge has been to find the right balance for your own organization’s needs. This is where Policy-Based Access Control (PBAC) helps. 

rbacabac

 

POLICY-BASED ACCESS CONTROL (PBAC)

Policy-Based Access Control (PBAC) is not a formally defined standard but rather describes an authorization model that combines RBAC and ABAC concepts and eliminates some of their shortcomings. The key concept behind PBAC is that policies are expressed as assignment relationships that can be visualized and manipulated graphically. Access rights to perform operations against resources or objects are acquired through relationships referred to as associations. This includes the ability to define complex hierarchical relationships with inheritance, which is overly cumbersome in ABAC. One might consider PBAC as “relational ABAC.” PBAC is best used for real time enforcement of authorization decisions where a well-developed role model can be leveraged for policy assignment.

PBAC policies are inherently more efficient than ABAC policies because authorization decisions are not based on multiple computed and then combined local decisions. Instead, they are based on the net result of multiple policies based on relationships existing within a single database. This aspect also allows PBAC to enforce dynamic Segregation of Duties (SOD) rules, which are not entirely achievable with ABAC. A last key feature mentioned is PBAC support for “before the fact audit,” which is the ability to see who has access to a resource at any time, and not just during the real-time evaluation of a policy set.

pbac

EMPOWERID’S HYBRID ROLE & ATTRIBUTE-COMPLIANT ACCESS APPROACH 

Defining and maintaining compliant access for a large organization can be a daunting task. Some types of applications and use cases are better suited to a more structured role-based approach, whereas others require real-time contextual decisions. RBAC, ABAC, and PBAC are three ways of managing authorization policies. Moreover, while both have overlapping qualities, individually, each one cannot cover all the necessary aspects of access control. However, for optimal, dynamic support of an IT organization’s needs, EmpowerID supports RBAC relational modeling. RBAC relational modeling provides the backbone or structure for defining an organization and its overall policies while leveraging the flexibility and real-time contextual nature of ABAC and PBAC to offer the best comprehensive solution. 



EmpowerID’s sophisticated role and relationship modeling allow security architects to model the organization and its structure and policies, including segregation of duties policies to prevent undesired combinations of access. As illustrated above, flexible attribute-based ABAC or PBAC policies support the centralized real-time decision point for applications that can call the EmpowerID API for authorization decisions. The ABAC/PBAC engine enhances or modifies the powerful RBAC engine's decisions, allowing their use only when greater flexibility or contextual information such as risk, location, and MFA type is required. By including the pre-calculated access results that the engine derives from complex RBAC policies that account for inheritance and even attribute-based queries, ABAC/PBAC policies are made much more potent. The end-goal of leveraging each approach's best is to deliver what EmpowerID calls “Compliant Access Delivery.” 

Splitter Copy 2

What is Compliant Access Delivery: Sign up for our Newsletter!

Splitter Copy 2

Conclusion

In summary, we learned that no single method covers all use cases and application technologies. The overall goal of Compliant Access Delivery requires using the best of each approach implemented following the principles of Zero Trust and Least Privilege. When executed correctly, this automates access assignments and reduces an organization’s attack surface, making it harder for attackers to find privileged credentials and offers them fewer capabilities to perform malicious activities when they compromise a privileged account. 

 

Bridge Your Security Gaps Today!

Tags: Active Directory, IAM, Virtual Directory, Access Governance, cloud security

How Enterprises can Bridge Security Gaps using Low-Code Platforms

Posted by Aditya Taneja on Fri, Aug 11, 2023

 

 

Bridge Your Security Gaps Today!

Tags: Active Directory, IAM, Virtual Directory, Access Governance, cloud security

Enhancing Identity Governance in Zero Trust Environments: The Power of Proxy Models and Workflows

Posted by Aditya Taneja on Mon, Jun 19, 2023

In the realm of cybersecurity, the Zero Trust model has emerged as a robust framework for enhancing security. A key aspect of this model is effective identity governance, which can be significantly streamlined and made more efficient through the use of proxy models and workflows.

Today we'll be exploring how these tools can be leveraged to bolster security and efficiency in identity governance within Zero Trust environments.

What are Proxy Models?

Proxy Models in identity governance can be likened to gatekeepers in a business organization, ensuring that only authorized individuals gain access to sensitive resources. Just as a gatekeeper verifies the identity and permissions of individuals before granting entry, proxy models act as intermediaries between users and the systems they wish to access. They authenticate and validate user identities, ensuring that only authorized personnel are granted appropriate access privileges.

_7ba07d58-118f-40e8-b9a1-a0626dc436a7

The Power of Proxy Models

Proxy models provide a powerful tool for managing identities in a Zero Trust environment. By acting as an intermediary between users and resources, proxy models can enforce strict access controls, ensuring that users only have access to the resources they need. This approach significantly reduces the attack surface and helps to prevent unauthorized access.

Moreover, proxy models can help to alleviate some of the challenges of the cybersecurity labor shortage and skills gap. By reducing the need for costly IT staff with specific knowledge and training in each of the proxied systems, proxy models can help organizations to manage their resources more efficiently.

By implementing proxy models, businesses can establish a robust and secure system where user actions are monitored and controlled, mitigating the risk of unauthorized access and potential data breaches. Think of proxy models as vigilant guards, protecting your business assets and maintaining the integrity of your identity governance framework.

The Efficiency of Workflows

Workflows, particularly those that are automated, can greatly enhance efficiency in identity governance. By automating routine tasks, workflows can reduce the time and effort required to manage identities, freeing up IT staff to focus on more strategic tasks.

For instance, consider the process of onboarding a new employee. An automated workflow could streamline this process, ensuring that the new employee's identity is properly set up across all necessary systems. This not only saves time but also reduces the risk of errors that could lead to security vulnerabilities.

Practical Strategies for Implementation

Implementing proxy models and workflows in identity governance involves several key steps. First, organizations need to identify the resources that need to be managed and the users who will need access to these resources. Next, they need to define the access controls that will be enforced by the proxy models.

Once the proxy models are in place, organizations can then develop workflows to automate routine identity governance tasks. These workflows should be designed to be flexible and adaptable, allowing for changes in the organization's needs and circumstances.

Today, most modern Identity Governance Platforms such as EmpowerID, are equipped with the requisite toolsets to implement these robust policy frameworks. Developing and integrating these systems separately might require significant planning, resources, and expertise for most organizations; instead opting for a modern Identity Platform that easily integrates with your enterprise's existing applications might be the way to go forward. The flexibility to easily handle on-prem, cloud, and even hybrid workflows paired with the ability to integrate with Microsoft 365, SAP, ServiceNow, SalesForce, etc creates an extremely compelling offering for any organization looking to manage their identities. 

Conclusion

Proxy models and workflows offer powerful tools for enhancing security and efficiency in identity governance, particularly within Zero Trust environments. By implementing these tools and techniques, organizations can streamline their identity governance processes, improve their security posture, and better manage their resources. As the cybersecurity landscape continues to evolve, such strategies will be crucial for maintaining robust security.

Tags: IAM, Group Management, Virtual Directory, Access Governance, cloud security, iga

MiMvsEmpowerIDArticle

Posted by Aditya Taneja on Wed, May 24, 2023

Microsoft Identity Manager (MIM) is a legacy identity management solution that has been around for a while. Organizations have been leveraging Microsoft Identity Manager (MIM) to centrally manage user identities, automate user provisioning and de-provisioning because of its relatively easy integration within the Microsoft Ecosystem. While it has served many organizations well, it lacks some of the essential features that modern identity management software offers.

Here are a few of the key features that MiM is missing compared to modern identity management solutions:

  1. Cloud-First Approach: 

    MIM was designed for on-premises environments, and while it can be extended to support cloud-based environments, it lacks the cloud-first approach that modern identity management solutions offer. This can make it challenging to manage hybrid environments or to take full advantage of the cloud's scalability and flexibility.
  2. Flexible Identity Models: 

    MIM relies heavily on the Active Directory schema, which can limit its flexibility when it comes to managing non-AD identities such as contractors, partners, and customers. Modern identity management solutions offer more flexible identity models that can accommodate a wider range of identity types and sources.
  3. Self-Service Provisioning:

    MiM requires significant manual intervention for account provisioning and access request workflows. Modern identity management solutions offer self-service capabilities that enable users to request and manage their own access, reducing the administrative burden on IT staff.
  4. Access Governance: 

    MiM offers basic access control functionality but lacks the more advanced access governance features found in modern identity management solutions. This includes capabilities such as entitlement cataloging, risk-based access certification, and access analytics.
  5. User Experience:

    MIM's user interface is complex and challenging to use, MiM’s frustrating User Interface is a common gripe amongst all its customers. Modern identity management solutions offer streamlined user experiences that are more intuitive and user-friendly, reducing the learning curve and improving user adoption.

EmpowerIDvsMiMs

In summary, while MIM has been a reliable identity management solution for many organizations, it lacks some of the essential features that modern identity management solutions offer. If you're looking for a more flexible, scalable, and user-friendly identity management solution, it's time to consider upgrading to a modern identity management platform such as EmpowerID.

EmpowerID is a next-generation identity and access management platform that provides unparalleled flexibility and scalability. With EmpowerID, you can easily manage identities, applications, and resources across your entire organization, regardless of size or complexity.

Here are just a few reasons why you should consider moving to EmpowerID:

  1. Greater Flexibility: EmpowerID offers a highly configurable platform that can be customized to fit your organization's unique needs. With our flexible architecture and robust API, you can easily integrate EmpowerID with your existing systems and workflows.
  2. Improved Security: EmpowerID provides comprehensive security features, including multi-factor authentication, role-based access control, and privileged access management. With EmpowerID, you can ensure that your organization's sensitive data and resources are protected from unauthorized access.
  3. Simplified Administration and Self-Service: EmpowerID's intuitive user interface and streamlined workflows make it easy for administrators to manage user accounts, access requests, and other identity-related tasks. With EmpowerID, you can reduce the administrative burden on your IT team and improve overall efficiency.
  4. Better User Experience: EmpowerID offers a seamless user experience, with a single sign-on portal that provides easy access to all of your organization's applications and resources. With EmpowerID, your users can enjoy a streamlined, hassle-free experience that improves productivity and reduces frustration.

So if you're looking for a powerful, flexible, and easy-to-use identity management solution, look no further than EmpowerID. Contact us today to learn more about how EmpowerID can help you take control of your organization's identity and access management needs.

Upgrade from Microsoft Identity Manager Today!

Tags: Active Directory, authentication, IAM, Access Governance, 2-Factor, authorization, Azure security

Say Goodbye to ActiveRoles - Upgrade Your Identity Management with EmpowerID

Posted by Aditya Taneja on Wed, Apr 05, 2023

If you are an ActiveRoles user, you know the value of a powerful and flexible Active Directory management solution. But as IT environments become more complex and diverse, managing identities and access across multiple systems and platforms requires a more comprehensive approach.

A modern Identity Governance solution provides more diverse features that understand the growing complexities of modern IT environments enabling deeper use cases than what you'd be limited by Quest Active Roles. While it provides many useful features for managing AD, it has quite a few limitations compared to other AD and identity governance platforms.

One of the biggest game-breakers with Active Roles is that it offers very limited functionality for Cloud users. While in theory, Quest can manage cloud users, but only to an extremely limited extent. The tool allows you to create and provision an AD user to a cloud system. However, the cloud system objects aren't inventoried and managed in the user interface, and you always need to have an AD user as your starting point for management.

This limitation can be problematic for organizations that rely heavily on cloud-based systems, as it creates an additional layer of complexity that may not be necessary. Without proper inventory and management of cloud-based users, organizations may struggle to maintain security and compliance standards.

EmpowerIDvsQuestActiveRoles-1

Aside from this, here's a list of a few more of these limitations for Quest ActiveRoles:
  1. Restrictive reporting and analytics capabilities:

    Quest ActiveRoles provides limited reporting and analytics capabilities, limited to just Users and Groups, as compared to other IGA Platforms that can provide in-depth and comprehensive analytics on every single AD Attribute. This severely limits you from getting a complete picture of your identity and access management activities.

  2. Neglible support for non-Microsoft platforms:

    Quest Active Roles is designed to work only with Microsoft Active Directory environments and does not support other directory services. This can be a significant limitation for your organization if you use a mix of different platforms, such as Unix or Linux. 

  3. Limited integration with other Systems and IAM solutions:

    Quest ActiveRoles does not integrate well with other IAM solutions, making it difficult for organizations to implement a comprehensive identity governance program. Active Roles also is limited to just being able to manage only your Active Directory, providing no way to manage users on other Systems and Applications. 

  4. Finite automation capabilities:

    Quest ActiveRoles does not provide extensive automation capabilities, which can make it difficult for organizations to automate repetitive tasks and workflows. Users will have to rely on writing scripting to complete tasks, which, when managing directories with millions of groups, objects, and users, can make even small tasks take exponentially longer and more expensive.

  5. Lacking Cloud readiness:

    ActiveRoles Server was designed to work with on-premises Active Directory environments, which is not ideal for organizations that are moving to the cloud or adopting hybrid environments. A modern Identity Management solution offers better cloud-ready features, such as support for multi-cloud environments and identity as a service (IDaaS) capabilities, reported missing in Quest ActiveRoles. 

  6. Lacking essential Identity features:

    ActiveRoles Server lacks advanced features like identity governance, access certification, risk-based access control, and identity analytics that are essential for modern organizations to manage identity and access in complex environments. Self Service features such as Access Requests and Password Resets are shown to have saved organizations millions of dollars in helpdesk costs and are seen as a must for any good IGA platform.

EmpowerID offers a modern, web-based solution that goes beyond Active Directory management to provide full Identity Governance and Administration, Access Management, and Privileged Access Management capabilities. With EmpowerID, you can manage identities and access across on-premises and cloud-based systems, applications, and platforms, including Microsoft Azure, SAP, Oracle, and more.

EmpowerID's True Zero Trust administration for Azure and other platforms allows for fine-grained access controls and risk management, and its low-code identity orchestration engine allows for easy automation of complex business processes. EmpowerID's powerful RBAC and PBAC hybrid authorization engine provides efficient and flexible administration and runtime policy enforcement.

Not only does EmpowerID offer advanced capabilities beyond Active Roles, but it also offers the convenience and scalability of a modern SaaS platform. EmpowerID's modular licensing allows you to add or remove features as your needs change easily, and its cloud-based deployment means you can manage your identities and access from anywhere.

Don't settle for less with ActiveRoles - Make the switch to EmpowerID and experience the power and flexibility of a modern, web-based Identity Governance and Administration solution that goes beyond Active Directory management.

If you'd like to read more about Cloud Ready Identity Governance Platforms, we'd recommend our Whitepapers on these subjects: Siemens Case Study, Cloud Infrastructure Entitlement Management (CIEM) Report

 

Upgrade from ActiveRoles Today!

 

Tags: Active Directory, IAM, Virtual Directory, Access Governance, cloud security

Cyber Attacks: What You Need to Know and Do

Posted by Patrick Parker on Fri, Oct 25, 2019

photo-1510915228340-29c85a43dcfe

Unsurprisingly, Verizon’s 2019 Data Breach Investigations Report doesn’t make for comfortable reading.

In 2018:

  • 43% of security breaches involved small businesses
  • 52% involved hacking (69% of the attacks proved to be the work of outsiders)
  • 33% were through social media
  • 28% involved malware.

(Verizon, 2019)

What’s also important to note is that C-level executives were 12 times more likely to be the target of a social engineering incident and nine times more likely to be the target in a breach caused by social engineering. Given this much higher target rate, it’s clear that modern cybercrime organizations are deducing that there’s higher value in a more targeted, high level attack (Barth, 2019).

Unfortunately, for many businesses, and despite the increased risks and chances of hacking, they are still using outdated methods and approaches. What’s worse is that some are even following the same approach to cyber security today as they were a decade or so ago.

As we mention in our Anatomy of a Cyber Attack white paper, that’s simply not going to work in today’s business theater. So much so that

Businesses Should Assume They Have Already Been Hacked and Are Currently Under-Siege

Seriously, that is the best, easiest, and most practical way to look at your security efforts to date.

Suffice it to say that, if information security is something you’ve been lackadaisical with up to now, today’s the day… [you need to change that]. You need to get wise to what’s happening. Before it’s too late.

Yes, there is a lot of information out there (much of it false), and though not having enough information can be fatal, the opposite is also true.  Either one can lead to 3 critical issues:

  • ineffective planning
  • insufficient mitigation of risks
  • inability to recover quickly following a breach.

With that last point, above, you don’t need us to tell you how important your customers are to your business.

In terms of numbers, Bryan Littlefield, CISO of Aviva, said that following a customer data breach, research suggests that of those customers who are thinking of cancelling their account with you, 50% of them actually will (Out-law News, 2015).

That long-standing relationship you’ve been building… destroyed.

That trust level you hold so dear to your heart and have painstakingly nurtured… gone, In an instant.

Cyber Security is Not Something That Only Others Do

Moreover, the days where security was considered to be extraneous or a separate arm of the business are long gone. Indeed, security must work as a  “…flexible and smart strategic asset that constantly delivers to the businesses, and impacts the bottom line.” (Sartin as quoted in Guta, 2019)

We do have more information on cyber-attacks (and you can download our paper at the bottom of this page), but for now we advise you to take this approach:

  1. Assume you’re already under-siege. You need to fight back.
  2. Work inside out. Adopt a defensive posture, start from the core, and ‘clear and secure your lines’, all the way to the external perimeter of your organization.
  3. All the while, rethinking your security approach and how you’re going to make it as hard as possible for the hacker/attacker in the future.

That’s what you need to do.

Naturally, you’re here on our webpage, on our site, so we’re going to offer advice on what works for us (‘us’ being our clients, customers, and partners) and what we ourselves recommend.

Identity Access Management and Zero Trust

We recommend Identity Access Management. In particular, what we call Zero Trust.

Zero Trust follows the 3 fundamental principles of never trust, always verify, and always enforce least privilege. (We have a white paper called Identity is the New Perimeter: Zero Trust is its Firewall where we talk more about that.)

In its simplest form, Zero Trust involves an identity verification and authentication portion. If these are incorrect then the rest fails.

With that in mind, let’s take a closer look at the anatomy of a cyber-attack (if you want to jump straight to the white paper, click here).

Caveat: before we go any further, we’re not for 1 second suggesting that you haven’t been taking security seriously. It’s just that as someone for whom this is our ‘meat and potatoes’ (or bread-and-butter, if you’re British), we know full well how overwhelming security can be.

Not least because of the rate with which the tech is changing, but also because of the myriad of terms and definitions, and all the rest of it.

That’s one of the main reasons we created this white paper. Others include helping you to cut through all that noise, to eliminate that chaff, so you get an easy to read, understand and digest picture off what’s going on.

The Anatomy of a Cyber Attack

The Anatomy of a Cyber Attack white paper covers the following:

  • An overview of cyberattacks and how the landscape is changing. One of the problems of today is that “As businesses embrace new digital ways of working, many are unaware of the new security risks to which they may be exposed” (Sartin, 2019).
  • The architecture of the modern attack, including phishing and social Engineering
  • The danger of local admin privileges and cached passwords
  • Attacks to Kerberos and Active Directory
  • The consumerization of hacking
  • Can we keep the hackers out?
  • Assume breach – now what?
  • Other tips to discourage hackers. These include preventing users from being local admins, avoid group nesting, and use dedicated secure admin workstations for admin tasks, etc.

Understanding what constitutes a cyber-attack is just 1 weapon that you will need in your arsenal: it’s only one of the steps you must take. I hope you’re like me and, when you see people reminiscing on or about the good old days, you smile. I’m happy for them–seriously happy. From my own perspective, life outside of cyber security must seem a trifle mundane. Admittedly, I don’t dwell long, because what we’re seeing and experiencing in cyber security now is unprecedented. Sure, today might be a great day, but let’s use that time wisely and prepare for tomorrow, too.

Click on the link below to download the white paper:

Download the White Paper\

 

References:

Barth, B. (2019, May 9). Verizon Breach Report: Attacks on top executives and cloud-based email services increased in 2018. Retrieved August 19, 2019, from SC Magazine: https://www.scmagazine.com/home/security-news/verizon-breach-report-attacks-on-top-executives-and-cloud-based-email-services-increased-in-2018/

Guta, M. (2019, May 22). 43% of Cyber Attacks Still Target Small Business while Ransomware Stays On the Rise. Retrieved August 19, 2019, from Small Business Trends: https://smallbiztrends.com/2019/05/2019-small-business-cyber-attack-statistics.html

Out-law News. (2015, July 3). Info security professionals are business brand preservationists, says Aviva security chief. Retrieved from Pinsent Masons: https://www.pinsentmasons.com/out-law/news/info-security-professionals-are-business-brand-preservationists-says-aviva-security-chief

Sartin, B. (2019, May 5). C-Suite Beware: You are the latest targets of cybercrime, warns Verizon 2019 Data Breach Investigations Report. Retrieved August 19, 2019, from Verizon: https://www.verizon.com/about/news/verizon-2019-data-breach-investigations

Verizon. (2019). 2019 Data Breach Investigations Report. Retrieved August 22, 2019, from https://enterprise.verizon.com/resources/reports/dbir/

Tags: Data Governance, Identity and Access Management (IAM), Access Governance

Cybersecurity and Why You Cannot Rely on Yesterday’s Tactics

Posted by Patrick Parker on Fri, Oct 25, 2019

RustedLock

“They came on in the same old way – and we defeated them in the same old way.”

Though it could easily be used today, that quote does have rather more deep-rooted origins. The speaker was Arthur Wellesley (though you may know him by his more common titles of The Duke of Wellington and, later, Prime Minister of Great Britain). He spoke those words after his and Field Marshall Blucher’s combined Allied forces had just defeated Napoleon at the Battle of Waterloo.

Without going into the details of the battle itself, the outcome was quite significant in several ways:

  • Napoleon’s tactics at Waterloo were both out of date and inflexible
  • His battle plan lacked finesse, consisting only of repeated ‘in your face’ brute force attacks
  • The outcome of this helped shape the future of Europe for almost 100-years
  • Given ‘The Battle of Waterloo’ was in 1815, it does, in fact, predate the on-going debate about RBAC v ABAC which still persists today.

Okay, that last point is stretching a little white lie (a hint of a joke, as it were). But If you’ll permit me, I’ll tell you 2 specific reasons why it does fall flat on its face:

  • The RBAC v ABAC debate is now in its 22nd year (yes, it began in 1997)
  • Like Napoleon at Waterloo, if you honestly expect to win today’s battle with yesterday’s tactics then you’re going to lose.

Unfortunately, and we know this firsthand, some companies still are using old systems, old methods, and old tactics.

(Please tell us this isn’t you, though?)

Your Attacker is Getting Cleverer

One glance at the news tells you that your attacker is getting cleverer. (It might also be a concern to know that there are a lot more attackers out there since hacker tools became more commercialized. If you want to learn more, then click here to get our The Anatomy of a Cyber Attack white paper.

Make no bones about it, your attacker is getting cleverer, more devious, and increasingly skillful–they’re evolving. And though steam rolling in with brute force methods might be just one part of their plan, unlike Napoleon on that fateful day, we both know they’ll adapt and move on to other means as soon as necessary.

This isn’t hyperbole, either.

You’ve likely seen or heard all of the scare tactics, the dire threats, the ‘end of the earth as we know it’ (if you haven’t, let us know and we’re more than happy to fire some your way).

But here at EmpowerID, where cybersecurity, RBAC and ABAC, and your security is concerned, we prefer to stay a little more grounded. A little more pragmatic.

The Cyber Threats Are Real

But make no mistake…

Don’t think for a minute that the threats aren’t real–because they are.

You and I both know, full well, that your attackers’ plans are evolving continuously.

Unfortunately, the very nature of cybersecurity is that they’re likely to be evolving far faster than you or any of us can ever react.

However, it isn’t all 1-way and isn’t all doom and gloom. There are steps we can take to mitigate this. To limit the chances of them being successful.

We can’t stop them from selecting us as their target, but our goal here, of course, is to make it so difficult that they move onto easier pickings. They turn their attentions and efforts elsewhere.

Let’s not get ahead of ourselves just yet, though…

What Is Your Battle Plan?

A question for you:

When the attackers’ beady little eyes do eventually turn to and focus on you, what exactly is your battle plan?

At Waterloo, Wellington had surveyed that ground years 2 or 3 years before.

We both know we’ll never ever have that luxury.

Then what?

“But we’ll be okay,” said every single security consultant or manager in the world ever. (All the while secretly praying that they’re okay.)

And then they weren’t, of course (okay, that is).

Reading this, you, may very well think that we’re wrong.

If that’s the case, then tune into the media and watch or listen. Turn on your TV or radio, or tune in via your PC, whatever it is you use.

Because if the next security breach is not all over the news today, then it’ll be tomorrow or next week.

It’s only a matter of time.

As realists, we both know it’s coming.

We sincerely hope they’re not talking about you.

White Paper: Identity is the New Perimeter: Zero Trust is its Firewall

To learn more about constructing your organization’s defenses and laying out your battle plans, we have a white paper called ‘’Identity is the New Perimeter: Zero Trust is its Firewall.

In it, we talk about how identity and Zero Trust are where the 21st century battle will occur. Zero Trust is founded on 3 fundamental principles:

  • never trust
  • always verify
  • always enforce least privilege.

Quite simply, when a user attempts to access to your system, they have to verify and authenticate themselves. If they fail either, then they’re denied access.

Click here to download the Identity is the New Perimeter: Zero Trust is its Firewall white paper

 

Tags: Data Governance, Identity and Access Management (IAM), Access Governance

Turkey citizenship database leak highlights need for full database encryption

Posted by Chris Hayes on Tue, Apr 05, 2016

Screen_Shot_04-04-16_at_09.08_AM.png

Citizens of Turkey woke up Monday with the knowledge that a Citizenship Database has been publicly dumped for anyone in the world to download and view.

The dumped database included:

  • National Identifier (TC Kimlik No)Screen_Shot_04-04-16_at_09.06_AM.png
  • First Name
  • Last Name
  • Mother's First Name
  • Father's First Name
  • Gender
  • City of Birth
  • Date of Birth
  • ID Registration City and District
  • Full Address

 

 

This database leak underlines why it is important to encrypt data at rest.  Most IAM projects implement 443 for access to the product, secure DMZ firewalls and Role Based Access Controls but neglect to implement encryption for the identity warehouse.  EmpowerID fully supports encryption of information in our identity warehouse and has been able to validate our latest release 2016 using these same encryption methods.

Notes from the database leaker

EmpowerID utilizes transparent data encryption (TDE) which provides full database-level encryption. TDE is the optimal choice for bulk encryption to meet regulatory compliance or corporate data security standards. TDE works at the file level, which is similar to two Windows® features: the Encrypting File System (EFS) and BitLocker™ Drive Encryption, the new volume-level encryption introduced in Windows Vista®, both of which also encrypt data on the hard drive.  This means that the identity and attribute information stored within EmpowerID will stay secure even if someone gets access to a backup of the database or gets access to the flat files from a server.

To learn more about how EmpowerID can utilize a fully encrypted database just click below.

Request a Demo

 

Tags: Data Governance, Identity and Access Management (IAM), Access Governance

EmpowerID Inserts Intelligence into 2013 SharePoint People Picker

Posted by Chris Hayes on Wed, Jun 24, 2015

EID SP

The SharePoint 2013 People Picker is the tool you use to find and select users, groups and claims to grant someone a permission to a site in SharePoint.  The SharePoint 2013 People Picker is heavily dependent on how authentication is configured for your site so you need to ensure your SAML or claim provider is intelligent.

Don't let this happen to you

All claim providers created equally!

Today the most common issue SharePoint administrators find with an authentication claim provider is that any name you type in the People Picker, SharePoint will accept.  Even worse, with a typical claims provider you can type nonsense and you will see two results, neither of them valid!

Not Valid

Credit:Kirk Evans Microsoft Blog

This is not because the SharePoint People Picker needs to be fixed, it's working as designed, it is a result of the claim provider.

The EmpowerID SharePoint Manager solves this problem, we have created the most intelligent claim provider in the market today.  In doing so we set out to do 4 things which will have a huge impact on the day to day operations of your SharePoint site.


1. Create the most intelligent claim provider in the world.  We didn't stop at providing intelligent responses to the query, we also segregate the data so that delegated administrators can only view results for data that they can see.  This is a very important point, if a business partner administrator wants to grant someone rights to a site the EmpowerID data filtering and masking is still maintained.

Screen Shot 06 24 15 at 10.18 AM

2. Provide SharePoint "web parts".  This is technology that allows users to find new sites and request access to it.  It also allows site administrators to approve site access, all directly within SharePoint.Screen Shot 06 24 15 at 10.09 AM
3. Fully support federated or claims based authentication into SharePoint.  Users can authenticate with EmpowerID, bring their own social identity or use another.

Screen Shot 06 24 15 at 10.03 AM


4. Answer the "Why" question.  Why does someone have access and when was it granted?  The other side a SharePoint claim provider is tracking these finer details.  EmpowerID includes full certification and attestation for SharePoint access, this provides your enterprise with a host of risk controls not previously available.

Screen Shot 06 24 15 at 10.25 AM

Want to know more?

Watch a previously recorded webinar that discusses these points here

click the button to request more information.

Request a Demo
EID SPFull resized 600


Tags: Single Sign-on (SSO), authentication, Governance and Regulatory Compliance, Federation, User provisioning, Data Governance, Attestation, consumers, SAML, SharePoint, Access Governance, SSO

Data breaches continue to grow in Healthcare sector

Posted by Chris Hayes on Tue, May 26, 2015

Internal employees continue to pose biggest risk in security breaches.

Screen Shot 05 26 15 at 10.13 AM resized 600

Latest Experian security forecast - Cost of breaches in the healthcare industry could reach $5.6 billion annually.

How will the next identity spill happen?  The latest Experian data breach industry forecast points to your employees being the biggest threat.  Stronger external authentication and tighter protocols continue to miss the mark.  Employee negligence will continue to be the leading cause of security incidents in 2015.

Experian goes on to state that Healthcare breaches will continue to grow this year.  With the huge challenge of securing such a significant amount of data, the problem becomes even more serious when organizations are faced with a shortage of internal expertise.  With the majority of breaches originating from inside company walls, the report clearly indicates business leaders need to fight the root cause of data breaches rather than buy the latest security widgets.

What are some steps that you can take in your organization to prevent the next identity spill?

Preforming regular certification/attestation of access – At any time you need to be able to snapshot the access granted to a resource by roles, locations and person accounts.  Security assignments should be automated, but access should be certified and routed to an appropriate authorized person for review.  This review should verify the access and certify if it is valid or not.  A tool like EmpowerID makes certifications easy for the organization with scheduled certification and attestation policies that can be run and audited.

Implement automated provisioning/deprovisioning – Role based or attribute based access needs to be automatically and immediately provisioned or deprovisioned.  When an employee’s role changes, the resultant set of access needs to be calculated instantly.  Some application and resource access will be taken away and some will be granted.  Absence of role based deprovisioning is a root cause of an employee having too much access.  EmpowerID takes provisioning to the next level by allowing you to provision and deprovision based upon roles in the organization.

Implement RBAC & ABAC controls - You need an RBAC/ABAC engine to continuously evaluate how much access someone should or shouldn't have.  EmpowerID uses a hybrid approach with RBAC and ABAC adding in rules and even Separation of Duties enforcement.

Control access to applications via a central identity provider - Having users log into apps with a separate username and password is a recipe for disaster.  An IdP allows you to centrally validate someone’s identity and then assert that identity into applications wherever they are.  The EmpowerID IdP allows employees to search for applications that are granted for their role, removes ones that are not granted and provides the SSO into the application.

Provide Self-Service password reset - Let's face it, this not only tightens up security, but saves a lot of money.  EmpowerID provides full detailed audit trails of anything account related such as who changed the password, who approved it and more.

Implement strong authentication, regardless of the application - There are a lot of ways to get into your network.  The VPN, the email server and SaaS applications are all exposed entries into the protected network.  Do they all have the same authentication capabilities?  You need an authentication service that supports all the protocols, not just those most used.  EmpowerID can step up authentication at any level for any service.  The VPN, the routers, the SaaS apps, SharePoint, it doesn't matter.

The bottom line is this, an ounce of prevention is better than a pound of cure.  According to Experian the average cost per lost record is just under $200 dollars, with average total impact cost to your organization just under $4 million.  Click through below and let us show you how easy it is to automate access and control privilege in your environment.

Request a Demo

Tags: GRC, authentication, IAG, IAM, Identity and Access Management (IAM), Access Governance