Access to digital systems should be based on principles, not roles, to promote a zero-trust security environment, Yahoo’s senior principal architect has said. But convincing senior leaders they need to apply for network access will be a major challenge for CISOs.

Implementing zero trust is vital, says Yahoo system architect. (Photo by Primakov/Shutterstock)

Yahoo’s Bryan Meister said most companies rely on role-based access control (RBAC), which can put networks at risk.

The problem with role-based access control

The concept of principle-based access control (PBAC) has been described by the US’s National Institute of Standards and Technology (NIST) as an approach in which company security policies and job roles are used “to determine what access privileges users of each role should have.”

This means access to systems must be requested and approved, in contrast to the traditional RBAC set-up used by most companies, where an employee’s job role and seniority automatically determine their level of access.

There is a host of potential issues with this, Meister told a seminar on enterprise access control held as part of the KuppingerCole Cyber Leadership Conference in Berlin. He said that as employees move around an organisation, they can accumulate more privileges than are required.

“You can end up very quickly with role explosion, where an employee accumulates more and more roles over time as they request things,” Meister said. “The approval process can sometimes be glossed over and hiring managers end up approving access endlessly, whether or not it is needed. Unfortunately, this is the kind of path that role-based access control puts you on.”

This so-called ‘role explosion’ can lead to increasing operational and compliance overheads and increase cyber risks, as access becomes more difficult to police, he added.

Is principle-based access control the solution?

Meister suggested that PBAC could be the key to fixing these issues. “Policies can be extended to multiple resources,” he said. “For example, we built a policy around the accounts receivable process. It’s very easy to then duplicate that policy for other purposes and you can assign different resources with that policy template.”

This is a tenet of zero trust security implementation, as access granted is temporary and assessed on a case-by-case basis throughout the company. “There is less dependency upon organisational groups and hierarchy in order to establish policy-based access control,” Meister said.

By applying the concept of zero trust to authorisation, a company can ensure each employee is allotted the correct level of access, he continued. That way “you limit the scope and capabilities within those resources, showing again that the work an individual or a service is doing is commensurate with the level of work that they need to achieve,” Meister said. This ensures access is removed when it is no longer needed, “and not just when the user leaves the company,” he added.
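To make the two ideas above concrete, the reusable policy template Meister describes (built once for accounts receivable, then assigned to other resources) and access that is scoped to one resource and lapses on its own when no longer needed, here is a small added illustration in Python. It is not code from Yahoo or from the conference; the template name, resource identifiers, subjects, approver and dates are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class PolicyTemplate:
    # A reusable policy: the actions it permits and the longest a grant under it may last.
    name: str
    actions: frozenset
    max_duration: timedelta

@dataclass(frozen=True)
class Grant:
    # One approved, time-bounded assignment of a template to a subject for a single resource.
    subject: str
    template: PolicyTemplate
    resource: str
    approved_by: str
    granted_at: datetime
    expires_at: datetime

def grant_access(subject, template, resource, approved_by, now, duration=None):
    """Apply a template to one resource for a subject; a grant can never outlive the template's cap."""
    duration = duration or template.max_duration
    if duration > template.max_duration:
        raise ValueError(f"{template.name} allows grants of at most {template.max_duration}")
    return Grant(subject, template, resource, approved_by, now, now + duration)

def is_permitted(grants, subject, action, resource, now):
    """Zero-trust check: the subject needs a live, unexpired grant for this exact resource and action."""
    return any(
        g.subject == subject and g.resource == resource
        and action in g.template.actions and g.granted_at <= now < g.expires_at
        for g in grants
    )

# Constructed example: one template built for accounts receivable, then reused for payables.
AR_TEMPLATE = PolicyTemplate("finance-ledger", frozenset({"read", "post"}), timedelta(days=30))
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
GRANTS = [
    grant_access("alice", AR_TEMPLATE, "erp:accounts-receivable", "cfo", T0),
    grant_access("bob", AR_TEMPLATE, "erp:accounts-payable", "cfo", T0, timedelta(days=7)),
]

if __name__ == "__main__":
    day = timedelta(days=1)
    print(is_permitted(GRANTS, "alice", "post", "erp:accounts-receivable", T0 + day))   # True
    print(is_permitted(GRANTS, "alice", "post", "erp:accounts-payable", T0 + day))      # False: scoped to one resource
    print(is_permitted(GRANTS, "bob", "read", "erp:accounts-payable", T0 + 8 * day))    # False: grant has expired
```

Nobody has to remember to revoke Bob's access: once the grant's window closes, the check fails on its own, which is the "removed when it is no longer needed" behaviour rather than "when the user leaves the company".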

The challenge of zero trust for CISOs

However, this may lead to difficulties with the higher echelons of management, as high-level access is stripped and replaced with policy-based access. This can be managed by engaging the executives in the mission of zero-trust security and what positive effects that added security will bring for the company, explained Olaf Gnade, cyber risk manager at Deloitte.

“CISOs who are pushing for it would be well advised to think about their communications approach, whether it’s a fear-based angle, or whether you can get them to buy into the new zero-trust philosophy,” he said. “In the end, it’s about protecting the company’s assets, people, knowledge, connections, IP and the customers’ trust.”
