Stories‎ > ‎

The Next Generation of Entity and Access Management in Cyberspace

posted Sep 11, 2016, 4:06 PM by Michael Lenart   [ updated Sep 14, 2016, 5:12 AM ]
The Best Partners

“As secretary of defense, my mission is to make sure our military can defend our country … and we’re at our best when we have the best partners. Knowing how we’ve worked together in the past and how critical your work is to our country, strengthening this partnership is very important to me…We have a unique opportunity to build bridges and rebuild bridges [in the commercial tech sector] and renew trust." [1]

                                                                                            Secretary of Defense Ashton Carter 

A Perspective on Commercial Cybersecurity Technology

William Shakespeare once wrote, “Better three hours too soon than a minute too late." [2] Timing is everything with respect to securing the enterprise. Far too many organizations have suffered by taking a reactive approach toward security threats and risks, instead of being proactive in establishing a solid security infrastructure from the ground up. The evidence speaks for itself: Consider the breaches at the Office of Personnel Management, the Federal Communications Commission, and Target Corporation, to name a few. We live in a complex technological ecosystem that is characterized by phones, tablets, and of course, the Internet of Things. It is impossible to manage the growing number of devices in the world through older access control models like Role Based Access Control (RBAC), which is why many large enterprise environments are suffering from role explosion. [3]

This is the time to transform conventional security paradigms. In the world we live in, being one minute too late may cost your brand, your reputation, and your job. The military’s Global Information Grid (GIG) is no different, except that the stakes are higher with respect to national security. 



Access Control in the Federal Government

Access control mechanisms have evolved over the years. Older security models like Access Control Lists (ACLs) and RBAC have proven insufficient for securely handling information sharing, especially in federated environments and across organizational network domain boundaries and enclaves. These legacy security models do not scale to support today’s requirements in our interconnected world. Moreover, they are unresponsive to changes in attribute based environments that should dynamically result in a timely and accurate access control decision.

 

Jericho Systems has been a pioneer in developing and deploying a next generation of access control, commonly known as “ABAC,” or Attribute Based Access Control. Jericho introduced its product suite EnterSpace® in 2004 and completed the first commercial ABAC deployment in history with Lockheed Martin. Although widespread adoption was slow, there were major success stories. For example, starting in 2010, the Department of the Army deployed Jericho’s EnterSpace® across the Distributed Common Ground System-Army (DCGS-A) program to enhance its Identity and Access Management (IdAM) portfolio. As a result, the Army has become a forerunner in cyberspace compared to the other branches, who are now expressing interest in next generation access control. Recently, ABAC was pronounced as the access control model of choice for the federal space: Its terms and definitions were published by the National Institute of Science and Technology Special Publication 800-162 in 2014. [4]

Why ABAC? Identity vs. Entities

ABAC enables large enterprises to reduce costs, increase efficiencies, and reduce risk exposure by acting as a “smart” digital gatekeeper. Each request for access is compared against organizational policies and relevant data. Access decisions are based on relevant contextual data, or “attributes,” that describe the requestor, environment, resource, and system. Auditing and policy workflow functions give extra capabilities, allowing for easy policy creation and customized logging using industry standard protocols. [5]

The IT research firm Gartner predicts that by 2020, 70 percent of large businesses will implement ABAC.

ABAC incorporates centrally managed digital policies, which shifts the burden of access control from the software code to business leadership. Unlike previous access control models, this allows business logic to define security requirements. ABAC’s architecture was designed for cloud, federated, and virtualized IT environments. This structure allows the rules-based decision engine to dynamically draw from multiple databases for information (attributes), including identity data from legacy sources, environmental sources (time-of-day), and request metadata. With Jericho’s EnterSpace for ABAC, separate access control mechanisms for each application are no longer needed. Moreover, EnterSpace integrates well with any authentication mechanism, including person and non-person entities (NPE), and supports PKI which meets the requirements for augmenting existing authentication controls provided by an Identity or Single SignOn (SSO). 




ABAC to Data Labeling and Data Segmentation

In 2013, Jericho worked with the Department of Health and Human Services' Office of the National Coordinator and spearheaded a pilot called Data Segmentation for Privacy (DS4P). This pilot was aimed at keeping protected health information (PHI) secure across multiple health information domains. DS4P’s success was due to a key enhancement: Data Labeling and Data Segmentation or “DLDS®.” It adds a layer of security and privacy protection to traditional ABAC. For example, a user may have access to certain sensitive documents or files, but he or she may not need to see certain classified or protected portions of the document. DLDS technology gives an organization the ability to improve and enforce compliance, legal, and corporate regulations.

Jericho incorporated that DLDS component into the core EnterSpace product, recognizing that the technology could extend past Healthcare and support protected critical infrastructure information (PCII) and personally identifiable information (PII). In 2014, the Department of Homeland Security Science and Technology Directorate invested in the commercialization and deployment of EnterSpace across their sensitive networks. This has facilitated the creation of solutions to critical information sharing problems in multiple areas, including Law Enforcement, Healthcare, Emergency Response, and Geospatial Tracking.

Thinking Faster than the Enemy
Napoleon used the “double time” to outmaneuver the enemy with great success. [6] That same thinking applies today with information and intelligence.
Commanders at all levels have certain information requirements that are used to trigger appropriate responses normally called “Commander’s Critical Information Requirements,” or CCIRs. CCIRs concern scenarios that can be described as: “If X occurs, notify the commander immediately." Similarly, ABAC is expressed in Boolean logic: “If, then... .” So, ABAC policies and rules could digitize a Global Operational Command at the strategic level as well as Battalion Tactical Operations center level for alerts and responses. This is clearly a game changer for the commander’s situational awareness.

This same commercial challenge was recognized and addressed nearly ten years ago by Michael Krieger, the Director of Information Policy in the Defense Department's Office of the Chief Information Officer. Krieger introduced a new way of thinking amongst the Combatant Commanders throughout his tenure with the DOD: “The U.S. Defense Department is wrestling with a multitude of issues to provide the right people with the means to access different forms of data. Complicating potential solutions is the fact that the types of potential users are as varied as the types of data, which makes access and verification exponentially difficult.” [7] Accordingly, Mr. Krieger has been a longtime advocate of EnterSpace technology.

Audaces Fortuna Duvat: COTS vs. GOTS
Boldness is hard to come by in today’s IT world; this may be one reason that ABAC+DLDS hasn’t been implemented across the entire federal space. Some organizations can’t seem to move beyond legacy authorization models like Access Control Lists (ACLs) and Role Based Access Control (RBAC). They are comfortable with what has “worked” in the past, even though the modern security landscape clearly calls for a newer form of access control. Some, like the Defense Information Systems Agency (DISA), have turned toward GOTS products. GOTS stands for "Government off-the-Shelf" and often competes with Commercial off-the-Shelf (COTS) alternatives. On the surface, GOTS seems appealing: The internally developed nature of the capability leads to cheaper maintenance, and easier oversight. However, the allure of “cheaper” and “easier” proves to be mere illusion. DISA adopted Open Source ABAC years ago in an effort to avoid vendor lock-in, but they aren’t currently providing support to their “homegrown” Identity and Access Management (IdAM) portfolio. As of September 2016, the program is dead, which only further fuels the growing debate between GOTS and COTS.

As history proves, COTS wins from an innovation and relevancy standpoint, even if it requires the organization to take a bold step forward. If that leap isn’t made, there are severe consequences, such as lagging behind current technology trends, and massive costs incurred by U.S. taxpayers to “re-invent” authorization tools every fiscal year.

 

It's only fair to note that not all organizations have stuck to this counterproductive approach. The Army chose the COTS route with respect to DCGS-A in 2010, years before many of its peers followed suit. It selected EnterSpace, which is still deployed and operational today. It was a bold choice to lead the industry in a new IdAM strategy, but the results are undeniable. The Army has maintained EnterSpace, one of several COTS products in its portfolio, for a mere fraction of DISA’s total ABAC IdAM budget.

 

Former DISA Commander, General Charlie Croom, once said, “The ABCs of solutions: Adopt best of breed, Buy best of breed, or try to Create best of breed. But when the government tries to create a product, they normally get it WRONG!”




Metrics for Success

From Jericho’s perspective, the following risks and shortcomings must be mitigated in order to meet tomorrow’s information sharing challenges:

       The binding of privilege with Identity (user access is privilege) through

        Reliance on security clearance

        Static Access Control List (ACL)

       Unresponsive ability to adapt to changing cyber environments

       Manpower Intensive integration of policies that can result in

         Vulnerabilities of Human Error

         Application-specific approaches that stifle innovation

         A burden on Mission Tempo

 

Today’s Warfighter metrics of success for Identity and Access Management technology are:

  • Having a Service Oriented Approach that

    • Is consistent with the GIG Information Assurance Framework

    • Separates Identity and Privileges

  •  Organization around Communities of Interest

    • Dynamic constituents, structure and requirements; Support time-sensitive decisions

  •  Assured Information Content

    • Authoritative Source, Metadata process for pedigree and discovery

  •  Assured Disclosure

    • Dynamic access control

  • Monitoring, Audit, and Distributed Policy Management in place

    • Access tracked through exhaustive log and event processing

    • Delegated, Hierarchical Policy Management

  • Detection and Reporting of Anomalous Behavior

    • Event-driven workflow and automated processes (such as IM, e-mail, etc.)

DoD's "dictionary," Joint Publication 1-02, explicitly includes information in its definition of cybersecurity:


Prevention of damage to, protection of, and restoration of computers,

electronic communications systems, electronic communications services, wire

communication, and electronic communication, including information contained

therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.”


Today, silos have been created for information and intelligence resources in “Communities of Interest,” or COI’s. This can create security challenges, especially when dealing with cross domain sharing or protecting resources in separate silos. Cyberspace has become a galactic environment with tentacles reaching out to all ones and zeros, making access control an enormous task for any one enterprise. In order to alleviate that burden, the Department of Defense must continue to take proactive steps in implementing next generation solutions like ABAC. When the environment around you can change in milliseconds, your security solution should be able to adapt just as quickly. Otherwise, you might compromise the success of the mission and increase the risk of insider threats or denial of data. There must be multiple layers of protection in place to ensure defense in depth. We see EnterSpace ABAC with DLDS as the solution that solves information sharing problems without sacrificing operational speed of execution.



Jericho Systems is supporting the Military Cyber Professionals Association at the 2016 AUSA annual meeting and exposition 3-5 October 2016 at the Walter E. Walker Convention Center in Washington, D.C.  Attendees can see first-hand how Attribute Based Access Control and Data Segmentation and Data Labeling can support enterprise and tactical network applications.


About Jericho Systems

Headquartered in Texas, Jericho Systems Corporation provides enterprise data security solutions for IT security and business process automation within a Service Oriented Architecture (SOA). In the commercial and government sectors, Jericho's EnterSpace and professional services facilitate information security, regulatory compliance, quality and efficiency.  EnterSpace improves collaboration and leverages the value of business data and SOA services by enabling them to be easily shared in a controlled manner -- not only among internal groups, but also with external partners or government agencies. Unlike competing identity and access management (IdAM) solutions or dedicated hardware appliances, EnterSpace is vendor and hardware-neutral for interoperability across multiple vendor IdAM stacks. As threats continue and business expands, it may be time to invest in a solution that can handle modern security demands. EnterSpace relieves those unnecessary burdens. Based on Jericho’s patented technology, EnterSpace delivers next-generation Attribute-Based Access Control (ABAC) and Data Labeling and Data Segmentation with distributed policy administration.




End Notes