Identity as the New Security Perimeter
Authors: Jon R.G. Shende MSc., FBCS ctp, CISM and Gagan Satyaketu
Published: May 24, 2023

Over the past decade we have seen rapid change in how technology is used. New technologies brought to market have shifted how we engage with and use technology amid a global move toward digitalization. Digitalization aims to deliver fast, immediate gratification to stakeholders, from employers to consumers, and with it identity has become the key, central actor in every service provided.

Services are available at any time and from anywhere, focus on the target organization, and rely on an ever-growing number of connected devices and cloud-based applications. These, in turn, bring inherent risk to people, things and systems that sit outside the traditional security perimeter of the past.

A Brief History of Identity and Access Management

Identity and access management (IAM) can be traced back to the 1970s, when IBM released the Resource Access Control Facility (RACF) for its mainframe systems.

The intent behind RACF was to provide a centralized authentication and access control mechanism for mainframe resources. RACF allowed administrators to manage user accounts and control access to resources according to defined policies, and included features such as password management, user authentication and auditing.

As technology advanced, the 1980s saw the rise of distributed computing and networking. Distributed computing in turn created a need for IAM systems that could manage identities and access across multiple systems and platforms, resulting in directory services: X.500 in the late 1980s, followed by the Lightweight Directory Access Protocol (LDAP) in the early 1990s.

The 1990s saw the emergence of web-based applications and the internet going mainstream. The need to sign in across sites and organizations led, in the following decade, to federated identity standards such as Security Assertion Markup Language (SAML) and Open Authorization (OAuth). SAML lets a user authenticate once and carry that assertion across domains and systems; OAuth lets a user delegate scoped authorization to a web application without handing over credentials.

Into the 21st century we saw the emergence of cloud computing and a greater reliance on mobile devices, which created new challenges for IAM administrators managing access to resources that are not on-premises. This led to the introduction of cloud-based IAM solutions, which have grown further over the last several years as cloud computing and digital transformation became mainstream.

Identity as the New Security Perimeter

Organizations, as we all know, are continually developing and adopting new digital technologies to meet business objectives and customer-satisfaction metrics. This, combined with the rise of remote and hybrid work models, means the traditional security perimeter as we know it is becoming less effective.

Traditional perimeter-based security models, as we know them, are the physical and logical boundaries that protect an organization's IT infrastructure; they rely on security enforced within physical locations and network boundaries. These models served as the foundation of enterprise security for many years, until the arrival and adoption of cloud services, mobile devices and remote work, which we experienced en masse during the pandemic.

As this traditional model becomes obsolete for effectively protecting organizations against ever-evolving and dynamically shifting threats, identity will steer the security strategies of modern organizations.

With users constantly on the move and able to reach the internet through many modes of connection, a security model focused on user identity and access control is a more agile way to secure organizations against threats to users, things and systems, a population that will only grow. With identity as the new security perimeter, identity is the common denominator of every access point regardless of location, device and network, enabling organizations to holistically authenticate, authorize and manage users, things and systems.

Then, as we continue to refine this perimeter, an identity-based security model with embedded machine learning and AI can sharpen insight into identity threats for faster remediation. The identities an organization holds are digital gold to any malicious actor.

Returning to the notion of a "perimeter", we are looking at a digital perimeter and establishing an identity trust model bounded by borderless digital and virtual environments. Such a model has to treat user identity and behavior as the metrics from which identity trust is derived, as the MyVayda Identity Risk and Trust Platform team has done in its work.

Identity trust takes the following factors into account:

  1. The rise of insider threats, whether malicious or accidental. A Ponemon Institute study found that insider threats have increased 34% since 2020. In addition, the 2022 Ponemon Institute Cost of Insider Threats report states:

     "The time to contain an insider threat increased from 77 days to 85 days."
     "Incidents that took more than 90 days to contain cost companies an average of $17.19 million."

  2. The rapid adoption of digitalization, cloud services and remote work, where identity management is critical to ensuring that only authorized users can access specific systems and resources. This requires that, regardless of where users are or which device they use, each authorization assigns privileges, entitlements and policies, and that these are audited regularly.
  3. Regulatory compliance (e.g., SOX 404, GDPR, CCPA), which can be challenging in a distributed environment where data is stored across multiple locations and jurisdictions.
  4. The complexity of applications, systems and the Internet of Things (IoT), which demands that identity scale with them.
  5. Reducing and consolidating fragmented identity data, to reduce security gaps and the cost and error rate of access-control management.
  6. Striking the right balance between security and user experience, so that friction does not hurt productivity and user satisfaction.

Technologies and Strategies for Addressing Identity Management Challenges

To address challenges such as the complexity of managing and securing digital identities across multiple cloud services, devices and networks, insider threats, and regulatory compliance requirements, the following are critical to success.

In establishing identity as the new security perimeter we must include single sign-on (SSO), multi-factor authentication (MFA), continuous monitoring, and an IAM platform that provides a centralized solution for managing user identities, access controls and authentication policies. It is also imperative to have a robust policy and process that defines auditable, risk-based access control.

A risk-based access control process not only dynamically adjusts the level of authentication and authorization the organization requires, mapped to the user's behavior, device, location and other contextual factors; as a model it also improves user satisfaction and the day-to-day operating experience as users work with applications, systems and IoT. For the process to be auditable, every decision should record which signals fired and how they were weighted, so that a reviewer can reconstruct why a given session was allowed, stepped up or denied.
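The following is an added example, not code from the article or from the MyVayda platform, of the risk-based decision described above: contextual signals (device, location, time, recent failures, resource sensitivity) are scored, the score is mapped to an authentication requirement, and the reasons are kept for the audit trail. The weights, thresholds, user profile and requests are all constructed, hypothetical values.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"            # session proceeds on the primary factor alone
    STEP_UP_MFA = "step_up"    # require a second factor before granting access
    DENY = "deny"              # block the attempt and raise it for review


@dataclass(frozen=True)
class UserProfile:
    """What the IAM platform already knows about the user (constructed sample data)."""
    user_id: str
    known_devices: Set[str]
    usual_countries: Set[str]
    privileged: bool = False   # holds admin or PAM-managed entitlements


@dataclass(frozen=True)
class AccessRequest:
    """Context captured at the moment of the access attempt."""
    user_id: str
    device_id: str
    device_managed: bool       # enrolled in MDM / reports a compliant posture
    country: str
    local_hour: int            # 0-23 in the user's usual time zone
    failed_logins_last_hour: int
    resource_sensitivity: int  # 1 = public, 2 = internal, 3 = restricted


# Hypothetical policy values; a real deployment tunes them from its own data.
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 70


def score_request(profile: UserProfile, req: AccessRequest) -> Tuple[int, List[str]]:
    """Sum the risk signals into a score and keep each reason for the audit record."""
    score = 0
    reasons: List[str] = []

    def add(points: int, reason: str) -> None:
        nonlocal score
        score += points
        reasons.append(f"{reason} (+{points})")

    if req.device_id not in profile.known_devices:
        add(25, "unrecognised device")
    if not req.device_managed:
        add(15, "unmanaged device")
    if req.country not in profile.usual_countries:
        add(30, f"unusual location {req.country}")
    if req.local_hour < 6 or req.local_hour > 22:
        add(10, "outside usual working hours")
    if req.failed_logins_last_hour >= 3:
        add(20, f"{req.failed_logins_last_hour} failed logins in the last hour")
    if req.resource_sensitivity > 1:
        add(10 * (req.resource_sensitivity - 1), "sensitive resource")
    if profile.privileged:
        add(10, "privileged account")
    return score, reasons


def decide(profile: UserProfile, req: AccessRequest) -> Dict[str, object]:
    """Map the score onto an authentication requirement; return an auditable record."""
    if profile.user_id != req.user_id:
        raise ValueError("request does not belong to this profile")
    score, reasons = score_request(profile, req)
    if score >= DENY_THRESHOLD:
        decision = Decision.DENY
    elif score >= STEP_UP_THRESHOLD or req.resource_sensitivity == 3:
        # Restricted resources always require a second factor, whatever the score.
        decision = Decision.STEP_UP_MFA
    else:
        decision = Decision.ALLOW
    return {"user": req.user_id, "decision": decision, "score": score, "reasons": reasons}


# Constructed sample profile and requests, not real data.
ALICE = UserProfile("alice", known_devices={"laptop-a1"}, usual_countries={"PT"})

ROUTINE = AccessRequest("alice", "laptop-a1", True, "PT", 10, 0, 1)        # known device, usual place
NEW_DEVICE = AccessRequest("alice", "phone-x9", False, "PT", 10, 0, 2)     # new unmanaged phone
RESTRICTED = AccessRequest("alice", "laptop-a1", True, "PT", 10, 0, 3)     # low risk, high sensitivity
SUSPICIOUS = AccessRequest("alice", "unknown-7f", False, "RU", 3, 4, 3)    # everything wrong at once

if __name__ == "__main__":
    for req in (ROUTINE, NEW_DEVICE, RESTRICTED, SUSPICIOUS):
        rec = decide(ALICE, req)
        print(rec["decision"].value, rec["score"], "; ".join(rec["reasons"]))
```

The design point is that the same user is treated differently per request: the routine session passes on SSO alone, the new phone triggers a step-up rather than a block, the restricted resource is stepped up even though its score is low, and the anomalous attempt is denied. Keeping the reasons list with each record is what makes the control auditable rather than a black box.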

Of course, the new process must be measured and tested for improvement, maturity and effectiveness. With that in mind, some of the things we will need to measure and quantitatively assess as measures of success for our new identity security perimeter are:

  1. How is identity as a security perimeter protecting digital assets from unauthorized access and reducing the risk of data breaches?
  2. How are SSO and MFA improving the user experience by simplifying access to applications?
  3. How is this new security perimeter enabling organizations to scale their security measures more effectively, ensuring that employees can reach the resources they need from any location, device or network?
  4. How are organizations using the IAM platform to ensure auditable and robust identity lifecycle management, from onboarding to offboarding: provisioning and de-provisioning access, updating user information and monitoring for suspicious activity?
  5. How are organizations integrating identity governance to provide a centralized view of all user identities and access rights across the organization, set policy, enforce compliance, and reduce risk by identifying and resolving security threats?
  6. How are they using the IAM platform to manage user roles, groups and permissions based on business needs?
  7. How are user requests automatically routed to the appropriate approvers based on the organization's approval workflow?
  8. How are they automating password management and password synchronization across multiple systems?
  9. How are they leveraging privileged access management within the organization, and how are they using federated identity, which simplifies access management across multiple cloud services and applications?

As the new security perimeter continues to evolve, technologies such as AI and ML, blockchain, biometrics, passwordless authentication and "zero trust" will greatly strengthen identity security. Most of us know that the concepts or building blocks comprising the term "zero trust architecture (ZTA)" have been around for a while.

Many of the core security principles and technologies that make up the ZTA model have been evolving for decades. The concept of zero trust can be traced back to the "need-to-know" principle, developed in the 1960s by the US Department of Defense (DoD) as part of its security policies for classified information.

Other agencies later adopted the practice, including the National Institute of Standards and Technology (NIST), whose guidance codified "least privilege" access control (the principle itself was formalized by Saltzer and Schroeder in 1975).

Navigating the Growing Security Perimeter

The evolution of the security perimeter from traditional to identity-based is critical to protecting organizations' digital assets in today's interconnected world. As technology evolves and the cybersecurity landscape becomes ever more complex, the importance of identity as the new security perimeter will only continue to grow.

As a result, the traditional concept of a well-defined security perimeter bounded by physical borders and incident response mechanisms is no longer the ideal option.

By adopting an identity-based defense-in-depth strategy, organizations not only improve protection against external and internal threats but also gain greater insight and integrated auditability through integrated IAM platforms. These will secure their data and systems in preparation for tomorrow's more complex and interconnected digital ecosystem.

This, coupled with an understanding of identity risk and of how live identities move through organizations' applications, systems and IoT, as the MyVayda team and others have demonstrated, is essential to the success of identity as the new security perimeter.