No, really, who has access to what?

In the unceasing wake of the RSA breach, and especially given Art Coviello’s most recent post, I’ve been thinking about what role identity and access governance can play in mitigating post-RSA attacks. As you know, I don’t cover authentication – that’s Mark’s beat, and he’s been on this like a hawk. This separation of coverage reflects how most organizations work: teams focused on remote access, teams focused on authentication, teams focused on provisioning and certification, etc. OK, so if I represent the access governance team, what could I do to help?

The most important thing I could do is start identifying who in the organization has access to the most sensitive IP the enterprise has. It was this sort of information that was targeted in the RSA breach and it appears that the same sort of information was targeted in the Lockheed breach. So I as the keeper of the “who’s got what” repository ought to know who has access to such sensitive data.

Except, I might not.

Yes, I’ll know what entitlements are assigned to which people on which systems. But that isn’t the same as knowing what kinds of data people can work with. Overall, enterprise identity teams have done a good job building out their entitlement catalogs. My customers constantly amaze me in describing the contents and scope of their entitlement catalogs. But there’s a gap. The mapping of people to entitlements is strong, but the mapping of entitlements to kinds of data is often weak.

Too often people managing access to data operate on tribal, implicit knowledge – if it comes from that server, then the data is likely financial data. But unfortunately, that tribal knowledge doesn’t make it into our entitlement catalogs.

I’m starting to believe that “kind of data” is the new perimeter for the enterprise. Each kind of data in the enterprise has its own attack surface, and protecting and governing access to those kinds of data requires blending different techniques depending on context. The entitlement catalog has a major role to play, but it can only do so if we start making explicit which kinds of data each entitlement enables action upon.
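To make the gap concrete, here is an added example (not from the original post, and not any vendor's catalog schema) of a minimal entitlement catalog that carries the second mapping as well as the first: people to entitlements, and entitlements to the kinds of data they reach. With both in place the question “who can touch financial data?” becomes a query, and any entitlement nobody has classified is surfaced as the tribal-knowledge gap. All people, entitlements and data kinds are constructed sample values.

```python
"""Entitlement catalog with an explicit entitlement -> kind-of-data mapping.
Added illustration; every name below is constructed sample data."""
from collections import defaultdict

# People -> entitlements: the mapping the post says is already strong.
ASSIGNMENTS = {
    "alice": {"fin-db:read", "wiki:edit"},
    "bob":   {"fin-db:read", "design-vault:read"},
    "carol": {"wiki:edit", "build-server:deploy"},
}

# Entitlement -> kinds of data it enables action upon. An entitlement that is
# missing here is the gap: its data kind lives only in someone's head.
DATA_KINDS = {
    "fin-db:read": {"financial"},
    "design-vault:read": {"product-ip"},
    "wiki:edit": {"internal-docs"},
    # "build-server:deploy" deliberately left unclassified
}

def who_can_reach(kind, assignments=ASSIGNMENTS, data_kinds=DATA_KINDS):
    """People holding any entitlement classified as reaching `kind`."""
    return sorted(person for person, ents in assignments.items()
                  if any(kind in data_kinds.get(e, set()) for e in ents))

def unclassified_entitlements(assignments=ASSIGNMENTS, data_kinds=DATA_KINDS):
    """In-use entitlements with no data-kind classification, and who holds them."""
    holders = defaultdict(set)
    for person, ents in assignments.items():
        for e in ents:
            if e not in data_kinds:
                holders[e].add(person)
    return {e: sorted(people) for e, people in holders.items()}

def classification_coverage(assignments=ASSIGNMENTS, data_kinds=DATA_KINDS):
    """Fraction of in-use entitlements whose kind of data has been made explicit."""
    in_use = set().union(*assignments.values())
    return sum(1 for e in in_use if e in data_kinds) / len(in_use)
```

Reviewing `unclassified_entitlements()` alongside a certification campaign is one way to drive the coverage number toward 100% rather than relying on the “if it comes from that server” heuristic.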

Just a heads up, I’ll be talking about this idea in the privacy track at Catalyst. See you there!