[By Gal Helemski, co-founder and CTO at PlainID]

There has been a substantial trend toward improving authorization capabilities and controls. Policy-Based Access Control (PBAC), provided by advanced authorization and access control systems, is progressively displacing more basic, traditional approaches such as Access Control Lists (ACL) and Role-Based Access Control (RBAC).

PBAC is a substantial advance in authorization control. It builds on the frameworks established by its predecessors, adding flexibility and a more holistic approach, incorporating the strengths of each model while addressing their limitations.

The Evolution of PBAC

Even though RBAC has been on the market for over 30 years, existing RBAC management solutions are complex and inflexible. Because of their intricacies, a significant amount of IT resources is invested in getting access controls and permissions right.
Role-based access control is a coarse-grained technique in which access is static and granted simply on the basis of a grouping of permissions. As the organization grows, keeping track of the increasing number of changing user roles, and of the combinations that need to be supported, becomes practically impossible, resulting in the well-known “role explosion” problem.

Attribute-Based Access Control (ABAC) is a finer-grained technique that grants access based on combinations of attributes. However, it is considered a localized and highly technical solution, and it still requires significant investment.

As both approaches are still in use, Policy-Based Access Control takes the best of both techniques but makes it accessible and visible. PBAC can support both roles and attributes of the user, the asset and the environment, providing tighter, finer-grained access control and management capabilities. PBAC approaches often allow policies to be expressed in plain language, bridging the gap between the app owners and dev

These capabilities have become increasingly important as organizations require more flexible access controls to the company resources, to support their growing business objectives.

Top Reasons to Consider PBAC

  • Authorization Control Efficiency: PBAC provides the most efficient method of managing authorization controls. Organizations can design and enforce access restrictions centrally by leveraging policy-based procedures, reducing complexity, and maintaining consistency across systems.
  • Simplified Development Lifecycle: The development cycle is simplified by PBAC’s policy-as-code methodology. This means that the policy can be developed and controlled as code, making version control, testing, and deployment of authorization rules easier. This streamlined procedure improves agility and shortens application time to market.
  • Real-Time Authorization Decisions: PBAC allows for dynamic, real-time authorization decisions based on contextual information. By considering identity attributes, resource attributes, and environmental conditions together, PBAC ensures that access is granted or refused at a highly granular level.
  • Enhanced Visibility: PBAC improves visibility by providing insight into the reasons behind access decisions. Organizations can learn why a specific access request was authorized or rejected, which can help with auditing, compliance, and governance activities. Transparency improves accountability and allows for improved decision-making.
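To make the role-explosion point and the policy-as-code bullets concrete, here is an added example written for this page; it is not PlainID's code or product. It counts the static roles an RBAC model would need to cover a few independent dimensions, expresses the same rule as a single policy over user, asset and environment attributes, and returns every decision together with the name of the policy that produced it, which is the visibility the last bullet describes. The dimensions, policy names, attribute names and sample identities are all invented for illustration.

```python
"""Added example, not PlainID's code: a minimal policy-as-code evaluator.

It illustrates three claims made above: how many static roles a few
independent dimensions force an RBAC model to define (role explosion), one
PBAC policy that combines user, asset and environment attributes, and a
decision that explains which policy produced it. All policy names, attribute
names and sample identities are invented for illustration.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Callable, Optional

# Hypothetical dimensions an RBAC model would have to bake into distinct roles.
DEPARTMENTS = ("finance", "hr", "engineering", "sales")
REGIONS = ("emea", "apac", "amer")
CLEARANCES = ("internal", "confidential", "restricted")
CLEARANCE_RANK = {name: rank for rank, name in enumerate(CLEARANCES)}


def rbac_roles_needed(*dimensions):
    """Number of static roles needed to express every combination."""
    return len(list(product(*dimensions)))


@dataclass
class Policy:
    """A policy is data: attribute matches per entity plus an optional
    cross-entity condition. A match value is a literal or a set of literals."""
    name: str
    effect: str                      # "allow" or "deny"
    actions: frozenset
    subject: dict = field(default_factory=dict)
    resource: dict = field(default_factory=dict)
    environment: dict = field(default_factory=dict)
    condition: Optional[Callable] = None   # f(subject, resource, env) -> bool


def _matches(conditions, attrs):
    for key, wanted in conditions.items():
        actual = attrs.get(key)
        if isinstance(wanted, (set, frozenset)):
            if actual not in wanted:
                return False
        elif actual != wanted:
            return False
    return True


def decide(policies, action, subject, resource, environment):
    """Return (decision, reasons). An explicit deny overrides any allow, and
    anything no policy covers is denied, so the reasons always name a cause."""
    allowed, denied = [], []
    for p in policies:
        if action not in p.actions:
            continue
        if not (_matches(p.subject, subject) and _matches(p.resource, resource)
                and _matches(p.environment, environment)):
            continue
        if p.condition is not None and not p.condition(subject, resource, environment):
            continue
        (allowed if p.effect == "allow" else denied).append(p.name)
    if denied:
        return "deny", ["denied by " + n for n in denied]
    if allowed:
        return "allow", ["allowed by " + n for n in allowed]
    return "deny", ["no policy matched (default deny)"]


# One policy replaces the department x region x clearance roles for reports.
POLICIES = [
    Policy("finance-reports-read", "allow", frozenset({"read"}),
           subject={"department": "finance", "status": "active"},
           resource={"type": "report"},
           environment={"network": {"corp", "vpn"}},
           condition=lambda s, r, e: s["region"] == r["region"]
           and CLEARANCE_RANK[s["clearance"]] >= CLEARANCE_RANK[r["clearance"]]),
    Policy("block-terminated", "deny", frozenset({"read", "write"}),
           subject={"status": "terminated"}),
]

# Constructed sample identities and asset.
ALICE = {"id": "alice", "department": "finance", "region": "emea",
         "clearance": "confidential", "status": "active"}
BOB = dict(ALICE, id="bob", status="terminated")
REPORT = {"type": "report", "region": "emea", "clearance": "confidential"}

if __name__ == "__main__":
    print(rbac_roles_needed(DEPARTMENTS, REGIONS, CLEARANCES), "roles vs 1 policy")
    for who, env in ((ALICE, {"network": "corp"}), (ALICE, {"network": "public"}),
                     (BOB, {"network": "corp"})):
        print(who["id"], env["network"], decide(POLICIES, "read", who, REPORT, env))
```

Run directly, it reports 36 static roles against one policy and three explained decisions. Because the `Policy` objects are plain data, they can be kept in version control and unit-tested like any other code, which is the lifecycle point the second bullet makes; the default-deny branch is what keeps a forgotten case from silently becoming an allow.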

PBAC is an essential milestone in authorization controls, providing several benefits to enterprises. Its capacity to enforce access restrictions with a more streamlined lifecycle and decision-making process makes it a significant tool in today’s cybersecurity landscape. Remember that without policies, all access is an exception; having well-defined, properly implemented policies to manage access is therefore critical. Organizations can strengthen their security posture and ensure seamless access management by embracing PBAC. In an ever-changing landscape, PBAC is a testament to the continual innovation required to combat future threats to your organization.

The post The Evolution of Authorization Controls: Exploring PBAC and Its Benefits appeared first on Cybersecurity Insiders.

Access control is at the heart of IT security, evolving over the years to adapt to the rising challenges and demands of an ever-complex digital landscape. One company at the forefront of this evolution is PlainID. In a recent conversation with Gal Helemski, co-founder and CTO/CPO of PlainID, we discussed the evolution of access control, the role of policy-based access control, and how the current cybersecurity landscape is shaping up.

The Evolution of Access Control

Access control’s story is one of constant change. From rudimentary methods that revolved around physical barriers to more complex role-based systems and beyond, it has always been about ensuring that the right people have the right access at the right time.

In the early days, Identity and Access Management (IAM) systems primarily centered on defining, managing, and authenticating identities. However, as Helemski mentioned, the IAM journey didn’t end there. “The identity journey is not completed. It’s not enough just to manage the identity. And to have the identity authenticated in a very well and secured manner.” Comparing the situation to giving someone a key to a house, she inquired, “Can they go everywhere they want in that house? Can they open the fridge, take whatever they want? No, they can’t. And that’s authorization.”

This gap in authorization management and control was the driver behind the founding of PlainID. The company’s vision was clear – address the missing link in the IAM journey.

Policy-Based Access Control (PBAC) vs. Role-Based Access Control (RBAC)

The shift from role-based access control (RBAC) to policy-based access control (PBAC) is significant. While RBAC focuses on the identity context, PBAC provides a holistic view, considering both the identity and the assets it accesses in the business context. Helemski elaborated, “Policies consider both what we know about the identity and what the identity is trying to access, and on top of that, any condition like environmental factors, time of day, and risk metrics which are currently in play.”

This comprehensive approach allows for dynamic, context-rich decisions about access, providing a much-needed solution to the limitations and complexities of traditional role-based systems. The policies governing policy-based access are flexible and can be defined or adjusted based on various attributes, including user attributes, resource attributes, and environmental conditions.

Flexibility & Scalability

One of the strengths of PBAC is its inherent flexibility. Whether it’s a change in job roles, introduction of new services, or organizational restructuring, PBAC can easily adapt without requiring a massive overhaul. This adaptive nature ensures that PBAC systems are scalable, catering to both small startups and vast multinational corporations.

Integration and Real-time Evaluation

Modern PBAC systems are designed to integrate seamlessly with other enterprise systems, such as HR or CRM platforms. This integration ensures that any change in a user’s status, like a job change or department transfer, can be immediately reflected in their access permissions. Real-time policy evaluation ensures that users have the right access at the right time, enhancing security without compromising on user experience.

Granularity and Context Awareness

PBAC excels in its ability to make context-aware decisions. Whether it’s distinguishing between access requests made from a secure office network versus a public Wi-Fi, or between regular working hours and unusual late-night requests, PBAC considers it all. This granularity ensures that access decisions are not just binary but are based on the comprehensive context surrounding the request.

Simplifying the Complex

While PBAC can handle complex policy definitions, it actually simplifies access management. Traditional systems might require defining and managing thousands of roles, leading to ‘role explosion’. In contrast, PBAC, with its dynamic policies, reduces the need for such extensive role definitions, making management more straightforward and more efficient.

Continuous Compliance and Audit

In an era where regulatory requirements are stringent, PBAC shines in ensuring compliance. Its detailed logging capabilities provide clear insights into who accessed what, when, and based on which policy. Such detailed audit trails not only help in regulatory compliance but also in internal reviews and investigations.

Insider Threats and Access Control

One of the considerable advantages of a policy-based approach is its nuanced understanding of risk. By considering the dynamic context of an access request, PBAC systems can respond to high-risk situations effectively. Helemski explained, “If the identity is trying to access from the office itself at 10:00 AM, that’s a low-risk access. But if they’re trying to access from a different country at 8:00 PM, that’s a high-risk access.”

Such a dynamic and granular approach is invaluable in managing insider threats, ensuring that risk metrics are continually updated and relevant.
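The office-at-10-AM versus abroad-at-8-PM contrast in the quote above, as an added example written for this page (it is not PlainID's code): each context signal adds to a risk score, the score selects a tier (allow, step up to MFA, or deny), and every decision is written to an audit record naming who, what, when, which policy fired and which signals drove it, which is the who/what/when/which-policy trail the compliance section describes. The signals, weights, thresholds and sample identity are invented for illustration.

```python
"""Added example, not PlainID's code: a risk-tiered, context-aware decision
with an audit record. The signals (network, country of origin, hour of day,
asset sensitivity), the point values and the tier thresholds are invented
for illustration; a real deployment would tune them against its own data.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json


@dataclass(frozen=True)
class Context:
    network: str   # "corp", "vpn" or "public"
    country: str   # where the request originates
    hour: int      # local hour 0-23 when the request is made


# Invented weights: each signal adds risk, so combinations compound.
WEIGHTS = {"public_network": 40, "vpn": 10, "foreign_country": 40,
           "off_hours": 30, "high_sensitivity": 20}
STEP_UP_AT, DENY_AT = 30, 60


def risk_score(subject, resource, ctx):
    """Return (score, signals) so the decision can be explained later."""
    score, signals = 0, []
    if ctx.network == "public":
        score += WEIGHTS["public_network"]
        signals.append("public network")
    elif ctx.network == "vpn":
        score += WEIGHTS["vpn"]
        signals.append("vpn")
    if ctx.country != subject["home_country"]:
        score += WEIGHTS["foreign_country"]
        signals.append(f"origin {ctx.country} differs from home {subject['home_country']}")
    if not 8 <= ctx.hour < 19:
        score += WEIGHTS["off_hours"]
        signals.append(f"outside working hours ({ctx.hour:02d}:00)")
    if resource.get("sensitivity") == "high":
        score += WEIGHTS["high_sensitivity"]
        signals.append("high-sensitivity asset")
    return score, signals


def tier(score):
    """Map a risk score to a decision and the (hypothetical) policy that fired."""
    if score >= DENY_AT:
        return "deny", "risk-deny-high"
    if score >= STEP_UP_AT:
        return "step_up", "risk-require-mfa"
    return "allow", "risk-allow-low"


AUDIT_LOG = []   # JSON lines: who, what, when, which policy, and why


def authorize(subject, resource, action, ctx, now=None):
    """Decide and record. The record carries the inputs and the signals, so an
    auditor can reconstruct why this decision was made."""
    score, signals = risk_score(subject, resource, ctx)
    decision, policy = tier(score)
    record = {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "subject": subject["id"], "resource": resource["id"], "action": action,
        "context": asdict(ctx), "risk": score, "signals": signals,
        "policy": policy, "decision": decision,
    }
    AUDIT_LOG.append(json.dumps(record, sort_keys=True))
    return decision, record


# Constructed sample identity and assets.
ALICE = {"id": "alice", "home_country": "IL"}
PAYROLL = {"id": "payroll-db", "sensitivity": "high"}
WIKI = {"id": "team-wiki", "sensitivity": "low"}

if __name__ == "__main__":
    print(authorize(ALICE, WIKI, "read", Context("corp", "IL", 10))[0])     # office, 10:00
    print(authorize(ALICE, WIKI, "read", Context("vpn", "DE", 20))[0])      # abroad, 20:00
    print(authorize(ALICE, PAYROLL, "read", Context("public", "IL", 10))[0])
    print(*AUDIT_LOG, sep="\n")
```

The middle tier is the practical one: a single odd signal (public Wi-Fi, a late-night request) does not lock a legitimate user out but forces a second factor, while two or more signals together, or one signal against a high-sensitivity asset, are refused outright. Keeping the signals in the audit record is what lets an insider-threat review later ask "why was this allowed" rather than just "was it allowed".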

PlainID and Zero Trust

The Zero Trust model posits that trust needs to be re-established at every point, from network access right down to data access. While many companies focus on network-based Zero Trust, PlainID believes in extending the model. “PlainID enables you to make those decisions dynamically and granularly. It does not end at the network. It continues all the way through applications, APIs, services, data and so on,” Helemski said, emphasizing the need for a comprehensive Zero Trust approach.

Recommendations for Organizations

For organizations seeking to enhance their security posture, Gal Helemski’s top three recommendations are:

  • Awareness of Visibility Gaps: Recognize that as digital space grows, there’s a pressing need to detect where digital identities are and their capabilities.
  • Provision of Tools: Equip application owners with the necessary tools to ensure consistent and secure authorization across the board.
  • Embrace the Zero Trust Program: Remember, Zero Trust is an ongoing journey. It’s essential to set clear foundations and objectives, gradually onboarding more applications to reduce overall risk.

Looking Ahead

As the digital landscape continues to evolve, the need for dynamic, context-aware access control mechanisms like PBAC becomes even more apparent. By focusing on policies rather than static roles, PBAC provides a forward-thinking approach to access control, ensuring that organizations remain secure in an ever-changing digital world.

For more information, visit https://www.plainid.com/

The post The Evolution of Access Control: A Deep Dive with PlainID’s Gal Helemski appeared first on Cybersecurity Insiders.

By Gal Helemski, Co-Founder and CTO/CPO at PlainID

“Data is the lifeblood of an organization.” The phrase has become something of a platitude in the security space, and it is hard to believe every organization truly upholds the sentiment. Yes, data is used to generate new ideas, inform decision-making, develop products faster, and much more, but without a solid data management strategy it is not guaranteed to be accessible, integrable or protected.

The threat landscape continues to evolve, yet many companies are stuck in the past, deploying a static solution that is difficult to maintain and increasingly complex to manage. Perimeter-based solutions, while they do provide some value, aren’t able to keep up with the growing complexity of the modern organization. They often require coding to make changes and are limited in the visibility they can provide.

Today, everyone is trying to solve the problem of what happens when credentials are compromised and a network is breached. The simplest approach is to minimize movement until security teams are able to resolve the incident. Cybersecurity is a defense-based mission and having a well-equipped team with smart security solutions can be the differentiating factor between a major cyber incident and an alert.

We now know that smart security has to be “identity-aware,” and identity-aware security calls for a smart, dynamic authorization solution. Authorization is the management, control and enforcement of the connections between identities and the data, functions and apps they can access.

Identity is a Prerequisite to Smart Security

Identity-aware security is often achieved with a zero-trust architecture. Zero Trust security architecture has been studied rigorously over the last decade and could have even prevented many of the past years’ attacks if implemented correctly (or at all). At the heart of a Zero Trust architecture is the ability to decide whether to grant, deny, or revoke access to a resource. The Zero Trust ideology is paramount in the modern work environment where more companies are using data hubs like cloud to allow their employees to work more freely from anywhere. With data moving more fluidly among users in and out of an organization, it’s increasingly difficult to rely solely on traditional perimeter security methods. This rise in complexity is why smart, identity-first security will be a business necessity going forward.

One of the most significant benefits of Zero Trust is the ability to automate permission policies, which reduces human error and lowers risk exposure. It also gives security teams dynamic decision-making capabilities, allowing them to use risk signals to make real-time decisions about what users can access.

A Word on Authorizations

What’s important to keep in mind, however, is understanding Authorizations and the link between the identity world and the security of the data.

There is a growing trend toward advanced data access controls that are identity-aware, dynamic, fine-grained and governed by policies. Data owners should treat identity-first security as part of their data access control strategy and research their options. This is crucial for securing the organization’s most important asset: its data.

Authorization vs. Authentication

Identity-first security can’t end at the gate. Identities and their access should be verified and controlled all the way to the data the user is accessing. Security in the digital world eventually relies on who can access what. The “who” are the identities, and the “what” is mostly the data that must be protected. Authentication handles the “who,” and Authorization takes care of the “what they can access.” Both are equally important at all levels of access.

Consider the airport control system analogy: initial access to the terminal is open to everyone. There are very few controls there. To proceed, however, the traveler must present a verified ID. To access the gate, they’ll need a ticket in addition to the verified ID, and once on the plane, they must be in their own seat. Every step they take forward insists on stronger control, combining who they are with what they can access. Having access to the terminal doesn’t mean they can board any plane, and accessing a plane doesn’t mean they can sit anywhere they’d like.

This same idea should also be implemented in the digital world, combining authentication and authorization and enforcing granular controls as a user gets near data.

Understanding & Leveraging Authorization

Authorization is the practice of managing and controlling an identity’s connection to digital assets such as data. It is a fundamental part of identity-first security. It starts with the authenticated identity and continues with the controlled process of what that identity can access. Full implementation of identity-first security can’t be achieved without an advanced authorization solution that can address every path to the data: applications, APIs, microservices and the data hub itself.

Data breaches will continue to become more aggressive and more expensive, especially as businesses consolidate their data into large data hubs. Leaders must invest in solutions that support identity-level controls at all required points of an organization’s technology stack. This measure reduces the risk of a devastating breach by restricting movement within the network to identities that have been authenticated and are authorized for each resource they reach.

Identity-based security has gone beyond a trend and is now a business necessity. The identity space is already experiencing rapid growth as the importance of identity as the new security perimeter sinks in. Identity solutions will experience more profound and more widespread support, especially in the cloud, and provide deeper levels of control.


The post Preparing for the Future: Understanding Identity’s Role in Data Security appeared first on Cybersecurity Insiders.

Gal Helemski, Co-Founder & CTO/CPO of PlainID

Many lessons can be learned when reflecting on 2022’s slew of data breaches. As we understand more about data security and, even more so, as data becomes more fluid, complex and dynamic, it’s critical to reevaluate what constitutes strong data protection. Until very recently, traditional data technologies didn’t have strong security controls in place. In many cases, security controls were applied at a very coarse-grained level and, in other cases, left to the application to deal with. Too often, this leaves data repositories wide open. For this reason, data security professionals ought to reevaluate the role of advanced, dynamic data access controls as part of their overall data security strategy. The data security market should also embrace the notion of identity-first security and implement those types of controls in the year ahead.

Double-Edged Sword

As organizations continue their migration to the cloud and adopt cloud-related technologies, data security is increasingly at risk. Businesses are accelerating their consolidation of data, using data hubs like the cloud to improve convenience for the end user and raise productivity, but are consistently leaving security at the gate. Data access and convenience matter to productivity, but they bring a massive security risk along with them.

Security must never be sacrificed for convenience, but at the same time, we must acknowledge the need for speedy access and simplification of security policies in the increasingly competitive and globalized business landscape. After all, in most cases, time is money, which leaves security teams grappling with the proverbial double-edged sword. In the new year, organizations will seek to invest in modern tools that meet this problem of convenience vs. security head-on.

In the future, this will lead to the acceleration of identity-first security, which uses the integrity of a user’s identity to execute an organization’s security strategy. The identity space has already experienced large growth, especially as the importance of identity as the new security perimeter sinks in. Identity solutions will most likely see even more widespread adoption in 2023, especially in the cloud, and provide deeper levels of control moving forward. An important part of this is understanding the role of authorizations and the link between the identity world and the security of the data and digital assets in general.

An Ever-Evolving Answer

The cost of data breaches will increase over the next year since the data access control space is still in its early stages and relies mostly on older techniques such as role-based controls and system account usage. The need to work with data and collaborate with data is increasing, and with that comes a greater, more costly impact in the event of a breach.

With this changing risk landscape in mind, more dynamic and comprehensive solutions have entered the authorization space. Using authorizations—instead of focusing on the perimeter of a digital enterprise—to protect the organization is more effective now that data has become more fluid. The main pillar of authorization is its role in managing and controlling an identity’s connection to digital assets, such as data. It starts with the authenticated identity and continues with the controlled process of what that identity can access. Authorizations are a fundamental part of identity-first security. Full implementation of identity-first security can’t be achieved without an advanced authorization solution that can address all required technology patterns of applications, APIs, microservices and data.

Another element within the realm of authorization that will see more adoption in 2023 is policy-based access control (PBAC). The main benefit of PBAC is that it makes authorization more manageable for everyone, including business owners and data analysts. PBAC is considered the most effective approach to authorization management and control by reducing the amount of authorization decisions to manage and providing both a business-oriented language in addition to a policy-code representation.

Organizations will continue to leverage the PBAC framework to support the ever-evolving demands on modern computing environments. It will bring a better answer to security teams looking to balance frictionless digital user journeys with security risk mitigation and data privacy.

From Trend to Necessity

Lastly, authorization will evolve from a trend in 2022 to a necessity in 2023. An important part of this adoption will be understanding authorizations and the link between the identity world and the security of the data and digital assets in general.

Access control policies will increasingly become the preferred method of controlling access. Already, a growing number of technologies and cloud vendors offer a policy option in addition to the traditional entitlement and role-based method. This is a very positive step towards simplifying this challenging space.

Identity-first security and zero trust should be a top priority for 2023. Security professionals should strongly consider developing an identity-first security plan and validate this strategy in all technology stack layers, starting from access points, networks, applications, data and infrastructure.

The post Learnings from 2022 Breaches: Reassessing Access Controls and Data Security Strategies appeared first on Cybersecurity Insiders.

By Gal Helemski, co-founder and CTO, PlainID

The number of access rules that must be managed across directories, applications, repositories, and other platforms by today’s digitally oriented enterprises is growing at an unprecedented pace. One of the major security headaches this creates is that controlling and auditing authorisations and entitlements is becoming more complex and challenging.

Also playing a bigger role is the widespread adoption of remote and hybrid working arrangements, and taken collectively, many organisations are now at greater risk of data breaches – unless they can consolidate and standardise access controls more effectively.

These challenges serve to highlight the value and growth in the adoption of identity and access management (IAM) technologies, which are used for regulating who has access to what information and how it is used. In particular, security teams are looking at how IAM can manage access across expanding and complex enterprise security perimeters.

While IAM has emerged from requirements focused on issues such as identity lifecycle, governance, proofing and access, today’s digital user journeys have prompted an important shift in emphasis. For instance, given significantly expanding security risk vectors and the need for more effective privacy controls and governance, the current generation of IAM solutions deliver more advanced levels of access control, with authorisation reemerging as a crucial component of IAM.

More specifically, real-time “dynamic authorisation” is becoming central to the zero-trust security strategies that aim to protect today’s dynamic technology environments. This represents an expansion of existing IAM components, which are now employed to build more robust systems that reduce the danger of compromised credentials providing unauthorised access to digital assets.

While this objective is growing in importance, one of the challenges of delivering on it is the disparate nature of access and authorisation policies used within the typical modern organisation. In many cases, for example, thousands of policies may be in use without sufficient levels of standardisation, centralised management or visibility. The result of these shortcomings can range from operational inefficiency to significantly increased risk.

Prevention is better than cure

Responding to these increasingly pressing issues, enterprise security teams are focusing on how they can standardise and consolidate access to deliver a preventative approach to today’s diverse risks. In effect, identity has become the common denominator for enforcing authentication and access control (via dynamic authorisation).

Looking ahead, the broader adoption of dynamic authorisation is likely to be driven by a range of factors, such as those organisations moving from an in-house policy engine to a proven industry solution, particularly as applications are built or refreshed. In the case of those organisations focused on the implementation of zero-trust architectures, for example, manually processing the growing number of entitlements is – for many – no longer sustainable. Instead, security teams need the capabilities that only automated solutions can provide if they are to minimise the impact of human error and more effectively control their exposure to risk.

Indeed, dynamic authorisation is increasingly viewed as a prerequisite for delivering effective zero-trust architectures. As part of this approach, implementing a fine-grained authorisation policy can put organisations in a much stronger position to meet their data privacy compliance obligations across specific data sets.

This kind of dynamic decision-making is central to the ability of security teams to make real-time changes in how and when users are granted access to data and resources across enterprise networks. Without an effective approach to policy management that ties authorisation decisions to identities verified by an authentication solution, data is much more difficult to protect. When access is governed within such a resilient architecture, however, the access points to critical data are protected by more resilient and agile security measures.

In today’s dynamic business environment, companies are facing a range of crucial challenges related to access control, security, and cybercrime. In order to remain secure and agile, it is essential for organisations to adopt a standardised, consolidated approach to access and authorisation. This can not only help to provide robust security that supports the goals and priorities of the business, but by taking this approach, companies can achieve a win-win situation where effective security and bottom-line success go hand in hand.

The post Why Access Control Should Be a Core Focus for Enterprise Cybersecurity appeared first on Cybersecurity Insiders.

By Gal Helemski, Co-Founder and CTO, PlainID

As the world continues to move into virtual spaces, identity and access management, or IAM, has become a requirement for participating organizations. In particular, smart technology that manages who can access what, and when, is in high demand within the healthcare industry.

Many healthcare organizations are using their IAM systems to address their ongoing complex compliance requirements, combat persistent cybersecurity threats, and securely share medical records with patients and within the healthcare network. This balancing act often leaves healthcare providers with a series of obstacles during critical circumstances.

While these obstacles aren’t new to healthcare organizations, it doesn’t mean that the IAM systems in place are equipped to solve each issue. A few factors that test the functionality and efficiency of these systems are:

Compliance Complexities and Digital Data

The compliance landscape keeps shifting as regulatory codes are updated and new requirements appear. Healthcare-specific frameworks like HIPAA now have to be reconciled with newer data privacy laws such as the EU’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA), and the growing complexity of how medical information and data is used places additional responsibility on healthcare providers to respond efficiently.

Consumer Expectations

Consumers expect information regarding their health to be delivered with a certain level of sensitivity and transparency. Privacy concerns can be expected in relation to health data, but consumers are also looking to be handled with the same special care that exists between a healthcare provider and patient. The need for open communication about personal health information is why Gartner recommends healthcare organizations develop “strategies for notification, communication and minimizing the amount of data collected and retained.”

Data’s Lifetime Impact

The impact of valuable data isn’t lost on healthcare organizations, but the challenge they face is how to use data for future use. While leaders in the healthcare space recognize the significance of data as a critical resource, stakeholders can run into issues in accessing and adequately leveraging it. Creating an intentional use for data over a period of time can be challenging due to the difficulty of sharing data securely and efficiently. This is especially true when it comes to sharing patient medical information.

Security Threats

As part of the digital landscape, the healthcare industry is no stranger to cyberattacks, especially those enabled by ineffective data management and access controls. Health facilities routinely run massive databases serving health providers and patients. As facilities continue to exchange these databases, there is a growing need for data access controls that give the right personnel access to the right information, and only that information.

Ultimately, policy-based access control (PBAC) can provide healthcare organizations with the proper solutions to address these issues. Using a dynamic and policy-based access control system creates an environment for healthcare organizations to address each factor from a more holistic perspective.

A holistic approach enables the type of scalable functionality needed for modern healthcare organizations to build success. Policy-based access control streamlines access control for healthcare data, making it easier for healthcare providers to align technical controls with business requirements.

By delivering dynamic authorizations controlled by a centralized PBAC, healthcare organizations can establish a solution that delegates governance, management and enforcement of the right controls at the right time. More specifically, through granular access control policies, healthcare providers can share medical information with individual patients while releasing the same information within their organization based on the requesting provider’s certification level.
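The airport analogy earlier on this page (verify who the traveler is, then tighten control at every step toward the seat) and the certification-level sharing described just above, as one added example written for this page; it is not PlainID's code. The caller must present a known session (the verified "who"), a policy then decides whether the API action is allowed at all, and the same policy is finally compiled into a SQL row filter plus a column list so the data layer cannot hand back anything the policy would deny. Patients see their own full record; clinicians see only patients on their care list, and a sensitive column only if their certification rank is high enough. The schema, records, sessions, roles and certification ranks are invented for illustration.

```python
"""Added example, not PlainID's code: authorization enforced all the way to
the data, in the healthcare setting the article describes.

Three checkpoints, in the spirit of the airport analogy: (1) the caller must
present a known session (the verified "who"), (2) a policy decides whether
the API action is allowed at all, and (3) the same policy is compiled into a
SQL row filter and a column list, so the data layer cannot return what the
policy would deny. Schema, records, sessions, roles and certification ranks
are invented for illustration.
"""
import sqlite3

# Invented certification ranks and the rank each sensitive column requires.
CERT_RANK = {"nurse": 1, "physician": 2, "psychiatrist": 3}
COLUMN_MIN_RANK = [("diagnosis", 2), ("mental_health_note", 3)]

# Constructed sessions: token -> already-authenticated identity.
SESSIONS = {
    "tok-p2": {"id": "p2", "kind": "patient"},
    "tok-nurse": {"id": "nurse_dan", "kind": "clinician",
                  "certification": "nurse", "patients": ["p1", "p2"]},
    "tok-doc": {"id": "dr_cohen", "kind": "clinician",
                "certification": "physician", "patients": ["p2"]},
    "tok-psy": {"id": "dr_levi", "kind": "clinician",
                "certification": "psychiatrist", "patients": ["p2"]},
}


def setup_db():
    """In-memory table with a few constructed patient records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records(patient_id TEXT, attending TEXT, "
                 "diagnosis TEXT, mental_health_note TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?, ?)", [
        ("p1", "dr_cohen", "fracture", ""),
        ("p2", "dr_cohen", "anxiety", "session notes"),
        ("p3", "dr_levi", "flu", ""),
    ])
    return conn


def api_authorize(identity, action):
    """Checkpoint 2: coarse action check per kind of identity."""
    allowed = {"patient": {"read"}, "clinician": {"read", "write"}}
    return action in allowed.get(identity["kind"], set())


def row_filter(identity):
    """Checkpoint 3a: the policy as a parameterised WHERE clause.
    Patients see only their own record; clinicians only their care list."""
    if identity["kind"] == "patient":
        return "patient_id = ?", (identity["id"],)
    if identity["kind"] == "clinician" and identity.get("patients"):
        marks = ", ".join("?" * len(identity["patients"]))
        return f"patient_id IN ({marks})", tuple(identity["patients"])
    return "0", ()   # default deny: a clause that matches no rows


def visible_columns(identity):
    """Checkpoint 3b: a patient sees everything about themselves; a clinician
    sees a sensitive column only if certified at or above its rank."""
    cols = ["patient_id", "attending"]
    rank = CERT_RANK.get(identity.get("certification"), 0)
    for col, needed in COLUMN_MIN_RANK:
        if identity["kind"] == "patient" or rank >= needed:
            cols.append(col)
    return cols


def query_records(conn, identity):
    cols = visible_columns(identity)
    where, params = row_filter(identity)
    # Column names come from our own constant list, never from the caller,
    # so interpolating them is safe; all values go through placeholders.
    sql = f"SELECT {', '.join(cols)} FROM records WHERE {where} ORDER BY patient_id"
    return [dict(zip(cols, row)) for row in conn.execute(sql, params)]


def handle(conn, token, action):
    """The whole journey: unknown session -> 401, action not allowed -> 403,
    otherwise only the rows and columns the policy permits."""
    identity = SESSIONS.get(token)
    if identity is None:
        return {"status": 401}
    if not api_authorize(identity, action):
        return {"status": 403}
    return {"status": 200, "records": query_records(conn, identity)}


if __name__ == "__main__":
    db = setup_db()
    for tok in ("tok-bogus", "tok-p2", "tok-nurse", "tok-doc", "tok-psy"):
        print(tok, handle(db, tok, "read"))
```

The point of compiling the policy into the query rather than filtering results afterwards is that the database never returns rows or columns the caller may not see, so a bug in a later layer cannot leak them. The fallback branch of `row_filter` returns a clause that matches nothing, so an identity kind the policy does not recognise gets an empty result rather than the whole table, which is the deny-by-default that a Zero Trust design requires at the data layer too.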

Overall, the obstacles healthcare organizations and their providers face to deliver effective care will persist. Confusing compliance mandates, proper data research and security threats will always remain, along with the demand for healthcare to become more accessible and digital-friendly. But there are ways to address the fine-grained needs of healthcare organizations while maintaining the necessary security and risk requirements.

While many healthcare organizations using identity and access management systems seem to be a step ahead, they may not be positioned to share vital information across their network. Leading with policy-based access control technology is the best way for the healthcare industry to manage data in the most efficient and secure way. The power of using dynamic authorization enables decision-makers to set meaningful and efficient access controls policies.

The post Addressing the Unique Obstacles in Healthcare Through Policy-Based Access Control appeared first on Cybersecurity Insiders.