Can we turn off Snowden’s access after the fact?

By E.K. Koh

In my last blog, Would data-level controls have stopped Snowden, I highlighted the importance of separating system rights from data rights. But what if Snowden were using a login credential that in fact granted him rights to sensitive data? Accounts vary, but in the blog What the Snowden affair taught us, Anand alluded to the fact that Snowden gained access by stealing the credentials of users with higher privilege. Unfortunately, even a system with fine-grained data entitlement capabilities will not be able to stop Snowden, under his new identity, from copying sensitive data.

Attributes is the new role?

By Sandeep Chopra.

At the last Gartner Identity and Access Summit in Nov 2013, Gregg Kreizmann, Research VP at Gartner, predicted that by 2020, 70% of all businesses will use attribute-based access control (ABAC) as the dominant mechanism to protect critical assets, up from <5% today.

In Oct 2013, NIST published its report titled “Guide to Attribute-based Access Control Definition and Consideration”, which we discussed in an earlier blog. This is recognition that organizations, including the federal government, need to govern how information is shared across systems, applications, and organizations.

Would data level controls have stopped Snowden?

By E.K. Koh

The blog What the Snowden affair taught us questioned, “Why should a system administrator be allowed to download and move files? Shouldn’t system privilege and data privilege be separate?”

Ideally “yes”, but in practice, that has not been the case.

Most system administrators have unfettered access to data because of their system privilege. This happens because their jobs often require them to be able to move and copy data and documents. However, not all documents are the same, and depending on the classification of the document, certain restrictions may be required. For example:

What the Snowden affair taught us…the Super User problem

By Anand Kotti

With the use of computer networks and information systems come security risks. The risks range from unauthorized access to loss, theft and cyber-attacks on sensitive data. In the recent past, there has been an increase in security breaches by insiders threatening to leak information confidential to US federal authorities, which caught us completely off guard.

NIST Report Reflects Increasing Need for ABAC…but Over-Engineers Its Deployment

by Andy Han

The National Institute of Standards and Technology (NIST) held a conference a few months back on Attribute Based Access Control (ABAC). The primary objective of the conference was to promote a special publication on ABAC, and the event brought together leaders from various government programs, technology vendors, industry analysts and subject matter experts on authorization and access control. The event and paper are recognition that the adoption of ABAC is accelerating and that we needed to put in writing a shared understanding of when and how to deploy ABAC.

DAC in 2 Minutes

By Sandeep Chopra.

In my last two posts on Dynamic Access Control (DAC), I described some of the limitations of traditional approaches to Authorization Management (see here) and how dynamic authorization is different (see here). It’s all about choosing the right tool for the job.

XACML is Growing Up

By Andy Han.

I have been following the blog debate over the death of XACML spurred by Andres Cser at Forrester. The conversation reminded me of a similar debate we had here at NextLabs over eight years ago. In 2004, XACML was dead. I think there was one commercial product. But the security market was starting to shift its focus from securing the network and applications to securing the data (for example, the early DLP companies were getting traction). It was clear that the model companies used to secure their data was so manual and inflexible that it would never scale to meet the demands of future regulations, mobility, cloud, and hyper-collaboration. So the big idea: “What if you could write a policy about how your information should be protected and it would be enforced universally?” An obvious good idea and a hard problem. Sign me up!