May 11, 2020
Security

Identity and Access Management: Good for Cybersecurity, Not So Much for Information Security

Let’s begin with the premise that cybersecurity and information security are not the same thing:

Cybersecurity:

  • The art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.[1]
  • Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.[2]
  • The measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.[3]

Information security (a/k/a infosec) (the emphasis is ours):
  • The measures that protect and defend information and information systems by ensuring their availability, integrity, and confidentiality.[4]
  • The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.[5]
  • The practice of protecting information by preventing unauthorized access to data.[6]

While cybersecurity is broad in both its context and application, information security is singularly focused on the protection of data. In practice however, most businesses repeatedly use the same tools, controls, strategies, mindset, etc., to defend against cyber-attacks as they do to protect their data. Is it because everyone else is doing it that way, or perhaps adequate processes are lacking, or maybe there’s simply a dearth of tools specifically designed to address information security? The unfortunate reality is that most tools are designed fundamentally to address cybersecurity, and while these tools may to some degree help with information security, it’s really not their raison d’être.

Take for example identity and access management (IAM). IAM can be defined as access controls based on user credentials, passwords, multi-factor systems and even snazzier new tools such as risk-based authentication.[7]

How many of you reading this article rely almost exclusively on IAM to prevent unauthorized access to information?

Hmm, we bet a lot of hands are going up right now.

IAM has become the backbone of most cybersecurity programs. IAM is a wall, or a series of walls, designed to keep the bad guys from getting in. IAM therefore serves an important purpose by preventing unauthorized access. But those walls do very little to protect information once someone has successfully entered the perimeter.

Think of your existing cybersecurity tech stack – access to information based on user authentication does little if anything to protect information from an adversary who has successfully attacked IAM controls using, for example, social engineering, credential stuffing, a zero day exploit, etc. Once the adversary authenticates themselves or gains control of an authenticated user’s computer, the organization goes from 100% secure, to 100% unprotected. That’s because the IAM controls are designed to be part of the cybersecurity stack, not designed for the requirements of information security.

We're not saying those access walls shouldn’t be an important component of cybersecurity or advocating that the walls be dismantled. But with regard to information security, when the IAM walls fail, an organization can be left in dire straits.

History is replete with false assurances of security. For centuries, cities defended themselves by erecting walls to repel invaders and deter attacks. Walls were indeed a state of the art defense mechanism. They secured the inhabitants of the city along with their valuables. The walls of Constantinople, for example, were considered impenetrable. For hundreds of years they withstood pretty much every attack. But technology eventually caught up. Gunpowder and large cannons became advanced enough to breach Constantinople’s fortifications. Most every wall in human history eventually succumbed to the same fate – the Manchu Qing marched through the Great Wall of China, the Germans flew over the Maginot Line, and the best most secure cybersecurity walls continue to be breached on a daily basis. It’s become a veritable nonstop arms race between security providers and hackers.

If we view IAM through the lens of cybersecurity and look separately at information security, it makes sense to consider one of the most powerful forms of information security: encryption. Let’s see how encryption tends to play out in practice.

Constant Corp believes it has implemented top-notch cybersecurity and information security programs. The company has a state-of-the-art IAM system, segregation of duties, activity monitoring, data classification, etc. Access to Constant Corp’s data is role-based to encompass business-unit requirements, and is proactively managed to reflect data requirements, with encryption based on permissions. It maintains thorough logs of encryption and decryption events, and closely monitors and orchestrates policies across its disparate encryption and IAM products. Kudos to Constant Corp. It appears to have rolled out one heck of a sophisticated authentication-based encryption framework.

One day a Constant Corp employee is spear-phished. The employee’s credentials are stolen and used to access a network drive containing all of Constant Corp’s files that have been tagged “private” by its data classification tool. The attacker exfiltrates the data, which happen to be confidential client files, and demands 50 bitcoin. If the ransom is not paid, the attacker will begin to publicly publish the files.

Constant Corp’s IAM walls remain erect and mostly impenetrable, but they did very little in the way of protecting Constant Corp’s information. At the core of Constant Corp’s failure was its decision to use cybersecurity systems as the backbone for information security. In fact, Constant Corp would have had more success by simply encrypting each file with a unique file password than its sophisticated cybersecurity had accomplished.

Constant Corp is a fictionalized entity, but the scenario we just ran through is by no means unique. When it comes to encryption and access to encrypted data, most organizations rely on their IAM controls. User-credentialed applications, group privileges, and third-party data entitlements all require login credentials, which when successfully entered allow the “authorized” user to access everything they have been permissioned to see. However, organizations that continue to associate these access controls with information security will eventually experience devastating results.

So, what is the solution? A proper segregation of cybersecurity and IAM from information security. Using encryption for information security is, indeed, the appropriate path. The right way to use encryption is with a complete separation of IAM from access to encryption keys.

Atakama is a true information security software that protects files on a granular basis based on the location of the file, completely untethered to IAM or traditional cybersecurity frameworks. Each file saved to the Atakama-enabled location is automatically encrypted using AES with a 256-bit key. The unique key for each file is then automatically fragmented into “key shards”. The key shards are each separately encrypted using asymmetric (public key) encryption and distributed to two or more physical devices controlled by the user. In most cases, at least one of the devices is a user’s smartphone running the Atakama Mobile app. The second device is generally the user’s computer. By employing a file-by-file encryption design, Atakama renders a breach almost completely useless to the attacker. Undeniably, a vast improvement over the status quo.
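To make the design above concrete, here is an added illustration of per-file key fragmentation; it is example code written for this article, not Atakama’s own implementation, and it makes several assumptions the text does not state. The shard scheme is Shamir secret sharing over GF(256) (the article only says the key is “fragmented”; Shamir is one standard way to do that, and it generalizes the two-device case to a t-of-n threshold). Because the example must run with the Python standard library alone, the AES-256 file cipher is replaced by an HMAC-SHA256 keystream with an authentication tag, labelled as a stand-in, and the per-device public-key wrapping of each shard is omitted: shards are simply handed to the named devices. The point the code shows is that a stolen credential that yields the encrypted store plus fewer than the threshold number of shards recovers nothing, while the user’s own devices together can still open the file.

```python
import hashlib
import hmac
import secrets
import struct

# ---- GF(256) arithmetic (AES reduction polynomial x^8 + x^4 + x^3 + x + 1) ----

def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements in GF(2^8)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p & 0xFF

def gf_pow(a: int, e: int) -> int:
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def gf_inv(a: int) -> int:
    """Multiplicative inverse via a^(2^8 - 2)."""
    return gf_pow(a, 254)

# ---- Shamir split/recover of a per-file key (assumed scheme, not the product's) ----

def _eval_poly(coeffs: list, x: int) -> int:
    acc = 0
    for c in reversed(coeffs):          # Horner's rule, highest degree first
        acc = gf_mul(acc, x) ^ c
    return acc

def split_key(key: bytes, threshold: int, shares: int) -> list:
    """Return [(x, y_bytes)] shards; any `threshold` of them rebuild `key`."""
    assert 1 < threshold <= shares < 256
    # One random polynomial per key byte; constant term is the key byte itself.
    polys = [[b] + [secrets.randbelow(256) for _ in range(threshold - 1)] for b in key]
    return [(x, bytes(_eval_poly(p, x) for p in polys)) for x in range(1, shares + 1)]

def recover_key(shards: list) -> bytes:
    """Lagrange interpolation at x=0 over GF(256); subtraction is XOR here."""
    length = len(shards[0][1])
    key = bytearray(length)
    for j, (xj, yj) in enumerate(shards):
        lj = 1
        for m, (xm, _) in enumerate(shards):
            if m != j:
                lj = gf_mul(lj, gf_mul(xm, gf_inv(xm ^ xj)))
        for i in range(length):
            key[i] ^= gf_mul(yj[i], lj)
    return bytes(key)

# ---- File cipher: stand-in for AES-256 so the block runs without extra libraries ----

def _subkeys(key: bytes):
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])

def encrypt_file(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_file(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered file")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# ---- Scenario from the article, with constructed sample data ----

def scenario() -> dict:
    """Encrypt one file, shard its key 2-of-3 across devices, test two access paths."""
    file_key = secrets.token_bytes(32)                      # unique 256-bit key per file
    stored_blob = encrypt_file(file_key, b"constructed confidential client file")
    devices = dict(zip(["laptop", "phone", "backup"], split_key(file_key, 2, 3)))
    # Attacker with stolen credentials reaches the store and, say, the laptop's shard only.
    try:
        decrypt_file(recover_key([devices["laptop"]]), stored_blob)
        attacker_reads_file = True
    except ValueError:
        attacker_reads_file = False
    # Legitimate user approves on the phone: laptop + phone shards rebuild the key.
    user_plain = decrypt_file(recover_key([devices["laptop"], devices["phone"]]), stored_blob)
    return {"attacker_reads_file": attacker_reads_file, "user_plaintext": user_plain}

if __name__ == "__main__":
    print(scenario())
```

The threshold parameters (2 of 3 here) are a choice for the example; the design property that matters is that the file store and the IAM session together hold no complete key, so an attacker who beats the login wall must still compromise a second, physically separate device per file.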

Security professionals are tasked with designing and implementing security programs to prevent, detect, and mitigate attacks, which are absolute necessities. But those same programs are rarely if ever a sufficient form of information security. Request a demo to see how Atakama can deliver best-in-class information security for your organization and fortify your existing cybersecurity infrastructure.


[1] https://www.us-cert.gov/ncas/tips/ST04-001

[2] https://csrc.nist.gov/glossary/term/cybersecurity

[3] https://www.merriam-webster.com/dictionary/cybersecurity

[4] https://niccs.us-cert.gov/about-niccs/glossary#I

[5] https://csrc.nist.gov/glossary/term/INFOSEC

[6] https://en.wikipedia.org/wiki/Information_security

[7] Based on https://www.csoonline.com/article/2120384/what-is-iam-identity-and-access-management-explained.html
