No, really, who has access to what?
by Ian Glazer | June 7, 2011
In the unceasing wake of the RSA breach, and especially given Art Coviello’s most recent post, I’ve been thinking about what role identity and access governance can play in mitigating post-RSA attacks. As you know, I don’t cover authentication – that’s Mark’s beat, and he’s been on this like a hawk. This separation of coverage reflects how most organizations work: teams focused on remote access, teams focused on authentication, teams focused on provisioning and certification, etc. OK, so if I represent the access governance team, what could I do to help?
The most important thing I could do is start identifying who in the organization has access to the most sensitive IP the enterprise has. It was this sort of information that was targeted in the RSA breach, and it appears that the same sort of information was targeted in the Lockheed breach. So I, as the keeper of the “who’s got what” repository, ought to know who has access to such sensitive data.
Except, I might not.
Yes, I’ll know what entitlements are assigned to which people on which systems. But that isn’t the same as knowing what kinds of data people can work with. Overall, enterprise identity teams have done a good job building out their entitlement catalogs. My customers constantly amaze me in describing the contents and scope of their entitlement catalogs. But there’s a gap. The mapping of people to entitlements is strong, but the mapping of entitlements to kinds of data is often weak.
Too often people managing access to data operate on tribal, implicit knowledge – if it comes from that server, then the data is likely financial data. But unfortunately, that tribal knowledge doesn’t make it into our entitlement catalogs.
I’m starting to believe that “kind of data” is the new perimeter for the enterprise. Each kind of data in the enterprise has its own attack surface, and protecting and governing access to those kinds of data requires blending different techniques depending on context. The entitlement catalog has a major role to play, but it can only do so if we start making explicit what kinds of data entitlements enable action upon.
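To make the gap concrete, here is an added example (my own illustration, not code from the post or from any Gartner client) of an entitlement catalog whose rows carry an explicit "kinds of data" mapping. With that column present, "who can reach our design IP?" becomes a query rather than tribal knowledge, and rows with no classification surface as exactly the blind spot described above. The systems, entitlement names, people and data kinds are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    """One row of an entitlement catalog, extended with the kinds of data it grants action upon."""
    system: str           # system that enforces the entitlement (hypothetical names below)
    name: str             # entitlement identifier as that system knows it
    data_kinds: frozenset  # explicit classification; empty means "not yet written down"


# Constructed sample catalog, keyed by (system, entitlement name).
CATALOG = {
    ("plm", "engineers"): Entitlement("plm", "engineers", frozenset({"design-ip"})),
    ("plm", "release-mgrs"): Entitlement("plm", "release-mgrs", frozenset({"design-ip", "release-schedule"})),
    ("erp", "ap-clerk"): Entitlement("erp", "ap-clerk", frozenset({"financial"})),
    # Classification for this share lives only in someone's head: the tribal-knowledge case.
    ("fileshare", "grp-eng-legacy"): Entitlement("fileshare", "grp-eng-legacy", frozenset()),
    ("hr", "hr-analyst"): Entitlement("hr", "hr-analyst", frozenset({"pii"})),
}

# Constructed sample assignments: person -> set of (system, entitlement name) pairs.
ASSIGNMENTS = {
    "alice": {("plm", "engineers"), ("fileshare", "grp-eng-legacy")},
    "bob": {("erp", "ap-clerk")},
    "carol": {("plm", "release-mgrs"), ("hr", "hr-analyst")},
    "dave": {("fileshare", "grp-eng-legacy")},
}


def who_can_access(data_kind, catalog=CATALOG, assignments=ASSIGNMENTS):
    """Return {person: sorted 'system:entitlement' list} for everyone holding an
    entitlement classified as touching `data_kind`. Unclassified entitlements
    never match, so the answer is only as good as the catalog's data-kind column."""
    result = {}
    for person, ents in assignments.items():
        hits = sorted(f"{s}:{n}" for (s, n) in ents if data_kind in catalog[(s, n)].data_kinds)
        if hits:
            result[person] = hits
    return result


def unclassified_entitlements(catalog=CATALOG):
    """Catalog rows with no data-kind mapping: the ones still governed by tribal knowledge."""
    return sorted(f"{e.system}:{e.name}" for e in catalog.values() if not e.data_kinds)


def people_with_unclassified_access(catalog=CATALOG, assignments=ASSIGNMENTS):
    """People whose actual reach is unknown because at least one entitlement is unclassified."""
    gaps = set(unclassified_entitlements(catalog))
    return sorted(p for p, ents in assignments.items() if any(f"{s}:{n}" in gaps for (s, n) in ents))


def classification_coverage(catalog=CATALOG):
    """Fraction of catalog rows carrying an explicit data-kind mapping (a governance KPI)."""
    total = len(catalog)
    return (total - len(unclassified_entitlements(catalog))) / total if total else 1.0


if __name__ == "__main__":
    print("design-ip reach:", who_can_access("design-ip"))
    print("unclassified entitlements:", unclassified_entitlements())
    print("people with unknown reach:", people_with_unclassified_access())
    print(f"classification coverage: {classification_coverage():.0%}")
```

Note that `who_can_access("design-ip")` silently omits alice's and dave's legacy file share: nothing in the catalog says what that share holds, so a certification campaign driven from this data would never ask the right reviewer about it. Tracking `unclassified_entitlements` and `classification_coverage` over time is one way to turn "make the data kinds explicit" into a measurable program rather than a wish.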
Just a heads-up: I’ll be talking about this idea in the privacy track at Catalyst. See you there!