Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Risk weighted access control
Similar to Risk weighted access control (20)
Recently uploaded
Recently uploaded (20)
Risk weighted access control
- 1. Risk Weighted Access Control
- 3. Identity Context Identity Identity Risk Ranking metrics CASB Provided Device Signature Age – First time use for identity? Known Issues Current Issues Browser Signature Age Known Issues Current Issues Origin IP Risks Known Blacklisting/Botnets Unusual for ID Geo-fencing Registration/Provisioning Process Strength Identity Store Trust level Scale Integration Owned/Not Owned/Controlled Maintenance Attribute set validity ID Age ID Usage History … In all cases can start as simplified abstractions (+1/=+.1… per item based on assumptions and adjusted over time based on learning and manual adjustment) or via using valid Bayesian outlier detection and recursive machine learning to adjust based on experience – for true machine learning there MUST be a decision point and feedback path example 1 Trusted owned managed device with recent strong authentication 3 unknown device but recent authentication 5 Blacklisted device
- 4. Transaction Context Transaction Transaction Risk Ranking Metrics • Transaction Frequency • Outside 2 standards of deviation • Transaction Scale • Outside 2 Standards of deviation • Transaction to Transaction Context • Identified Administrative transactions • Transactions that impact multiple other transactions • Authorizations that get passed to many others • Business Segregation of Duties • Usually relies on Data Context Frequency and Scale are most readably translated to actionable controls Example 1. Identity, data and transaction frequency and scale are all within normal usage with a large data set to compare with 3. Unusual or new identity or transaction 5. Dramatically abnormal transaction frequency or scale OR 5. Transaction combinations that the business says are significant SOD Issues
- 5. Data Context Data Data Risk Ranking Metrics Captured at creation or application creation. Based on the impact of a violation in CIAC • Confidentiality • Personal Information • Secrets (used for other access) • PI • … • Integrity • Controls other things • Can be used to steal • Availability • Standard Business continuity metrics • Business Impact • Time to impact • Time to first loss • Ransomware-able • Compliance/Legal • Legal Requirement • Industry Requirement • Organizational Requirement Captured at CICD pipeline and application creation and during the feedback path for the machine learning portion of the transaction outlier context
- 6. 1,5,1 1,5,2 1,5,3 1,5,4 1,5,5 1,4,1 1,4,2 1,4,3 1,4,4 1,4,5 1,3,1 1,3,2 1,3,3 1,3,4 1,3,5 1,2,1 1,2,2 1,2,3 1,2,4 1,2,5 1,1,1 1,1,2 1,1,3 1,1,4 1,1,5 3,5,1 3,5,2 3,5,3 3,5,4 3,5,5 3,4,1 3,4,2 3,4,3 3,4,4 3,4,5 3,3,1 3,3,2 3,3,3 3,3,4 3,3,5 3,2,1 3,2,2 3,2,3 3,2,4 3,2,5 3,1,1 3,1,2 3,1,3 3,1,4 3,1,5 4,5,1 4,5,2 4,5,3 4,5,4 4,5,5 4,4,1 4,4,2 4,4,3 4,4,4 4,4,5 4,3,1 4,3,2 4,3,3 4,3,4 4,3,5 4,2,1 4,2,2 4,2,3 4,2,4 4,2,5 4,1,1 4,1,2 4,1,3 4,1,4 4,1,5 5,5,1 5,5,2 5,5,3 5,5,4 5,5,5 5,4,1 5,4,2 5,4,3 5,4,4 5,4,5 5,3,1 5,3,2 5,3,3 5,3,4 5,3,5 5,2,1 5,2,2 5,2,3 5,2,4 5,2,5 5,1,1 5,1,2 5,1,3 5,1,4 5,1,5 2,5,1 2,5,2 2,5,3 2,5,4 2,5,5 2,4,1 2,4,2 2,4,3 2,4,4 2,4,5 2,3,1 2,3,2 2,3,3 2,3,4 2,3,5 2,2,1 2,2,2 2,2,3 2,2,4 2,2,5 2,1,1 2,1,2 2,1,3 2,1,4 2,1,5 Applied at authentication event or forced on alert event • All 3 in the low 1’s or 2’s – transparent or no additional authentication • Some in the 3’s – additional authentication required • Some in the 4’s – MFA or Strong Authentication required • 5’s – block and/or alert for Human action Very detailed Matrices can be built as needed by the business or risk Continuous Risk Based Authentication