Q&A: Critical infrastructure and policy-driven authorization with Mark Cassetta
Mark Cassetta discusses how policy-driven authorization reduces cyber risks that critical infrastructure organizations face in a modern world.
What issues related to critical infrastructure do we see that make policy-driven authorization important?
Critical infrastructure is always a high-risk target because it is essential to daily life – we are talking about pipelines, electricity, and transformation infrastructure, which are important to keeping the lights on (literally).
That said, no matter the industry, the fundamentals are all still the same – I have sensitive information and I don’t want people who shouldn’t have access to the information to have access.
With critical infrastructure being so interconnected, there is a constant need to share information outside of the organization so people can do their jobs. It is in this vein that they also pose a massive risk in the event of a malicious attack that moves laterally where the principles of least privilege have not been applied.
In parallel, there are people that just want to get their job done and do the right thing. Without the guardrails and the increase in compliance, these knowledge workers struggle to understand what can and cannot be shared.
Critical infrastructure organizations have extremely sensitive information that could take down a grid or shut down the entire economy, making it imperative to have the right guardrails in place. It is crucial to ensure employees have secure means to effectively collaborate with others without exposing their organization to additional risk.
This is where policy-driven authorization plays a key role. Leveraging attribute-based access control (ABAC), policy-driven authorization ensures users only access the information they need to get their job done. Access decisions are based on context including role, location, device, etc. ABAC reduces scenarios and ultimately attack surfaces to prevent everyday users from having access to more information than required, and reduces the likelihood of standing access and users with outsized privileges.
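As an added example (not part of the interview, nor code from any vendor product), here is a small attribute-based authorization evaluator in Python that applies the kind of context attributes mentioned above with default deny, so access exists only where a rule explicitly grants it; the rule names, attribute fields and the grid-operator policy are all constructed for illustration.

```python
# Added example (not from the interview or any product): a minimal ABAC
# evaluator. Rules are conditions over request attributes (role, site, device,
# network zone); deny-overrides with default deny means nobody holds access
# that no rule explicitly grants. All attribute names are assumptions.

def evaluate(rules, req):
    """Return (decision, rule_name). A matching deny wins; no match is a deny."""
    permit_by = None
    for rule in rules:
        if rule["when"](req):
            if rule["effect"] == "deny":
                return "deny", rule["name"]
            permit_by = permit_by or rule["name"]
    return ("permit", permit_by) if permit_by else ("deny", "default-deny")

def request(role, site, action, res_site, classification, managed, zone):
    # Subject, resource and environment attributes in one constructed shape.
    return {"subject": {"role": role, "site": site},
            "resource": {"site": res_site, "classification": classification},
            "action": action,
            "env": {"device_managed": managed, "network_zone": zone}}

# Constructed policy for a hypothetical grid operator.
RULES = [
    {"name": "staff-read-own-site", "effect": "permit",
     # Operators and engineers read their own site's material from a managed device.
     "when": lambda r: r["action"] == "read"
         and r["subject"]["role"] in ("operator", "engineer")
         and r["resource"]["site"] == r["subject"]["site"]
         and r["env"]["device_managed"]},
    {"name": "engineer-write-own-site", "effect": "permit",
     # Engineers may change configuration at their own site.
     "when": lambda r: r["action"] == "write"
         and r["subject"]["role"] == "engineer"
         and r["resource"]["site"] == r["subject"]["site"]},
    {"name": "partner-read-shared", "effect": "permit",
     # External partners see only material classified as shared.
     "when": lambda r: r["action"] == "read"
         and r["subject"]["role"] == "partner"
         and r["resource"]["classification"] == "shared"},
    {"name": "deny-restricted-write-offsite", "effect": "deny",
     # Restricted changes must originate from the on-site OT zone, whoever asks.
     "when": lambda r: r["action"] == "write"
         and r["resource"]["classification"] == "restricted"
         and r["env"]["network_zone"] != "ot-onsite"},
]

def decide(**attrs):
    # Evaluate one request against the constructed site policy.
    return evaluate(RULES, request(**attrs))
```

An engineer writing a restricted asset at their own site is permitted from the OT zone but denied from a remote zone, because the deny rule overrides the permit; a partner or an unmanaged device falls through to default deny.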
How has the White House mandate on Zero Trust affected critical infrastructure organizations?
Though much of the discussion around the White House’s Zero Trust mandate has focused on federal agencies, critical infrastructure is also impacted.
After all, the government is tasked with protecting this infrastructure, whether that’s at the federal, state or local level. The Zero Trust mandate and the ongoing National Security Telecommunications Advisory Committee (NSTAC) reports, which are sent to the president, help influence what is going to happen around cybersecurity.
Where do critical infrastructure organizations stand when it comes to overall identity and access management (IAM) maturity?
Critical infrastructure organizations don’t have a straight path to follow towards maturity as they are dealing with a wide variety of applications and environments – on-premises, private cloud, public cloud, etc. While some parts of the business or even applications may have a more advanced access strategy, others lag behind.
The way organizations can overcome this is to focus on what is critical to their business and prioritize what they need to focus on. Many organizations think that they have to go big, but they have to start small, compartmentalize, and make a plan to scale.
What are the risks associated with critical infrastructure if proper authorization is not in place?
The risks associated with not having proper authorization in place are the same ones every organization faces. However, the biggest risk comes back to my point about lateral movement.
If you look at this industry, in particular the energy industry, everything feeds off everything else. As much as critical infrastructure organizations are siloed, they are still all connected so they have to strike a balance between collaboration, compliance and securing their infrastructure.
If critical infrastructure organizations don’t limit lateral movement, there will be a significant number of challenges they face when it comes to being able to meet the modern threat. This is because from a cyber standpoint it poses a large risk if the principles of least privilege have not been applied.
On the other side, they must find a balance between securing critical assets and enabling effective collaboration both internally and externally. It’s not easy because modern collaboration by itself implies there is less control by the central organization.
So, how do organizations find this balance?
They must start thinking of identity as the new perimeter. While this might seem obvious, it can be challenging to balance this view with the equally resonant idea that ‘data is the new oil.’ The difference here is that treating data as the perimeter and locking it down does not allow collaboration to meet the pace of today’s organizations.
As a result, in today’s world, identity needs to be viewed as the perimeter. With policy-driven authorization, identity moves from securing access to securing resources.
The bottom line
Advancing access control through adopting policy-driven authorization is essential to protect our critical infrastructure, but is far from an easy task.
To succeed, it must be a top-down project in which the leadership teams within these organizations have a look at the White House mandate and NSTAC reports from the government and truly commit to that as the way forward.
Yes, this is a journey, but as long as people have these elements as their path to success, they can find a way to create a pragmatic strategy to define and scale access control. At every part of that journey, policy-driven authorization plays a key role, aligning the need to balance right-sized security with effective collaboration.
To help improve the security of a critical infrastructure organization with policy-driven authorization, request a demo to discuss the specifics of your organization with one of our solution experts.
Download our fact sheet to learn six ways that policy-driven authorization can fit into North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP).