- 126 pages
- November 2009
6. Global-Scale Identity Management
What is the problem being addressed?
Global-scale identity management concerns identifying and authenticating entities such as people, hardware devices, distributed sensors and actuators, and software applications when accessing critical information technology (IT) systems from anywhere. The term global-scale is intended to emphasize the pervasive nature of identities and implies the existence of identities in federated systems that may be beyond the control of any single organization. This does not imply universal access or a single identity for all purposes, which would be inherently dangerous. In this context, global-scale identity management encompasses the establishment of identities, management of credentials, oversight and accountability, scalable revocation, establishment and enforcement of relevant policies, and resolution of potential conflicts. To whatever extent it can be automated, it must be administratively manageable and psychologically acceptable to users. It must, of course, also be embedded in trustworthy systems and be integrally related to authentication mechanisms and authorization systems, such as access controls. It also necessarily involves the trustworthy binding of identities and credentials. It is much broader than just identifying known individuals. It must scale to enormous numbers of users, computer systems, hardware platforms and components, computer programs and processes, and other entities.
Global-scale identity management is aimed specifically at government and commercial organizations with diverse interorganizational relationships that today are hampered by the lack of trustworthy credentials for accessing shared resources. In such environments, credentials tend to proliferate in unmanageable ways. Identity management within single organizations can benefit from—and needs to be compatible with—the global-scale problem.
4. Combatting Insider Threats
What is the problem being addressed?
Cybersecurity measures are often focused on threats from outside an organization, rather than threats posed by untrustworthy individuals inside an organization.
Experience has shown that insiders pose significant threats:
- Trusted insiders are among the primary sources of many losses in the commercial banking industry.
- Well-publicized intelligence community moles, such as Aldrich Ames, Robert Hanssen, and Jonathan Pollard, have caused enormous and irreparable harm to national interests.
- Many insiders involved in misuses were hired as system administrators, became executives, or held other kinds of privileges.
This section focuses on insider threats to cyber systems and presents a roadmap for high-impact research that could aggressively curtail some aspects of this problem. At a high level, opportunities exist to mitigate insider threats through aggressive profiling and monitoring of users of critical systems, “fishbowling” suspects, “chaffing” data and services users who are not entitled to access, and finally “quarantining” confirmed malevolent actors to contain damage and leaks while collecting actionable counter-intelligence and legally acceptable evidence.
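As an added illustration of the "profiling and monitoring of users of critical systems" opportunity described above (example code written for this page, not from the roadmap), the sketch below builds a per-user baseline from constructed access logs and flags privileged-user events that deviate from it. The log format, user names, resources and the one-hour tolerance are assumptions.

```python
"""Per-user activity profiling for insider-threat monitoring (illustrative)."""
from collections import defaultdict
from datetime import datetime

# Constructed historical log used to build each user's baseline:
# "<ISO timestamp> <user> <action> <resource>"
BASELINE_LOG = """\
2009-11-02T09:15:00 alice read hr/payroll
2009-11-02T10:40:00 alice read hr/payroll
2009-11-03T09:05:00 alice read hr/benefits
2009-11-02T22:10:00 bob sudo srv/db01
2009-11-03T23:30:00 bob sudo srv/db02
"""
# Constructed new events to score against that baseline.
NEW_LOG = """\
2009-11-10T09:30:00 alice read hr/payroll
2009-11-10T03:12:00 alice read eng/source
2009-11-10T22:45:00 bob sudo srv/db01
2009-11-10T22:50:00 carol sudo srv/db01
"""

def parse(log):
    """Yield (timestamp, user, action, resource) tuples from the log text."""
    for line in log.splitlines():
        ts, user, action, resource = line.split()
        yield datetime.fromisoformat(ts), user, action, resource

def build_profile(log):
    """Baseline per user: the (action, resource) pairs seen and the hours active."""
    profile = defaultdict(lambda: {"pairs": set(), "hours": set()})
    for ts, user, action, resource in parse(log):
        profile[user]["pairs"].add((action, resource))
        profile[user]["hours"].add(ts.hour)
    return profile

def hour_distance(a, b):
    """Circular distance between two hours so 23:00 and 00:00 are one hour apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def score_events(log, profile, tolerance=1):
    """Return (event, reasons) for each event that deviates from its user's baseline:
    no baseline at all, a never-seen action/resource pair, or an unusual hour."""
    findings = []
    for ts, user, action, resource in parse(log):
        reasons, base = [], profile.get(user)
        if base is None:
            reasons.append("no baseline for user")
        else:
            if (action, resource) not in base["pairs"]:
                reasons.append(f"new {action} on {resource}")
            if all(hour_distance(ts.hour, h) > tolerance for h in base["hours"]):
                reasons.append(f"unusual hour {ts.hour:02d}")
        if reasons:
            findings.append((f"{ts.isoformat()} {user} {action} {resource}", reasons))
    return findings
```

Flagged events are review leads for an analyst, not verdicts; a real deployment would also weight the sensitivity of the resource and the privilege level of the action.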
There are many proposed definitions of the insider threat. For the purposes of this discussion, an insider threat is one that is attributable to individuals who abuse granted privileges. The scope of consideration here includes individuals masquerading as other individuals, traitors abusing their own privileges, and innocents fooled by malevolent entities into taking adverse actions. Inadvertent and intentional misuse by privileged users are both within the scope of the definition. Although an insider can have software and hardware acting on his or her behalf, it is the individual’s actions that are of primary concern here. Software proxies and other forms of malevolent software or hardware—that is, electronic insiders—are considered in Section 5 on combatting malware and botnets.
The insider threat is context dependent in time and space. It is potentially relevant at each layer of abstraction. For example, a user may be a physical insider or a logical insider, or both. The threat model must be policy driven, in that no one description will fit all situations.
Unlike unauthorized outsiders and insiders who must overcome security controls to access system resources, authorized insiders have legitimate and (depending on their positions) minimally constrained access to computing resources. In addition, highly trusted insiders who design, maintain, or manage critical information systems are of particular concern because they possess the skills and access necessary to engage in serious abuse or harm. Typical trusted insiders are system administrators, system programmers, and security administrators, although ordinary users may have or acquire those privileges (sometimes as a result of design flaws and implementation bugs). Thus, there are different categories of insiders.
What are the potential threats?
The insider threat is often discussed in terms of threats to confidentiality and privacy (such as data exfiltration). However, other trustworthiness requirements, such as integrity, availability, and accountability, can also be compromised by insiders. The threats span the entire system life cycle, including not only design and development but also operation and decommissioning (e.g., where a new owner or discoverer can implicitly become a de facto insider).