Adaptive Authentication
Adaptive authentication represents a different approach that also has risk-based access control touchpoints. With adaptive authentication, the application or information system has identified suspicious behaviors or characteristics associated with the subject and will require further validation before access will be granted. Perhaps a user attempts to access data they have never accessed before, or connects from a location not previously seen. This deviation from their normal profile could trigger the application to require the user to successfully navigate an MFA challenge again before providing the access requested.
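The decision described above, as an added worked example that is not part of the study guide: an access attempt is compared against the subject's established profile, each deviation (a location not seen before, a resource never accessed before, an unfamiliar device) adds to a risk score, and a score at or above the threshold forces a fresh MFA challenge before access is granted. The profile contents, the signal weights and the threshold are constructed assumptions for illustration, not values from any standard or product.

```python
"""Added example, not from the study guide: a minimal adaptive-authentication
check. A login attempt is compared against the subject's established profile;
deviations (a location not seen before, a resource never accessed before, an
unfamiliar device) add to a risk score, and a score at or above the threshold
requires a fresh MFA challenge before access is granted. Profiles, weights and
the threshold are constructed for illustration (assumptions, not a standard)."""
from dataclasses import dataclass, field


@dataclass
class SubjectProfile:
    """What the system has learned about a subject's normal behaviour."""
    known_locations: set[str] = field(default_factory=set)   # e.g. country codes
    known_devices: set[str] = field(default_factory=set)     # device fingerprints
    accessed_resources: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class AccessAttempt:
    subject: str
    location: str
    device: str
    resource: str


# Assumed weights: a new location or a never-accessed resource alone is enough
# to trigger step-up; an unfamiliar device alone is not.
RISK_WEIGHTS = {"new_location": 50, "new_resource": 50, "new_device": 30}
STEP_UP_THRESHOLD = 50


def score_attempt(profile: SubjectProfile, attempt: AccessAttempt):
    """Return (risk_score, list of deviation signals) for an attempt."""
    signals = []
    if attempt.location not in profile.known_locations:
        signals.append("new_location")
    if attempt.resource not in profile.accessed_resources:
        signals.append("new_resource")
    if attempt.device not in profile.known_devices:
        signals.append("new_device")
    return sum(RISK_WEIGHTS[s] for s in signals), signals


def decide(profile: SubjectProfile, attempt: AccessAttempt):
    """Return ("allow" | "step_up_mfa", score, signals).

    "step_up_mfa" means the application must require a successful MFA
    challenge before releasing the requested access, even if the subject
    already authenticated earlier in the session."""
    score, signals = score_attempt(profile, attempt)
    decision = "step_up_mfa" if score >= STEP_UP_THRESHOLD else "allow"
    return decision, score, signals


def record_success(profile: SubjectProfile, attempt: AccessAttempt) -> None:
    """After access is granted (MFA passed if it was required), learn the new
    behaviour so the same deviation does not re-trigger a challenge."""
    profile.known_locations.add(attempt.location)
    profile.known_devices.add(attempt.device)
    profile.accessed_resources.add(attempt.resource)


def sample_profile() -> SubjectProfile:
    """Constructed profile for the worked example."""
    return SubjectProfile({"US"}, {"laptop-a1"}, {"payroll-reports"})


if __name__ == "__main__":
    profile = sample_profile()
    attempts = [
        AccessAttempt("alice", "US", "laptop-a1", "payroll-reports"),   # baseline
        AccessAttempt("alice", "DE", "laptop-a1", "payroll-reports"),   # new location
        AccessAttempt("alice", "US", "laptop-a1", "hr-salary-export"),  # new resource
    ]
    for a in attempts:
        print(a.location, a.resource, "->", decide(profile, a))
```

Note that `record_success` is only called after the subject actually passes the step-up challenge; updating the profile on the attempt itself would let a single unverified deviation become the new "normal".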
Identity and Access Provisioning Lifecycle
Once the proper access control model has been chosen and deployed, the access provisioning lifecycle must be maintained and secured. While many organizations follow best practices for issuing access, many lack formal processes for ensuring that access is kept secure over its entire lifetime as employees and contractors move within an organization. The identity and access lifecycle includes considerations such as enrolling and vetting identities, defining logical roles, and securely provisioning and deprovisioning both accounts and access. Operational controls that limit exposure of accounts and their associated access are also relevant and include components such as access reviews, Just-In-Time provisioning, and privilege elevation mechanisms.
Always include account revocation as a required step in the access provisioning lifecycle. This process should be tightly coordinated with the human resources department, and track not only terminations but also horizontal and vertical moves or promotions within the organization. Additionally, as noted previously, inactive accounts should be targeted for revocation.
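The revocation step just described, coordinated with HR data, as an added worked example that is not from the study guide: a directory export is reconciled against the HR roster to flag accounts whose owner is terminated, accounts whose owner's role changed (a horizontal or vertical move) so the old entitlements can be re-certified, orphaned accounts with no HR record, and accounts inactive beyond a threshold. The roster, the directory export, the dates, the 90-day threshold and the field names are all constructed for illustration.

```python
"""Added example, not from the study guide: reconciling a directory export
against the HR roster to drive the revocation step of the access provisioning
lifecycle. It flags accounts whose owner HR lists as terminated, accounts whose
owner's role changed (a horizontal or vertical move) so their entitlements can
be re-reviewed, accounts with no matching HR record, and accounts inactive
beyond a threshold. The roster, directory export, dates and threshold are all
constructed sample data; field names are assumptions for illustration."""
from datetime import date

# Constructed HR roster: employee_id -> (employment status, current job role)
HR_ROSTER = {
    "e100": ("active", "accounts-payable"),
    "e101": ("terminated", "accounts-payable"),
    "e102": ("active", "ap-manager"),      # promoted from accounts-payable
    "e103": ("active", "helpdesk"),
}

# Constructed directory export: the role recorded when access was provisioned
# and the date of the last successful login.
DIRECTORY = [
    {"account": "alice", "employee_id": "e100", "provisioned_role": "accounts-payable", "last_login": date(2024, 5, 20)},
    {"account": "bob",   "employee_id": "e101", "provisioned_role": "accounts-payable", "last_login": date(2024, 5, 28)},
    {"account": "carol", "employee_id": "e102", "provisioned_role": "accounts-payable", "last_login": date(2024, 5, 30)},
    {"account": "dave",  "employee_id": "e103", "provisioned_role": "helpdesk",         "last_login": date(2024, 1, 3)},
    {"account": "svc-legacy", "employee_id": None, "provisioned_role": "batch-ops",     "last_login": date(2023, 11, 1)},
]


def reconcile(roster, directory, today, inactive_days=90):
    """Return a list of (account, action, reason) findings.

    action is "revoke" (disable the account and remove its access) or
    "review" (owner still active but their job changed, so the access
    granted for the old role must be re-certified)."""
    findings = []
    for acct in directory:
        record = roster.get(acct["employee_id"])
        if record is None:
            findings.append((acct["account"], "revoke", "no matching HR record (orphaned account)"))
            continue
        status, current_role = record
        if status == "terminated":
            findings.append((acct["account"], "revoke", "HR status terminated"))
            continue
        if current_role != acct["provisioned_role"]:
            findings.append((acct["account"], "review",
                             f"role changed {acct['provisioned_role']} -> {current_role}"))
        idle = (today - acct["last_login"]).days
        if idle > inactive_days:
            findings.append((acct["account"], "revoke", f"inactive for {idle} days"))
    return findings


if __name__ == "__main__":
    for account, action, reason in reconcile(HR_ROSTER, DIRECTORY, date(2024, 6, 1)):
        print(f"{account:11} {action:7} {reason}")
```

A role change deliberately produces a review rather than an automatic revoke: the person still needs some access, but the entitlements granted for the previous role must be re-certified so that access does not accumulate as people move through the organization.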
Registration, Proofing, and Establishment of Identity
While many security professionals mentally jump to authentication when considering the vetting and verifying of individuals, the logical preliminary step involves a robust process for the identification component. Put simply, before we can authenticate an individual we need to actually know and gather information associated with that individual. To that end, establishing an identity in an information system involves the process of identity enrollment and proofing.
Registration, which can also be termed enrollment, involves requesting or applying for an identity within a system and providing the information the system requires to identify the subject uniquely. Once the necessary identifying attributes have been supplied, they will need to be validated. Proofing involves the verification and validation of the attributes supplied as part of the registration/enrollment process. One of the reasons that proofing is overtly called out as a separate process is that some scenarios will involve leveraging third-party processors during identity validation. The extent of the identity proofing process is, as with most things, governed by risk management principles.
Role Definition
Organizations and their information systems change regularly. As new job functions are defined within organizations, clearly there will also be a need to express the access control requirements for those job functions in the form of defined roles. However, there can be substantial shifts in an employee’s function over time even if they continue in the same job. The changing nature of a job can likewise be cause for new role definitions within the access control systems. The efficacy of the previously discussed Role-Based Access Control (RBAC) and of Attribute-Based Access Control (ABAC) implementations that leverage role as an attribute depends on well-defined and understood roles.