This is an ongoing series of guest blogs written by TAG Cyber analysts in conjunction with various members of our SPHERE team. Offering insights from the perspective of the professional industry analysts combined with a technology company focused on the goal of establishing cyber hygiene. This article comes from a fearless leader, CEO & Founder of TAG Cyber, Edward Amoroso.
I have in front of me an early security manual published in 1996 for the IBM i mainframe. (I also managed to find an updated version from 2010 of the document here.) You might recall that during the era of mainframes, security was emerging as a new discipline, and the community was just beginning to decide which types of security controls would be important. It’s fun to look at the various topics that might seem old fashioned in this manual, such as securing job actions, sharing memory controls, and establishing library lists. Anyone who lived through the mainframe era will recognize these and similar tasks as being unique to early computer architectures and operations – and many of these methods have not survived to the modern era.
But notice also from the manual how dominant the focus is on identity, access, and permissions. Virtually the entire volume addresses some aspect of this topic – and none of the tasks look old-fashioned today. In fact, the table of contents – with some modernization of references – could easily apply to a current cloud or SaaS deployment of data and resources.
This clearly exemplifies the pervasive and on-going nature of permissions in cybersecurity – and it offers a roadmap to make the (perhaps not so bold) prediction that the concept of defining who can do what to which asset – and under which types of permissions – will remain a central primitive in the design of secure systems, well into the future. This appears certain.
Cybersecurity vendor, SPHERE, is thus well-positioned to support long-term engagements and planning efforts because identity hygiene, the pillar on which their solutions are built, has emerged as a mandatory task to ensure that the support structure for identity and access management (IAM) does not include misconfigurations, inaccurate data, or other exploitable vulnerabilities. It seems almost ironic, in fact, that perhaps the most important protections for future computing security support will be the foundational controls that have been present since the mainframe era. And while this might seem surprising, another interpretation is that this pervasive focus should provide comfort that our focus will not shift away from maintaining a secure foundational base.
What this means for your enterprise is that if you are beginning to plan for artificial intelligence, autonomous computing, and related emerging innovations, then the best actions that can be taken today involve making certain that these exciting new advances are not introduced to an insecure base. Cleaning up bad permissions in a sloppy IAM environment would be a great place to start.
As always, let us know what you think – and we look forward to hearing from you.