NIST Special Publication 800-207A Recommendations Using Operant Network’s Multi-Party Trust (MPT)

Introduction

The National Institute of Standards and Technology (NIST) has been at the forefront of defining and standardizing cybersecurity practices. A key area of focus has been the development of robust access control policies that operate at both the network tier and the identity tier. We reviewed the recommendations in NIST Special Publication 800-207A (A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Location Environments) and related documents, which highlight the importance of a hybrid approach to access control.

Network and Identity Tiers in Access Control

Zero Trust Architecture (ZTA) is a cybersecurity paradigm focused on protecting resources rather than network perimeters. Central to the access control model in SP 800-207A are two policy tiers: the Network Tier and the Identity Tier.

The Network Tier is concerned with the network infrastructure, including the policies that govern how network components operate and interact. For instance, a network-tier policy might dictate that certain types of traffic are only allowed to flow between specific devices, or that certain ports on a firewall must be closed to prevent potential attacks. This tier is often where traditional security measures like firewalls, intrusion detection systems, and network segmentation are implemented.

The Identity Tier deals with the identification, authentication, and authorization of users and devices on the network. Policies in this tier determine who or what is allowed to access the network and what they are allowed to do once they are on the network. This can include things like user credentials, access control lists, and role-based access controls.


Hybrid Access Control Policies

In a hybrid approach to access control, network-tier and identity-tier policies work together to form a comprehensive cybersecurity solution. Network-tier policies limit potential unauthorized access or harmful traffic on the network, providing a strong first line of defense. For example, a network-tier policy might restrict access to a company's internal network from outside sources, or it might limit the types of traffic that are allowed to flow between different parts of the network.

Simultaneously, identity-tier policies ensure that even if a malicious actor gains access to the network, they won't be able to do much without the proper credentials and permissions. For instance, an identity-tier policy might require users to authenticate themselves using multi-factor authentication before they can access sensitive data. Furthermore, identity-tier policies can be used to enforce role-based access controls, restricting access to certain resources to only those users who need them to perform their jobs.

By working together, network-tier and identity-tier policies form a powerful cybersecurity solution, significantly enhancing the overall security posture of an organization.

Operant Network's platform for Enforcing Identity in Critical Infrastructure

Operant’s Multi-Party Trust (MPT) solution has been successfully implemented to enforce the identity tier of access control in critical infrastructure, including electrical generation facilities. The platform is grounded in the principle of "defined trust", where trust relationships are explicitly defined and managed. This approach aligns seamlessly with the identity tier of access control, emphasizing the importance of verifying the identity of components before granting them access to network resources.

Operant’s platform is built on a data-centric approach, which addresses the most persistent problems in today's network communications: resiliency, security, and observability. It enables secure end-to-end communication without depending on the security of the underlying communication channels. Each packet is named, secured, and immutable, so it can be delivered over any link that carries bits, stored, or processed by intermediate computation and still be verified by its consumer. This lets applications achieve data confidentiality, integrity, and availability (CIA) end to end. Note that a signature alone provides integrity and origin authentication; confidentiality additionally requires that the payload be encrypted to its intended recipients.

Thus, Operant’s Multi-Party Trust solution applies Zero Trust principles to each individual data packet for an additional level of security without impacting overall network performance. Each data packet is signed with a key belonging to a fundamental identity rooted in public-key cryptography, and the signature is validated against a trust chain rather than trusted because of where the packet arrived from. Fine-grained trust policies define which network entities are trusted to perform which actions, and which key is to be used for each purpose.

In the context of critical infrastructure, MPT establishes and manages trust relationships between the owners of equipment and facilities and multiple other parties that need limited access, such as equipment vendors, O&M providers, or regulatory bodies. Each party is assigned a unique identity that is used to authenticate its access and to determine its authorization at fine granularity. Policy can limit not only which equipment a vendor may reach but also what it may do there, for example permitting read-only access. The platform enforces these policies uniformly at every node of the network, providing a fabric of trusted communication throughout.
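To make the three preceding paragraphs concrete, the following Go program models the per-packet identity checks they describe: a named packet signed by a party's identity key, a one-hop trust chain in which the facility owner's root key certifies that identity, and a fine-grained policy that grants an equipment vendor read-only access to one device. It is an added illustration written for this page, not Operant's code or protocol format; the packet layout, the "read"/"write" action vocabulary, the single-hop chain, and all names such as /vendor-x and /plant-a/inverter-3/ are assumptions chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"strings"
)

// Certificate binds a party's name to its public key, signed by the owner's root key (one-hop chain).
type Certificate struct {
	Name      string
	PublicKey ed25519.PublicKey
	Signature []byte
}

// Packet is a named, immutable data unit; the signature covers every field but itself.
type Packet struct {
	Name, Action, Signer string // action vocabulary ("read"/"write") is an assumption
	Payload, Signature   []byte
}

// Rule is one fine-grained policy entry: which party may perform which actions under a name prefix.
type Rule struct {
	Entity, Prefix string
	Actions        map[string]bool
}

type Verifier struct {
	Root  ed25519.PublicKey
	Certs map[string]Certificate
	Rules []Rule
}

func encode(fields ...[]byte) []byte { // length-prefix each field so boundaries are unambiguous
	var out []byte
	for _, f := range fields {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		out = append(append(out, n[:]...), f...)
	}
	return out
}

func certBytes(c Certificate) []byte { return encode([]byte(c.Name), c.PublicKey) }
func packetBytes(p Packet) []byte {
	return encode([]byte(p.Name), []byte(p.Action), p.Payload, []byte(p.Signer))
}

// IssueCert is the facility owner admitting a party into the trust chain.
func IssueCert(root ed25519.PrivateKey, name string, pub ed25519.PublicKey) Certificate {
	c := Certificate{Name: name, PublicKey: pub}
	c.Signature = ed25519.Sign(root, certBytes(c))
	return c
}

func SignPacket(priv ed25519.PrivateKey, signer, name, action string, payload []byte) Packet {
	p := Packet{Name: name, Action: action, Payload: payload, Signer: signer}
	p.Signature = ed25519.Sign(priv, packetBytes(p))
	return p
}

// Verify checks one packet in order: trust chain, then signature, then policy.
func (v Verifier) Verify(p Packet) error {
	cert, ok := v.Certs[p.Signer]
	if !ok || !ed25519.Verify(v.Root, certBytes(cert), cert.Signature) {
		return fmt.Errorf("signer %s has no certificate issued by the trust root", p.Signer)
	}
	if !ed25519.Verify(cert.PublicKey, packetBytes(p), p.Signature) {
		return fmt.Errorf("signature on %s invalid or packet altered", p.Name)
	}
	for _, r := range v.Rules {
		if r.Entity == p.Signer && strings.HasPrefix(p.Name, r.Prefix) && r.Actions[p.Action] {
			return nil
		}
	}
	return fmt.Errorf("policy denies %s %s on %s", p.Signer, p.Action, p.Name)
}

// Scenario models an equipment vendor granted read-only access to one inverter and returns
// the outcome of a permitted read, a forbidden write, and a read packet altered after signing.
func Scenario() (readErr, writeErr, tamperErr error) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)     // facility owner (trust root)
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // equipment vendor identity
	v := Verifier{Root: rootPub, Certs: map[string]Certificate{"/vendor-x": IssueCert(rootPriv, "/vendor-x", vendorPub)}}
	v.Rules = []Rule{{Entity: "/vendor-x", Prefix: "/plant-a/inverter-3/", Actions: map[string]bool{"read": true}}}
	readErr = v.Verify(SignPacket(vendorPriv, "/vendor-x", "/plant-a/inverter-3/status", "read", nil))
	writeErr = v.Verify(SignPacket(vendorPriv, "/vendor-x", "/plant-a/inverter-3/setpoint", "write", []byte("0")))
	tampered := SignPacket(vendorPriv, "/vendor-x", "/plant-a/inverter-3/status", "read", []byte("ok"))
	tampered.Payload = []byte("FAULT") // modified in transit; the signature no longer matches
	tamperErr = v.Verify(tampered)
	return
}

func main() {
	r, w, t := Scenario()
	fmt.Printf("vendor read: %v\nvendor write: %v\ntampered read: %v\n", r, w, t)
}
```

The order of checks in Verify is deliberate: a packet from an unknown or uncertified signer is rejected before any policy lookup, an altered payload fails the signature check regardless of what the policy would allow, and only a packet that passes both is subject to the read/write rule. Because every input to the decision travels with the packet, the same function can run at every node, which is what makes enforcement uniform across the fabric.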

Moreover, MPT is designed to be frugal in its use of resources, making it suitable for environments where compute, memory, and bandwidth are constrained. This efficiency matters for the identity tier in particular, since a large number of components must each be identified and policed without overloading the network or the components themselves.

In conclusion, Operant Network's platform provides a robust and efficient solution for enforcing the identity tier of access control in critical infrastructure.

Conclusion

NIST's recommendations for a hybrid network and identity-based access control model underscore the need for a comprehensive approach to cybersecurity. By leveraging both network and identity tiers, organizations can create a robust access control framework that effectively mitigates a wide range of cybersecurity threats. The implementation of Operant Network's platform in critical infrastructure further demonstrates the practicality and effectiveness of this approach. By leveraging the principles of defined trust and efficient resource usage, it ensures that only trusted parties and components are granted access to network resources, thereby enhancing the overall security of the network. This integration of NIST's theoretical framework with Operant Network's practical application provides a promising direction for future cybersecurity practices.