For years, “identity and access management” (IAM) has meant a specific thing to security practitioners. However, if we expand the definition of “identity” to include the identity of system resources, it’s easy to see that system resources—just like users—have many attributes which constitute an identity; identity isn’t limited to a small set of user-defined inputs, and it definitely should not be based on things an attacker can socially engineer.
As a way to curtail account takeover, many security teams have implemented multi-factor authentication (MFA), especially for privileged accounts which have access to sensitive systems and data. Traditional MFA, though, isn’t bulletproof; attackers have successfully bypassed MFA. It’s therefore necessary to look at how to change the definitions of both identity and MFA to be more robust and more reliable as security controls.
System-based identity as an IAM mechanism
Expanding on the idea of multi-factor authentication and applying it to system resources, consider the fact that assets/resources have identities (just like users), and those identities can be used to determine access permissions to other networked resources. In this new world of system-based MFA, rather than defining each resource by an identity created from made-up attributes (e.g., a username and password), identities are based on a collection of attributes taken from data sourced in the kernel, which can include hardware/software product name(s), version, patch level, loaded modules, baseline behavioral information, and much more.
This process of aggregating identity information (rather than assigning it then using a separate second factor for validation) provides contextual information which allows security policies to determine the true authenticity of network communication requests and more reliably authenticate system resources. If one attribute in an identity changes, for instance, patch level or file path, system-based MFA checks the rest of the requesting asset’s identity for validation before the resource is allowed to send or receive a request.
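As an added illustration of the validation step just described (example code, not from the original article or any vendor product), the snippet below enrolls a service identity from a handful of attributes and re-checks a request when one of them drifts. The attribute names, the sample values and the set of attributes allowed to change (patch level and file path) are assumptions chosen for the example.

```python
# Added example, not code from the original article: a minimal policy check
# for the "system-based identity" idea. Attribute names, sample values and the
# set of attributes permitted to drift are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Any, Mapping, Set

# Attributes expected to change legitimately (patching, relocation); every
# other attribute must still match the enrolled identity.
VOLATILE: Set[str] = {"patch_level", "file_path"}

@dataclass
class Decision:
    allowed: bool
    reason: str
    drifted: Set[str] = field(default_factory=set)

def authorize(enrolled: Mapping[str, Any], observed: Mapping[str, Any]) -> Decision:
    """Compare the requesting asset's observed attributes against its enrolled
    identity. A volatile attribute may change only if the rest of the identity
    still matches; any core attribute change, or a missing/extra attribute, denies."""
    if set(enrolled) != set(observed):
        added = sorted(set(observed) - set(enrolled))
        missing = sorted(set(enrolled) - set(observed))
        return Decision(False, f"attribute set changed (+{added} -{missing})")
    drifted = {k for k in enrolled if enrolled[k] != observed[k]}
    core_changes = drifted - VOLATILE
    if core_changes:
        return Decision(False, f"core attribute(s) changed: {sorted(core_changes)}", drifted)
    return Decision(True, "identity verified", drifted)

# Constructed sample data: an enrolled service identity built from kernel-sourced facts.
ENROLLED = {
    "product": "acme-payments", "version": "3.2.0", "patch_level": "p7",
    "file_path": "/opt/acme/payments/bin/svc",
    "loaded_modules": ("libssl.so.3", "libpq.so.5"),
    "baseline_peers": ("db.internal:5432",),
}
# Same service after a routine patch: only a volatile attribute drifts -> allowed.
PATCHED = {**ENROLLED, "patch_level": "p8"}
# Same binary with an unexpected module loaded: a core attribute drifts -> denied.
TAMPERED = {**ENROLLED, "loaded_modules": ("libssl.so.3", "libpq.so.5", "libhook.so")}
# Request that omits the baseline behaviour attribute entirely -> denied.
STRIPPED = {k: v for k, v in ENROLLED.items() if k != "baseline_peers"}

if __name__ == "__main__":
    for name, obs in [("patched", PATCHED), ("tampered", TAMPERED), ("stripped", STRIPPED)]:
        d = authorize(ENROLLED, obs)
        print(f"{name:9s} allowed={d.allowed} drifted={sorted(d.drifted)} ({d.reason})")
```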
Because system-based identity automatically incorporates myriad factors, the additional verification action required for traditional MFA becomes obsolete. The aggregated identity attributes themselves become the “extra check” needed to determine whether an application or service should be authorized on the network. As a result, users can be assured that only legitimate, non-malicious resources are communicating on the network.