Securing Enterprise Access

This is an abridged version of an article about securing enterprise access written by Dr. Ed Amoroso of TAG Cyber. You can read the complete article on their site or on LinkedIn.

Nearly half a century ago, a computer scientist named James Anderson led a team that set the research agenda in information security for over a decade. Embedded in his work was the notion of a so-called reference monitor, which was essentially a decision engine that allowed or disallowed access based on security policy rules, as well as the applicable attributes of the requesting entity and the resource being accessed.

A reference monitor, for example, would permit a subject to access an object if the associated permissions, privileges, and classifications are consistent with policy rules. In this way, the reference monitor serves as an underlying theoretical basis for modern access controls. Thus, when a platform is installed in an enterprise for the purpose of enforcing policy rules, such work can safely be counted as part of Anderson’s legacy (he died in 2007).

Last week, I had the wonderful privilege to spend some quality time with principals from Atlanta-based Ionic Security. They offered a detailed introduction to their platform and how it enforces granular access policies to serve as a data protection engine for the enterprise. The discussion was impressive, but also enlightening, since I’d previously thought of Ionic Security as a cloud data encryption company. Let me share with you what I learned:

“Our platform serves as a system of record for data access policy management,” explained Sean Allen, vice president of marketing for Ionic. “With enterprise teams running complex and diverse architectures, it becomes non-trivial to maintain consistent policy enforcement. Instead, teams experience the silo effect across cloud systems, data repositories, enterprise applications, and email accounts.”

The Ionic engine, which is called Machina, is characterized by automated, just-in-time policy enforcement, broad enterprise visibility, consolidated attribute-based access control (ABAC), and advanced public key management – which has always been a great technical strength for the company.


About Ed Amoroso

Dr. Amoroso is currently Chief Executive Officer of TAG Cyber LLC, a global cyber security advisory, training, consulting, and media services company supporting hundreds of companies across the world. Ed recently retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as Senior Vice President and Chief Security Officer of AT&T from 2004 to 2016.

Ed has been Adjunct Professor of Computer Science at the Stevens Institute of Technology for the past twenty-seven years, where he has introduced nearly two thousand graduate students to the topic of information security. He is also affiliated with the Tandon School of Engineering at NYU as a Research Professor, and the Applied Physics Laboratory at Johns Hopkins University as a senior advisor. He is author of six books on cyber security and dozens of major research and technical papers and articles in peer-reviewed and major publications.

Ed holds the BS degree in physics from Dickinson College, the MS/PhD degrees in Computer Science from the Stevens Institute of Technology, and is a graduate of the Columbia Business School. He holds ten patents in the area of cyber security and media technology and he has served as a Member of the Board of Directors for M&T Bank, as well as on the NSA Advisory Board (NSAAB). Ed’s work has been highlighted on CNN, the New York Times, and the Wall Street Journal. He has worked directly with four Presidential administrations on issues related to national security, critical infrastructure protection, and cyber policy.