Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Download Presentations from the CSA AI Summit at RSAC Now

Birth Right Permissions: A Barrier to Zero Trust Security

Home
Industry Insights
Birth Right Permissions: A Barrier to Zero Trust Security

Blog Article Published: 10/20/2023

Written by Jerry Chapman, CSA ZT Working Group Co-Chair.

Identity is a pillar or workstream in Zero Trust Security models. It has also been stated that it is a signal to support multiple Zero Trust Security Models. I agree with these assertions. The standard Identity and Access Management (IAM) professional will tell you, “Identity is a business enabler”. This is also a true statement; one with which, I agree. As you work with IAM professionals, the standard services dialog starts to revolve around roles and role-based security, based on information that comes from an authoritative source (e.g., an HR system). This is the paradigm that has been happening for the 20+ years I have been in Identity and Access Management. This simply will not work in a Zero Trust ecosystem!

Regardless of the security paradigm an organization chooses to undertake, it is imperative the organization does not continue to follow the same paradigm IAM professionals have utilized! This leads to more permissions than necessary and can create both technological challenges as well as business challenges!

“Birth Right” permissions are often configured during a “role-mining” exercise to determine the access a user needs when they are hired into a new position within an organization, regardless of whether they are a new employee or current employee. The access permissions are given completely based on a title or other attribute(s). This, inherently, is the problem! These permissions contain applications (in some cases, sensitive business applications), data storage locations, or even physical access to sensitive locations!

Both business and technology processes can be changed to support minimal “Birth Right” permissions. Organizations often ask, what, then, should be considered for “Birth Right” permissions. That is usually a simple answer: Laptop provisioning, email, office suite (Microsoft, Google, others), and front door access. Other applications or physical locations can be provisioned based on context and need. For example, if a user needs access to the CRM system, the request can be managed through workflow and provided based on information like risk (have they used the system before), context (are they geographically located in a safe place), Title (VP Sales), and Supervisor’s approval, until it is established the application is utilized on a consistent basis, the workflow that provides access will put “JUST ENOUGH FRICTION” in place.

This would create a curve for the user and supervisors. Initial friction would be inherent until the system understood the need and allowed access with enough friction to ensure the user's identity. The curve would be steep with the change, then gradually, the friction would decrease until another change!


Develop and demonstrate an in-depth understanding of Zero Trust with CSA’s Certificate of Competence in Zero Trust (CCZT). Learn more here.

Identity and Access ManagementZero Trust

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Confronting Shadow Access Risks: Zero Trust and AI
New Mapping Between CCM and NIST CSF v2.0
CSA's CCZT Wins Global InfoSec Award
Trending This Week
#1 Analysis for CVE-2023-23397 Microsoft Outlook Vulnerability
#2 The 5 SOC 2 Trust Services: Criteria Explained
#3 Cloud Security Threats to Watch Out for in 2023
#4 Zero Trust and AI: Better Together
#5 The Top Cloud Computing Risk Treatment Options
Secure your cloud data with Zero Trust Training
Related Articles:
Cloud Security Alliance Paper Addresses Challenges of Implementing Zero Trust in Environments Where Artificial Intelligence (AI)-induced Shadow Access Is Prevalent

Published: 05/07/2024

Cyber Defense Magazine Names Cloud Security Alliance’s Certificate of Competence in Zero Trust (CCZT) a 2024 Global InfoSec Award Winner for Cutting-Edge Cybersecurity Training

Published: 05/06/2024

Automation is Key: DHS Report Unveils Lessons from the Microsoft Exchange Incident

Published: 05/02/2024

Defining Cloud Key Management: 7 Essential Terms

Published: 05/01/2024