Securing Enterprise Access

Nearly half a century ago, a computer scientist named James Anderson led a team that set the research agenda in information security for over a decade. Embedded in his work was the notion of a so-called reference monitor, which was essentially a decision engine that allowed or disallowed access based on security policy rules, as well as the applicable attributes of the requesting entity and the resource being accessed.

A reference monitor, for example, would permit access from some subject to an object if the associated permissions, privileges, and classifications are consistent with policy rules. In this way, the reference monitor serves as an underlying theoretical basis for modern access controls. Thus, when a platform is installed into an enterprise for the purpose of enforcing policy rules, Anderson can safely include such work as part of his legacy (he died in 2007).

Last week, I had the wonderful privilege to spend some quality time with principals from Atlanta-based Ionic Security. They offered a detailed introduction to their platform and how it enforces granular access policies to serve as a data protection engine for the enterprise. The discussion was impressive, but also enlightening, since I’d previously thought of Ionic Security as a cloud data encryption company. Let me share with you what I learned:

“Our platform serves as a system of record for data access policy management,” explained Sean Allen, vice president of marketing for Ionic. “With enterprise teams running complex and diverse architectures, it becomes non-trivial to maintain consistent policy enforcement. Instead, teams experience the silo effect across cloud systems, data repositories, enterprise applications, and email accounts.”

The Ionic engine, which is called Machina, is characterized by automated, just-in-time policy enforcement, broad enterprise visibility, consolidated attribute-based access control (ABAC), and advanced public key management – which has always been a great technical strength for the company. A more detailed view of the platform, which can be used for legacy and cloud architectures, includes the following four components:

Machina Decision – This is an API-based layer of software that sits in-line with access requests to make a just-in-time decision about whether to allow or deny the request. Developers can integrate the Machina data protection service into applications using SDKs made available as part of the commercial offering. In many cases, only a few lines of code are necessary to enable the access control platform for policy enforcement.

Machina Attributes – This is an intelligent system that serves as an interface to enterprise systems such as DLP, IAM, and CASB to derive the optimal set of user, device, service, system, and data attributes necessary to make the best access decision. “Machina Attributes allows our customers to establish a truly scalable and well-informed access engine that can be integrated into the existing security architecture,” explained Allen.

Machina Policy – This is the platform framework that stores and implements the desired enterprise security policies, consistent with attribute-based access control (ABAC) technology. Federation is used to drive commonality, and interfaces to governance, risk, and compliance (GRC) platforms help drive support for regulatory, audit, and compliance controls, which are so central to the operation of access management.

Machina Console – This is the platform management tool used for the configuration, auditing, and analytic tasks supporting enterprise access control policy enforcement. “Our console provides visibility for security and data managers into how every piece of data in the enterprise is being handled,” explained Allen. “The goal is to ensure an accurate view of all data across its entire lifetime of use.”
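To make the reference monitor and the ABAC decision layer described above concrete, here is an added example (not Ionic's code or SDK): a small deny-overrides policy decision point in Python that returns an audit record naming the rule that produced each decision. The attribute names (clearance, dlp_tag, device_managed), the rules, and the sample subjects and resources are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Any, Callable

Attrs = dict[str, Any]

# Ordered classification levels; a subject's clearance must be at least the
# resource's classification. Labels are constructed for this example.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str  # "permit" or "deny"
    condition: Callable[[Attrs, Attrs, Attrs], bool]  # (subject, resource, environment)


def clearance_covers(subject: Attrs, resource: Attrs) -> bool:
    return CLASSIFICATION_RANK[subject["clearance"]] >= CLASSIFICATION_RANK[resource["classification"]]


# Hypothetical policy set. The attribute names stand in for what IAM, DLP and
# device-inventory feeds would supply in a real deployment.
POLICY: list[Rule] = [
    Rule("deny-restricted-on-unmanaged-device", "deny",
         lambda s, r, e: r["classification"] == "restricted" and not e["device_managed"]),
    Rule("deny-pii-export-outside-hr", "deny",
         lambda s, r, e: e["action"] == "export" and r.get("dlp_tag") == "pii" and s["role"] != "hr"),
    Rule("permit-cleared-department-member", "permit",
         lambda s, r, e: clearance_covers(s, r) and r["owner_dept"] in s["departments"]),
]


def decide(subject: Attrs, resource: Attrs, env: Attrs) -> dict:
    """Deny-overrides evaluation: any matching deny rule wins, then a matching
    permit, otherwise default deny. Returns an audit record rather than a bare
    boolean so a console layer can show which rule produced the decision."""
    matched = [rule.name for rule in POLICY if rule.condition(subject, resource, env)]
    effects = {rule.name: rule.effect for rule in POLICY}
    denies = [name for name in matched if effects[name] == "deny"]
    permits = [name for name in matched if effects[name] == "permit"]
    if denies:
        return {"decision": "deny", "rule": denies[0], "matched": matched}
    if permits:
        return {"decision": "permit", "rule": permits[0], "matched": matched}
    return {"decision": "deny", "rule": "default-deny", "matched": matched}
```

The default-deny branch is what makes this a reference monitor rather than a filter: a request that no rule speaks to is refused, and the returned record gives the audit trail the console layer needs.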

One of the great strengths of the Ionic team is its all-star line-up of experienced experts and executives (perhaps the company should be called Iconic). Founded in 2011, the company includes Tom Noonan, Ted Schlein, Rohan Amin, and Kevin Mandia as members of its board. And with financial backing from JPMC, Google, Kleiner Perkins, and Goldman Sachs, Ionic is well-funded for growth.

As with any security offering, there are challenges. For example, many mid-sized and smaller organizations do not consider consistent access policy enforcement to be a high-priority issue. These organizations typically offload their enterprise processing and business applications to public cloud infrastructure, and then do not fret much about whether human resources data, for example, is treated differently from Office 365 inboxes, and so on.

One good trend, however, is that the cloud service providers are starting to push a shared responsibility model. The provider handles the substrate, and the customer – regardless of their size or scope – shares responsibility for the security of all data and applications. This helps to explain why Capital One bears responsibility for its recent breach, rather than AWS. Ionic will likely benefit from this shared responsibility model in the cloud.

An additional challenge, however, is that many teams, including larger ones, have made extensive investments in complex identity and access management (IAM) systems. It is the access portion of this equation that could collide somewhat with the Ionic value proposition. And with IAM vendors desperate for new sources of revenue growth, one should expect them to mount fierce campaigns against the introduction of additional ABAC platforms.

Nevertheless, I wouldn’t bet against this team. Adam Ghetti and Eric Hinkle are capable executives, and they’ve assembled a fine group of experts. As the company continues to drive its story to the enterprise security marketplace, my view is that they will see great enthusiasm. So, perhaps you might give them a call and ask for a description and demo of their solution for enterprise access control. As always, let us know what you learn.