Identity-first security is critical for zero-trust because it enables organizations to implement robust and effective access controls based on their users’ specific needs. By continuously verifying the identity of users and devices, organizations can reduce the risk of unauthorized access and protect against potential threats. 80% of cybersecurity-related attacks and compromises use some form of identity/credential theft.
Two core areas of the zero-trust framework – enforcing least privileged access and implementing segmentation – are challenging, as enterprises are seeing massive growth in machine identities. These machine identities (such as bots, robots, and Internet of Things (IoT) devices) on organizational networks are increasing at twice the rate of human identities.
The Technical Problem:
The Air Force currently uses various expensive tools to manage Public Key Infrastructure (PKI), including the Axway Validation Authority (VA) Suite. Additionally, the Air Force PKI (AFPKI) system is used to manage digital certificates.
Impersonating identities is how attackers move laterally across networks, often undetected for months. In the past five years, the number of attacks involving the forging or misusing of machine identities has increased by over 1,600%. Gartner predicts that 75% of cloud security failures will result from issues related to managing identities, access, and privileges this year.
According to a survey by Keyfactor, 40% of enterprises still track their digital certificates manually in spreadsheets, and only 57% have an accurate inventory of their SSH keys, creating vulnerabilities that attackers can exploit. Protecting machine identities through the native IAM support of public cloud platforms isn’t effective, as gaps in multi-cloud and hybrid cloud configurations leave machines unprotected and more vulnerable.
There is a need to move to a Certificate Revocation List (CRL), a decentralized OCSP (Online Certificate Status Protocol) database, to determine a certificate’s validity status.
CSEngineering is working under an STTR contract with the U.S. Air Force to innovate a new approach to Identity Access Management. Our decentralized Identity Access Management (dIAM) will provide a zero-trust solution for disconnected environments based on Self-Sovereign Identity (SSI) and cryptography principles. dIAM is a decentralized and permissionless identity framework for applications used by the warfighter.
dIAM is a next-generation private access control based on self-sovereign identity, designed for decentralized and trust-minimized environments. It provides a higher level of privacy than PKIs, as users are only identified by their cryptographic address, which is not linked to any personal information. This makes it more difficult for malicious actors to target and exploit users.
The Benefits for Government End Users:
- Simplifies the management of an exponentially increasing number of human and machine identities.
- Fully complies with the National Institute of Standards and Technology’s (NIST) SP 800-207 Zero Trust framework.
- Combines IAM and micro-segmentation to further strengthen zero-trust frameworks by isolating endpoint and machine identities into segments, regardless of their origin.
- Treats every identity’s endpoint as a separate micro-segment and eliminates any chance of lateral movement throughout a network.
To learn more about dIAM and our other disruptive innovations, contact me at firstname.lastname@example.org.