Chapter 3. Three Major Planes

Andrew Harris

The world is evolving fast. The iPhone first came out in 2007, starting what many call the mobile device movement. Google’s Chrome browser was introduced in 2008, reigniting the browser wars. Cloud service providers have emerged as one of the fastest-growing markets in technology, changing how developers meet the needs of their end users and how enterprises across the globe meet their business requirements. Data no longer sits purely “on-premises” behind a virtual private network (VPN) connection; end users expect to be productive anywhere, at any time.

This just scratches the surface of the major changes cybersecurity professionals have had to wrap their minds around. How do security professionals keep pace with the business without reflexively slowing everyone down?

What I have found tremendously helpful is breaking things down into three major planes or buckets. They are:

  • Data

  • Identity

  • Privileges


Understanding these three planes at their fundamental level lets us define higher-level abstractions, including what others call the “control plane” and the “access plane.” Unfortunately, there are three common mistakes that even experienced professionals make when facing a challenge, and each one keeps them from seeing the fundamental problem:

  1. Not focusing enough on where these planes meet

  2. Confusing or merging the concepts of Identity and Privilege

  3. Not applying the hypothetical syllogism

Not Focusing on Where the Planes Meet

Looking at each plane by itself is boring. It’s also not effective. When looking at data, for example, one must think about who can access that data. The who is the Identity plane. The how is the Privilege plane: the privilege that identity has been granted that allows it to access the data. This is a drastically oversimplified example, but many don’t break the problem down this way.

Identity Versus Privileges

Let’s use Microsoft’s Active Directory as an example of where two planes, Identity and Privileges, meet. It’s easy to believe that “Enterprise Admins” are the administrators of an Active Directory environment. Strictly speaking, though, Enterprise Admins is just a security group, and its power comes from permissions that are explicitly granted to that group on the directory. By default it is granted the privileges needed to manage everything else in the forest, but nothing stops anyone with sufficient rights from changing those grants!

The group is given no extra permissions on ordinary “domain-joined” computers (domain controllers aside, where it is a member of the built-in Administrators group). If a member of Enterprise Admins logs on to their own Windows device, nothing by default grants them local administrator privileges on it. Context is king.

What Does This Mean?

This means a malicious actor can take some other identity and give it Enterprise Admins–like privileges without ever modifying the Enterprise Admins group. All too often, security teams try to secure a particular security group without auditing the privileges that make that group special! Are there other groups, or individual accounts, that hold the same privileges? If so, are we explicitly aware of them?
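One way to answer that question, as an added example that is not part of the chapter: the PowerShell below, assuming the RSAT ActiveDirectory module and read access to the domain naming context, lists every principal holding rights on the domain object that amount to owning the domain (the two replication extended rights used by DCSync, or GenericAll, WriteDacl or WriteOwner on the object itself) and flags any holder that is not in a list of principals expected to have them in a default forest. The expected-holder list, the function name and the output columns are my assumptions, not something the chapter defines; adjust the list to your environment.

```powershell
# Added example (not from the chapter): audit who holds Enterprise Admins-like
# power on the domain root, regardless of group membership. Requires the RSAT
# ActiveDirectory module (provides the AD: drive) and read access to the domain.
Import-Module ActiveDirectory

# Extended rights that let a principal pull password hashes via replication (DCSync).
$ReplicationGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
# Generic rights on the domain object itself that allow rewriting its ACL or owner.
$DangerousRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'

function Get-DomainControlHolders {
    param(
        [string]$DomainDN = (Get-ADDomain).DistinguishedName,
        # Assumed set of principals that hold these rights in a default forest.
        [string[]]$ExpectedPrincipals = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                                          'Domain Controllers', 'Enterprise Domain Controllers',
                                          'Enterprise Read-only Domain Controllers', 'SYSTEM')
    )
    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $objType = $ace.ObjectType.ToString()
        $why = $null
        if ($ReplicationGuids.ContainsKey($objType)) {
            # An ExtendedRight ACE whose ObjectType is one of the replication rights.
            $why = $ReplicationGuids[$objType]
        } elseif ($ace.ObjectType -eq [guid]::Empty -and
                  [int]($ace.ActiveDirectoryRights -band $DangerousRights) -ne 0) {
            # Non-object-specific ACE carrying GenericAll / WriteDacl / WriteOwner.
            $why = "$($ace.ActiveDirectoryRights -band $DangerousRights) on the domain object"
        }
        if (-not $why) { continue }
        # IdentityReference is usually "DOMAIN\Name"; keep only the account name for matching.
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $why
            Inherited = $ace.IsInherited
            Expected  = ($ExpectedPrincipals -contains $name)
        }
    }
}

# Any row with Expected = False holds domain-owning privileges without being in
# Enterprise Admins or Domain Admins: exactly the case the chapter warns about.
Get-DomainControlHolders | Sort-Object Expected, Principal | Format-Table -AutoSize
```

Run this against each domain in the forest, not just the root; the same rights on a child domain object control that child domain. Objects such as AdminSDHolder and the domain controllers OU deserve the same treatment, since control of either also ends in control of the domain.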

In addition, this means that if an adversary compromises an identity on a device where it isn’t “privileged” (that is, not a local administrator), it doesn’t follow that the identity lacks privileges anywhere else. Context is key!

Not Applying Hypothetical Syllogism

Anyone who sat through fourth-grade logic has learned this, though rarely by its name. Many know it as:

  • 1st premise: A → B

  • 2nd premise: B → C

  • Conclusion: If A, then C.

Remember the Active Directory example? If an identity owns Active Directory, and Active Directory controls domain-joined computers, what can we conclude? Even though an Enterprise Admins identity has no explicit permissions on the local Windows computer, it controls Active Directory, and Active Directory controls that computer. Therefore, for the Active Directory boundary, every computer that has joined the forest, the identities in Enterprise Admins are critical to secure!

Notice the word “boundary” above? The security of that boundary is built around protecting the identity and, equally important, the privileges that give it those permissions.
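The syllogism is, in practice, a reachability question over a control graph, and it is worth seeing it computed rather than argued. The following PowerShell is an added example, not code from the chapter: every principal, computer and edge in it is constructed for illustration, and an edge “A → B” means “A controls B” for the reason given. The closure walk then shows who ultimately reaches which computers, including a service account that is not in Enterprise Admins but holds replication rights, and a local administrator whose reach stops at one machine.

```powershell
# Added example (not from the chapter): the hypothetical syllogism applied to a
# constructed control graph. All names and edges below are made up.
# Edge semantics: From controls To, for the reason in Via.
$Edges = @(
    @{ From = 'Alice';             To = 'Enterprise Admins'; Via = 'member of group' }
    @{ From = 'Enterprise Admins'; To = 'Active Directory';  Via = 'GenericAll on domain root' }
    @{ From = 'SvcBackup';         To = 'Active Directory';  Via = 'DS-Replication-Get-Changes-All' }
    @{ From = 'Active Directory';  To = 'WS01';              Via = 'domain-joined computer' }
    @{ From = 'Active Directory';  To = 'FS02';              Via = 'domain-joined computer' }
    @{ From = 'Bob';               To = 'WS01';              Via = 'local Administrators member' }
)

function Get-ControlClosure {
    # Breadth-first walk: if $Principal -> X and X -> Y, then $Principal -> Y.
    # Returns an ordered map of reached node -> the edge that first reached it.
    param([string]$Principal, [object[]]$Graph = $Edges)
    $reached = [ordered]@{}
    $queue   = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($Principal)
    while ($queue.Count -gt 0) {
        $node = $queue.Dequeue()
        foreach ($e in ($Graph | Where-Object { $_.From -eq $node })) {
            if (-not $reached.Contains($e.To)) {
                $reached[$e.To] = "$node -> $($e.To) ($($e.Via))"
                $queue.Enqueue($e.To)
            }
        }
    }
    return $reached
}

foreach ($p in 'Alice', 'SvcBackup', 'Bob') {
    $closure = Get-ControlClosure -Principal $p
    "$p ultimately controls: $($closure.Keys -join ', ')"
    $closure.Values | ForEach-Object { "    $_" }
}
```

Alice and SvcBackup both end up controlling WS01 and FS02, even though neither has an explicit permission on either computer and only one of them is in Enterprise Admins; Bob, despite being a local administrator, reaches nothing beyond WS01. The boundary to defend is the set of nodes from which “Active Directory” is reachable, not the membership of one group.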

Wrapping It Up

Don’t get lost in a single plane. Focus on where the planes overlap. Regardless of how technology continues to evolve, these planes will always exist: data, identity, and privileges. Their implementation and trust relationships may change, but the core practice of discovering them and using that information to defend the environment will always be paramount.
