The Small Business Administration hopes to eventually design a trust algorithm that controls network and data access based on the agency’s appetite for risk, according to Security Architect Trafenia Salzman.
The National Institute of Standards and Technology‘s Special Publication 800-207 identifies a trust algorithm as a logical component of any zero-trust architecture, which the Cybersecurity Executive Order issued in May directs agencies to implement.
“You want to have leadership or the security architects, basically everyone at the agency, figure out: What’s our appetite for risk?” Salzman said, during an ATARC event Wednesday. “And assign that to the policies within the trust algorithm, and then that trust algorithm can then act based on the policies that you have written to it.”
A policy engine is the brain of a trust algorithm, which is the process used to grant or deny access to the agency’s network and data. The engine often uses machine learning (ML) or artificial intelligence to rate the risk of network activity in real time based on five inputs:
- access requests,
- a database of user identities and history,
- a database of agency assets and their status,
- the agency’s minimum requirements to access the resource, and
- intelligence on active threats and malware combined with logs from sources like firewalls and routers.
Agencies may weigh the importance of each input or leave it up to a proprietary algorithm, depending on the value of the data being protected.
If the trust algorithm determines the risk of an access request to be above the agency’s limit, a user may only be granted access to a few resources if any. The algorithm may also alert the agency’s security operations center that additional investigation of a suspicious login or other anomalous behavior is needed by a cyber analyst.
Most trust algorithm simulations now have user event behavior analytics functionality, but they’re still adjusting to ML and AI engines, said Kelvin Brewer, senior manager for sales engineering of public sector at ForgeRock.
Governance and access management solutions must also still be added to the sim for a complete trust algorithm, Brewer said.
“Where I think the market is going is that each solution — whether that’s the sim or the access management engine or the governance engine, whatever those are — is all going to have artificial intelligence pieces that are calculating risk and feeding it into making real-time decisions,” he said.