Target tackles identity and access management with zero trust

Dive Brief:

  • When designing an identity ecosystem, companies need a clear line of separation between business relationships and the general workforce. The line should be defined by a “need to know” classification and reinforced with zero trust, according to Jing Zhang-Lee, principal security architect and engineer at Target, while speaking at a Forrester event in National Harbor, Maryland last week.
  • Target’s top concerns for identity management include job terminations, shared accounts, onboarding, authorization and inactive use, she said. Companies have to consider their data feeds, APIs and delegated administrators when employees are terminated or transferred. Federated single sign-on is insufficient. 
  • Authorization controls demand attention on direct entitlements as opposed to role-based access control (RBAC) and attribute-based access control (ABAC). RBAC applies to specified roles, while ABAC is based on user attributes, application/system attributes and environmental conditions. Pay close attention to least privilege and contract access, she said.

Dive Insight:

Target, a retailer with more than 350,000 employees, knows the cost of a security incident tied to credentials and the supply chain. 

In 2013, Target suffered a data breach that impacted 40 million consumers. Unauthorized access to payment card data occurred after credentials were stolen from a third-party vendor that supplied the retailer with refrigeration, heating and air.   

Supply chain partners typically need to access business applications, electronic data interchange instructions, business partner reports and procedural documents, said Zhang-Lee. The security fault is failing to limit their access. 

Companies can unintentionally increase the risk of a data breach or unauthorized business transactions without a bulletproof identity and access management strategy. 

Zhang-Lee emphasized Target’s zero trust strategy for internal and external operations — the abolishment of a trusted network within corporate perimeters.

“You have choices with implementations,” said Zhang-Lee, “once you have these basics, you need justifications for access.” 

Working with supply chain partners requires reexamining directory services, separation of duty, adaptive access, multifactor authentication and cloud identity services.

Companies have to first define the extent and type of partnerships they have. From there they can design access assurance levels they are comfortable with, according to Zhang-Lee, with added emphasis to “simplify and automate” the process.