The multilayer IAM maps services from a user’s multiple identity and Active Directory providers onto different network layers of ICS/OT systems.

Zero trust security provider Xage Security has added a multilayer identity and access management (IAM) solution to its decentralized access control platform Xage Fabric to secure assets in different layers of operational technology (OT) and industrial control systems (ICS) environments.

“Multilayer IAM is needed for a couple of reasons,” said Roman Arutyunov, co-founder and senior vice president of products at Xage Security. “First is the fact that operators design systems for high availability and resiliency, leaving no single point of failure, and second that separate identities are used at each layer and site with different admins to ensure that compromise of credentials at IT doesn’t result in compromise of OT and, furthermore, compromise of one site does not lead to compromise of all sites.”

Xage Fabric’s blockchain-based technology uses a distributed mesh architecture with nodes deployed at various levels or layers, which interact and interface with different services to orchestrate a multilayered access authentication system, Arutyunov explained.

“Threat vectors in ICS/OT environments are different, needing controls focused on machine-to-machine communications rather than a human-to-machine approach in IT systems,” said Jack Poller, an analyst at ESG Global. “Also, many ICS/OT systems have limited computational power, limited storage, and limited upgrade capabilities, making them unable to add/upgrade security controls directly on the devices. Instead, they need services like Xage Security to implement security as a set of external controls, acting as proxy security for the device.”

With this launch, Xage has also announced a partnership with CISA under the Joint Cyber Defense Collaborative to advise on critical infrastructure protection.

Different IdPs and ADs for different layers

The idea behind Xage’s multilayer IAM is to map multiple identity providers (IdPs) and Active Directory (AD) services onto different security zones or network layers of OT/ICS systems.

“The nodes in Xage Fabric may separately interface with various AD services at various levels, but they work together to apply a policy and orchestrate access using the appropriate AD at the appropriate level,” Arutyunov said. “Xage Fabric utilizes distributed consensus mechanisms and distributed threshold-based encryption based on Shamir Secret Sharing to tamperproof each node’s data and processes.”

Shamir’s Secret Sharing is a cryptographic scheme for protecting a secret that must be entrusted to multiple parties. The secret is split into a number of shares, each distributed to a different participant, and only a threshold number of shares can reconstruct the original secret; any smaller set of shares reveals nothing about it, so a single compromised node holding one share does not expose the protected value.

“With machine-to-machine communication, as is often the case with industrial control systems and operational technology (ICS/OT), we can’t use conventional multifactor authentication. Xage’s multilayer solution is an implementation of Zero Trust strategies, and Zero Trust is becoming the new paradigm for securing both IT and ICS/OT environments,” Poller said.

Xage multilayer IAM integrates with services such as Microsoft’s Active Directory, Active Directory Federation Services (ADFS), and any other IdP that supports access protocols such as LDAP or SAML 2.0.

Xage offers local and remote access

Xage’s IAM allows both local and remote users to see the assets and systems within an OT/ICS site or zone after they successfully authenticate against that site-level AD and pass the site-level MFA challenge.

“Each OT site (plant, mill, power generation facility, etc.) may have its own AD system to manage identities of users operating on that site. Users need access to assets (workstations, systems, PLCs, RTUs, etc.) while onsite or remotely,” Arutyunov said. To avoid the complications of multiple sites and corresponding credentials, Xage lets administrators create granular access policies specifying which assets can be accessed by which users, at which location or level; the platform then authenticates against the right site-level AD and enforces the policy automatically, Arutyunov added.

Local and remote users authenticate with passwordless, hardware-based, and biometric MFA mapped to the different identity providers. Xage also allows local users to authenticate against the local-level AD when the site loses network connectivity.

“An important layer of a multilayered or defense-in-depth strategy is securing remote access. The idea with Zero Trust Network Access is to shift from a network-centric (or perimeter-based) security — where anyone who has access to the network is automatically trusted and granted access to devices and services on the network — to zero trust, where clients must be continuously authenticated and authorized for every transaction,” Poller said.
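The Shamir’s Secret Sharing scheme that Arutyunov refers to above, as an added worked example that is neither Xage’s code nor part of the original article: a textbook (k, n) threshold split over a prime field, with Lagrange interpolation at x = 0 to recover the secret, and a check that k-1 shares do not. The prime, the five-node/three-share parameters and the 16-byte sample key are assumptions chosen for the illustration; the article does not describe Xage Fabric’s actual parameters or how the shares are used for encryption.

```python
"""Shamir's Secret Sharing over GF(p): split a secret into n shares, any k recover it."""
import secrets

# Assumed field: the Mersenne prime 2**127 - 1. Any prime larger than the secret
# works; every coefficient and share is a uniformly random element of this field.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x, p=PRIME):
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x**2 + ... at x, mod p (Horner's rule)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % p
    return result


def split_secret(secret, threshold, shares, p=PRIME):
    """Return `shares` points (x, f(x)) of a random degree threshold-1 polynomial f with f(0) = secret."""
    if not 0 <= secret < p:
        raise ValueError("secret must be an integer in [0, p)")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    # The secret is the constant term; the other coefficients are random field elements.
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(threshold - 1)]
    # x = 0 is never issued as a share: that point IS the secret.
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, shares + 1)]


def recover_secret(points, p=PRIME):
    """Lagrange-interpolate f(0) from (x, y) points.

    With at least `threshold` distinct points this is the secret; with fewer,
    the result is a field element unrelated to it (the scheme leaks nothing).
    """
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % p       # product of (0 - x_j)
                den = (den * (xi - xj)) % p   # product of (x_i - x_j)
        # pow(den, -1, p) is the modular inverse of den (Python 3.8+).
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def demo():
    """Constructed scenario: a 16-byte key shared across 5 mesh nodes, any 3 of which recover it."""
    key = int.from_bytes(b"constructed-key!", "big")  # sample value, not a real key
    node_shares = split_secret(key, threshold=3, shares=5)
    from_three = recover_secret(node_shares[1:4])
    from_two = recover_secret(node_shares[:2])
    return from_three == key, from_two == key


if __name__ == "__main__":
    ok3, ok2 = demo()
    print(f"3 of 5 shares recover the key: {ok3}")   # True
    print(f"2 of 5 shares recover the key: {ok2}")   # False
```

The point a practitioner should take from this is the threshold property: a mesh that protects a key this way keeps working when nodes fail (any k of n suffice, which matches the no-single-point-of-failure requirement quoted above), while an attacker who compromises fewer than k nodes learns nothing. In practice the shared value is a key that encrypts the actual data, and the shares are reassembled only inside a trusted context; handing shares over a network in the clear would defeat the scheme.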