Skip to main content
close search
site logo
Dive Brief

Target tackles identity and access management with zero trust

Published Sept. 17, 2019
Samantha Schwartz's headshot
Samantha Schwartz Reporter
Target Bullseye blog

Dive Brief:

  • When designing an identity ecosystem, companies need a clear line of separation between business relationships and the general workforce. The line should be defined by a "need to know" classification and reinforced with zero trust, according to Jing Zhang-Lee, principal security architect and engineer at Target, while speaking at a Forrester event in National Harbor, Maryland last week.
  • Target's top concerns for identity management include job terminations, shared accounts, onboarding, authorization and inactive use, she said. Companies have to consider their data feeds, APIs and delegated administrators when employees are terminated or transferred. Federated single sign-on is insufficient. 
  • Authorization controls demand attention on direct entitlements as opposed to role-based access control (RBAC) and attribute-based access control (ABAC). RBAC applies to specified roles, while ABAC is based on user attributes, application/system attributes and environmental conditions. Pay close attention to least privilege and contract access, she said.

Dive Insight:

Target, a retailer with more than 350,000 employees, knows the cost of a security incident tied to credentials and the supply chain. 

In 2013, Target suffered a data breach that impacted 40 million consumers. Unauthorized access to payment card data occurred after credentials were stolen from a third-party vendor that supplied the retailer with refrigeration, heating and air.   

Supply chain partners typically need to access business applications, electronic data interchange instructions, business partner reports and procedural documents, said Zhang-Lee. The security fault is failing to limit their access. 

Companies can unintentionally increase the risk of a data breach or unauthorized business transactions without a bulletproof identity and access management strategy. 

Zhang-Lee emphasized Target's zero trust strategy for internal and external operations — the abolishment of a trusted network within corporate perimeters.

"You have choices with implementations," said Zhang-Lee, "once you have these basics, you need justifications for access." 

Working with supply chain partners requires reexamining directory services, separation of duty, adaptive access, multifactor authentication and cloud identity services.

Companies have to first define the extent and type of partnerships they have. From there they can design access assurance levels they are comfortable with, according to Zhang-Lee, with added emphasis to "simplify and automate" the process.

Recommended Reading

Filed Under: Security

Editors' picks

Company Announcements

View all | Post a press release
PointFive is Apparently the Hottest Cloud Startup, Here is Why
From Jordan Mitchell
November 21, 2024
New Research Reveals AI's Impact on IT's Power, Status, and Pay
From 1E
November 21, 2024
NeuBird Named a Cool Vendor in the 2024 Gartner® Cool Vendors™ in IT Operations Leveraging Gen…
From NeuBird
November 11, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Security
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell