Zero trust security provider Xage Security has added a multilayer identity and access management (IAM) solution to its decentralized access control platform, Xage Fabric, to secure assets in the different layers of operational technology (OT) and industrial control systems (ICS) environments.

“Multilayer IAM is needed for a couple of reasons,” said Roman Arutyunov, co-founder and senior vice president of products at Xage Security. “First is the fact that operators design systems for high availability and resiliency, leaving no single point of failure, and second that separate identities are used at each layer and site with different admins to ensure that compromise of credentials at IT doesn’t result in compromise of OT and furthermore, compromise of one site does not lead to compromise of all sites.”

Xage Fabric’s blockchain-based technology uses a distributed mesh architecture with nodes deployed at various levels or layers, which interact and interface with different services to orchestrate a multilayered access authentication system, Arutyunov explained.

“Threat vectors in ICS/OT environments are different, needing controls focused on machine-to-machine communications rather than a human-to-machine approach in IT systems,” said Jack Poller, an analyst at ESG Global. “Also, many ICS/OT systems have limited computational power, limited storage, and limited upgrade capabilities, making them unable to add/upgrade security controls directly on the devices. Instead, they need services like Xage Security to implement security as a set of external controls, acting as proxy security for the device.”

With this launch, Xage has also announced a partnership with CISA under the Joint Cyber Defense Collaborative to advise on critical infrastructure protection.

Different IdPs and ADs for different layers

The idea behind Xage’s multilayer IAM is to map multiple identity providers (IdPs) and Active Directory (AD) services onto the different security zones or network layers of OT/ICS systems.

“The nodes in Xage Fabric may separately interface with various AD services at various levels, but they work together to apply a policy and orchestrate access using the appropriate AD at the appropriate level,” Arutyunov said. “Xage Fabric utilizes distributed consensus mechanisms and distributed threshold-based encryption based on Shamir Secret Sharing to tamperproof each node’s data and processes.”

Shamir’s Secret Sharing is a cryptographic algorithm for protecting a secret that must be shared among multiple parties. The secret is divided into a number of shares, each distributed to a different participant, and a threshold number of shares is required to reconstruct the original secret.

“With machine-to-machine communication, as is often the case with industrial control systems and operational technology (ICS/OT), we can’t use conventional multifactor authentication. Xage’s multilayer solution is an implementation of Zero Trust strategies, and Zero Trust is becoming the new paradigm for securing both IT and ICS/OT environments,” Poller said.

Xage multilayer IAM integrates with services such as Microsoft’s Active Directory, Windows-based Active Directory Federation Services (ADFS), and any other IdP that supports access protocols such as LDAP or SAML 2.0.

Xage offers local and remote access

Xage’s IAM allows both local and remote users to see the assets and systems within an OT/ICS site or zone once they have successfully authenticated against that site-level AD and passed the site-level MFA challenge.

“Each OT site (plant, mill, power generation facility, etc.) may have its own AD system to manage identities of users operating on that site. Users need access to assets (workstations, systems, PLCs, RTUs, etc.) while onsite or remotely,” Arutyunov said.

To avoid complications when there are multiple sites, each with its own credentials, Xage lets administrators create granular access policies specifying which assets can be accessed by which users, at which location or level; the platform then automatically authenticates against the right site-level AD and enforces the policy, Arutyunov added.

Local and remote users authenticate with passwordless, hardware-based, and biometric MFA mapped to the different identity providers. Xage also allows local users to authenticate against the local-level AD when the site loses network connectivity.

“An important layer of a multilayered or defense-in-depth strategy is securing remote access. The idea with Zero Trust Network Access is to shift from a network-centric (or perimeter-based) security — where anyone who has access to the network is automatically trusted and granted access to devices and services on the network — to zero trust, where clients must be continuously authenticated and authorized for every transaction,” Poller said.