Awareness and trust in context
November 2017, Access Control & Identity Management, Security Services & Risk Management

Identity management is often seen as a specialised field that is applied somewhere in an organisation to control who has access to what, sometimes in both the digital and physical realm. Yet, while IAM is definitely a specialised field, it is one that is central and crucial to the concept of secure computing.

Markus Krauss, senior director, Digital Identity and Security, CA Technologies, says identity management today is central to all forms of authentication and communication, whether it’s between people or things, or people and things – referring to the Internet of Things (IoT). Moreover, central to all identity management is the concept of trust: someone is granted access to something because you trust that the person is who they claim to be and that the identity has permission to do whatever it is trying to do.

Within an enterprise, for example, if a person logs into their PC and wants to access certain information, applications or authorise transactions, they will have the ‘privilege’ of open access to those assets due to their position and permissions granted when they started their job. If a person is doing something that is higher risk, such as authorising a payment, the system may automatically ask for additional verification, a second factor to provide additional proof the person actually is the person who is authorised to do the transaction.

Hence the term ‘privileged access management’. The company decides your identity has certain privileges based on your job, and the identity management system grants you access to those assets and prevents you from accessing or even seeing what you don’t have the privilege to see. In certain conditions, it requires something in addition to a password to ensure that high-risk activities are more secure.

Getting this right in an organisation is not easy, however. We have all heard of identity management projects that have failed for a variety of reasons. Nowadays, it’s even harder as an organisation is no longer bound by walls and buildings. Although it may not be advised, your CEO (or any approved person) can authorise transactions from anywhere, even via his/her mobile device. This takes the concept of trust and privilege to another level.

Trust is relative

This is where additional attributes are required in the trust relationship: the company’s identity management system must now incorporate other factors into the trust it assigns. If the CEO is logging in from home on the company laptop, it’s a known device and location so there may be very little change in the trust assigned. If the login is on another device that the organisation doesn’t control, it’s a different matter.

If the login is from a public Wi-Fi at an airport, for example, the trust issue is escalated as there are a number of additional attributes to take into account. In a case like this, additional authentication factors are not the answer because no matter how sure we are of the identity requesting access, the environment is not trusted because it is out of the control of the organisation and is known to be insecure. In this case, taking all the attributes into account will increase the risk of access and decrease the trust assigned, meaning that the CEO may be allowed only restricted access to certain company digital assets.
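The decision logic described above can be sketched as follows. This is an added example, not code from the article or from CA's products; the tier names, the network labels and the rule for unmanaged devices are assumptions made for illustration.

```python
from dataclasses import dataclass

# Asset tiers, lowest to highest risk (constructed for illustration).
PUBLIC, INTERNAL, SENSITIVE, TRANSACTION = range(4)

@dataclass(frozen=True)
class Context:
    managed_device: bool      # True if the organisation controls the device
    network: str              # "corporate", "home" or "public" (assumed labels)
    mfa_passed: bool = False  # a second factor has already been verified

def environment_ceiling(ctx: Context) -> int:
    """Highest tier the environment permits, however strong the identity proof."""
    if ctx.network == "public":
        return INTERNAL       # known-insecure network: restricted access only
    if not ctx.managed_device:
        return SENSITIVE      # assumption: no transactions from unmanaged devices
    return TRANSACTION        # known device on a known network

def decide(ctx: Context, tier: int) -> str:
    """Return 'allow', 'step_up' (ask for a second factor) or 'deny'."""
    if tier > environment_ceiling(ctx):
        # More authentication cannot repair an untrusted environment.
        return "deny"
    high_risk = tier == TRANSACTION
    # Assumption: sensitive data on an unmanaged device also needs a second factor.
    unmanaged_sensitive = tier >= SENSITIVE and not ctx.managed_device
    if (high_risk or unmanaged_sensitive) and not ctx.mfa_passed:
        return "step_up"
    return "allow"

def ceo_scenarios() -> dict:
    """The article's situations, all requesting a payment authorisation."""
    return {
        "home, company laptop": decide(Context(True, "home"), TRANSACTION),
        "home, laptop + MFA": decide(Context(True, "home", True), TRANSACTION),
        "airport Wi-Fi + MFA": decide(Context(True, "public", True), TRANSACTION),
        "personal device + MFA": decide(Context(False, "home", True), TRANSACTION),
    }

if __name__ == "__main__":
    for name, outcome in ceo_scenarios().items():
        print(f"{name:24} -> {outcome}")
```

The ceiling is evaluated before any authentication check, so a verified second factor changes the outcome only inside an environment that already permits the requested tier.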

The same process applies to everyone associated with the company, from the CEO to clerks and other employees. In addition, Krauss explains that the same process can be applied to the IoT. Just because it is a device wanting access, doesn’t mean the company can simply allow it – we have all heard of security breaches being conducted through devices such as security cameras and recorders. Today there are no ‘dumb’ devices, only insecure devices that can be exploited by those with malicious intent.

Controllable billions

This may seem a bit much as we hear about the billions of devices that will be connected in the IoT in the near future; and who can manage billions of identities? It is manageable, however, as Krauss explains that while there are many devices, many of them are the same devices performing the same functions. And the context, once again, defines the trust assigned. For example, a camera overlooking a parking lot needs to be secured, but it doesn’t need as much protection and trust associated with it as one in your living room.

Just as we have privileged access management in organisations for people, the IoT will require similar ‘Identity of Things’ processes to ensure that data transfers are managed effectively and securely. The good news is that the trust concept in today’s privileged identity management systems can be extended to things and the relationships between them, and between them and humans. When the data being transferred is the temperature of a generator outside your office, you don’t need to go crazy worrying about risk and trust. However, when you are monitoring the temperature and other readings from nuclear reactors, the importance of trust becomes critical.

Of course, trusting things is much easier than people because they are predictable in what they do and how they operate. When it comes to people, there is always the human factor to consider when ascribing trust and risk levels. Edward Snowden is a good example. He had all the clearances to access sensitive information, and his behaviour was not as expected, yet nobody picked up on it. An IAM tool that assigns a risk score which is used to define the level of trust is therefore critical, but so is the ability to use behavioural analysis as an additional level of risk measurement.

For example, Snowden accessing files his employers considered sensitive was acceptable, but was copying them to a USB drive within his normal behaviour patterns? We don’t know the exact story of how and why he was able to collect so much information, but the principle applies to any company. Does your sales person really need a copy of the entire customer database on a USB drive or on their mobile phone?

Identity for all

CA is a company that has been operating for around four decades and over the years has developed one of the leading IAM solutions in the market. Krauss says that for much of its existence, CA focused on a limited number of customers, specifically the Top 500 companies globally. During this time it acquired a number of technology companies and expanded its portfolio of solutions and services which it supplied to its 500 customers.

Over the past few years, however, the company has changed its focus and is now more open to partnerships and bringing its technology to a broader market. One of the ways it is doing this is by combining its technical expertise into a single product that can cater to the simplest as well as the most complex installations.

It accomplishes this through its virtual appliance (the CA Identity Suite – Virtual Appliance) which Krauss says can be deployed in as little as 7 minutes and then be configured to the organisation’s requirements via a web-based interface. It’s one virtual service that can be scaled and updated easily as required, depending on the customer’s identity management and governance requirements. The virtual appliance is, of course, sold in addition to the various products the company has developed over time.


Credit(s)
Supplied By: CA Southern Africa
Tel: +27 11 417 8594
Fax: +27 11 417 8691
Email: heidi.ziegelmeier@caafrica.co.za
www: www.ca.com/za
Copyright © Technews Publishing (Pty) Ltd. All rights reserved.