Awareness and trust in context

Access & Identity Management Handbook 2018 Access Control & Identity Management, Security Services & Risk Management

Identity management is often seen as a specialised field that is applied somewhere in an organisation to control who has access to what, sometimes in both the digital and physical realm. Yet, while IAM is definitely a specialised field, it is one that is central and crucial to the concept of secure computing.

Markus Krauss, senior director, Digital Identity and Security, CA Technologies says identity management today is central to all forms of authentication and communication, whether it’s between people or things, or people and things – referring to the Internet of Things (IoT). Moreover, central to all identity management is the concept of trust: someone is granted access to something because you trust that the person is who they claim they are and that identity has permission to do whatever they are trying to do.

Within an enterprise, for example, if a person logs into their PC and wants to access certain information, applications or authorise transactions, they will have the ‘privilege’ of open access to those assets due to their position and permissions granted when they started their job. If a person is doing something that is higher risk, such as authorising a payment, the system may automatically ask for additional verification, a second factor to provide additional proof the person actually is the person who is authorised to do the transaction.

Hence the term ‘privileged access management’. The company decides your identity has certain privileges based on your job, and the identity management systems grants you access to those assets and prevents you from accessing or even seeing what you don’t have the privilege to see. In certain conditions, it requires something in addition to a password to ensure that high-risk activities are more secure.

Getting this right in an organisation is not easy, however. We have all heard of identity management projects that have failed for a variety of reasons. Nowadays, it’s even harder as an organisation is no longer bound by walls and buildings. Although it may not be advised, your CEO (or any approved person) can authorise transactions from anywhere, even via his/her mobile device. This takes the concept of trust and privilege to another level.

Trust is relative

This is where additional attributes are required in the trust relationship: the company’s identity management system must now incorporate other factors into the trust it assigns. If the CEO is logging in from home on the company laptop, it’s a known device and location so there may be very little change in the trust assigned. If the login is on another device that the organisation doesn’t control, it’s a different matter.

If the login is from a public Wi-Fi at an airport, for example, the trust issue is escalated as there are a number of additional attributes to take into account. In a case like this, additional authentication factors are not the answer because no matter how sure we are of the identity requesting access, the environment is not trusted because it is out of the control of the organisation and is known to be insecure. In this case, taking the all attributes into account will increase the risk of access and decrease the trust assigned, meaning that the CEO may be allowed only restricted access to certain company digital assets.

The same process applies to everyone associated with the company, from the CEO to clerks and other employees. In addition, Krauss explains that the same process can be applied to the IoT. Just because it is a device wanting access, doesn’t mean the company can simply allow it – we have all heard of security breaches being conducted through devices such as security cameras and recorders. Today there are no ‘dumb’ devices, only insecure devices that can be exploited by those with malicious intent.

Controllable billions

This may seem a bit much as we hear about the billions of devices that will be connected in the IoT in the near future; and who can manage billions of identities? It is manageable, however, as Kraus explains that while there are many devices, many of them are the same devices performing the same functions. And the context, once again, defines the trust assigned. For example, a camera overlooking a parking lot needs to be secured, but it doesn’t need as much protection and trust associated with it as one in your living room.

Just as we have privileged access management in organisations for people, the IoT will require similar ‘Identity of Things’ processes to ensure that data transfers are managed effectively and securely. The good news is that the trust concept in today’s privileged identity management systems can be extended to things and the relationships between them, and between them and humans. When the data being transferred is the temperature of a generator outside your office, you don’t need to go crazy worrying about risk and trust. However, when you are monitoring the temperature and other readings from nuclear reactors, the importance of trust becomes critical.

Of course, trusting things is much easier than people because they are predictable in what they do and how they operate. When it comes to people, there is always the human factor to consider when ascribing trust and risk levels. Edward Snowden is a good example. He had all the clearances to access sensitive information, but his behaviour was not as expected, but nobody picked up on it. An IAM tool that assigns a risk score which is used to define the level of trust is therefore critical, but so is the ability to use behavioural analysis as an additional level of risk measurement.

For example, Snowden accessing files his employers considered sensitive was acceptable, but was copying them to a USB drive within his normal behaviour patterns? We don’t know the exact story of how and why he was able to collect so much information, but the principle applies to any company. Does your sales person really need a copy of the entire customer database on a USB drive or on their mobile phone?

Identity for all

CA is a company that has been operating for around four decades and over the years has developed one of the leading IAM solutions in the market. Krauss says that for much of its existence, CA focused on a limited number of customers, specifically the Top 500 companies globally. During this time it acquired a number of technology companies and expanded its portfolio of solutions and services which it supplied to its 500 customers.

Over the past few years, however, the company has changed its focus and is now more open to partnerships and bringing its technology to a broader market. One of the ways it is doing this is by combining its technical expertise into a single product that can cater to the simplest as well as the most complex installations.

It accomplishes this through its virtual appliance (the CA Identity Suite – Virtual Appliance) which Krauss says can be deployed in as little as 7 minutes and then be configured to the organisation’s requirements via a web-based interface. It’s one virtual service that can be scaled and updated easily as required, depending on the customer’s identity management and governance requirements. The virtual appliance is, of course, sold in addition to the various products the company has developed over time.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

SMARTpod talks to The Risk Management Forum
SMART Security Solutions Editor's Choice News & Events Security Services & Risk Management Videos Training & Education
SMART Security Solutions recently released its first SMARTpod podcast, discussing the upcoming Risk Management Forum Conference 2024, which will be held on 26 September 2024 at the Indaba Conference Centre in Fourways, Johannesburg.

Read more...
There is a SaaS for everything, but at what cost, especially to SMEs?
Editor's Choice Information Security Security Services & Risk Management
Relying on SaaS platforms presents significant cybersecurity risks as the number of providers in your landscape increases, expanding your attack surface. It is important to assess the strength of the SaaS providers in your chain.

Read more...
New State of Physical Access Control Report from HID
HID Global Editor's Choice Access Control & Identity Management News & Events
HID released the 2024 State of Physical Access Control Report, identifying five key trends shaping access control's future and painting a picture of an industry that has been undergoing considerable transformation.

Read more...
Smart intercoms are transforming access control
Access Control & Identity Management Products & Solutions
Smart intercoms have emerged as a pivotal tool in modern access control. They provide a seamless and secure way to manage entry points without the need for traditional security guards to validate visitors before granting them access.

Read more...
Innovation and security go hand in hand
Technews Publishing Facilities & Building Management Security Services & Risk Management
In a world where the demand for tech innovation is matched only by the acceleration of cybersecurity threats, businesses face the challenge of balancing new product development and robust security measures.

Read more...
Easy, secure access for student apartments
Paxton Access Control & Identity Management Surveillance
Enhancing Security and Convenience at Beau Vie II Student Accommodation, a student apartment block located at Banghoek Road, Stellenbosch, with Paxton's access control and video management solution

Read more...
Invixium acquires Triax Technologies
News & Events Access Control & Identity Management
Invixium has announced it has acquired Triax Technologies to expand its biometric solutions with AI-based RTLS (Real-Time Location Systems) offering for improved safety and productivity at industrial sites and critical infrastructure.

Read more...
ControliD's iDFace receives ICASA certification
Impro Technologies News & Events Access Control & Identity Management
The introduction of Control iD's iDFace facial biometric reader, backed by mandatory ICASA certification, underscores the commitment to quality, compliance, and innovation.

Read more...
The future of workplace access
HID Global Access Control & Identity Management
Mobile credentials are considerably more secure than physical access control, because they eliminate the need for physical cards or badges, support multiple security protocols, and add layers of protection on top of basic card encryption.

Read more...
Bomb threat landscape in South Africa
Editor's Choice Security Services & Risk Management
Over the past 25 years, South Africa has faced thousands of bomb threats and explosive incidents annually, imposing a significant economic burden on the nation, costing billions of rand.

Read more...