Awareness and trust in context
November 2017, Access Control & Identity Management, Security Services & Risk Management
Identity management is often seen as a specialised field that is applied somewhere in an organisation to control who has access to what, sometimes in both the digital and physical realm. Yet, while IAM is definitely a specialised field, it is one that is central and crucial to the concept of secure computing.
Markus Krauss, senior director, Digital Identity and Security, CA Technologies says identity management today is central to all forms of authentication and communication, whether it’s between people or things, or people and things – referring to the Internet of Things (IoT). Moreover, central to all identity management is the concept of trust: someone is granted access to something because you trust that the person is who they claim they are and that identity has permission to do whatever they are trying to do.
Within an enterprise, for example, if a person logs into their PC and wants to access certain information, applications or authorise transactions, they will have the ‘privilege’ of open access to those assets due to their position and permissions granted when they started their job. If a person is doing something that is higher risk, such as authorising a payment, the system may automatically ask for additional verification, a second factor to provide additional proof the person actually is the person who is authorised to do the transaction.
Hence the term ‘privileged access management’. The company decides your identity has certain privileges based on your job, and the identity management systems grants you access to those assets and prevents you from accessing or even seeing what you don’t have the privilege to see. In certain conditions, it requires something in addition to a password to ensure that high-risk activities are more secure.
Getting this right in an organisation is not easy, however. We have all heard of identity management projects that have failed for a variety of reasons. Nowadays, it’s even harder as an organisation is no longer bound by walls and buildings. Although it may not be advised, your CEO (or any approved person) can authorise transactions from anywhere, even via his/her mobile device. This takes the concept of trust and privilege to another level.
Trust is relative
This is where additional attributes are required in the trust relationship: the company’s identity management system must now incorporate other factors into the trust it assigns. If the CEO is logging in from home on the company laptop, it’s a known device and location so there may be very little change in the trust assigned. If the login is on another device that the organisation doesn’t control, it’s a different matter.
If the login is from a public Wi-Fi at an airport, for example, the trust issue is escalated as there are a number of additional attributes to take into account. In a case like this, additional authentication factors are not the answer because no matter how sure we are of the identity requesting access, the environment is not trusted because it is out of the control of the organisation and is known to be insecure. In this case, taking the all attributes into account will increase the risk of access and decrease the trust assigned, meaning that the CEO may be allowed only restricted access to certain company digital assets.
The same process applies to everyone associated with the company, from the CEO to clerks and other employees. In addition, Krauss explains that the same process can be applied to the IoT. Just because it is a device wanting access, doesn’t mean the company can simply allow it – we have all heard of security breaches being conducted through devices such as security cameras and recorders. Today there are no ‘dumb’ devices, only insecure devices that can be exploited by those with malicious intent.
This may seem a bit much as we hear about the billions of devices that will be connected in the IoT in the near future; and who can manage billions of identities? It is manageable, however, as Kraus explains that while there are many devices, many of them are the same devices performing the same functions. And the context, once again, defines the trust assigned. For example, a camera overlooking a parking lot needs to be secured, but it doesn’t need as much protection and trust associated with it as one in your living room.
Just as we have privileged access management in organisations for people, the IoT will require similar ‘Identity of Things’ processes to ensure that data transfers are managed effectively and securely. The good news is that the trust concept in today’s privileged identity management systems can be extended to things and the relationships between them, and between them and humans. When the data being transferred is the temperature of a generator outside your office, you don’t need to go crazy worrying about risk and trust. However, when you are monitoring the temperature and other readings from nuclear reactors, the importance of trust becomes critical.
Of course, trusting things is much easier than people because they are predictable in what they do and how they operate. When it comes to people, there is always the human factor to consider when ascribing trust and risk levels. Edward Snowden is a good example. He had all the clearances to access sensitive information, but his behaviour was not as expected, but nobody picked up on it. An IAM tool that assigns a risk score which is used to define the level of trust is therefore critical, but so is the ability to use behavioural analysis as an additional level of risk measurement.
For example, Snowden accessing files his employers considered sensitive was acceptable, but was copying them to a USB drive within his normal behaviour patterns? We don’t know the exact story of how and why he was able to collect so much information, but the principle applies to any company. Does your sales person really need a copy of the entire customer database on a USB drive or on their mobile phone?
Identity for all
CA is a company that has been operating for around four decades and over the years has developed one of the leading IAM solutions in the market. Krauss says that for much of its existence, CA focused on a limited number of customers, specifically the Top 500 companies globally. During this time it acquired a number of technology companies and expanded its portfolio of solutions and services which it supplied to its 500 customers.
Over the past few years, however, the company has changed its focus and is now more open to partnerships and bringing its technology to a broader market. One of the ways it is doing this is by combining its technical expertise into a single product that can cater to the simplest as well as the most complex installations.
It accomplishes this through its virtual appliance (the CA Identity Suite – Virtual Appliance) which Krauss says can be deployed in as little as 7 minutes and then be configured to the organisation’s requirements via a web-based interface. It’s one virtual service that can be scaled and updated easily as required, depending on the customer’s identity management and governance requirements. The virtual appliance is, of course, sold in addition to the various products the company has developed over time.