Trusting your privilege
November 2017, This Week's Editor's Pick, Access Control & Identity Management, Integrated Solutions
The concept of trust as the basis for access control is really the same when looking at both physical and logical access. The Access & Identity Management Handbook 2018 has an article looking at the issue from the physical access perspective, and in this article we report on a round table Hi-Tech Security Solutions held on logical (or digital) access and identity management.
The participants in the round table are:
• Sagan Pillay, the solution strategist for security from CA South Africa. CA’s focus on security covers anything from identity management right through to privileged account management, and the company is also developing a strong behaviour analytics capability in terms of managing identities.
• Michael Horn, CTO at Lawtrust. He says Lawtrust comes at identity management from a slightly different angle, from a positive binding of the identity: a cryptographic approach bringing smart cards and cryptographic tokens into play, electronic signatures, face-to-face verification, enrolment stations and so on. He adds that it is complementary to the classical solutions companies like RSA or CA could be providing.
• Dale de Kok, system engineer for RSA Security (part of DellEMC). From an identity and access point of view, he says RSA has been doing strong authentication for about 30 years, and now concentrates on access governance and managing the whole identity life cycle alongside strong authentication.
• Mayleen Bywater, senior product manager in the cybersecurity portfolio from Vox. She says the identity and access management space is the next step in the growth of how Vox secures its clients’ environments as well as its own.
• Garith Peck, regional security solutions lead for cloud and on-premise security from Oracle. He manages the Cloud, IDM and DBSEC business for the southern African region. He is also the Oracle EU GDPR champion for the region. Due to time constraints Peck was unable to join us on the day, but was able to provide his insights, which are printed at the end of this article.
Starting off, we asked our digital participants how one goes about assigning or ascribing digital trust to someone in a work environment where a company could have thousands of employees accessing digital assets every day (smaller companies have the same issue on a smaller scale and with a smaller budget). The issue of trust in the digital and physical access worlds is similar, but the IT industry has turned the process into more of a holistic science than simply allowing access or not, as we shall discover in the article.
Whereas the physical world starts with the person to whom you want to give access to a building or campus, Bywater says the digital approach should start by understanding your policies and processes internally in terms of who should have what access. “If you do not have those you can assign any kind of access to anybody. But if you really know who should have what access it is easy to govern, manage and then apply that to the roles and responsibilities you have clearly defined.
“If you do not have that, no matter what you do within the security environment, especially on access and identity, you will not know and mistakes will be made.”
Pillay agrees, noting that many businesses today are probably in their third, fourth or even fifth generation of identity access management. “It is a long journey with a lot of challenges if they do not define these policies, procedures and processes appropriately. You can install any technology, but remember that all it is going to do is automate the processes you have designed.
“The bottom line is that if you do not define it correctly and you do not have the proper communication around it, it will never be successful.”
He adds that creating these processes means you first need to know what people need to do. When you know which access rights (or privileges) are critical to your business and to each job, assigning trust to company assets is simpler. Of course, if you are going to assign access to some areas and deny others, you first need to lock down all of your access. Then you can start deciding who needs access to what, when and where.
If you have one building or one server, this isn’t too hard. But companies are more complex these days and one needs to consider how to assign privileges to internal and external employees, contractors, visitors and even consumers who may be consuming services you offer. Trust needs to be assessed and assigned in each case.
“It’s all about context,” says De Kok. “Who is it that requires access, where are they coming from and what do they want to access. When you have all the attributes you need, you can then apply the relevant assurance level, the trust level that will be appropriate for that person and action.”
The ‘who’ is critical in the assignment of trust, according to Horn. Who is the person you are bringing on board and what level of trust can you assign them? He says answering this question must be accomplished in the on-boarding stage, a process that will differ according to the company – a bank will have a different and more intricate process than another business. In this area, physical and logical trust require the same processes to define the ‘who’.
The full trust lifecycle
These processes must also apply throughout an employee’s tenure at a company, adds Bywater. If their job changes, their access changes, and if they leave they need to be removed from the system – have their trust revoked in other words.
At the end of the day, Pillay says managing an identity means that you need to be able to understand the full life cycle of their identity. And understanding the life cycle of an identity means there could be many changes over time that need to be tracked, acknowledged and the trust implications addressed.
You need to have a process in place that identifies this individual throughout that life cycle, covering their journey from day one to the present time, even if that person has left. In other words, throughout the journey as an employee, contractor, visitor and so on, the company must adapt to assign or revoke trust as required in different situations, but still know the individual as a single identity – an identity for life.
He points out that an identity for life is a means of tracing the person’s journey through the organisation, not leaving their access privileges unchecked as they move around.
De Kok agrees, noting there must be accountability in the process to ensure people have the access they require, but this is an ongoing process and privileges change as the person’s role changes. If not, you will end up with many people who have access to things they should not have, creating a security nightmare.
“It’s a standard part of the governance and compliance to run frequent attestations to understand: does this person still need this access right.”
The issue with developing and maintaining a single identity journey for people is that there are often many ‘versions of the truth’ in organisations. In other words, HR has a database of personal information, but so does payroll. Perhaps IT also has a database for assigning access to servers and other digital assets, while the physical security team has another for assigning physical access rights. This type of scenario often happens in a fast growing company where oversight is compromised as the business grows.
One version of the truth
“How do you take all of these different identities and merge them to have a single identity view that you then use to make your trust decisions,” asks De Kok. “If you have various, unconnected data sources, how can you design and manage your identity policies with accuracy?”
Horn says the vision in the identity and access management world is to have a single version of the truth that contains accurate personal information. There have been many attempts over the years to combine information, for example, from the physical and logical access realm. Sadly, few are completely successful.
“The ideal in the physical/logical convergence is that I can’t log into my computer and access digital resources because the system knows I haven’t entered the building yet. Similarly, if I am tagged as being in the building, a red flag is raised if ‘I’ try to log on remotely.”
This is where a modern identity management solution comes into play as the central point of control and management for all identity-related functions, says Pillay. Whether it’s for permanent employees, contractors or visitors, this central management system must form the core of your privilege management. Even if your contractor database (for example) is on a different system, the processes and access privileges are determined by the identity management solution that reads information from the contractor database.
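Pillay’s point about a central identity management solution reading from separate HR and contractor sources, together with the earlier lifecycle points from Bywater, Pillay and De Kok (access changes when the job changes, trust is revoked when the person leaves, and frequent attestations ask whether each access right is still needed), can be shown as a reconciliation job. The following Python is an added example written for this article; it is not code from any of the vendors represented. The HR feed, contractor feed, access system contents, role model and account names are all constructed for illustration.

```python
"""Added example: merge an HR feed, a contractor list and an access system
into one identity view, then derive the lifecycle actions: revoke leavers,
send excess entitlements for attestation, flag accounts with no owner.
All feeds, role definitions and names below are constructed for the example."""
from dataclasses import dataclass, field
from datetime import date

# Constructed sample feeds. In practice these are read from HR, the
# contractor database and each target system (assumption for this example).
HR_FEED = [
    {"emp_id": "E100", "email": "alice@example.com", "role": "finance-analyst", "status": "active"},
    {"emp_id": "E101", "email": "bob@example.com",   "role": "dba",             "status": "active"},
    {"emp_id": "E102", "email": "carol@example.com", "role": "finance-analyst", "status": "terminated"},
]
CONTRACTOR_FEED = [
    {"emp_id": "C900", "email": "dan@vendor.example", "role": "helpdesk", "end_date": date(2017, 10, 31)},
]
# What the target systems currently grant, keyed by account name.
ACCESS_SYSTEM = {
    "alice@example.com":  {"erp:read", "erp:approve-payment"},
    "bob@example.com":    {"db:admin", "erp:read"},
    "carol@example.com":  {"erp:read"},
    "dan@vendor.example": {"ticketing:agent"},
    "svc-legacy":         {"db:admin"},
}
# Role model: the entitlements each role is allowed to hold (constructed).
ROLE_MODEL = {
    "finance-analyst": {"erp:read"},
    "dba":             {"db:admin", "erp:read"},
    "helpdesk":        {"ticketing:agent"},
}

@dataclass
class Identity:
    email: str
    source_id: str
    role: str
    active: bool
    granted: set = field(default_factory=set)

def build_identity_view(hr, contractors, today):
    """Merge the authoritative sources into a single identity per account."""
    view = {}
    for rec in hr:
        view[rec["email"]] = Identity(rec["email"], rec["emp_id"], rec["role"],
                                      rec["status"] == "active")
    for rec in contractors:
        # A contractor is active only until the contracted end date.
        view[rec["email"]] = Identity(rec["email"], rec["emp_id"], rec["role"],
                                      rec["end_date"] >= today)
    return view

def reconcile(view, access, role_model):
    """Compare what is granted with what the identity's current role permits."""
    findings = []
    for account, granted in access.items():
        ident = view.get(account)
        if ident is None:
            findings.append(("orphan", account, sorted(granted)))      # nobody owns it
            continue
        if not ident.active:
            findings.append(("revoke-all", account, sorted(granted)))  # leaver
            continue
        excess = granted - role_model.get(ident.role, set())
        if excess:
            findings.append(("attest", account, sorted(excess)))       # mover or creep
    return findings

def run_reconciliation(today=date(2017, 11, 15)):
    view = build_identity_view(HR_FEED, CONTRACTOR_FEED, today)
    return reconcile(view, ACCESS_SYSTEM, ROLE_MODEL)

if __name__ == "__main__":
    for action, account, entitlements in run_reconciliation():
        print(f"{action:10s} {account:20s} {entitlements}")
```

On the constructed data the job asks for attestation of Alice’s payment-approval right (her role only permits read), revokes everything for the terminated employee and the contractor whose end date has passed, and flags the ownerless service account rather than silently leaving it with database admin rights.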
This is more complicated in federated environments across buildings and geographies, but it can be done with the right application. An addition to this application would be to also enforce escalating authentication requirements. For example, to access your email requires a password, but to authorise a payment or to gain access to the server room requires an additional verification, such as biometrics.
This is critical to your governance and compliance, which means a full-blown identity and access management system and the automation of all your on-boarding processes, adds Bywater. Once you have that, you get the benefits, such as starting a transaction on one device and continuing it seamlessly on another in another location.
Horn adds that these types of projects often fail because of their size and complexity. The ideal is to start with privileged access management to your most important ‘crown jewels’, and then expand the process in manageable chunks.
The human factor
As with the physical security industry, no matter how fantastic your technology is, you are still faced with a significant threat and weakness in terms of what people do. One common area of weakness is passwords. People use the simplest passwords they are allowed to, reuse passwords and somehow aren’t afraid to share passwords with others when convenient.
De Kok says that is a simple fact of life and identity management vendors and IT administrators need to find ways to deal with that while ensuring their security is at the level they require.
Enforcing password changes every 30 days is one way of doing it, according to Bywater, while also ensuring they use strong passwords by requiring numbers and special characters etc.
However, Pillay notes that many companies find their staff being increasingly frustrated by 30-day password changes and this can be extended to 90 days (every three months) or even more when using adaptive risk authentication.
The adaptive part means understanding where the access request is coming from and what device etc. If the request is coming from a known device and location, that gives you a lower risk profile and a password alone is enough to assign trust. When the request is from an unknown location and/or device, the system will automatically increase the risk level and could require additional authentication measures, such as a one-time PIN (OTP) sent to a cellphone or a biometric.
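The adaptive behaviour described above, combined with the escalating per-resource requirements mentioned earlier (a password for email, an extra factor such as a biometric for authorising a payment or opening the server room), can be written down as a small policy. The Python below is an added example for this article, not code from any participant’s product. The context attributes, the risk weights and thresholds, the three assurance levels and the resource baselines are assumptions chosen for illustration; a real deployment would tune them from its own data.

```python
"""Added example: adaptive, risk-based authentication. A request carries
context (device, location, network, time); the more it deviates from the
user's established pattern, the higher the assurance level demanded, up to
an outright deny. Weights, thresholds and resource baselines are assumptions."""
from dataclasses import dataclass
from enum import IntEnum

class Assurance(IntEnum):
    PASSWORD = 1    # something you know
    OTP = 2         # plus a one-time PIN to a registered phone
    BIOMETRIC = 3   # plus a biometric on an enrolled device

# Minimum assurance each resource demands regardless of context (assumption).
RESOURCE_BASELINE = {
    "email":              Assurance.PASSWORD,
    "payments:authorise": Assurance.BIOMETRIC,
    "server-room-door":   Assurance.BIOMETRIC,
}

@dataclass(frozen=True)
class Context:
    user: str
    device_id: str
    country: str
    ip_in_corporate_range: bool
    hour_local: int
    known_devices: frozenset     # devices this user has enrolled before
    usual_countries: frozenset   # countries this user normally works from

def risk_score(ctx):
    """Add a constructed weight for every attribute that deviates from
    the user's pattern. The weights are assumptions, not a standard."""
    score = 0
    if ctx.device_id not in ctx.known_devices:
        score += 40
    if ctx.country not in ctx.usual_countries:
        score += 30
    if not ctx.ip_in_corporate_range:
        score += 10
    if ctx.hour_local < 6 or ctx.hour_local > 22:
        score += 10
    return score

def required_assurance(resource, ctx):
    """Assurance level to demand, or None when the request should be denied."""
    baseline = RESOURCE_BASELINE.get(resource, Assurance.OTP)  # unknown resource: be strict
    score = risk_score(ctx)
    if score >= 70:
        return None                        # too many unfamiliar signals at once
    if score >= 40:
        return max(baseline, Assurance.OTP)  # step up, never below the baseline
    return baseline

def decide(resource, ctx, presented):
    """Return (allowed, required) given the assurance the user has presented."""
    required = required_assurance(resource, ctx)
    if required is None:
        return False, None
    return presented >= required, required

if __name__ == "__main__":
    home = Context("alice", "laptop-1", "ZA", True, 10, frozenset({"laptop-1"}), frozenset({"ZA"}))
    print(decide("email", home, Assurance.PASSWORD))               # (True, PASSWORD)
    print(decide("payments:authorise", home, Assurance.PASSWORD))  # (False, BIOMETRIC)
```

Two design points are worth noting: the per-resource baseline is a floor that context can only raise, never lower, so a familiar device does not let a payment through on a password alone; and an unknown resource name defaults to the stricter level rather than to the weakest one.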
Single sign-on works in a similar way, notes De Kok. The user’s access is granted, but since the system is connected to the rest of the security ecosystem, if any deviations in behaviour or suspect behaviour are detected, a flag can be raised. The result may, again, be asking for additional verification via OTP or biometrics, or even denying access.
“You still get the convenience factor, but the user does not have to remember many different passwords, and the company still has the assurance level that suspect activities will be detected and dealt with.” Of course, behavioural monitoring (or behavioural biometrics as it’s referred to elsewhere in this publication) doesn’t only apply to humans.
Before the breach
The world is only too well aware of the numerous data breaches that have occurred, including in Africa, that have only been discovered months or even years after the fact. The reality today is that you are a target for criminals. You or your company may not have much to offer individually, but your information can assist in targeting high-value marks, or it could be assigned a value when sold together with thousands or millions of other personal information records.
In the past, most local companies kept these breaches quiet (if they even realised they had happened), but the Protection of Personal Information (PoPI) Act will change that. The issue, according to Horn, is how are you going to react when it happens (or when you realise it happened)?
The key here, says De Kok, is to have the systems in place that monitor what happens on your network and with identities – since hacks often occur when a low-level employee is compromised and the hackers, once inside, work their way up to gain access to a higher-level employee’s credentials until they can do whatever they came to do.
The most important thing is to have a mitigation strategy in place. How will you handle it? Who will handle it? Horn notes that your IT department will be unlikely to have the skills to investigate a breach, which means you will spend money on forensic audits and so on.
Unfortunately, both Pillay and Bywater agree that there is no product or solution that will protect a business 100%. It requires constant attention and planning to keep things on the level. This includes patching software regularly, from those annoying far-too-regular Windows patches to the other applications used in business every day.
So, what lies ahead?
Identity and access management, whether controlled by an application or handled on a spreadsheet in HR, will remain a crucial aspect of every organisation’s security going forward. The complexities of privileged identity will only increase as companies adopt more flexible workforces and working methods, including remote and mobile access requirements, and the difficulty of handling the question of trust (or privileged access) is simply going to increase if you don’t have a handle on it.
Again, it starts with good governance in terms of processes and policies, which are mapped to your assets to determine who gets access to what, when and where. Horn sees Blockchain becoming an integral part of the identity and access management field in future as a reliable and trusted method of assigning and ensuring trust. But this is still a development for the future.
From RSA’s perspective, De Kok expects to see more focus on the behavioural trend, making the allocation of privileges more seamless than ever. However, this will require organisations to collect more data about people and their activities, which starts intruding into the privacy realm, which is another kettle of fish.
“We already know who you are and what access you have, so the next thing is to see how you are using it,” adds Pillay, echoing the expansion of behavioural monitoring.
“If you don’t understand the user, you are looking for problems in privilege allocation,” adds Bywater. “We also expect to see a significant increase in the integration between various identity and security products and services to provide the end user with a full picture of their security posture and potential weaknesses.”
Pillay ends by noting that one of the primary trends in this industry is that more organisations are going to be looking at security holistically with a ‘security now’ perspective, because taking a ‘security later’ approach is going to be an extremely costly approach in future.
Entitlement is entitlement
Garith Peck, regional security solutions lead at Oracle Africa, adds his comments to the round table discussion.
Trust: When understanding trust in the IAM world, we first need to distinguish between identity and credentials. Trust in identity management begins with the authoritative source of truth. For internal use cases, that can be the company HR or contractor database. For a consumer use case, the authoritative source of truth can be CRM or a similar customer database. In a federated environment it can be multiple reputable organisations such as telcos, and in some countries, national identity providers.
Privilege management: Security frameworks mandate the practices of minimum privileges. Organisations should automate, review, attest and revoke those privileges when required. This must be done with continuous visibility and verification. Sensitive actions should be monitored and audited.
As far as integrating into the IoT world, we refer to IoT actors as non-carbon identities. This means that the best practice and methodologies that organisations apply to human identities should be extended to IoT. Most machine-to-machine interactions are based on web services and APIs. Having secure gateways for these web services and APIs is the recommended approach.
Single sign-on: SSO is not just a convenience, but also a security control that offsets storing credentials in a non-controlled manner. SSO has evolved from exchanging credentials to exchanging trusts. In 2017 it is a mature technology relying on open standards and federation and it should be applied to IoT by default.
Convergence: We do see convergence between physical and logical access and Oracle has already delivered such projects. For example, we worked with a financial services institution for this exact use case. They are using our Identity Governance Solution to assign and limit access to the floors and rooms in their buildings based on user roles and rights, the same way as they would for IT resources. Entitlement is entitlement regardless of physical or logical access.
Future developments: Our view at Oracle is that companies are losing the cyber war every year and it’s getting worse. Companies are relying too heavily on humans to protect their computer systems, which are under attack by highly sophisticated computer-generated threats. We have to re-prioritise and think about how we defend our systems, because if it’s our people versus their computers, we’re going to lose the war. It has to be our computers against theirs.
We have seen convergence of monitoring and audit functions with identity and access management. Historically, security monitoring was IP or event based; with cloud computing and mobility this has changed, and users are the final frontier.
Oracle has recognised this shift in the security landscape and in our customers’ needs. Not only do we need to protect our own cloud, but our customers are looking for modern techniques to help them provide consistent security controls across cloud and on-premise environments. A 2016 RightScale study said enterprises plan to use an average of six cloud services to run their workloads. More than ever, coordinated security management is needed. These are some of the major developments we see in the market.
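Peck’s remark that single sign-on has evolved from exchanging credentials to exchanging trusts is worth making concrete: in a federated set-up the relying application never sees the user’s password; it receives a signed assertion from the identity provider and its security rests entirely on how carefully it verifies that assertion. The Python below is an added example written for this article, not code from Oracle or any other participant. It signs and verifies a compact JSON Web Token (RFC 7519) with a shared HMAC key so that it runs offline; production federations usually sign with RS256 or ES256 and the relying party fetches the provider’s public keys, which this example does not do. The issuer name, audience name, key and claim values are constructed.

```python
"""Added example: how a relying party consumes a federated SSO token as an
exchange of trust. HS256 with a constructed shared key is used so the
example runs offline; the issuer, audience and key are assumptions."""
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(key, issuer, audience, subject, roles, ttl=300, now=None):
    """What the identity provider does after it has authenticated the user."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "sub": subject,
              "roles": roles, "iat": now, "exp": now + ttl}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

class TokenError(Exception):
    pass

def verify_token(token, key, expected_issuer, expected_audience, now=None):
    """What the relying party must check, in this order, before trusting a claim."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: the token must never choose it (blocks alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):   # constant-time compare
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(c))              # only now is the payload trusted
    if claims.get("iss") != expected_issuer:
        raise TokenError("untrusted issuer")
    if claims.get("aud") != expected_audience:
        raise TokenError("token not meant for this service")
    if now >= claims.get("exp", 0):
        raise TokenError("expired")
    return claims

def rejection_reason(token, key, issuer, audience, now=None):
    """Convenience for logging: why a token was rejected, or None if it verified."""
    try:
        verify_token(token, key, issuer, audience, now)
        return None
    except TokenError as e:
        return str(e)

if __name__ == "__main__":
    key = b"constructed-shared-secret"   # assumption: out-of-band shared key
    tok = issue_token(key, "https://idp.example", "payments-api", "alice", ["finance-analyst"])
    print(verify_token(tok, key, "https://idp.example", "payments-api"))
```

The order matters: the signature is checked before any claim is read, the algorithm is fixed by the relying party rather than taken from the token, and issuer, audience and expiry are all enforced, so a token minted for a different application, by a different provider or long ago is rejected even though its signature is valid.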
Hi-Tech Security Solutions thanks all our participants for their time and input.