printer friendly version

Too complex, too rigid, too expensive and out of date?

Hi-Tech Security Solutions spoke to Charlie Stewart of SuperVision Biometric Systems about the current state of identity management and the directions it is likely to take in the future.

To begin, Stewart quotes a recent Gartner report on identity management (IdM), confirming that there are deep-rooted problems within current solutions that create and control identity within IT systems.

“Identity management is not ageing gracefully. Enterprise IdM systems, designed to centralise management of the information used to authenticate employees and authorise their access to enterprise resources, have matured. Unfortunately, the business environment in which centralised management of identity made sense is fading away just as the technology necessary to support it has become widely available. Tweaks to the existing IdM architecture will not solve these problems. What is needed – and emerging – is a new IdM architecture based on new principles.”

A flaw at the core?

Stewart thinks the problem is even worse than the bleak picture painted by Gartner: “Fundamentally, most IdM solutions are flawed at their core. The way in which identities are created is still reliant on traditional passwords – sometimes used in isolation, sometimes in association with PINs and so-called smartcards. No matter how competent the management system may be, the unavoidable fact is that it will be inherently insecure: everyday, these traditional authenticators get lost, forgotten, shared and stolen.

“This is critical because the highest imperative for IdM is to secure IT systems by controlling and monitoring who can access them and what they can do within them. If that was not the case, we would simply let everyone access everything and do whatever they like with it.”

Trust, but verify

Letting everyone in an organisation access any information they want and then letting them do with it what they please is not widely regarded as being a good thing. Why is that? Well, Ronald Reagan was fond of saying, 'Trust, but verify' – particularly in the context of disarmament talks with the Soviet Union. The key issue here is that we do not trust everyone in the organisation – let alone business partners and contractors who may access our systems on a daily basis.

Stewart sees this as, “A basic frailty within the security of corporate IT systems. We do not trust people so we search for ways to control and monitor what they are doing. The trouble is, we do not do it very well. We still rely on cards, PINs and passwords (CPPs). Their weaknesses are a major reason why insider fraud – by co-workers, partners and contractors – has now become the biggest threat to organisations in terms of economic crime.”

Getting back to IdM basics

To secure and accelerate business processes. For Stewart, this statement defines the objectives of an IdM policy and the solutions that implement it. Security has to be the first objective, but it also has to serve the second part of our definition: to accelerate the processes that are being secured. At SuperVision, we believe that biometric sign-on is the foundation for meeting these twinned objectives: eliminate all cards, PINs and passwords by replacing them with fingerprint biometrics as the basis for identifying people within an IT system. Modern fingerprint biometrics are a fast, accurate, secure and convenient way to verify people’s identity.

The AAA approach: assess, assign, adhere

In terms of meeting the objectives of security and speed, Stewart reckons organisations should consider taking three initial steps on the road to an effective IdM policy:

Step 1: Assess the ID profile of each person. Create a strong means of identifying people within the organisation. A combination of biometric technology and methodology allows us to provide certainty of identity. We suggest that this has to be the leading priority in terms of achieving what you want from any IdM solution.

Step 2: Assign responsibilities and access rights – allocate authority. This means deciding who can access an IT system – via fingerprint sign-on – and defining what they can do once they have accessed it. Importantly, this may not be as difficult as it has been in the past. The reason is because of the third step which acts as powerful deterrent to internal abuse of IT systems and the data they contain.

Step 3: Adhere with compliance. In effect, this really happens by itself. It is unlikely that someone will abuse an IT system if they know their actions are being logged in what we call an identity chain that automatically records who did what, where and when. This builds non-repudiation and, if necessary, court-room substantiation. The perception of detection looms large when it is your fingerprint that signs-you on and authorises your activity within an IT system.

In some ways, the knowledge of an identity chain almost removes the need for an IdM solution and strengthens the significance of trusting, but verifying. Because biometric identification can create such clear visibility of what we are doing, does this mean we can be trusted to do no harm?

Is the thought of being caught an IdM solution in its own right?

Stewart supports his thinking by saying: “In risk management circles, the perception of detection is generally recognised as being the most effective deterrent to insider fraud and the abuse of IT systems. Traditionally, the difficulty has been to heighten this perception amongst those insiders who intentionally abuse systems. Biometrics certainly raises the perception to new heights – after all, it is your fingerprint.”

The changing demands on IdM

Rather damningly, the Gartner report highlights the fact that, “The IdM problem has changed while the solution has not. The old problem was to distribute information about enterprise employees from a central authoritative identity repository owned by the CIO to enterprise application systems also owned by the CIO, to support authentication and authorisation of employees.

“The new problem is to gather information about enterprise employees, contractors, partner personnel and customers from multiple identity repositories, some owned by third parties, and distribute that information to enterprise and third-party applications, some hosted on-premises and some by third parties or in the cloud to support the use of enterprise applications by employees and third parties as well as the use of third-party applications by enterprise personnel.”

Stewart’s take on this is that, “We are still putting the ox in front of the wagon. Instead of worrying about distributing identities, we should perhaps be thinking about them in terms of where they already reside: at the end-point – with the user. Perhaps the solution is already at our fingertips but we have not yet understood the enormous significance of that simple fact.”

End-point security? We just need to use it

“Securing the end-point is certainly a buzz topic in all sorts of discussions around IdM – ranging from governance, risk and compliance (GRC), to data loss prevention (DLP) and information security management systems (ISMS). Apart from the fact that we are drowning in a sea of acronyms, very few people seemed to have grasped that users already have identities and that biometrics provide a simple means to verify them. The solution is already at the end-point in the form of fingerprints.

“It is also generic, it is a commonality shared by all end users, but at the same time, it is also unique. We all have fingerprints but no two prints are the same – they are universal and unique.

“To phrase this in the complex jargon that characterises a lot of IdM thinking, it is a parallax paradox. Nevertheless, if you think that biometrics is just an unproven technology without an associated methodology, then you will not see their immense power as the de facto foundation for managing identity.”

PLAT. People, locations, activity and time

PLAT translates into four questions: who, where, what and when? Stewart thinks these simple queries could be the keys to unlocking and simplifying how we manage identity in the future. Who is accessing the system? Where are they? What are they doing? When are they doing it?

Right now, there are not many – if any – IdM solutions that can provide definitive answers to these questions. Stewart is most emphatic about this: “The very best they can do is to say that a particular password, PIN or some plastic card has signed-on. Do not be deceived into a false sense of security by so-called strong passwords and second-generation authentication. They are all based on antique identifiers and are fundamentally insecure. They are being exploited simply because they are so simple to exploit. Lost, forgotten, shared and stolen are their universal characteristics. How can you even hope to manage identity if you cannot accurately identify people?”

Where are we now?

Where we are now is not pretty. Gartner is saying that, “IdM systems do not meet enterprise requirements for low-cost, high-quality identity because an IdM system is not a factory that produces identities; it is a warehouse that stores and distributes identities. An IdM system only works if it is hooked up to an identity source – and it is the source of identities, not the IdM system, that determines the enterprise’s cost and quality of identity.”

Can we really have gone so far down the IdM road before it has dawned on us that identities are not created by these systems: they already exist? Equally, have we not understood that in order to manage an identity you have to be able to authenticate it and its attributes. “There is always two parts to this,” says Stewart. “The first is the need to identify people – to verify who they are. The second part is to verify what they are.

“For us, the who part is sorted – you do it with fingerprint biometrics: job done. The second part is a lot trickier when you are dealing with people on the outside of the organisation. It is all very well for a system to be able to accurately identify Jack de Ripper, but that is not very helpful unless the system understands what Jack is.”

Where should we be going?

Stewart sees a need to separate IdM into two distinct components: one for internal identities that covers employees, partners, contractors and associates, and one that handles external identities – consumers of the organisation’s products and services. “Right now, one size does not fit all. We have one group of identities that we are close to and are known to us – the internal identities that we can authenticate biometrically and whose attributes we can verify through existing HR processes.”

IdM is too expensive

How does 4,9 billion Euros sound? Does that sound expensive? For the sake of localisation, Stewart says. This is what one fraudulent insider cost a major global bank in 2008. Jerome Kerviel’s illicit IT activities at Societe Generale were mainly founded on the fact that he used co-workers’ passwords to conduct some 1000 unauthorised trades on the futures market.

“R45 billion went down the drain in recovery costs because an internal risk management team of some 2000 people could not control the password abuse of just one junior trader. Makes you think. Or does it? Perhaps we have become so accepting of outmoded CPPs as a means to identify people that we cannot see the wood for the trees.”

Another recently published heavyweight report reaffirms the conventional wisdom that, 75% of the time, data security incidents are attributed to insiders. Produced by Forrester Consulting, The Value Of Corporate Secrets: How compliance and collaboration affect enterprise perceptions of risk, is a thought leadership paper commissioned by Microsoft and RSA, the security division of EMC.

Stewart says, “Yet again, we are hearing that insiders pose the biggest threat. For me, it is significant that the report highlights the fact that organisations focus on preventing IT accidents, but insider theft is where the money is being lost. We all know that bad times breed bad crimes – big recessions go hand-in-hand with big upswings in insider fraud.

“As the Forrester report says: ‘Data security incidents related to accidental losses and mistakes are common, but cause little quantifiable damage. By contrast, employee theft of sensitive information is 10-times costlier on a per-incident basis than any single incident caused by accidents: hundreds of thousands of dollars versus tens of thousands.’ Surely, IdM solutions have to be competent enough to address this problem? But as long as these solutions rely on CPPs, expect no change in the patient’s condition.”

Is your IP becoming a more attractive target for insiders?

To make matters worse, Stewart says that yet another report – this time from Verizon – shows that the number of insider breaches is rising, caused largely by insiders who collude with cybercriminals, granting them access to critical systems.

“What is particularly interesting is that the 2010 Verizon Data Breach Investigations says that at one time stolen payment card records sold for up to $15 each on the black market. Now, credit card data – once the most widely sought after of all stolen data – has dropped to about 20 cents per record.”

Consequently, according to Bryan Sartin, director of the Verizon Business Investigative Response team, “Intellectual property is gaining more attention than payment cards.”

Stewart says, “That chilling comment should be a very troubling warning bell to everyone involved in IdM. Verizon is saying that there is more motivation to steal IP because it promises a better return for the insider. In terms of the impact of insider fraud, it looks as if things are going to get a lot worse if we continue to rely on CPPs.”

Share this article:

Further reading: