Door John van Westeneng, CISSP, CISM.
Updating your IDM strategy was never more important that in the current situation. We all understand that IDM is the cornerstone of our organizations business, IT and security processes. IDM has developed from an efficiency and control solution to a business enabler. We seem to understand what IDM can provide to our businesses. Or at least what it could provide to our businesses. Looking at how IDM is implemented in your organization, is it as expected? Does it deliver what it promised? And are you able to maintain it in an efficient and cost responsible way?
Having said that, why do we need to update our IDM strategy? I want to share some of the thoughts we shared on a seminar we had last week with approximately 20 of our multinational / corporate most of all international oriented customers.
Building an IDM strategy we always take 6 pillars into account: organization, governance, compliance, information, processes and technology. The market developments that are making a difference all act on those 6 pillars. Looking at the most important ones they can be summarized to the following: Mobile, Social media, Cloud and Hacking. Others, like big data, could be mentioned as well. For this blog I keep it to the 4 mentioned.
Mobile and IDM
Mobile will impact IDM on three levels: the IDM end-point, mobile app security and the API authentication level. With the acceptance of mobile apps in the enterprise more and more demand is created that IDM processes (e.g. request and approval) can be managed using a mobile end point. This however does have effect on the authentication scheme on IDM portals and mobile apps. Which, of course, should be at least two factor authentication. In practice this implies that one factor will be biometric functions like Apples Touch-ID or others (face recognition, voice recognition, etc.).
The second level is that mobile app itself. More and more apps are developed, in and outside of the enterprise. The security architecture used for mobile apps are becoming more and more standardized and known. That requires facilities like mobile app Single Sign-on, containerization, MFA for mobile apps, and others. This demand implies that IDM has to be able to provide answers. Single Sign-on based on standards like OpenID Connect and/or OAuth 2.0, containerization technology that is able to support secure access using so called verifiers from Google, Microsoft, OKTA, Safenet and others. And last but not least integration of multi factor authentication, which includes the use of biometric capabilities of the mobile end-points.
The third level is API security. Most of the mobile apps will use some API to communicate with the backend. Securing those APIs, e.g. authentication and authorization, is a mandatory requirement. Authentication of APIs can be done using certificates or security tokens (based on SAML, OAUTH, …). In all cases the difficulty is to assure the validity of the certificate or security token. The trust model used is essential. It has to be future proof, sustainable and safe. The authorization model will evolve to an attribute based access control model. It has to- since the authorization question to be answered becomes more and more based on the users characteristics, which are dynamic, i.e. context dependent.
Social media and IDM
Social media is one of the developments that could feed your business demand. Specifically from Online Marketing perspective, prospect registration of social media can be of interest. There are however some attention points that you have to take into account. First of all, social media is owned by a couple large American vendors. Not the user but the vendors own the social media information. This implies that they determine what can be done with the users’ data. This is rather scary if you think about this. You are not doing business with the user but with the social media vendor ‘owning’ the users’ information. Before you are going to use social media identity information think about the following aspects:
- do you want to pay for this information if the vendor decides you have to pay for it?
- what is the trust level of this information? can it be used for identity proofing?
- how can social media be of help in addition to your normal security measures?
- do you have permission to use this information? from both vendor and user?
- what privacy aspects are relevant? In which jurisdiction?
- what happens if the social media vendor decides to use your (!) data for its own purpose?
Using social media will add information to some specific IDM related processes like identity proofing, secure conditional access and pre-registration. It will never replace them.
Cloud and IDM
Cloud is one of the most interesting developments going on. An enormous amount of organizations are changing their IT strategy from “SAP unless and Microsoft unless” to “Cloud unless”. Or better stated from suite to specific IT functions. This brings new IDM related demand from an access control perspective, a provisioning perspective and last but not least from an access policy management perspective. Another development that Cloud brings is Identity Management as a Service. Starting some years ago our customers start looking at this specific form of IDM. At that time the market was immature, low profile and providing mostly access control related functionality.
Looking at the current situation the market has evolved. Vendors as OKTA and Microsoft are really building IDM as a Service. It is easy, it is fast to deploy and it enables the business in a way that is never seen before (from IDM perspective at least). The IDM solution is build in hours instead of months. The applications are connected in minutes instead of weeks. At least as long the application is in the vendors application catalog. If it isn’t, you need your local system integrator which can implement and connect it. IDM as a Service has arrived and is here to stay. It will direct you as a business in a process standardization dilemma. Making the choice between the service and the custom model. Standard, sustainable versus flexibility, expensive. System Integrators like Traxion are providing you with the necessary guidance on what model to choose. We therefore expect hybrid IDM environments evolving for the next 5 to 10 years to 100% cloud based IDM environments.
Data breaches / hacking and IDM
Last development I want to discuss that will have effect on the way you have to deploy/implement IDM are the latest breaches and hacks. Looking at the Sony hack, Anthem, the Kaspersky bank hack, JSF consortium, Home depot and others, they all have some things in common. Interesting is that the approach seems more or less the same, i.e. following the kill chain. The kill chain contains a couple of steps. The first one is to get access as a normal user and then explore the environment getting access to other users as well. The second step is to elevate the access rights to an admin level. Using that to get in to the environment. The third step is to explore, do the actual attack, the exfiltration and intrinsic using stealth techniques to leave no traces behind. What has this to do with your IDM strategy? Well the first step can easily be solved by introducing multi factor authentication. The second step can be solved by proper certificate management (for SSL and SSH). Last but not least you have to get rid of cached credentials (used within your windows environments). Implementing these measures will make the chance on getting hacked to the point of an actual data breach occurring significantly smaller.
Your IDM strategy
So, there are a lot of angles why you should update your IDM strategy. In summary we see the following (new) demand:
- Organization: support of federated partners, the supply chain and devices.
- Governance: the impact of cloud applications in relation to ownership and change management processes.
- Compliance: new EU data protection legislation; support for upcoming security measures, e.g. enterprise data protection, information rights management, data leakage prevention, multi factor authentication, risk based access control.
- Information: Attributes in relation to syntax, quality of data and ownership.
- Processes: joiner/mover/leaver in relation to customers, federated users; support for mobile end-points and social media support.
- Technology: support for hybrid IDM architectures supporting on premise web-, legacy, mobile and cloud applications.
Please feel free to contact me if you want to know more about our services or want to discuss your IDM strategy.
John van Westeneng, CISSP, CISM