Independent. Dynamic. Involved.
nlen

The trends and customer challenges in identity & access management

By John van Westeneng CISSP CISM

This blog is based on the same named presentation presented by Corné van Rooij (RSA) and John van Westeneng (Traxion) at the RSA Security Summit 2014 in Amsterdam.
In our increasingly cloud-based, mobile world, traditional identity and access solutions can no longer keep up. We are experiencing an identity crisis. Organizations need solutions that empower the business and connect trusted users to sensitive resources, regardless of where these users are coming from and regardless of where the resources reside.

The third platform

The third platform is the one of consumerization. Compared to the second platform the shift from identity and access perspective is the impressive revolution of a new type of identity, the consumers. Due to the massive increase of users, apps and devices the 3th platform definitely changed the way we handle identities and in general how we practice information security.

Besides the effect of the 3rd platform several major trends are disrupting how we practice information security.

First, the adoption of cloud-based IT infrastructures and the pervasive use of mobile devices and mobile applications means that security organizations are being asked to secure what they don’t own, manage, or control.
Just a few years ago, a typical scenario might have been remote access offered to a limited set of employees, using a laptop that was provided by the company, over a VPN connection that allowed access to a limited set of key internal applications like email and sales force automation. Now, we have almost our entire workforce, using their own tablets and smartphones for business purposes, accessing applications that live in the cloud, over untrusted wireless networks and the internet. We used to describe the disappearing perimeter as a security concern – today we have almost no boundaries or a perimeter that has effectively been turned inside-out. And the expectations for securing this environment are the same or more strict.

We’re also in the midst of a transformation of how we conduct business. Leading organizations are seeking to take advantage of these technology advances – building new applications that are delivered through these new access models. They are using more data than ever before to make decisions and aggregating public and private data to create new value. They are interacting with a much more diverse supply chain, and employing a much more extended workforce. At the same time, these employee and supplier relationships are increasingly more temporal – assembled as needed and frequently dissolved when no longer required. All of these changes place more strain on our ability to adequately secure the interactions between people and information.

Finally, in response, the threat landscape and attacker tactics have fundamentally changed, resulting in adversaries that are more formidable than ever before, and who can’t be stopped effectively using today’s tools and methods.

Regarding the threat landscape and attacker tactics, both IBM and Verizon have published reports describing how attacks have evolved. Verizon has distinguished 9 patterns over the last 10 years. IBM defined 10, including one called undisclosed. Looking at those patterns, 7 out of 9 are identity and access related. From session hijacking, privileged access control to misuse of certificates, i.e. cryptographic material.

What does this imply? Regardless of what we do in our network security layers, we need to take advantage of technology that secures our application layers. That enables cloud, mobile, social and big data.

Appetizers and take aways
Based on all those trends, threats and developments it is clear that we have to evolve our security, identity and access best practices. We must assure that whatever we spend our money on is future proof and can be justified. Solutions like role based access control, a central identity repository and enterprise SSO are either outdated, cannot provide the correct security mitigations or cannot be justified from a business case perspective. The point is that those ‘legacy’ technologies do not give the answers on the questions being provided by the mega trends mobile, social, big data and cloud.
So which are? And what dependencies do they have? What should you take into account when you are implementing them?

Standard building blocks, not standard solutions

One of the main drivers of cloud is the need for cheaper and easier access to IT resources. To achieve that standardization of IT components and functions is a number one requirement. Not standard solutions but standard building blocks. Building blocks or modules to build your custom solution with. But also re-usable building blocks.
From security perspective standard building blocks means:
– predictable security functions,
– standard security interfaces,
– easier but possible limited integration capabilities,
– ease of update/renewal.

To achieve this, start defining standard building blocks in your architecture, infrastructures and applications. Include security functions and required interfaces. E.g. externalize authentication services from applications on all platforms. Develop and implement a federated access control infrastructure able to connect those standard based security components. Ensure you support mobile apps in all possible modes (native, hybrid and web). Ensure you support API based backend’s to enable all those ‘consumer-enterprise’ based frontends.

Hybrid, responsive applications

The nearby future is … apps. Development platforms are becoming more and more available. Supporting all kind of platforms. Why use a website if you can have an app. Including specific functions, not limited to a browser.
From a security perspective the following dependencies and challenges are foreseen, something you should take into account developing your apps:
– Identity & authentication: Personalization in a native app requires identification; standard (SAML or OAUTH) based interfacing towards externalized authentication web apps provide this capability.
– Vulnerability control: a native app can be checked and does have a signature. Webapps don’t have this capability.
– Security policies: ensure your organization is ready for the any time, any place, any where principle. specifically from a security policy perspective.
– API security: If an app requires content assure you have secure api’s published. API brokers are available which are specialized in publication of secure APIs supporting security standards like HTTPS, REST, SAML, OAUTH, and others.

Questions that remain: Do you have the option not to invest in (mobile) application development? How can we prevent ourselves not to fall in the same pit as we did with desktop application development in the 90th and the years after that?

Containerization

In relation with context based access, which is addressed later, separation of data on devices is a topic we all are doing or looking at. Using encrypted folders or app wrappers we are able to separate enterprise data from private data. The next step is dual persona mode on your private mobile device. A private persona container and in case of BYOD an enterprise persona container.

Containerization is an enabler for the use of any device in a ‘protected’ enterprise world. It really is the Holy Grail for BYOD. No device management, no private – end user information in danger in case of wipe or monitoring of the device by the enterprise. The end user is in charge of its own private container. So no privacy issues… He can use its enterprise data and apps in a secured container. It is absolutely an enabler because the enterprise doesn’t have to manage the device and is able to provide full segregation of information capabilities.
Access to the container is of course protected with a proper authentication mechanism. The container itself is encrypted.

The status of the technology is that it is available on all types of devices, including the windows desktop via virtual desktop technologies. Both Apple (in iOS) and Samsung (via KNOX in Android) are providing capabilities in there OS’s to support this.
However still a couple of challenges are remaining:
– Navigation and usability
– Separation of data residing in the container
– Relation to DLP and data protection, so when can I use the data outside of the container?
– Relation to access to the container in an offline mode
– Enrolment of containers and the privacy around data wipe or container wipe
– Container roaming over devices

A prerequisite for this next step in containerization is having your own (enterprise and device independent) app store. Another one is a user and device aware access control layer being able to provide only those apps that the user is able to use on his device, in its container in that specific context.

So, Identity and Access is, again, the next step in being able to provide secure access to your information. Containerization doesn’t solve this. A well thought strategy on how you are going to provide access to your information is required. Containerization is just one of the mitigations.

Context based authentication

Without context. An identity is just an identity. Providing access to information based on the identities context is providing access based on knowledge. And that … is what access is currently about. Before providing access we want to know who you are, what device are you using, what is your location, does your behavior correspond with previous activities, location and time.

Context based access is access based on knowledge. The big question currently is, how much context aka knowledge do we have that we can (or may?) use to decide if the user should have access.
Knowledge on the identities context enables us to make better decisions. Besides that it gives us the possibility to make life easier. It gives possibilities to ask the user less to provide by himself. And that implies that the usage bottleneck will be lower, i.e. your service will be used easier and earlier.

The next step in this evolution of access will be knowledge based access pattern based on behavior and intelligence. Being able to answer questions like: why do you want to have access, what are you going to do with the information provided after you got access, how are you going to use it, with whom are you going to share it, how are you going to share it, can you protect it, what did you do with it before and other patterns will give us the possibility to define real smart and dynamic, risk based access profiles. This is context based access at the next level.

Before getting there assure you have your identity management, your (federated) access control infrastructure with its externalized authentication services and required related services (i.e. classification services, information protection services, etc.) in place. Assure that you are in control of your application landscape. Btw. This will only succeed when we are able to externalize identification and authentication services from applications and/or services. Building on your federated access control infrastructure is a prerequisite. There is a relation with building your cloud, guiding your application development, etc. Classification services are the second prerequisite. Classification of data. Of device. Of location and of course, classification of user.

The identity broker

Since the end of the 90ties the amount of digital identities people have is growing enormously. For each application a new account, i.e. a new identity. With the introduction of Facebook and other social media, and standards like SAML and OAUTH more and more applications are able to use your ‘social account’ instead of letting you create a new one. On the one hand this is nice, on the other some challenges or even issues arise. Because of this and besides this, new security risks are on the horizon.
From the end user perspective:
• The use of ‘one account’, e.g. Facebook makes you dependent of this one account. This results in a higher impact whenever this account is being compromised / stolen?
• The use of ‘one account’, e.g. Facebook binds you to Facebook as a service provider. The question is at what moment can you leave them, suppose that is in order?
• The use of ‘one account’, e.g. Facebook does give some privacy related issues. Are you able to enforce which information is being provided towards the service provider?
• The use of ‘a Facebook account’ does limit the strength of authentication if you don’t provide additional authentication methods. But then, what is the added value of a Facebook account?

What happens if your ‘one account’ is changing? Does this impact the way you are known in the other, connected, applications?

In this category: Google, Salesforce, Microsoft, Yahoo, Twitter can be mentioned as well.

Are there any alternatives? If so, which, what are the side effect of those alternatives? Can we or should we take countermeasures already and in what way can we use those alternatives?
In general an alternative is the use of specialized (commercial) authentication providers. DigiD(?), Vasco’s MyDigiPass.com, and of course the Dutch eID when it has arrived.
Depending how you as a consumer make choices the enterprises will follow. Using a specialized authentication service provider will further enable our digital community.

The identity broker is one of the missing pieces in this access infrastructure. After authentication on one of the authentication services being connected to the identity broker, the identity broker aggregates and propagates information and provides this information to the applications connected to the identity broker. The identity broker, specifically in the hybrid context (e.g. combining both consumer owned IDPs and social focused IDPs is one that is required to enable the new era of identity management.

Attribute based access control

Attribute based access control or ABAC is the standard mechanism to exchange information in such a way that you can use that information for identification and authorization questions in your applications. ABAC gives you the possiblity to be flexible, providing exaclty that piece of user information that is required for a specific application.

Privacy

Discussing the context based access and attribute based access control take away before, brings us to the discussion of privacy. What can or do we know of a user? And what are we allowed to do with it? Companies who are or wants to sell our behavior is one topic in this. Google and Facebook who have built billion imperium’s on our behavior, are selling our behavior and thus our privacy already.

More and more it becomes clear we need to protect our privacy. We must become aware that our privacy is our last part of our (digital) identity. We should be able to protect and control our (digital) privacy. But…, how?
The concept of ‘Privacy by design’ delivers awareness on this topic. A guideline how to use privacy. Looking around in the Netherlands we are becoming aware that something must be done.

As a nice example the new to be designed and developed ‘eID stelsel’ does keep privacy by design in mind. As an end user you are in control over who may receive which piece of digital identity when. The designers of the requirements of ‘eID stelsel’ did have a look at services like Qiy. They understand this privacy by design aspect. And this is good news.

Next step is an EU directive on this. Final step is that we as European users demand from anyone that the (digital) identity is in charge. No matter the business model… as you know when you don’t pay for a service, you pay with your privacy… This is a challenge we are all facing. For this we must learn from our German neighbors. Due to their history they are more aware and are keener on protecting their privacy.
The main purpose of privacy by design is to ensure that individual persons have control over their own personal data and for organizations to get a sustainable competition position. This can be achieved with the 7 fundamental privacy by design principles.

The 7 fundamental principles on the website privacybydesign.ca are:
• Proactive instead of reactive; preventive instead of regenerative
• Privacy as standard
• Privacy integrated in the design
• Full functional – positive sum instead of zero-sum
• Security from start to end – protection during the full identity lifecycle
• Visibility and transparency – keep it open.
• Respect for the privacy – keep the user central.

From Identity & Access perspective we can summarize this to the following principles you should take care of in each IAM implementation:
• Understand which information you are using, modifying and copying to which system, which country and which organization.
• Understand who owns the information, i.e. the person, the organization, the customer, etc.
• Understand which legislation counts.
• Define IAM design principles related to who is allowed to do what, with what.
• Create a corporate directive on what your organization is allowed to do with person information.

For more information on privacy by design there are several initiatives. For example see the College Bescherming Persoonsgegevens website on privacy by design.

How it comes together

To summarize, the 4 mega trends Mobile, Cloud, Social and Big data, will impact how we develop, host, manage applications. It will impact the way we manage identities and authorizations. It will impact the way we handling privacy. It will impact security policies, governance and mitigations. It will impact the way we provide access to information and how we value information.

So… having said that, the 4 mega trends impacts the whole (application, information and security) landscape. In this new era the user must be positioned centrally. Being capable to choose who is seeing which identity information when. We as community must develop and implement user friendly privacy legislation and become responsible regarding what to do with user information.

Besides that the enterprise must be able to provide access to its application and services based on trusted and possible externalized services and information, as user friendly as possible. Additional knowledge (e.g. on security threats, current and future company risks, application development issues) is required to assure enterprises, and possible you as architect or business owners, take the right decisions at the right moments.

Your next generation identity and access services must be capable of delivering that. Not tomorrow, today!

Download here the related presentation

In a next blog I will elaborate on the use cases and related security policies, tip and tricks.

If you have any questions or comments feel free to contact me at John.van.Westeneng@traxion.com