What identity management strategies should enterprises be deploying to ensure they can meet the security challenges of an increasingly connected and cloud-based business environment?
- Make sure those who need data or services get the right access
- Integrate customers' IAM components in standardisation processes
- Good governance ensures a consistent approach to risks and compliance
- Set up or outsource a process to verify employees' and contractors' identities
- Provide a smooth authentication system that doesn't affect users' experience
- Catch up with the latest developments in identity federation processes
- Address the sin of conceit and move the IAM to being cloud-ready
The key to successful identity management is to make sure that those users who need access to data or services are provided with such access, writes Lee Newcombe, CISSP, member of (ISC)2 and managing consultant at Capgemini. The corollary of this is that those users who are not authorised to access data or services have their access attempts prevented and, ideally, logged. Perhaps not surprisingly, this is more difficult in practice than in theory!
So what are the difficulties? Firstly, different operating systems and applications support different forms of authentication with different credential repositories, and communicate using different protocols. You must also consider the business problem of managing granular access to sensitive information: the more selective or exclusive the access, the more work is involved for your business managers in keeping user entitlements up to date, including the age-old provisioning problem of dealing with new starters and leavers. An additional problem when considering collaboration across organisations is that the data or service being accessed will be on the other side of the organisational divide from those users seeking access. Finally, a problem that is becoming more pronounced with the move to cloud-based services is that of data privacy - do you really want to put personal details of your staff or customers outside your own security barrier?
Enterprises could implement a federated identity management approach whereby the organisation providing the data or service trusts the authentication measures in place at a collaborating organisation. Using such an approach, there is no need to share the personal details of the user requesting the access, only an assertion from the trusted party that the user is authorised to make the request. It is, of course, necessary to ensure that appropriate contracts are in place between such collaborating entities covering agreed security controls and the rights to monitor and audit compliance with the agreed controls. Enterprises should segment their data such that the data and services to be shared are physically or logically separated from those that they want to keep private. Furthermore, enterprises should maintain a cohesive audit trail of access to their data, regardless of where the user resides. Finally, please remember that these recommendations are far from exhaustive!
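As an added illustration (not part of Lee Newcombe's piece, and a simplified stand-in rather than real SAML or OAuth code), the Python sketch below shows the trust relationship described above: the collaborating organisation signs an assertion carrying only a pseudonym and entitlements, and the service provider accepts it only from a contractually trusted issuer, addressed to its own service, inside the validity window, and logs every decision. The per-partner shared HMAC secret, the issuer and service names and the entitlement strings are all constructed assumptions; a real federation would exchange signing certificates and metadata instead.

```python
import base64, hashlib, hmac, json, time

# Constructed assumption: one shared HMAC secret per trusted partner stands in for
# the signing certificates a real SAML/OAuth federation would exchange.
TRUSTED_ISSUERS = {"partner-a.example": b"constructed-shared-secret-partner-a"}
AUDIT_LOG = []  # one record per access attempt, allowed or denied

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_assertion(issuer, secret, pseudonym, audience, entitlements, ttl=300, now=None):
    """Partner (identity provider) side: vouch for a user without sharing personal details.
    The assertion carries only a pseudonym, the audience, a validity window and entitlements."""
    now = int(time.time() if now is None else now)
    body = {"iss": issuer, "sub": pseudonym, "aud": audience, "iat": now,
            "exp": now + ttl, "entitlements": sorted(entitlements)}
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    sig = _b64(hmac.new(secret, payload.encode(), hashlib.sha256).digest())
    return payload + "." + sig

def verify_assertion(token, expected_audience, now=None):
    """Service provider side: accept only an intact assertion from a contractually
    trusted issuer, addressed to this service, that has not expired."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        body = json.loads(_unb64(payload))
        sig_bytes = _unb64(sig)
    except ValueError:  # wrong number of parts, bad base64 or bad JSON
        return None, "malformed"
    secret = TRUSTED_ISSUERS.get(body.get("iss"))
    if secret is None:
        return None, "untrusted issuer"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):  # verify before trusting any claim
        return None, "bad signature"
    if body.get("aud") != expected_audience:
        return None, "wrong audience"
    if body.get("exp", 0) <= now:
        return None, "expired"
    return body, "ok"

def authorise(token, service, needed, now=None):
    """Decide one access request and log it under the pseudonym, never a real name."""
    body, reason = verify_assertion(token, service, now)
    allowed = body is not None and needed in body.get("entitlements", [])
    if body is not None and not allowed:
        reason = "missing entitlement"
    AUDIT_LOG.append({"service": service, "subject": body.get("sub") if body else None,
                      "issuer": body.get("iss") if body else None,
                      "needed": needed, "allowed": allowed, "reason": reason})
    return allowed
```

The audit record keeps the issuer and pseudonym, so the service provider can reconcile access with the partner under the contract without ever holding the partner's personal data.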
As enterprises attempt to reduce identity and access management (IAM) complexity for their internal environments and standardise on protocols, products and processes, the movement of applications and infrastructure to the cloud has often been done without sufficient regard for managing identity and access, writes Gregg Kreizman, research director at Gartner. The same IAM functions are needed for the cloud; however, they are just not as readily available as abstracted services exposed through standards. Rather, each IAM function - administration, access (authentication and authorisation), and intelligence - is usually delivered independently by cloud application providers often without regard for integrating with their customers' IAM components.
Federated authentication has proven to be the most mature, useful, standard capability for the cloud, but it is far from perfect. Standardisation for administration and authorisation has had false starts, and new standards are only now emerging. Standards for identity intelligence to support even basic audit needs are non-existent.
Include IAM requirements during SaaS selection and procurement. Enterprise IT and security planners should get in front of the SaaS selection and procurement processes to ensure that available enterprise IAM standard capabilities can be leveraged with the service, and gaps in those capabilities can be identified.
Push the SaaS providers and IAM vendors. The battle does not have to end after the procurement is done. If IAM requirements don't make it into the SaaS procurement decision, or if these requirements are trumped by higher-priority business requirements, enterprises should continue to press non-compliant SaaS providers to deliver secure interfaces to support integration with enterprise IAM components and with other third-party applications leveraged by the business.
IAM vendors are increasingly aware of the gaps in standardised IAM interfaces and protocols for cloud-based applications. Work among SaaS providers, vendors and standards bodies must accelerate and will be driven by those who hold the purse strings.
Offline images and templates: The speed of virtualisation is made possible by preparing offline guest OS templates in advance, which can then be used for new systems. These offline images must be patched regularly to make sure new systems are up to date from the first power-on. Make sure the patching and configuration systems can handle these offline images.
In summary, DC virtualisation has great benefits and is good for green and cost effective IT. However, CIOs should be aware that with greater powers come greater responsibilities and they should demand better controls from their IT and security professionals.
Over the past decade there has been a tsunami of identity and access management technology, writes Mike Small, member of London Chapter ISACA Security Advisory Group and senior analyst with KuppingerCole. This technology has not realised the business benefits that were hoped for. Furthermore, the move to outsourcing and the cloud means that technology and some processes are no longer under direct control.
While management implements technology and executes processes, governance sets the policies, procedures, practices and organisational structures that ensure the achievement of strategic goals. Good governance ensures that there is a consistent approach to risks and compliance across different lines of business and multiple laws and regulations. It can reduce costs by avoiding multiple, ad hoc approaches to compliance and risk management. Identity and access governance ensures, in a consistent and efficient manner, that only authorised people have access to confidential and regulated data.
The governance process comprises three major phases. The initial phase is to understand the business needs and obtain approval for a plan of action. A key objective of this initial phase is to get executive sponsorship; this sponsorship is critical to the success of any identity and access project. The second phase is to define the organisational needs and to produce a set of metrics and controls. The third phase is to monitor the controls and manage divergence.
For identity and access governance, these metrics and controls include:
- Information classification - you can't protect what you don't know you have.
- User identity - What percentage of employees have had their identity checked? What is the percentage of "orphan accounts"?
- User access - are access rights appropriate? What percentage of systems have a formal process for assigning and approving access rights?
- Privilege management - privileged users can bypass normal controls. What percentage of systems have formal management of privileged access in place?
- Monitoring - can you monitor who has access to and who has accessed what? Can you trust your monitoring systems?
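As an added example (not part of Mike Small's text), the Python sketch below computes several of the metrics listed above from a constructed HR roster, account directory and system inventory, joining accounts to people so that leavers' accounts and unowned accounts surface as orphans. All names and data are made up for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Person:
    person_id: str
    active: bool            # still employed or under contract
    identity_checked: bool  # HR or contract process verified who they are

@dataclass(frozen=True)
class Account:
    name: str
    owner_id: Optional[str]  # None: no owner recorded at all
    privileged: bool

@dataclass(frozen=True)
class System:
    name: str
    formal_access_approval: bool  # documented assign/approve process for access rights
    formal_privileged_mgmt: bool  # privileged access is managed, not ad hoc

# Constructed sample data, not taken from any real organisation.
PEOPLE = [Person("p1", True, True), Person("p2", True, False),
          Person("p3", False, True), Person("p4", True, True)]
ACCOUNTS = [Account("alice", "p1", False), Account("bob", "p2", True),
            Account("carol", "p3", True),       # owner has left: orphan, still privileged
            Account("svc-backup", None, True),  # nobody recorded as owner: orphan
            Account("dave", "p4", False)]
SYSTEMS = [System("hr-app", True, True), System("file-share", True, False),
           System("legacy-erp", False, False)]

def pct(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 1) if whole else 0.0

def orphan_accounts(people: List[Person], accounts: List[Account]) -> List[Account]:
    """Accounts whose owner is unknown or no longer active (the leaver problem)."""
    active_ids = {p.person_id for p in people if p.active}
    return [a for a in accounts if a.owner_id not in active_ids]

def governance_metrics(people, accounts, systems) -> dict:
    """Answer the questions in the list above with numbers that can be tracked over time."""
    active = [p for p in people if p.active]
    orphans = orphan_accounts(people, accounts)
    return {
        "identity_checked_pct": pct(sum(p.identity_checked for p in active), len(active)),
        "orphan_account_pct": pct(len(orphans), len(accounts)),
        "privileged_orphans": sorted(a.name for a in orphans if a.privileged),
        "systems_with_access_approval_pct": pct(sum(s.formal_access_approval for s in systems), len(systems)),
        "systems_with_privileged_mgmt_pct": pct(sum(s.formal_privileged_mgmt for s in systems), len(systems)),
    }
```

The privileged orphans are listed by name rather than only counted, since each one is a control that has already failed and needs an owner or removal.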
Good identity and access governance ensures that there is a consistent approach to privacy and compliance across different lines of business and multiple laws and regulations.
The idea that you can connect to your business IT-based functions like e-mail, file storage and applications from anywhere does raise the issue of how you can protect your data, and the subject of controlling access to said IT functions and company data is a big one, writes Peter Wenham, member of the BCS Security Forum strategic panel. So let's settle for the time being on the issue of identity management.
In the traditional company, access to a company network, and thus its resources and data, is generally via a user name and password set up by the IT department and based on a formal request from either HR or a person's line manager. HR in this case carries out the identity management process via the usual hiring routes (CV, interview, references etc.).
But is this process any different in the cloud world? I argue that for formal employees of a real company, the process is the same even for out-stationed employees. Where this traditional process can start to break down is where the out-stationed worker is not an employee but a contractor, perhaps used just once for a specific job or engaged on an ad hoc basis. Here the contract engagement process would be required to cover off verification of a person's identity, but what about moving the whole bid and acceptance process online, perhaps even fully automating it?
As we don't yet have a national identity scheme, not in the UK anyway, there is no other way to verify a person's identity than for a company to set up an HR and/or contract process, though this function could be outsourced; both are valid strategies.
Identity management is being taken seriously by IT security managers in the Corporate IT Forum, writes Dani Briscoe, research services manager at The Corporate IT Forum. We are beginning to see the inclusion of identity management officer roles in information security teams, as two-thirds have implemented an identity (and access) management strategy and most of the rest are planning to follow.
With cloud still in the relatively early days of adoption, before defining and adapting an IDM strategy for application to the cloud, members are focused on the complex issues and challenges that moving and storing data in the cloud brings.
At a Forum workshop in July 2010 members discussed the issues they were experiencing as they moved to a cloud-based e-mail solution. The majority were moving to a Microsoft solution and finding that the authentication was not up to the standard that they expected. Some who were operating in a single sign-on environment had negative feedback from their home and mobile workers due to the extra levels of authentication required to access the new system.
An overwhelming majority of organisations that recently discussed data in the cloud did not store customer data. Before tackling the challenge of authenticating users, corporations want to be happy with the data that they store and the security surrounding it. In a recent discussion around external access into SharePoint environments, the majority of authentication strategies were guided by the sensitivity of the data; sensitive data was either not stored or required two-factor authentication. Moving to the cloud would not change this strategy and would, if anything, require a stronger, more stringent solution.
Since RSA's security breach in March 2011 some members have admitted to expediting their exit strategy from their SecurID token solution. The majority of the responding members said that the breach had had an impact on their organisation with an increasing number now wanting to move to a tokenless authentication strategy; some members had already migrated away from the RSA solution to realise cost and time benefits.
Ultimately IT Security managers will want to ensure that their corporate data in the cloud is as safe as the corporate data in their own datacentre on site. Providing a smooth authentication solution that doesn't affect the users' experience will go a long way to keeping users and their data secure.
Identity management is a key process in Information Security within various national and international security standards and best practices, writes Vladimir Jirasek, senior enterprise security architect at Nokia, non-executive director CSA UK & Ireland and Steering Group member, CAMM. At the same time, it is one that has transformed so dramatically over the past 5 years that many IT and security professionals have been caught out and need to catch up with the latest developments.
Identity management strategy over the past 20 years has been for an organisation to manage accounts carefully for both internal and external users. "We cannot trust other organisations to do identity management for us" has been the excuse not to try new methods. However, the costs of managing external accounts, such as contractors, outsourcing partners, service providers or collaborators, have soared to an all-time high.
My belief is that the key principles for enterprises, when it comes to architecting their future-proof identity management systems, should be:
- We only manage identities for our employees and contractors working as employees, i.e. those people we have a direct contract with
- If we trust an external organisation to work with our data, we should trust them to manage their accounts and identities
- We should contractually oblige the third-party organisation to maintain identity processes at the required level and provide evidence of this
If organisations employ these principles, identity federation becomes a natural choice to make.
The technologies and standards to support identity federation are readily available. Standards such as SAML, OAuth, OpenID and BrowserID are here to support organisations and make integration with their partners as easy as Plug'n'Play.
Organisations should also invest in allowing federation to their customer-facing services. It is entirely reasonable for customers to expect to use their Gmail, Facebook or MS Live ID identity to shop on your eCommerce website. It is clear to many that those eCommerce websites that allow identity federation with major consumer identity providers have a higher basket-to-purchase ratio.
Now, let's look at the future of identity management. There has been lots of talk around NSTIC (US National Strategy for Identity in Cyberspace) and the Kantara Initiative (formerly Liberty Alliance). The future of identity management is going to give more control to the people, which will naturally lower the number of identities and credentials everyone has. For example, an enterprise will not create credentials for its new employees but will rely on their trusted cyber-identity. Such an identity could be securely stored and managed by the employee's mobile phone, which would mediate the login to company systems. Such a vision is obviously some years away yet; however, the foundations that organisations can build for identity federation would be reused in the future. I have covered this topic during a recent ISC2 webcast.
In summary, organisations should act now and invest in identity federation processes and solutions that will allow them to integrate and support current and future authentication and authorisation standards easily in the B2B and B2C channels.
Moving to the cloud poses a number of challenges to businesses, IT and information security, writes Adrian Davis, ISF principal research analyst. We at the ISF have investigated these challenges and come up with the seven deadly sins of cloud computing - one of which we termed "conceit". The sin of conceit is linked to the issue of whether the IT infrastructure of the enterprise is "cloud-ready" or not. Enterprises may assume that their IT is cloud ready whereas in fact, it isn't. One of the key infrastructure components is identity and access management (IAM) - and it is one of the components that is often least cloud-ready or cloud-aware.
Ongoing ISF research - both in the context of traditional enterprise IAM and in the context of the cloud environment - has yielded four important objectives of any IAM strategy going forwards. First, standardise the enterprise IAM framework so that it can easily link to cloud apps. Second, plan and evolve the framework to become federation-capable through the adoption of SAML2 and associated protocols. Third, select and work with cloud providers who support federated IAM and SAML2 - thus you can easily add a new cloud provider without having to manage multiple user accounts, passwords and all the issues associated with them. Fourth, don't attempt to solve all the problems at once.
These objectives will help to address the sin of conceit and to move the IAM to being cloud-ready and cloud-aware. Meeting the objectives will require investment and time - and may require an enterprise to fundamentally overhaul how it manages user identities across multiple platforms and systems.
This fundamental overhaul may include the adoption of technologies such as reduced (or single) sign-on or federated IAM or may involve outsourcing identity management to relieve the burden of user management and capitalise on investment and expertise from outside the enterprise.
This was first published in October 2011