IT Focus Area: security
March 13, 2014
Identity and Access Management: Defining the New Security Perimeter
Editor's Note: Sirius and Forsythe are now one company. Sirius acquired Forsythe in October 2017 and we are pleased to share their exceptional thought leadership with you.
One of the staples of a good espionage thriller is the main character’s ability to change identities. Whether it is to gain access to a secret facility, perform a daring rescue or slip quietly past security, the character’s ability to become someone else is a highly refined art.
High-profile data breaches are demonstrating that cyber attackers have become equally adept at assuming identities in the real world, and companies are paying the price.
The Ponemon Institute’s 2013 Cost of Cybercrime study reported the average annualized cost of cybercrime incurred per organization was $11.6 million, a 26 percent increase over 2012.
Users and their identities are the most vulnerable link in a network, but solving identity and access management (IAM) issues is difficult for many organizations. For today’s chief information security officers (CISOs), the challenge is managing the identities and privileges of an increasingly diverse group of users—including employees, partners, and customers—that use a multitude of devices to log into systems both inside and outside the enterprise.
In the past, the administration of access to information technology (IT) systems was essentially an internal activity. The IT department created the systems, provisioned the access and distributed the devices that could be used to work within that closed environment.
Today, that intimate corporate network is now a globally connected web of users and devices that are accessing IT environments wherever, whenever, and however they choose.
The strain of BYOD and cloud-delivered IT
Forrester Research estimates that by 2016, 350 million employees will use smartphones, and 200 million of them will bring their own. Controlling every device to create an effective network security perimeter is no longer a viable option.
Additionally, many new business software purchases are of service-enabled software (commonly referred to as software-as-a-service, or SaaS). The ease with which these services can be procured by individual business units—without the aid of IT—can quickly result in chaos, and back doors to the enterprise opened by the "shadow identities" cloud-based user accounts create.
As data centers become more distributed and the traditional network perimeter dissolves, what can we use to protect enterprise data?
The common denominator
In the absence of the traditional security perimeter, identity is the common denominator.
John Hawley, Senior Director of Business Strategy at CA Technologies, points out:
“We can leverage new identity standards to fill the gaps left by the disappearance of the traditional perimeter as we know it …the value now lies in securely connecting users to distributed business services, using identity as the new perimeter” — John Hawley at CA Technologies
Companies are looking to confirm the identity of users and to make sure that the right people have access to the right resources at the right time, and for the right reasons. Because it has become virtually impossible to control the network security perimeter, the devices, and the applications, they’re shifting their focus to centralized identity management and authentication services that can control access to business services—regardless of location or end-user device—and help them secure each door into the fragmented IT environment.
The fundamental challenges of IAM
There are five key components to identity management: provisioning, access management, governance and recertification, federated identities/single sign-on, and privileged user management. Overall, for IT the first two are mature, stable aspects. Organizations understand how to provision users and give them basic access to the systems they require.
It is properly managing and restricting access, and gaining the right visibility into identity and access activities and events they are now struggling with. This is understandable, given the changes that have occurred in enterprise computing over the past few years.
One significant example is the shift to “the new Workspace.” In the past, when IT was setting up access to restricted systems, it had only one location to consider: within the enterprise. Users who wanted to access corporate data had to be on-premise, where security systems were tested and hardened. That was OK, because they typically did their work from an assigned space within a specific location.
Today, users may be working from the office, from home, in a car, a coffee shop, an airport or a hotel room. Even within the office, they may be using a shared space (i.e., “hoteling”) rather than working from an assigned port. Each of these cases presents a different set of access circumstances that pose the same question:
How can you be sure the person attempting to access corporate data is who they appear to be?
Within the office, in an assigned location on a corporate-issued device, it is relatively easy. At the local coffee shop, on the other hand, a stolen password or hijacked access of a user logging into a tablet can be extremely difficult to detect until the damage is already done.
Further complicating matters is the move to the hybrid data center, where data or applications may be split between internal and cloud-based resources, and access management is being shared between multiple locations. If either the enterprise or the cloud provider systems or policies are not as robust as they should be, users can end up with access to areas in which they do not belong.
Additionally, enterprises are sharing more data and access to systems with their partners and customers in the interest of efficiency. As the needs of the business broaden access requirements, identity handling becomes critical.
Analytics and intelligence are key
The bottom line is that basic user provisioning and access management—for example, person X needs access to file Y, and a system administrator verifies rights and either provides or denies access—is no longer enough. If you are an executive and concerned about the possibility of targeted attacks or insider threats, that won't provide you with the context you need.
In today’s security landscape, advanced identity management in the form of analytics and intelligence is the key to analyzing and understanding identity and access events. These solutions help you convert technical identity data scattered across multiple enterprise systems into centralized, easily understood, business-relevant information. This capability enables data around user activity to be understood in the broader context of the organization’s overall security posture, and can transform IAM into a strategic initiative.
During IT research firm Gartner’s 2013 IAM Summit, it was predicted that by 2020, identity analytical and intelligence (IAI) tools will deliver direct business value in 60 percent of enterprises, up from less than five percent today. This will include logging and log management, behavioral attributes about who is accessing what, and “identity nodes” around users and administrators.
Governance is your friend
Industries such as banking, finance and health care are heavily regulated, and have what may seem like an onerous burden of governance that requires them to be able to demonstrate (on demand) who accessed what and when. However, many of these organizations have discovered this to be a tremendous asset to their identity management efforts.
No matter what industry you are in, it is important to have controls in place to ensure users have the right access. For example, someone who transfers from finance to sales is unlikely to need continued access to the enterprise’s financial applications. Access governance and recertification solutions help provide the visibility and control you need to understand what you have in your environment and who has access to it, and to establish a continuous process to ensure that every individual has the right access to do their job, and nothing more.
Protect your privileged accounts
Privileged accounts provide virtually unlimited access to system resources, making them an attractive target for cyber attackers. Uncontrolled access to these accounts can easily lead to security breaches such as advanced persistent threats and compliance violations.
In the past, privileged users tended to be a single person with root access to applications; today, applications are distributed across locations and can have many privileged users. Accounts are often shared, with multiple people knowing the credentials for a single account on a system or application. As a result, it is more important than ever to know who has access to which systems, and what activities each individual user is engaging in.
Privileged identity and access management solutions can provide the control, auditing, and compliance needed to manage privileged and other shared accounts. They can track account access to individual users, secure resources to comply with regulations like Sarbanes-Oxley (SOX), HIPAA, and Gramm-Leach-Bliley (GLBA) enable system owners to periodically revalidate accounts and automatically revoke access or lock accounts, which is particularly helpful when an employee with access to critical data leaves the organization.
Federated single sign-on: proceed with caution
Everyone wants easier access to systems and applications, and requiring users to manage multiple usernames and passwords reduces productivity. Single sign-on (SSO) and federated identity address this problem by integrating applications with existing identity stores and eliminating the need for multiple usernames and passwords. Employees, customers and partners get convenient one-click access to the applications they use most, whether SaaS, on-premise or legacy.
This was far less risky when all systems were internal and IT had full control over how they were accessed. In today’s world, the price of one password providing access to all in-scope systems could be providing attackers with a tunnel to get into those systems.
Organizations implementing SSO—especially to resources with sensitive data—need to implement risk-appropriate authentication methods. It may be necessary to require separate sign-ons for certain systems, especially cloud services with weaker controls. Solutions that provide SSO to all target systems may prove to be too expensive. It is best to identify the tactical and strategic approaches that can address the issue over time and according to your budget.
Managed services reduce the burden
Successfully resolving IAM issues often comes down to two requirements: personnel and budget. Organizations may not have the appropriate in-house staff to perform the monitoring required to act quickly, the budget to hire additional people, or both. This is where a managed services provider (MSP) can help.
MSPs have the technology and people in place to provide the type of 24/7 monitoring that is needed, at a reduced cost. They can be your “eyes and ears,” identifying problems and anomalies as they occur, and either passing the information along to the internal team or resolving issues themselves. Having a managed services provider allows internal resources to focus on more strategic objectives, and relieves the burden of having to constantly update and maintain monitoring tools and systems.
Realize the value of identity and access management
The need to safeguard distributed applications and mobile, cloud, and social interactions across the enterprise has made implementing a better identity and access management strategy a challenge that must be met. IAM technology can generate the intelligence about identity and access activities you need to increase your understanding of broader security events and advance your overall security posture. With a robust program that incorporates IAM solutions and services that align with the needs of your business—without significantly increasing cost or risk—you can fill the gaps left by the traditional security perimeter and more effectively protect your enterprise data.