By Mark Coderre, OpenSky GRC and Security Services Practice Director
What Has Happened to IAM? … Continued
In my last post, I discussed Identity and Access Management as the key control on which the other key controls depend, and one that is especially relevant to today's changing IT landscape. In this entry, I go further into how we can alter our IAM strategy to meet new challenges and replace conventional approaches with more secure methods.
Passwords carry inherent risk, period. Think of the ways they are stored, duplicated, lost, cracked, written down, and typed into "free" tools of unknown origin. They are clumsy and date from a world of single mainframes and dumb terminals. Passwords are a liability too. Password authentication of applications (service accounts, and credentials embedded in configuration files and scripts) is especially hazardous: the provisioning and retention processes breed risk, because those secrets are long-lived, shared, and rarely tied to an accountable person. We will continue to see large-scale compromises as long as this key control is dumbed down to a password.
There are alternatives. They are not as easy to implement, but they are necessary. Consumers can authenticate with consumer-oriented solutions (the identity ecosystem and FIDO work described below), employees can use smart cards or mobile-based one-time password generators (we already manage to carry a badge and a cell phone for other purposes), and applications can authenticate with certificates, presenting a client certificate over mutual TLS instead of a stored password.
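As an added illustration, not code from the original post or from any product it mentions, here is the mechanism those mobile one-time password generators implement, RFC 6238 TOTP, written in Go together with the two server-side checks that matter in practice: a small clock-skew window, and a guard that refuses to accept a code for a time step that has already been used. The secret is the test secret published in the RFC; the 30-second step, six digits and one step of allowed drift are example settings I chose, not values from the post.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
)

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically
// truncated to a 31-bit integer and reduced to the requested number of digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// TOTP (RFC 6238): HOTP whose counter is the number of elapsed time steps.
func TOTP(secret []byte, unixTime, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// TOTPVerifier is the server-side state for one enrolled authenticator. It
// accepts codes within +/- skew steps of the current step (clock drift) and
// remembers the highest step already accepted so a code cannot be replayed.
type TOTPVerifier struct {
	secret  []byte
	step    int64
	digits  int
	skew    int64
	lastCtr int64 // highest counter accepted so far; -1 means none yet
}

func NewTOTPVerifier(secret []byte, step int64, digits int, skew int64) *TOTPVerifier {
	return &TOTPVerifier{secret: secret, step: step, digits: digits, skew: skew, lastCtr: -1}
}

// Verify checks a submitted code against the server clock (unix seconds).
func (v *TOTPVerifier) Verify(code string, now int64) bool {
	ctr := now / v.step
	for d := -v.skew; d <= v.skew; d++ {
		c := ctr + d
		if c < 0 || c <= v.lastCtr { // a step at or before one already used is never accepted
			continue
		}
		// constant-time comparison so response timing does not leak the expected code
		if hmac.Equal([]byte(HOTP(v.secret, uint64(c), v.digits)), []byte(code)) {
			v.lastCtr = c
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 Appendix B test secret
	fmt.Println(TOTP(secret, 59, 30, 8))         // 94287082
	fmt.Println(TOTP(secret, 1111111109, 30, 8)) // 07081804

	v := NewTOTPVerifier(secret, 30, 6, 1) // 30 s steps, 6 digits, one step of drift: example settings
	code := TOTP(secret, 59, 30, 6)
	fmt.Println(v.Verify(code, 59)) // true
	fmt.Println(v.Verify(code, 59)) // false: the same step cannot be reused
}
```

The replay guard is the part most home-grown verifiers omit: without it, a code shoulder-surfed or phished seconds ago is still good for the rest of its step, and with a drift window it is good for longer than that. The shared secret on the server is still a secret to protect, which is the reason the certificate and FIDO approaches below go further.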
What’s behind an identity anyway? Another sign that Identity and Authentication are a public topic is the US Presidential Directive of 2011 that defined a National Strategy for Trusted Identities in Cyberspace (NSTIC). I had the opportunity to go to the White House Office Building, at the invite of Howard Schmidt, in 2012 and speak on a panel to kick off this critical initiative.
The directive does an excellent job of laying out the business needs of numerous sectors, including healthcare and finance. The approach is to build an ecosystem of identity providers with common trustworthy mechanisms, certifications, privacy features, and protocols. People would be able to establish an identity with the provider(s) of their choice, leverage those strong credentials with consumer centric usability, and take the credentials with them as they travel the internet.
Kantara is another important organization. They have defined the certification component at levels of assurance (LOA) that align in principle with the NIST 800-63 document mentioned in my previous post. Note: I am a member of the NSTIC Steering Group (IDESG) Management Council. I also participate in the NSTIC and Kantara healthcare workgroups. Speaking of healthcare, HIMSS made a statement supporting personal online access to health records at "LOA 3", and other groups are supportive.
No, we haven't gone to the dogs yet! Fast Identity Online (FIDO) is another organization of interest. Take some time to look at their work. I call it "human authentication." I share this with clients and in other identity circles because they have established a common API that sits in front of your resource's authentication layer: the resource verifies a signed challenge against a public key registered for the user, rather than checking a password. This common API supports a growing variety of "human form factors." There are biometric solutions as well as proximity-oriented solutions that address a wide variety of use cases, all the way from buying snow tires right down to the operating room, where gloves require alternatives to thumbprints. If you're familiar with the fingerprint reader on the Samsung Galaxy S5 phone, that's FIDO. I attended an update on their efforts during the RSA 2015 Conference in San Francisco and they are making fantastic progress.
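An added example, not FIDO's own API or code from the original post: a minimal public-key challenge-response in Go in the style FIDO authenticators use (P-256 ECDSA), showing what changes at the resource's authentication layer when there is no password to check. The relying-party names, the way the credential ID is derived and the layout of the signed data are simplifications chosen for this illustration and are assumptions, not the FIDO wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Credential is all the relying party (RP) stores: nothing here is secret,
// so a breach of this table yields nothing an attacker can replay.
type Credential struct {
	ID      string
	Pub     *ecdsa.PublicKey
	Counter uint32 // last signature counter seen; a cloned device would fall behind
}

// Assertion is the authenticator's answer to one challenge.
type Assertion struct {
	CredID  string
	Counter uint32
	Sig     []byte
}

// Authenticator models the user's device; the private key never leaves it.
type Authenticator struct {
	id      string
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	id := sha256.Sum256(priv.PublicKey.X.Bytes()) // credential ID derived from the key: an example choice
	return &Authenticator{id: fmt.Sprintf("%x", id[:8]), priv: priv}, nil
}

// Register hands the RP the public half only.
func (a *Authenticator) Register() Credential { return Credential{ID: a.id, Pub: &a.priv.PublicKey} }

// toBeSigned binds a signature to the RP identity (origin), the fresh challenge and
// the counter. The layout is an assumption for this example, not FIDO's wire format.
func toBeSigned(rpID string, challenge []byte, counter uint32) []byte {
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	h.Write(c[:])
	return h.Sum(nil)
}

// Sign answers a challenge for the origin the device actually sees.
func (a *Authenticator) Sign(rpID string, challenge []byte) (Assertion, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, toBeSigned(rpID, challenge, a.counter))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{CredID: a.id, Counter: a.counter, Sig: sig}, nil
}

// RelyingParty is the server side of the resource's authentication layer.
type RelyingParty struct {
	ID    string
	creds map[string]*Credential
}

func (rp *RelyingParty) Enroll(c Credential) {
	if rp.creds == nil {
		rp.creds = map[string]*Credential{}
	}
	rp.creds[c.ID] = &c
}

func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// Verify checks the assertion against the stored public key and counter.
func (rp *RelyingParty) Verify(challenge []byte, as Assertion) error {
	cred, ok := rp.creds[as.CredID]
	if !ok {
		return errors.New("unknown credential")
	}
	if as.Counter <= cred.Counter {
		return errors.New("counter did not increase: replay or cloned authenticator")
	}
	if !ecdsa.VerifyASN1(cred.Pub, toBeSigned(rp.ID, challenge, as.Counter), as.Sig) {
		return errors.New("signature does not verify for this origin and challenge")
	}
	cred.Counter = as.Counter
	return nil
}

func main() {
	dev, _ := NewAuthenticator()
	bank := &RelyingParty{ID: "bank.example"}
	bank.Enroll(dev.Register())
	ch, _ := bank.NewChallenge()
	as, _ := dev.Sign("bank.example", ch)
	fmt.Println("genuine:", bank.Verify(ch, as), "| replay:", bank.Verify(ch, as))
	as2, _ := dev.Sign("bank-login.example", ch) // a look-alike site relayed the real challenge
	fmt.Println("relayed via phishing site:", bank.Verify(ch, as2))
}
```

The relying party stores only a public key and a counter, so its credential table is useless to an attacker; a signature made for the origin a phishing page presents will not verify at the real origin, and a counter that fails to increase reveals a replay or a cloned device. Those two properties are what distinguish this model from a password or a one-time code, both of which can be relayed by a phishing site in real time.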
As I mentioned earlier, we have a challenge with authentication in email. For years, we've had the opportunity to implement signature-oriented email solutions (S/MIME and PGP), but they've languished. I anticipate that as consumer authentication matures, and naturally bonds with your mobile phone, a linkage to sending messages with signatures will roar back to life. In the meantime, we need something that fills the gap and also covers B2B and application-generated email. This gets into the topic of Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). SPF lets a domain publish which hosts may send mail for it, DKIM lets the sending domain sign messages with a key published in DNS, and DMARC ties both to the domain in the visible From: header and tells receivers what to do when neither aligns (none, quarantine, or reject), with reports back to the domain owner. These protocols are a tangential topic, but should at least be linked to your IAM strategy for cohesive end-to-end risk management. I highly recommend you look at them as a means of tactically "authenticating" the sending mail server and domain of email, which is exactly what phishing and spear-phishing forge. One caveat: these records authenticate a domain, not a person, and a look-alike domain the attacker registers will pass its own SPF and DKIM, so they stop forgery of your domain rather than phishing as such. They are effective and need to be part of every organization's roadmap. Given the large breaches across sectors, spear-phishing will become increasingly difficult to spot, especially when you consider that threat actors are accumulating a 360° profile about you and me.
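As an added example, not from the original post, here is the rule that makes DMARC tie SPF and DKIM to the visible From: domain, written in Go: a parser for the DMARC DNS record and an evaluator that returns the disposition a receiver would apply. The DNS record, the message results and the domain names are constructed for the example. Real receivers derive the organizational domain from the Public Suffix List; this stand-in replaces that with a two-label assumption, which is noted in the code.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DMARCPolicy holds the tags of a _dmarc.<domain> TXT record that decide disposition.
type DMARCPolicy struct {
	Policy    string // p=  none | quarantine | reject, for mail From: the domain itself
	SubPolicy string // sp= policy for mail From: its subdomains; defaults to p
	ADKIM     string // adkim= r (relaxed, default) | s (strict)
	ASPF      string // aspf=  r | s
}

// ParseDMARC parses the "v=DMARC1; p=...; ..." tag list (RFC 7489 syntax).
func ParseDMARC(record string) (DMARCPolicy, error) {
	p := DMARCPolicy{ADKIM: "r", ASPF: "r"}
	tags := map[string]string{}
	for _, kv := range strings.Split(record, ";") {
		if kv = strings.TrimSpace(kv); kv == "" {
			continue
		}
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return p, fmt.Errorf("malformed tag %q", kv)
		}
		tags[strings.ToLower(strings.TrimSpace(parts[0]))] = strings.TrimSpace(parts[1])
	}
	if tags["v"] != "DMARC1" {
		return p, errors.New("record must carry v=DMARC1")
	}
	switch tags["p"] {
	case "none", "quarantine", "reject":
		p.Policy = tags["p"]
	default:
		return p, fmt.Errorf("p= must be none, quarantine or reject, got %q", tags["p"])
	}
	p.SubPolicy = p.Policy
	if sp, ok := tags["sp"]; ok {
		p.SubPolicy = sp
	}
	if v, ok := tags["adkim"]; ok {
		p.ADKIM = v
	}
	if v, ok := tags["aspf"]; ok {
		p.ASPF = v
	}
	return p, nil
}

// orgDomain returns the organizational domain. Real receivers consult the Public
// Suffix List; keeping the last two labels is an assumption made for this example.
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(d, ".")), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// aligned implements DMARC identifier alignment: strict mode requires an exact
// match with the From: domain, relaxed mode only a shared organizational domain.
func aligned(authDomain, fromDomain, mode string) bool {
	a := strings.ToLower(strings.TrimSuffix(authDomain, "."))
	f := strings.ToLower(strings.TrimSuffix(fromDomain, "."))
	if mode == "s" {
		return a == f
	}
	return orgDomain(a) == orgDomain(f)
}

// AuthResults is what the receiver's SPF and DKIM checks produced for one message.
type AuthResults struct {
	FromDomain string // domain in the visible From: header (RFC5322.From)
	SPFPass    bool
	SPFDomain  string // MAIL FROM (Return-Path) domain that SPF authenticated
	DKIMPass   bool
	DKIMDomain string // d= of the DKIM signature that verified
}

// Evaluate reports whether DMARC passes and the disposition the receiver applies.
// It assumes the record was published at the organizational domain, so sp= governs
// mail whose From: is a subdomain.
func Evaluate(p DMARCPolicy, r AuthResults) (pass bool, disposition string) {
	dkimOK := r.DKIMPass && aligned(r.DKIMDomain, r.FromDomain, p.ADKIM)
	spfOK := r.SPFPass && aligned(r.SPFDomain, r.FromDomain, p.ASPF)
	if dkimOK || spfOK {
		return true, "none"
	}
	from := strings.ToLower(strings.TrimSuffix(r.FromDomain, "."))
	if from == orgDomain(from) {
		return false, p.Policy
	}
	return false, p.SubPolicy
}

func main() {
	// Constructed DNS record and message results for the example.
	p, _ := ParseDMARC("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com")
	fmt.Println(Evaluate(p, AuthResults{FromDomain: "example.com", DKIMPass: true, DKIMDomain: "mail.example.com", SPFPass: true, SPFDomain: "bounce.example.com"})) // true none
	fmt.Println(Evaluate(p, AuthResults{FromDomain: "example.com", SPFPass: true, SPFDomain: "attacker.example"}))                                                      // false reject
}
```

The point for a roadmap: adkim=s or aspf=s forces the signing or bounce domain to equal the From: domain exactly, which breaks the moment a vendor or subsidiary signs with its own subdomain, so relaxed alignment is the default and the usual starting point, with the policy tightened from p=none to quarantine and reject as the aggregate reports show who legitimately sends for the domain.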
Bottom line: every IAM strategy includes a use case in which you reach consumers through messaging (enrollment, credential recovery, notifications), so you need to secure that channel too.
Anyhow, there's a lot here, and a lot of organizations are working the leading edge of innovation. I participate in many of them and hope to see you there. If you have a challenge attending, I'd be happy to bring your ideas to light. Write me….
Source: Sky Chat IT Blog