The Evolution of IAM

Many businesses have users in high-risk locations, users connecting with risky devices such as computers in an Internet cafe, and other users who themselves are not yet known. As a result, their business now requires much more from identity and access management than ever before.

To provide secure connections to this mix of constituents, many enterprises have heterogeneous Identity and Access Management (IAM) solutions – consisting of several vendor products, numerous interfaces and identity data elements with significant impact.

During a user login, the typical IAM solution can now determine…

  • Who do you claim to be?
  • How well can we confirm that?
  • Are you allowed in?
  • Do I know and trust your device?
  • What attributes are associated to your identity?
  • Should you be accessing the system at this time?
  • Are you authorized for that transaction specifically?

Their IAM solution provides business empowering flexibility and graduated security for company assets.

The Need for Threat Modeling for IAM Architecture

OpenSky works with enterprises across multiple industries that have complex IAM architectures to maintain.  They must ensure the user experience is appropriate for the particular amount of risk.  They must keep this system working and keep it secure.  Doing this can be challenging, especially with a complex interdependent mix of many processes, data stores, flows and trust boundaries.

To help do this, companies have talented security architects who oversee the IAM system. Naturally, the architects’ focus is on functionality, component integration and performance.  As architects, they’ve had to interconnect different vendor products and original systems across different security zones, implement security controls on different compute platforms, and achieve the desired user experience.

It is common to focus on security functionality and go light on the non-functional security review. This becomes similar to any other business project, a review for attack vectors and vulnerabilities inherent to the design is required by several practitioners that are objective and focused on the threat.

IAM strategy can be defined by conducting threat modeling to strengthen the design resilience. This is important as IAM systems are a key control for cyber-resilience and, therefore, a natural attack target for a persistent threat.


Threat Modeling

Threat modeling is the exploration of the threats to which your environment is vulnerable—in this case, the company’s IAM system.

There are several established threat modeling methodologies out there and threat modeling tools available, both commercially and open sourced.  A simple threat modeling approach that provides a good, repeatable fit for many organizations. OpenSky leverages Microsoft’s Threat Modeling Tool 2014 which Microsoft provides free of charge.

A typical threat modeling exercise starts with a capture of the IAM contextual architecture consisting of its processes, flows, data stores and trust boundaries.  For each element in the system, existing security controls, such as, encryption, source authentication and levels of system privilege, are defined as properties of the element. In enterprise architecture terms, the contextual level of detail is vendor agnostic, and connects the conceptual vision approved by stakeholders to the technical detail typically documented and used by engineers. The contextual detail aligns everyone involved in delivery and allows threat modelers and threat modeling tools to assess natural attack vectors.

The SOA[1] Policy Administration Points (PAP), Policy Decision Points (PDP) and the Policy Execution Points (PEP) can be captured in the threat model to help illustrate the importance of the trust boundaries.

Typically, material differences between the original architectural design and actual implementation (as built) of the IAM systems are also identified. Again, this is the value of modeling at this level – it’s the common view between designers and builders.

Based on the contextual architecture diagram, the potential threats are presented, organized by Microsoft’s Security Development Lifecycle (SDL) STRIDE categories of threats: Spoofing, Tampering, Repudiation, Information Compromise, Denial of Service and Escalation of Privilege. OpenSky recommends and leverages STRIDE in combination with OCTAVE in our general approach for threat modeling. These methodologies are described on the OWASP site:


Each threat can be evaluated and mitigation strategies developed. For example, the Adaptive Risk Agent may be spoofed by an attacker which could lead to information disclosure by the Challenge Question Store. The mitigation strategy could include the use of authentication between the Adaptive Risk Agent and the data store.

Going forward, architects can track the status of each threat – not started, needs investigation, not applicable and mitigated – and adjust the priority.   Any changes may be recorded within the tool to manage enhancements and maintenance activities over time.  This helps create a traceability matrix of controls to threats. As organizations shift from compliance to threat-oriented security programs, demonstrating the priority and value of control investments and maintenance is crucial. (Note: Traceability Matrixes and how to track them to enterprise risk management are a topic of a future whitepaper.)

Client Benefits

Threat modeling and the related discovery process yield a number of benefits for the company.

The direct benefits include:

  • An independent list of threats that lead to a set of beneficial questions about the security of the IAM solution
  • A mature and reasonable process for analyzing and maintaining the security posture of the IAM solution and controls
  • A process for sound, joint prioritization and decision making related to the most important improvements to make to the security controls

Additional benefits of a threat modeling exercise may include:

  • An improved understanding of the true as-built state of the IAM solution
  • Improved collaboration and shared responsibility for the security posture of the IAM environment

As identity and access management evolves in enterprise security organizations, threat modeling has emerged as an important tool for security architects. Threat modeling provides valuable information to design the critical IAM systems for cyber resilience.  It is a straight-forward way to validate the security of your IAM architecture and provides a process for prioritization and sound decision making to enhance the security controls.

John Fehan is a Senior Consultant with OpenSky.  He interrogates technical innovation for business value and realizes this value within initiatives that executives can understand and support. He defines network and cyber security architectures that deliver business-enabling services.  He leads highly skilled teams—dissolving organization pushback, resolving technical issues, and wrapping solutions with effective governance and operational support.

Mr. Fehan has been working in IT for 20 years. He earned his bachelor’s degree in electrical engineering from Duke University and served in the US Army. 

[1] OASIS Service Oriented Architecture. www.oasis-open.org

Threat Centric Identity and Access Management

Source: Sky Chat IT Blog


Tags: ,

Leave a Reply

Your email address will not be published. Required fields are marked *