Identity is the Key to Security

Audits and Certification Not Enough When Managing Identity

John Delk
VP - Product Management, Marketing and Sales Operations at NetIQ
Boris Ivancic 
Vice President and General Manager - Asia Pacific and Japan at The Attachmate Group

John Delk VP - Product Management, Marketing and Sales Operations at NetIQ and Boris Ivancic Vice President and General Manager - Asia Pacific and Japan at The Attachmate Group

Security is big business these days. With our old approach of blocking everyone at the border failing — mainly because no-one knows where the border is anymore — a risk-based approach is driving the way businesses think about their information and systems security.

At the heart of that change is a focus on access and identity management. John Delk, the Vice President of Product Management, Marketing and Sales Operations at NetIQ, told us that companies are trying to solve the same problems.

"Does the right user have the right access to the right information, and only that? At its heart, it's an identity powered problem."

Although there are many different slants and perspectives to the security discussion, this is a fundamental truth that spans different industries and use cases.

When looking at which sorts of companies are ahead of others when it comes to managing identity and access, Delk observes that organisations operating within regulated industries where there are stricter compliance obligations appear to be ahead of less regulated ones. However, part of that is understanding the balance between the IT and business elements so that a solution that is both technically viable and useful to the business can be achieved.

"Certainly, the fact that we are increasingly regulated with SOX, PCI and privacy acts, we see customers spending a lot more time and energy figuring out the balance between the IT role in that and the business role. Best practice is clearly saying how can I empower the business with IT as an enabler".

Over recent years, large organisations have increasingly turned to regular audits as a way of measuring their compliance with all the obligations they have across different regulations. But, as Delk puts it, "compliant doesn’t equal secure".

"One of the reasons for that is that you have silos," Delk told us. "As you go through an exercise and your attestations, you're only thinking about your silo. One of the benefits a vendor can bring is to make you think about it in a more holistic way".

Another challenge that Delk has observed is a disconnect between the IT team, business operations and the C-suite. When it's done well there is a common thread according to Delk, He said "There has to be a business stakeholder - there has to be ownership. That's clearly a starting point".

Delk said that IT needs to be more effective at helping the business better understand the problem, and at giving them the means to solve the problem. That's an important distinction because it focuses IT as the enabler but gives the business the tools needed to take ownership.

An important element is communication. Often, IT presents problems and solutions in IT terms and not in ways the business can understand. For example, when asking the business about appropriate systems access, IT might use the names of systems, programs or database tables. However, the business needs information presented in terms such as "can access sales reports" or "can enter sales transactions".

Where IT can help is by then using the data they gather to identify high-risk users.

"If I can tell you that, of the hundred users you're supposed to certify, 20 of them are higher risk because they access applications from multiple points in the network, or they use it outside the firewall or they've accessed it at two o'clock in the morning. All of these things push them up to the top of the risk meter".

Two-factor authentication has been touted as a tool for managing the authentication part of access but Delk sees context as being equally important. So, it's no longer about something you know and something you have. Where you are and what time you are using your credentials become an important element of the identity and access management solution.

This sort of information means the business can identify, in their own terms, where the risks lie rather than IT trying to infer what is right and wrong. This assists with breaking through the complexity that comes from having hundreds of systems with dozens of different roles within each one. Multiplied by thousands of users, the number of potential different combinations creates an extremely complex problem to solve.

Delk says that there are industries we can look to when trying to manage this level of complexity.

"Telcos have dealt with these kinds of scale issues for many years. The reality is that you start to think about correlation. How can I take the behaviour I'm seeing and attach some context to it? What thresholds are important? What's the norm? Telcos are very good at knowing what the norm is on a given day or time and then they alert if something occurs outside that," he added.

It's important to note that many recent mega-breaches have been the result of third-party contractors having their access compromised. This is often compounded by credentials being cloned or reused. As a result, contractor user credentials accumulate access to systems that aren’t needed. This was one of the issues identified as a result of last year's Target breach and may have been a factor in the recent Home Depot breach.

Adding further complexity is the distributed nature of IT. In the past, when all the key systems lived inside a data centre and users accessed applications with company-supplied equipment, it was easier to manage access. But today, we operate in a BYOD world with applications that are sourced from third parties, with data centres no longer local but managed by external service providers and increasingly transient workforces.

"The perimeter is gone. We have to accept that we're part of the Internet. We know that we're going to have folks inside pushing data out and accessing systems outside. We've rushed to some of the cloud implementations and then figured out that we wish we had more of an enterprise-centric control point," said Delk

As a result, companies are now looking to control identity and access centrally rather than cede that out to the cloud, according to Delk.

Read more: CIO priorities haven't 'changed dramatically' since the GFC: NetIQ

Until recently, access was seen as a binary assignment - you either had access or you didn’t. But Delk sees a more nuanced approach emerging - an approach he described as "chunkable".

As more people are using social credentials, such as Facebook, Twitter or Google, to access services, there's a use case emerging where users can use those credentials for a limited level of access.

Basic access to a service can be achieved using a social credential but for a customer to complete a transaction they need to "upgrade" to a more robust credential where their name and payment details are verified.

Boris Ivancic, the Vice President and General Manager for Asia Pacific and Japan at The Attachmate Group - NetIQ's parent company, told us that another of the business's focuses is on data in motion.

"In the past you'd have a particular application and a particular section within a company that was responsible for access. Now, with more people using third party partners and vendors and service providers, that data now becomes more accessible to multiple people outside the traditional way it was used. The issue is how do we protect that data. How do you protect it when it’s in transit to a third party service provider? What happens to that data when it's there and how do we ensure that there's no leakage?".

For example, in healthcare, a doctor might use corporate systems to access health records while working in a hospital but then access the same systems and data on a personal tablet as they make their rounds. As a result, there need to be processes and systems in place to ensure that the people can access the right data at the right time without compromising security and confidentiality.

What's clear is that we are in a constant state of flux when it comes to identity and access management. The use of external services, such as social log-ins, the increasing mobility of the workforce and popularity of cloud services and external service providers means that companies will need to maintain focus on access and identity.

And while audits can be a helpful tool, there's a strong need to integrate identity and access management into the fabric of business operations, and for IT to do a better job of communicating and enabling so that the business can make smart decisions that take into account context so that data is accessed appropriately and anomalies are detected.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Tags Enex TestLabTelcoPCIauditstwo-factor authenticationNetIQBoris IvancicAttachmate GroupCSO Australiadirectors for CSO Australiaprivacy actsexternal servicesManaging IdentityJohn DelkSOCKSsystems securitysecurity discussion

Show Comments