The new IAM: nailing shut the door on the Trojan horse

Cloud, mobility and bring-your-own-device (BYOD) computing are providing so many new potential ingress points to your network that it’s getting near impossible to keep up. The solution, as David Braue finds, lies in reconsidering your exposure, revisiting your IAM strategy – and picking your battles carefully.

It must have seemed like the right thing to do at the time, but it certainly didn’t end up that way.
‘It’, in this case, was a strategy for introducing a bring-your-own-device (BYOD) policy that would let employees use their own smartphones and tablets in the workplace. All employees had to do was load an agent for the corporate mobile device management (MDM) software onto their phones, which would allow the corporate IT division to track the devices and, if irretrievably lost, erase the data on them.

The company’s IT team bought 15,000 licenses of the appropriate software, advertised the program to users, and waited for the requests to come in. Eventually, however, just 400 users consented to install the software on their devices; the others, seeing no need to conform, simply ignored it and the organisation was left holding the bill for 14,600 unused MDM licenses – as well as a real challenge as to how to handle the remaining users.

Such are the trials and travails of companies seeking to adjust to the new, user-driven BYOD trend whilst maintaining critical control over the security of their corporate data. Fully 40% of workers in the Asia-Pacific region – 838.7m of them – will become mobile workers by 2015, and they will expect the flexibility to use whatever devices they want to get their job done.

Caught between conflicting pressures – users’ demand for personal freedom, and shareholders’ and corporate regulators’ demand for protection of company information – many companies are going through what Ian Yip, NetIQ’s identity, security and governance business manager, likens to the Five Stages of Grief.

“We’re up to somewhere between bargaining and acceptance,” he says. “This is a good thing, because it means we are ready to compromise and work with the business. Every organisation will get to acceptance in varying degrees, but it will mean going in with your eyes wide open.”

Australian companies are behind the curve when it comes to dealing productively with BYOD, however: IDC’s recent Continuum Survey 2012 found that Australian CIOs are struggling with incomplete BYOD frameworks lacking integrated security and IAM capabilities, among other things.

The human element. The groundswell of support for BYOD computing is disrupting existing identity and access management (IAM) frameworks and creating massive security issues their designers never saw coming.

The devices themselves are proving incredibly adept at circumventing the obstacles put down to prevent their use: mobile operating systems with built-in Facebook and Twitter capabilities, for example, can now spread corporate secrets in milliseconds using direct APIs that won’t even be picked up by content filters judiciously patrolling Web site access.

Mobile devices can wirelessly connect to the heart of corporate networks and wreak havoc within minutes. Seemingly innocuous productivity tools like Dropbox and Evernote instantly sync content from the corporate network onto cloud services whose very existence may violate corporate obligations around data privacy and sovereignty. And well-meaning users can run up new virtual machines in Amazon EC2, then push gigabytes of corporate data into an unknown and uncontrollable cloud environment within minutes.

“Mobility is increasing the complexity of IT security, and users are relying on tools for business to remain productive in spite of the IT organisation,” says Simon Piff, associate vice president for IDC’s Asia-Pacific Enterprise Infrastructure Research group.

“A lot of the time you will find that your organisation is using a cloud service that you know nothing about. That’s why the need to secure the human is going to increase: you’ve got to think of smart ways of embedding IT security into [users’] psyches that doesn’t impede their ability to do business.”

The new IAM. Corporate raiders never had it so easy – but what can companies do to staunch the exodus of corporate data from their grasp?

With outer security perimeters now easily breached, conventional wisdom suggests the best approach for companies is to refocus their efforts not just on keeping the nasties out of their network, but on ensuring that intruders can’t access any data they shouldn’t once they get in – nailing shut the trap door, so to speak, to keep the soldiers from sneaking out of the Trojan horse that’s already parked in your courtyard.

“There’s only so much you can do to protect the perimeter,” Piff says. “The real question is: what are you going to do to protect your data?”

That means shifting the focus of IT investments away from building barriers, towards developing fool-proof and flexible IAM frameworks that can reconcile today’s flood of new devices and applications with the users that are using them.

If all data is encrypted at rest on the company network and in the cloud, after all, it becomes much easier to control who has access to the keys to get it. Yet transposing IAM into today’s leaky-sieve environments is tricky: many companies bought IAM suites years ago, when IAM was all about single sign-on, opening and closing users’ network accounts, and facilitating access to internal business applications.

The world has moved on, and so have the requirements for a viable IAM framework, which these days must be able to track large numbers of employees, business partners and customers across a flurry of devices.

“Things change quite quickly, and what we’re seeing now is a disassembly of those big suites,” says John Havers, CEO and founder of IAM service provider First Point Global, who estimates that only 10% to 20% of Australian organisations have a broad enough IAM infrastructure in place to meet contemporary challenges.

“Auditors are asking to see what measures those organisations have to ensure only the correct people, with the right privileges and right job roles, have access. So organisations are thinking about how to keep a handle on who’s accessing what in their organisations and extended organisations. But it’s a difficult problem to solve.”

First Point Global has worked to address the problem with an IAM governance platform that aggregates data accesses and correlates users’ activities into a centralised identity and access warehouse. “That’s the starting point for knowing who’s in the zoo,” Havers says.

IAM everywhere. Ironically, the cloud may prove to be the saviour for companies struggling to implement effective IAM: to boost accessibility and usability, some vendors are now offering cloud-based IAM frameworks designed to handle the many touchpoints of the new security model.

Gartner has flagged this trend as an increasingly important aspect of the IAM market, which it expects to grow from $US9.9 billion in 2010 to $US11.9 billion by the end of 2013. Gartner expects cloud-based IAM will attract market entries from unexpected quarters such as virtualisation and grid computing.

“The ability to host these platforms in the cloud will be a driver for pushing out good IAM across organisations that previously may not have been able to afford it,” says First Point Global’s Havers.

Another game-changer is privileged access management, which extends IAM frameworks by monitoring and regularly changing access credentials for accounts with strong access privileges.
This provides an extra layer of protection within IAM frameworks, minimising exposure to password breaches and reducing the chance that outdated credentials may give ex-employees access to corporate systems.
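The two governance checks described above (the centralised identity and access warehouse that tells you "who's in the zoo", and privileged access management that catches credentials which have not been rotated or that still belong to departed staff) reduce to a reconciliation job over three feeds: the HR roster, the account directory, and a credential inventory. The following is an added, self-contained illustration written for this article, not code from First Point Global, NetIQ or any product named on the page; the feeds, account names, rotation windows and the reference date are all constructed.

```python
"""Toy identity-and-access warehouse reconciliation (constructed example).

Joins three feeds that a real IAM governance platform would aggregate:
  * HR roster          -> who is still an active employee
  * account directory  -> which accounts exist, who owns them, which are privileged
  * credential inventory -> when each account's secret was last rotated
and flags the two conditions the article describes: accounts whose owner has
left the organisation, and privileged credentials outside their rotation window.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Employee:
    user_id: str
    status: str          # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    account: str
    owner: str           # user_id of the accountable person
    system: str
    privileged: bool     # admin/root/service accounts get the tighter window


@dataclass(frozen=True)
class Credential:
    account: str
    last_rotated: date


# --- Constructed sample feeds (hypothetical people and systems) -------------
HR = [
    Employee("alice", "active"),
    Employee("bob", "terminated"),   # left the company; accounts still exist
    Employee("carol", "active"),
]

ACCOUNTS = [
    Account("crm-alice", "alice", "crm", privileged=False),
    Account("crm-bob", "bob", "crm", privileged=False),
    Account("db-root", "bob", "finance-db", privileged=True),
    Account("svc-backup", "carol", "backup", privileged=True),
    Account("adm-carol", "carol", "directory", privileged=True),
]

CREDENTIALS = [
    Credential("crm-alice", date(2012, 10, 15)),
    Credential("crm-bob", date(2012, 11, 1)),
    Credential("db-root", date(2012, 6, 1)),       # privileged, long overdue
    Credential("svc-backup", date(2012, 10, 1)),   # privileged, overdue
    Credential("adm-carol", date(2012, 11, 20)),
    Credential("ghost-svc", date(2012, 9, 1)),     # no account record at all
]

TODAY = date(2012, 12, 1)                 # constructed reference date
PRIV_ROTATION = timedelta(days=30)        # assumed policy for privileged accounts
STD_ROTATION = timedelta(days=90)         # assumed policy for ordinary accounts


def orphaned_accounts(hr, accounts):
    """Accounts whose owner is not an active employee (ex-staff access risk)."""
    active = {e.user_id for e in hr if e.status == "active"}
    return sorted(a.account for a in accounts if a.owner not in active)


def stale_credentials(accounts, credentials, today,
                      priv_max=PRIV_ROTATION, std_max=STD_ROTATION):
    """Credentials older than the rotation window for their account class.

    A credential with no matching account record is also reported: nobody is
    accountable for it, so it cannot be governed.
    """
    by_account = {a.account: a for a in accounts}
    findings = []
    for cred in credentials:
        acct = by_account.get(cred.account)
        if acct is None:
            findings.append((cred.account, "no owning account record"))
            continue
        limit = priv_max if acct.privileged else std_max
        age = today - cred.last_rotated
        if age > limit:
            findings.append((cred.account,
                             f"rotated {age.days}d ago, limit {limit.days}d"))
    return sorted(findings)


def reconcile(hr, accounts, credentials, today):
    """Run both checks and return a report dict suitable for an auditor."""
    return {
        "orphaned": orphaned_accounts(hr, accounts),
        "stale": stale_credentials(accounts, credentials, today),
    }


if __name__ == "__main__":
    report = reconcile(HR, ACCOUNTS, CREDENTIALS, TODAY)
    for kind, items in report.items():
        print(f"{kind}:")
        for item in items:
            print("  ", item)
```

The report shows why the two controls belong together: `db-root` is both owned by a terminated user and 183 days past a 30-day rotation window, which is exactly the "outdated credentials give ex-employees access" case, while `ghost-svc` surfaces only because the warehouse joined the credential feed against the directory and found nobody accountable for it.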

Security providers of all stripes are working to update their IAM visions, with industry leaders like Symantec and RSA peppering the market with point solutions each addressing specific new challenges; down the track, expect these solutions to be brought together into integrated application suites.

In the end, says NetIQ’s Yip, regardless of the features of the new technology the endgame remains the same: “You can’t deal with BYOD by dealing with BYOD,” he explains. “It’s about managing mobile employees, not about managing tablets or phones.”

“You need foundational pieces to do identity management and user provisioning, and to be agile – so you can give access when you want, and take it away when you don’t want people to have it.”
