Identity is the Key to Security

Audits and Certification Not Enough When Managing Identity

John Delk
VP - Product Management, Marketing and Sales Operations at NetIQ
Boris Ivancic 
Vice President and General Manager - Asia Pacific and Japan at The Attachmate Group


Security is big business these days. With our old approach of blocking everyone at the border failing — mainly because no-one knows where the border is anymore — a risk-based approach is driving the way businesses think about their information and systems security.

At the heart of that change is a focus on access and identity management. John Delk, the Vice President of Product Management, Marketing and Sales Operations at NetIQ, told us that companies are trying to solve the same problems.

"Does the right user have the right access to the right information, and only that? At its heart, it's an identity powered problem."

Although there are many different slants and perspectives to the security discussion, this is a fundamental truth that spans different industries and use cases.

When looking at which sorts of companies are ahead of others when it comes to managing identity and access, Delk observes that organisations operating within regulated industries where there are stricter compliance obligations appear to be ahead of less regulated ones. However, part of that is understanding the balance between the IT and business elements so that a solution that is both technically viable and useful to the business can be achieved.

"Certainly, the fact that we are increasingly regulated with SOX, PCI and privacy acts, we see customers spending a lot more time and energy figuring out the balance between the IT role in that and the business role. Best practice is clearly saying how can I empower the business with IT as an enabler".

Over recent years, large organisations have increasingly turned to regular audits as a way of measuring their compliance with all the obligations they have across different regulations. But, as Delk puts it, "compliant doesn’t equal secure".

"One of the reasons for that is that you have silos," Delk told us. "As you go through an exercise and your attestations, you're only thinking about your silo. One of the benefits a vendor can bring is to make you think about it in a more holistic way".

Another challenge that Delk has observed is a disconnect between the IT team, business operations and the C-suite. When it's done well, there is a common thread, according to Delk. He said, "There has to be a business stakeholder - there has to be ownership. That's clearly a starting point".

Delk said that IT needs to be more effective at helping the business better understand the problem, and at giving them the means to solve the problem. That's an important distinction because it focuses IT as the enabler but gives the business the tools needed to take ownership.

An important element is communication. Often, IT presents problems and solutions in IT terms and not in ways the business can understand. For example, when asking the business about appropriate systems access, IT might use the names of systems, programs or database tables. However, the business needs information presented in terms such as "can access sales reports" or "can enter sales transactions".


Where IT can help is by then using the data they gather to identify high-risk users.

"If I can tell you that, of the hundred users you're supposed to certify, 20 of them are higher risk because they access applications from multiple points in the network, or they use it outside the firewall or they've accessed it at two o'clock in the morning. All of these things push them up to the top of the risk meter".

Two-factor authentication has been touted as a tool for managing the authentication part of access but Delk sees context as being equally important. So, it's no longer about something you know and something you have. Where you are and what time you are using your credentials become an important element of the identity and access management solution.

This sort of information means the business can identify, in their own terms, where the risks lie rather than IT trying to infer what is right and wrong. This assists with breaking through the complexity that comes from having hundreds of systems with dozens of different roles within each one. Multiplied by thousands of users, the number of potential different combinations creates an extremely complex problem to solve.

Delk says that there are industries we can look to when trying to manage this level of complexity.

"Telcos have dealt with these kinds of scale issues for many years. The reality is that you start to think about correlation. How can I take the behaviour I'm seeing and attach some context to it? What thresholds are important? What's the norm? Telcos are very good at knowing what the norm is on a given day or time and then they alert if something occurs outside that," he added.

It's important to note that many recent mega-breaches have been the result of third-party contractors having their access compromised. This is often compounded by credentials being cloned or reused. As a result, contractor user credentials accumulate access to systems that they don't need. This was one of the issues identified as a result of last year's Target breach and may have been a factor in the recent Home Depot breach.

Adding further complexity is the distributed nature of IT. In the past, when all the key systems lived inside a data centre and users accessed applications with company-supplied equipment, it was easier to manage access. But today, we operate in a BYOD world with applications that are sourced from third parties, with data centres no longer local but managed by external service providers and increasingly transient workforces.

"The perimeter is gone. We have to accept that we're part of the Internet. We know that we're going to have folks inside pushing data out and accessing systems outside. We've rushed to some of the cloud implementations and then figured out that we wish we had more of an enterprise-centric control point," said Delk.

As a result, companies are now looking to control identity and access centrally rather than cede that out to the cloud, according to Delk.

Until recently, access was seen as a binary assignment - you either had access or you didn’t. But Delk sees a more nuanced approach emerging - an approach he described as "chunkable".

As more people are using social credentials, such as Facebook, Twitter or Google, to access services, there's a use case emerging where users can use those credentials for a limited level of access.

Basic access to a service can be achieved using a social credential but for a customer to complete a transaction they need to "upgrade" to a more robust credential where their name and payment details are verified.

Boris Ivancic, the Vice President and General Manager for Asia Pacific and Japan at The Attachmate Group - NetIQ's parent company, told us that another of the business's focuses is on data in motion.

"In the past you'd have a particular application and a particular section within a company that was responsible for access. Now, with more people using third party partners and vendors and service providers, that data now becomes more accessible to multiple people outside the traditional way it was used. The issue is how do we protect that data. How do you protect it when it’s in transit to a third party service provider? What happens to that data when it's there and how do we ensure that there's no leakage?"

For example, in healthcare, a doctor might use corporate systems to access health records while working in a hospital but then access the same systems and data on a personal tablet as they make their rounds. As a result, there need to be processes and systems in place to ensure that people can access the right data at the right time without compromising security and confidentiality.

What's clear is that we are in a constant state of flux when it comes to identity and access management. The use of external services, such as social log-ins, the increasing mobility of the workforce and popularity of cloud services and external service providers means that companies will need to maintain focus on access and identity.

And while audits can be a helpful tool, there's a strong need to integrate identity and access management into the fabric of business operations, and for IT to do a better job of communicating and enabling so that the business can make smart decisions that take into account context so that data is accessed appropriately and anomalies are detected.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
