Todd Peterson, from One Identity, delivered the second part of the AusCERT 2017 opening keynote. One Identity may sound like a new business but it’s an offshoot from Dell EMC and Quest Software.
“If you think about all the attacks coming in, they boil down to identity,” said Peterson.
While your user account, said Peterson, might seem to be quite useless to an attacker, once a threat actor has access to a system on the network, whether that’s through remotely accessing a system or by using a physical attack vector such as compromised USB flash drive, they will attempt to move laterally through an organisation. During that exploration, they will seek weaknesses in the barriers between systems to exploit.
“If you can control who has access to what and you know who they are, you can cut off a lot [of attacks] at the knees,” said Peterson.
Peterson says it comes down to four “A”s; authentication, authorisation, administration, and audit.
Authentication is about how you get onto a system and prove who you are. Authorisation deals with what you are and aren’t allowed to do. Administration is the set-up of those components. Audit is not a mandatory requirement, said Peterson, but is important as it allows you to ensure that everything is operating according to the rules you set up.
When identity and access management (IAM) works well, it means the right people have the right access to the right resources when they need them with appropriate governance in place from wherever the data or application is needed.
When Peterson asked the audience how many people felt that had all that in order, very few hands went up, suggesting this is still an area security professionals are struggling with.
“It’s a lot easier said than done,” added Peterson.
The complexity comes, he said, from the way businesses acquire systems over time. Each application brings with it its own identity management regime and getting all these to integrate is difficult. We’ve moved from systems that were locally housed and closed to more open systems held in servers that are offsite. In parallel, there are more compliance obligations than ever.
For many enterprises, this has led to identity enrolment and management processes that are handed through email, spreadsheets and other manual processes. And this means mistakes can be made.
The scope of effective IAM, said Peterson, comes down to three things.
- Identity governance ensures you have complete, business driven, processes for who can access data and privileged information. It marries visibility and control with administration.
- Access management puts systems in place that allow users to access the resources they need to do their jobs wherever and whenever they need in a convenience, secure and compliant manner.
- Administrative or privileged account management is in place with granular controls and effective monitoring.
Peterson conceded that this might all seem “pie in the sky” for some businesses but he was adamant it could be done.
They key, he said, was to focus on successful outcomes. When IAM is done right, there is effective governance, it is business driven, it is modular and integrated so it can fit into existing tools and systems, and be cloud ready. Rather than being rigid, it is adaptable so it can accommodate the systems and services you choose in future.
Critically, it needs to not only deliver value, but IAM needs to deliver value quickly so it is a benefit and not an impediment to getting things done.
When it comes to technology and tools, Peterson said “It’s about more than buying the right technology. Even the best technology, if it’s implemented poorly, isn’t going to work. And the worst technology, that is implemented well, might actually do the job”.
The key factor, he said, was about the processes and systems you put around the technology.