Identity & Access Management

2013 and 2014 were major years for IAM awareness in both government and industry.  The Snowden leaks helped teach government agencies the value of limiting individual access to vast troves of information.  In the private sector, Target’s credit card breach cost the company 46% of its fourth-quarter profits and drew more than 140 lawsuits (Radichel, 2014).  Although Target’s breach might have been stopped by any number of mitigation efforts, proper IAM would have limited the intruders’ ability to spread from the billing system used by the HVAC company to the more sensitive parts of the network.

The attention the breaches received has in turn drawn more attention to the topic at every level.  Some parts of the industry, such as Staminus Security and Norse Corp, have responded with security theater (Gallagher, 2016; Fisher, 2016), while other parts have taken a thoughtful look at making sure only the right people have access to the right amount of information.

For local IT, IAM often takes the form of a Microsoft Active Directory server or some LDAP variant.  LDAP v3 is described in RFC 4511, released in 2006, and includes a number of key operations, namely bind, unbind, unsolicited notification, search, modify, add, delete, modify DN, compare, abandon, extended operation, intermediate response message and the Start TLS operation.  In general these operations are carried over TCP or UDP port 389.
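As an added illustration that is not part of the original essay, the following Python encodes an RFC 4511 simple BindRequest in BER and parses it back, which is what a passive sensor on port 389 can recover when a client binds without first using the Start TLS operation; the DN and password are constructed sample values.

```python
# Added example, not from the original essay: BER-encode an RFC 4511 simple
# BindRequest and parse it back, to show what crosses TCP/389 when a client
# binds without the Start TLS operation. DN and password are constructed.

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04  # universal BER tags
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed (RFC 4511 BindRequest)
SIMPLE_AUTH = 0x80    # AuthenticationChoice simple [0], primitive

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple pw } }."""
    assert 0 < message_id < 128        # keeps the INTEGER to one content octet
    bind = (tlv(INTEGER, b"\x03") + tlv(OCTET_STRING, dn.encode())
            + tlv(SIMPLE_AUTH, password.encode()))
    return tlv(SEQUENCE,
               tlv(INTEGER, bytes([message_id])) + tlv(BIND_REQUEST, bind))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_simple_bind(msg: bytes):
    """Recover (message_id, dn, password) from a captured simple bind, or None
    when the message is not a simple BindRequest (e.g. unbind or SASL bind)."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != SEQUENCE:
        return None
    _, mid, pos = read_tlv(body, 0)
    tag, bind, _ = read_tlv(body, pos)
    if tag != BIND_REQUEST:
        return None
    _, _, pos = read_tlv(bind, 0)        # version INTEGER
    _, dn, pos = read_tlv(bind, pos)     # name LDAPDN
    tag, cred, _ = read_tlv(bind, pos)   # authentication choice
    if tag != SIMPLE_AUTH:
        return None
    return int.from_bytes(mid, "big"), dn.decode(), cred.decode()
```

Every byte of the password appears verbatim in the encoded message, which is why a monitoring rule that flags simple binds on port 389 outside a TLS session is a cheap and useful check.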

While RFC 4511 has served the industry well as a basis for working authentication protocols, the nearly full decade since its release has seen a great deal of growth and development.  In December of 2015 the VP of Technology for Advancer Corporation penned his IAM predictions for 2016, giving us an indication of how far the field has developed.  His seven predictions include:

  1. Cyber security has become the religion, equally for government and businesses.

  2. Cloud IAM to spread towards provisioning capabilities.

  3. Spreading of IDM systems on-premise as well as cloud.

  4. Cloud will enable greater utilisation of IAM products by small enterprises.

  5. Safeguarding and securing super users through PAM.

  6. Managing of identity through secure user identity management and access governance will enhance.

  7. Businesses will stay agile by adding more layers of IAM into their IT infrastructure.

(Mittal, 2015)

In addition to SaaS, PaaS and IaaS, companies including Centrify are now talking about Identity as a Service (IDaaS).

All of these technologies are extensions of the need to be authenticated within cyberspace.  For individual users, sites such as LastPass step in to help them manage their online identity across a myriad of websites.  SSH, Bitcoin and Bitmessage all operate using cryptographic keys to ensure sender and recipient identification during transmission.

For the average user this effort really hits home in the area of social media.  As of 2011 Facebook began forcing HTTPS connections to reduce the man-in-the-middle attack vector (Stackoverflow, 2011).  Google also adopted HTTPS in 2011 to reduce snooping on user search queries (Google.com, 2011).  The robustness and popularity of social media led Gartner’s research team to predict in 2013 that future customer identities would be based on social media (Gartner Inc., 2013).  Today the spirit of that prediction holds true, as social media logins are integrated into sharing-economy sites such as Airbnb and educational sites such as Khan Academy.  Google’s developer websites now include easy-to-follow guides for leveraging its identity services in emerging technology (Google.com, 2016).

In mobile computing, just as on traditional machines, identity management begins with authenticating to the device itself.  Fingerprint readers are now serious features on smartphones.  Although phones do have inherently insecure networking components (Anthony, 2013), they do enable a second layer of IAM: two-factor authentication (2FA).  2FA on smartphones works because the phone itself is a part of two separate networks.  The SMS messaging service built on the purely cellular technology is in many ways a separate network from the data connection on the phone itself.  Because of this, an attempted login over HTTPS can be verified using an SMS message.  Circle finance requires authentication before conducting bitcoin transactions, and major social networks now offer 2FA as part of their authentication services.

In the cloud, IAM has become a must-have as cloud features have grown in popularity and potential.  Google for Business offers several layers of sharing options for files hosted on Google Drive.  By default a file is accessible only to its author; once sharing is enabled, the default is to share it across the entire organization.  Additional options exist for public read-only, public edit and organization read-only.  Because the system is cloud based, it can respond quickly to new features suggested by user feedback.  Google’s products aren’t the only ones with these features.  Similar access control and identification measures are implemented in Dropbox and ownCloud and are considered a standard feature set when developing similar tools.

As we move more and more things to the cloud, and big data becomes more of a reality for businesses, IAM will continue to be a significant part of an organization’s IT strategy.  In the business world, Sony’s 2014 breach, attributed to an insider threat, is a critical example of how big data matched with poor IAM can cause serious problems.  While 2013 and 2014 were significant years for IAM awareness, the industry has since matured, but only time will tell whether the pace of maturity across the spectrum has kept up with the pace of innovation from malicious actors.

References:

Anthony, S. (2013, November 13). The secret second operating system that could make every mobile phone insecure | ExtremeTech. Retrieved April 12, 2016, from http://www.extremetech.com/computing/170874-the-secret-second-operating-system-that-could-make-every-mobile-phone-insecure

Fisher, C., & Jude, A. (2016, February 4). Hot Norse Potato | TechSNAP 252 | Jupiter Broadcasting. Retrieved April 12, 2016, from http://www.jupiterbroadcasting.com/93496/hot-norse-potato-techsnap-252/

Gallagher, S. (2016, March 11). After an easy breach, hackers leave “TIPS WHEN RUNNING A SECURITY COMPANY”. Retrieved April 12, 2016, from http://arstechnica.com/security/2016/03/after-an-easy-breach-hackers-leave-tips-when-running-a-security-company/

Gartner, Inc. (2013, February 5). Gartner Says Half of New Retail Customer Identities Will Be Based on Social Network Identities by 2015. Retrieved April 12, 2016, from http://www.gartner.com/newsroom/id/2326015

Google.com. (2011, October 18). Making search more secure. Retrieved April 12, 2016, from https://googleblog.blogspot.de/2011/10/making-search-more-secure.html

Google.com. (2016, April 12). Google Identity Platform | Google Developers. Retrieved April 12, 2016, from https://developers.google.com/identity/

Mittal, R. (2015, December 18). IAM Tech Trends to watch out for in 2016. Retrieved April 12, 2016, from https://www.linkedin.com/pulse/iam-tech-trends-watch-out-2016-rajesh-mittal

Radichel, T. (2014, August 5). Case Study: Critical Controls that Could Have Prevented Target Breach. Retrieved March 29, 2016, from https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412

Stackoverflow. (2011, January 27). Force HTTPS on Facebook? Retrieved April 12, 2016, from http://stackoverflow.com/questions/4723983/force-https-on-facebook

Why Cloud Security Is Hard

When I interviewed the head of one of the most successful Ubuntu-based Linux distributions a few weeks ago we talked about how he factors security into the project’s goals.  The metaphor he used in the interview was that security is like Swiss cheese.  There are naturally going to be holes in the product, but it doesn’t become a problem unless there are too many holes allowing something to pass through, or get in too deep.  As the head of the project he’s the one ultimately responsible for its security.  I know who to reach out to if I find a bug or something goes wrong.

One reason why cloud security is so challenging is because it’s often hard to know who to reach out to when holes are found.  One of the worst practices still seen in the industry is storing people’s information unencrypted.  When a local realty site asked for some personal information before they showed me a listing and then sent the information in plain text to me over email I was really glad I used a burner email address (one reason why it’s good to own your own domain).

I called the company up and told them they weren’t following good practices and needed to encrypt my data or remove it.  The real estate market requires a broad range of skills.  Computer security isn’t one of them.  As polite as the realtor was on the phone he didn’t understand why he needed to change anything on his end.

Irena Bojanova is a wonderful contributor to the IEEE and her article on Addressing Cloud Security provides a good overview of the trade-offs involved in different types of cloud implementation.  SaaS puts the onus of security on the hosting company while PaaS and IaaS move the security requirements (minus physical security) closer to the customer.  Security is so important in the cloud that it will change the way I implement my projects significantly.

I’m perfectly capable of setting up a LAMP server in the house and getting the port forwarding to allow outside access, but encouraging that traffic into my LAN isn’t something I want to own.  If all I need is a LAMP server I’ll often host at DigitalOcean.com because they make it easy to get it running in under a freakin’ minute!  When I host with them it’s basically a PaaS setup.  But if I run the LAMP server on DigitalOcean I get full control over it, and a lot of the responsibility for securing it.  Most of the time I don’t want to deal with the hassle, even if WordPress does do automatic updates (insecure plugins are still a good-sized attack vector).  In that case I’ll build a site using Squarespace.com.  Squarespace does all the coding for me so all I really have to do is worry about layout and content.  When I went to launch jfroecker.com I decided to go with them because I’d never have to troubleshoot a denial of service attack or a code injection gone wrong.  That peace of mind makes a big difference.

Google’s record of finding and patching bugs is impressive, and so there’s some data I’ll host on Google Drive because of their ability to protect the content at least as much as my password will allow.  As one of the world’s largest data repositories they’re often called upon to comply with subpoenas for information, and as much as they patch holes, they also comply with their legal obligations to assist law enforcement.

There’s no perfect solution to security in the cloud.  It’s like Swiss cheese.  There are going to be holes, but before you go throwing your data up online you might want to take a look at how deep and how big those holes are.