Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint Security

1/30/2019
09:15 AM
Joe Stanganelli
Joe Stanganelli
Joe Stanganelli
50%
50%

Should All IAM Be CIAM?

CIAM vendors are right that traditional IAM isn't going to cut it for customer-facing solutions - but their sound premises have led to the perverse conclusion of keeping in-house IAM systems suboptimal. What if the power of CIAM could help employees realize better usability and security too?

Identity-management vendors are increasingly sounding the alarm that it's not enough for businesses to purchase identity access management (IAM) solutions; they also have to invest in specialized consumer identity access management (CIAM) solutions for their customers. The reasoning goes like this: customers behave differently from internal business users; they are identified on systems differently, have different needs, are more unpredictable and demand more.

In particular, CIAM vendors urge that it is wrong to extend the same traditional IAM systems to consumer-facing portals because the latter lack the usability that consumers have come to demand.

Employees as second-class identities? "Workplace IAM benefits from having a captive audience -- employees will tolerate poor performance from their authentication systems. However disruptive it may be, they have little recourse but to cope with the system," blogs Sven Dummer, a product-marketing director at CIAM vendor Janrain, in pitching CIAM as a complement to traditional in-house IAM. "Customers are not so forgiving and are likely to stop using a brand app or software platform if it doesn't meet their expectations for easy, fast and reliable access."

Dummer goes on to argue that CIAM scales better, profiles user behavior better and requires IT-security teams to be ready for anything on the open Internet -- and he is not alone in making this argument. To wit, it makes no sense for the IT and security teams to treat customers or other external users in the same semi-lackluster way that they treat employees and other internal users.

This argument, while founded on some solid premises, misses the bigger picture -- that enterprise IT security is falling short of the mark when it comes to meeting in-house security and usability demands. If the justification for CIAM deployment is to improve the customer's user experience anyway, then rather than ensuring that the organization doesn't treat customers as poorly as they do their own employees, the focus should instead be on ensuring that the organization treats its employees at least approximately as well as it treats its customers.

Overlapping CIAM with IAM After all, in a March 2018 report, Gartner identified the "increasing overlap" of CIAM features with traditional in-house IAM features as the top trend driving CIAM design -- particularly as:

  1. B2C IAM deployments approach 70%
  2. Effective CIAM deployment requires a ground-up security architecture that can support it
  3. Customer-facing mobile CIAM interfaces frequently have to access company data commonly managed by an in-house IAM system

Forrester, for its part, has pointed out that -- counter to Dummer's assessment -- poor and unintuitive usability in enterprise IAM solutions will lead to employees quietly thumbing their nose at security controls -- instead constructing and exploiting risky and subversive workarounds (to say nothing of the other risks of poor employee morale). (See: IAM Heads to the Mobile Cloud.) Report after report and headline after headline in cybersecurity agree that, at the end of the day, users -- whether internal or external -- just want their stuff to work, even if it means sacrificing security and data protection. (See: iOS 12: How Apple Keeps Getting Mobile Security Wrong and Uber Loses Customer Data: Customers Yawn & Keep Riding.)

Consequently, if CIAM's flexibility, usability and security are deemed superior for wild-card consumer use cases, why not apply CIAM systems or principles in-house? Why not make things better for everybody?

Reconciling CIAM with in-house demands This proposition bears a wrinkle, however. Andras Cser, one of the co-authors of the aforementioned Forrester report, has previously pointed out that CIAM lacksthe endpoint controls of traditional in-house IAM, where every user and every device are known and approved.

At first glance, this appears to be a huge weakness in CIAM because of the increasing proliferation of endpoint-focused attacks. (See: DHS: Millions of Smartphones Infected With Severe Embedded Vulnerabilities.) Nonetheless, it is a bit of a red herring. As Verizon Business pointed out in its annual Data Breach Investigation Report last year, web-application attacks targeting endpoint devices (including attacks that do not rely upon stolen credentials) have represented the most common attack vector leveraged against enterprise data. Indeed, in 2017, malicious web applications were more than five times more likely to be the cause of a data breach than a physically lost or stolen endpoint device. (See: Data Breach Increase Shows Endpoints Are Under Attack.) Therefore, absent those few attacks that rely upon physical access to an endpoint device (and, in some cases, even then), the loss of strict endpoint control that comes with CIAM implementations can potentially be more than made up for by the focus on controlling access to web applications themselves -- a focus that IT security teams need to have anyway. (See: Unknown Document 742114.)

To be sure, CIAM is not mutually exclusive with the enterprise-security strategies that typically ought accompany traditional in-house IAM. And there are yet further ways to firm up CIAM deployments -- while keeping them flexible enough for common usability.

  • IAM vendors themselves espouse the need for multifactor authentication (MFA) as "industry standard."
  • By the same token (pun unintended), single sign-on (SSO) with federated access can improve usability while relieving employees of having to remember too many ever-changing passwords.
  • Web-app attacks on endpoints can be further avoided or mitigated with basic anti-malware software, improved firewalls and more attentive IP-address lookup and filtering.
  • Regardless of identity-management strategy, common endpoint vulnerabilities can be resolved by pushing out automated software updates, upgrading legacy devices and improving both security training and security culture throughout the organization. (See: Endpoint Security: 3 Big Obstacles to Overcome and Personal Security Begets Enterprise Security.)
  • Most importantly (yet often overlooked), security teams should work with the business side to identify top usability concerns, map out user system interactions from start to finish and identify time periods when systems may be under the most strain from given departments.

Related posts:

— Joe Stanganelli is managing director at research and consulting firm Blackwood King LC. In addition to being an attorney and consultant, he has spent several years analyzing and writing about business and technology trends. Follow him on Twitter at @JoeStanganelli.

 

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29378
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. It is possible to elevate the privilege of a CLI user (to full administrative access) by using the password [email protected]#y$z%x6x7q8c9z) for the e...
CVE-2020-29379
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D4L V1.01.49 and V1600D-MINI V1.01.48 OLT devices. During the process of updating the firmware, the update script starts a telnetd -l /bin/sh process that does not require authentication for TELNET access.
CVE-2020-29380
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. TELNET is offered by default but SSH is not always available. An attacker can intercept passwords sent in cleartext and conduct a man-in-...
CVE-2020-29381
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. Command injection can occur in "upload tftp syslog" and "upload tftp configuration" in the CLI via a crafted filename...
CVE-2020-29382
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. A hardcoded RSA private key (specific to V1600D, V1600G1, and V1600G2) is contained in the firmware images.