Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/10/2012
02:59 PM
Gunnar Peterson
Gunnar Peterson
Commentary
50%
50%

Scaling The Twin Peaks Of Identity And Access Management

Scaling identity's twin peaks -- IAM -- is not easy, but it is possible. This post looks at the pitfalls and keys to success

Identity and access management (IAM) systems present three gnarly challenges to the enterprise.

First, access management is concerned with authentication, authorization, access control, and attribution. These are effectively online services that take center stage while the system is being used by the user or service.

Second, identity management services like provisioning are concerned with preparing the system for use. These services focus on the life cycle management process, like account registration, propagation, and deprovisioning.

These two disparate concerns -- online access management and offline identity management -- are often lumped together in an information security team, yet their staffing models, processes technologies, and overall project risk have little in common. Identity management systems like provisioning have a heavy set of audit and compliance requirements, and they must map business rules, often from HR, and policies to long-running workflows. Access management systems, in general, are more technical in that they require deep integration into application runtime, working within the SDLC to wire up access management to work with app server containers and code.

Neither of these, working with HR and business process or with developers in the SDLC, is home territory for many information security teams. Of course, identity management and access management services must work together -- the identity management system must feed the access management system with the freshest, most consistent, and specific information to get the job done -- and this presents us with the third grand challenge: interoperability.

Anyone who has hiked in the mountains knows the concept of a "false peak." At the bottom of the trail you fixate on a mountain top, you eventually sweat your way up there, ten only to discover that it is not the top -- it just looked that way at the bottom. Merely getting an identity management system and an access management system up and running is not good enough. Running these two systems in isolation won't amount to a hill of beans unless they work together; specifically, the identity management processes must feed and manage the accounts that the access management system uses to make its decisions. This sounds simpler than it is.

Interoperability challenges come in several forms. At the most basic level there is connectivity and communications. Distributed application smay use Active Directory, LDAP databases, mainframes, Unix servers, and a whole host of other technologies. Can your provisioning system talk to each one?

Identity data must be synchronized or replicated, and this is where naming, data representation, and account and attribute ownership issues arise. The IDM must navigate a variegated naming and data landscape. For naming and data issues, either all systems must follow the same standard (highly unlikely), or in-depth mapping, transformation and cleanup processes must be worked into the provisioning systems to ensure consistency.

For account and attributes that are used across systems, the ownership is Balkanized. Organizational ownership battles occur over who is allowed to update, create, and delete accounts and attributes. The identity management team is in the center of the ring for these challenges and must build toward something that can both satisfy cross-organization stakeholders and scale in the real world.

Finally, the identity management team must clearly understand how the application is using the accounts and identity attributes. Which attributes are used for authorization inside the application? Is it a group, a role, or something more granular? The offline provisioning processes must provide the online authentication and authorization systems with data at the right level of specificity to enable the access management systems' policies to be workable and meet their goals.

Scaling identity's twin peaks is not easy, but it is possible. Keys to success include:

1. No Silver Bullets: Do not assume that there is a magic product or suite that can solve all of your IAM challenges. In fact, assume there is not one.

2. Think Top-Down: It's important to have a top-down view, an architectural view of IAM, and how the pieces relate

3. Execute Bottom-Up: But top-down is not enough (see No. 1). The top-down view must be carved out into projects that can work bottom-up to deliver the top down vision

4. Avoid The False Peak: Focus on interoperability, with identity and access management services working together.

With these four points in mind, the enterprise can avoid false peaks and be prepared to make progress on the IAM trail.

Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com. View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...