Tuesday, April 28, 2015

RSA 2015 Identity, Identity, Identity

This past weekend I returned from the annual RSA conference in San Francisco.  While I may be slightly biased by my area of interest, I saw and heard more emphasis on the criticality of effective Identity and Access Management this year than ever before.  2014 was widely referred to as The Year of the Breach.  Last year over 1 billion personal data records were stolen, and the companies whose networks were compromised include some of the largest and most recognizable, among them Apple, Home Depot, JP Morgan Chase, Kmart, and Staples.  In every case, compromised user credentials played some part in facilitating the breach.  For Target, whose own breach occurred at the very end of 2013, the associated costs to the company and its shareholders are now over $150 million.  Compromised user credentials are by no means the only problem that led to these incidents, but they play a central role.  Other factors include targeted phishing attacks (spear-phishing), which accounted for 30% of all attacks on commercial networks last year, and malware, which is often used in conjunction with targeted attacks, increased by 60% last year, and is growing by roughly 4,000 new threat variants per minute.

So what has changed?  Mobile and cloud computing, along with the ever-increasing need to give customers and partners greater access to information and a richer user experience, have meant extending access to data and services and establishing digital identity "trusts" with third-party Identity Providers such as Google, Microsoft, Facebook and others.  Instead of targeting hardened networks and application infrastructures, bad actors are exploiting users' identities to gain "legitimate" access.  They then pivot to other systems or users, eventually gaining the credentials and access they need.  As an example, in the Anthem Blue Cross breach, attackers obtained the identities and credentials of several different employees through phishing attacks.  These included the credentials of system administrators, which gave them the access needed to steal millions of customer and employee health insurance records.  Premera Blue Cross experienced a similar breach, and as a result both insurers now face numerous class action lawsuits in which plaintiffs claim the organizations failed to exercise "due care" in protecting their users' identities and credentials.

Identity is now a primary attack surface.  Amit Yoran, President of RSA, the security division of EMC Corp., addressed this in his opening keynote, where he stated that "Identity and Authentication are paramount to security... we must know who is accessing what, in real time, in order to stop attacks earlier in the kill chain".  Protecting this attack surface is hard because identities must be trusted in order to grant access, and users' credentials must be passed securely between applications.  At the core of this challenge is the fact that companies have traditionally not designed Identity and Access Management platforms as an attack surface.  These systems were protected behind complex "defense in depth" architectures within the network core, where they provided basic access provisioning services.  In the new paradigm, we must combine established controls, such as minimum password complexity and routine password change, strong multi-factor authentication, and end-to-end encryption of authentication traffic, with newer identity and access models such as claims-based authentication and secure token services.  The key strength of these services is the componentization of identity into separate parts: the unique attributes comprising an identity, held by the Identity Issuer or Authority, and the "claim", a statement by that issuer which identifies the user and carries relevant attributes such as name, preferences and privileges.  Claims are then packaged in one or more signed "tokens", which can be validated by any system that shares a trust relationship with the issuer (that is, holds the issuer's verification key) without contacting the issuer on every request.  The exchange of tokens also securely facilitates federation of identities and access rights (including Single Sign-On) between applications and across networks, relieving users of repeatedly entering credentials and enhancing the user experience.  The preceding is often referred to as part of the "Zero Trust" security model, reflecting the fall of the network perimeter.

To allow the standardization and interoperability this model requires, there has been a good deal of churn among specifications and standards, with the aim of settling on a widely adopted, no-compromise approach to highly distributed Identity and Access Management.  OpenID Connect and the JavaScript Object Notation (JSON) Web Token (JWT) architecture have so far been the most widely adopted.

Visibility, the capability to effectively monitor access in real time, is another key capability necessary for Identity and Access Management.  Threat intelligence and access data must be continually monitored.  This requires that identity and access log data and other analytics flow continuously, in machine-readable format, to monitoring and detection platforms for analysis, and that appropriate alerting and response occur for anomalous activity.  Among the 1,200 new information security startups, which received $7 billion in new capital funding last year, are companies whose technology and services provide Identity and Access Intelligence.  These technologies bring identity and access information together with varied event data, which is mined algorithmically to identify potentially threatening or business-impacting activity.  Whether it is erroneous actions that threaten the integrity of production data or malicious activity that suggests pending data loss, these systems allow much earlier and more granular detection of unusual behavior and access attributable to specific identities.  This capability becomes even more critical as the Internet of Things (IoT) grows to a projected 100 billion connected devices by 2018.  Many of these devices will have addresses on corporate networks and user identities connecting to them, adding yet another point of entry.  Appliances capable of monitoring and analyzing activity (at near wire speed) among these ever-increasing devices and identities will be a necessity to maintain the confidentiality and integrity of data and the availability of services.
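As an added illustration of the identity-centric detection the paragraph above calls for (not code from the original post or any vendor), the following runs two simple rules over a constructed stream of authentication events and emits alerts attributable to a specific identity, in machine-readable form. The event fields, user names, IP addresses and thresholds are all assumptions made for the example.

```javascript
// Added example (not from the original post): identity-centric detection logic
// run over constructed authentication events. Field names and thresholds are
// assumptions for illustration, not any product's log schema.

// Constructed sample events (ts in seconds). Two patterns are planted: a burst
// of failures followed by a success for jdoe, and one service account
// authenticating from three different sources within ten minutes.
const SAMPLE_EVENTS = [
  { ts: 1000, user: 'jdoe', ip: '203.0.113.10', result: 'fail' },
  { ts: 1005, user: 'jdoe', ip: '203.0.113.10', result: 'fail' },
  { ts: 1010, user: 'jdoe', ip: '203.0.113.10', result: 'fail' },
  { ts: 1015, user: 'jdoe', ip: '203.0.113.10', result: 'fail' },
  { ts: 1020, user: 'jdoe', ip: '203.0.113.10', result: 'fail' },
  { ts: 1030, user: 'jdoe', ip: '203.0.113.10', result: 'success' },
  { ts: 2000, user: 'svc-backup', ip: '198.51.100.7', result: 'success' },
  { ts: 2100, user: 'svc-backup', ip: '192.0.2.44', result: 'success' },
  { ts: 2200, user: 'svc-backup', ip: '203.0.113.99', result: 'success' },
  { ts: 3000, user: 'asmith', ip: '192.0.2.5', result: 'success' },
];

const DEFAULT_RULES = { windowSeconds: 600, failThreshold: 5, sourceThreshold: 3 };

// Streams events in time order, keeping a per-identity sliding window, and
// emits an alert whenever a success completes a suspicious pattern.
function detectIdentityAnomalies(events, rules = {}) {
  const { windowSeconds, failThreshold, sourceThreshold } = { ...DEFAULT_RULES, ...rules };
  const sorted = [...events].sort((a, b) => a.ts - b.ts);
  const history = new Map(); // user -> events still inside the window
  const alerts = [];
  for (const ev of sorted) {
    if (!history.has(ev.user)) history.set(ev.user, []);
    const recent = history.get(ev.user);
    while (recent.length && recent[0].ts < ev.ts - windowSeconds) recent.shift();
    recent.push(ev);
    if (ev.result !== 'success') continue;
    // Rule 1: repeated failures then a success from the same source (guessing or credential stuffing).
    const failures = recent.filter((e) => e.result === 'fail' && e.ip === ev.ip).length;
    if (failures >= failThreshold) {
      alerts.push({ rule: 'failures_then_success', user: ev.user, ip: ev.ip, ts: ev.ts, failures });
    }
    // Rule 2: one identity succeeding from many sources in the window (shared or stolen credential).
    const sources = [...new Set(recent.filter((e) => e.result === 'success').map((e) => e.ip))];
    if (sources.length >= sourceThreshold) {
      alerts.push({ rule: 'many_sources', user: ev.user, ts: ev.ts, sources });
    }
  }
  return alerts;
}

// Machine-readable output for a downstream SIEM or alerting pipeline: one JSON object per line.
function alertsToJsonLines(alerts) {
  return alerts.map((a) => JSON.stringify(a)).join('\n');
}
```

Both rules key on the identity rather than on a host or network segment, which is what makes the resulting alerts actionable for an identity team: each one names the account to suspend or step up, and the source addresses to investigate.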
