IAM Proves You Are Who You Say You Are
But people complicate this process of identity and access management.
Cybersecurity is a human problem. Bad people use good technology for the worst purposes. Good people sometimes simply make mistakes or take inappropriate shortcuts. In the unfolding, complex cyber ecosystem, nowhere does human meet machine more directly than with identity and access management, or IAM.
Yet this direct connection is fraught with risk. Everyone must log in, but no one wants a lengthy process. Consequently, the more that IAM is automated, the more that people—who pose the weakest link in the cyber realm—are removed from the equation. Herein lies the problem: The easier processes become for users, the more complicated processes become for systems themselves.
IAM is a multiheaded monster, encompassing identity verification, credential and privilege management, authentication, authorization and access controls, cryptography and user behavior analytics. That laundry list boils down to the critical notion that IAM is difficult to implement. Homeland Security Presidential Directive 12 serves well as Exhibit A.
In 2004, the U.S. Department of Homeland Security issued this policy, more commonly referred to as HSPD-12, as a common identification standard for federal employees and contractors. It mandated use of the personal identity verification (PIV) card in civilian agencies across the government and the equivalent common access card (CAC) across the Defense Department. This year, the Office of Management and Budget (OMB) published a report probing how well agencies complied with the law as well as other initiatives. The report showed that PIV adoption, particularly for privileged users, still is incomplete or deficient in many agencies.
But for all its implementation shortcomings, IAM remains important. One major barrier to executing a robust IAM program is the fundamental yet flawed human factor. Those who are putting programs in place must address the notion that people, above all else, seek convenience. This means that technology must be as convenient as it is fast, or people will find ways to bypass systems or take shortcuts. A huge obstruction to PIV and CAC adoption has been that very demand for convenience. Users simply do not want to plug a card into a computer just to begin doing their work.
Furthermore, the constant expansion of the network also grows its attack surface, which in turn complicates administrators’ attempts to provide a consolidated and secure IAM system. Consider the burgeoning field of cloud computing, the prevalence of mobile devices, the plethora of big data systems and the growing ecosystem of point products—each requiring its own identity and password. Taking in that big picture, it is not difficult to grasp the scope and dynamic nature of the problem.
Where is the starting point, then, for trying to tackle such a big and seemingly intractable problem? It certainly makes sense to learn as much as possible about current technologies and associated policies and practices. It also makes sense to glean knowledge about solutions that can bring structure, centralization and discipline to the Tower of Babel plaguing many organizations.
Remember, though, that IAM’s purpose is to control access to systems and especially to data. Knowing data storage locations, classifications, flow between systems and suitable levels of access is a big undertaking. This information comes from an inventory of systems and data, but according to the OMB report, many agencies lack a complete inventory, or they might have no inventory at all.
Without a handle on the precise number of systems, managers cannot possibly know where their data lives. Determining who has access and who does not must begin with a detailed inventory of all systems, software and data. This process includes identity management systems and enables a structured analysis of the scope of the problem: determining who has access to data and what they are allowed to do with it.
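The structured analysis described above can be run as a simple access review once an inventory exists. The following script is an added example, not part of the original article: it joins a constructed inventory of data stores, accounts and access grants (all names hypothetical) and reports the findings the article points at, privileged accounts without PIV enforcement, grants that exceed a user's clearance, grants held by users missing from the account inventory, and grants to stores missing from the data inventory.

```python
"""
Access review over an inventory of systems, data stores and accounts.
All sample data below is constructed for illustration (hypothetical names).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Ordered data classifications; a higher rank requires a higher clearance.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class DataStore:
    name: str
    system: str          # system that hosts the data
    classification: str  # key of CLASSIFICATION_RANK


@dataclass(frozen=True)
class Account:
    user: str
    privileged: bool     # holds an admin/privileged role
    piv_enforced: bool   # PIV (or CAC) required at login
    clearance: str       # highest classification the user may handle


@dataclass(frozen=True)
class Grant:
    user: str
    store: str
    permissions: FrozenSet[str]


# --- constructed sample inventory ---
STORES = [
    DataStore("hr_db", "hr-app", "confidential"),
    DataStore("pub_site", "web-portal", "public"),
    DataStore("payroll", "erp", "secret"),
]
ACCOUNTS = [
    Account("alice", privileged=True, piv_enforced=True, clearance="secret"),
    Account("bob", privileged=True, piv_enforced=False, clearance="confidential"),
    Account("carol", privileged=False, piv_enforced=True, clearance="internal"),
]
GRANTS = [
    Grant("alice", "payroll", frozenset({"read", "write"})),
    Grant("alice", "legacy_share", frozenset({"read"})),   # store absent from inventory
    Grant("bob", "hr_db", frozenset({"read"})),
    Grant("bob", "payroll", frozenset({"read"})),          # above bob's clearance
    Grant("carol", "hr_db", frozenset({"read"})),          # above carol's clearance
    Grant("carol", "pub_site", frozenset({"read", "write"})),
    Grant("dave", "hr_db", frozenset({"read"})),           # no account record for dave
]


def privileged_without_piv(accounts: List[Account]) -> List[str]:
    """Privileged accounts that can still log in without a PIV/CAC."""
    return sorted(a.user for a in accounts if a.privileged and not a.piv_enforced)


def clearance_violations(accounts, stores, grants) -> List[Tuple[str, str]]:
    """(user, store) pairs where the store's classification exceeds the user's clearance."""
    clearance = {a.user: CLASSIFICATION_RANK[a.clearance] for a in accounts}
    rank = {s.name: CLASSIFICATION_RANK[s.classification] for s in stores}
    return sorted(
        (g.user, g.store)
        for g in grants
        if g.user in clearance and g.store in rank and rank[g.store] > clearance[g.user]
    )


def orphaned_grants(accounts, grants) -> List[str]:
    """Users holding grants but absent from the account inventory."""
    known = {a.user for a in accounts}
    return sorted({g.user for g in grants if g.user not in known})


def unknown_stores(stores, grants) -> List[str]:
    """Stores referenced by grants but missing from the data inventory (an inventory gap)."""
    known = {s.name for s in stores}
    return sorted({g.store for g in grants if g.store not in known})


def who_can_access(store: str, grants) -> Dict[str, List[str]]:
    """Map each user with a grant on `store` to that user's sorted permissions."""
    return {g.user: sorted(g.permissions) for g in grants if g.store == store}


def run_review(accounts=ACCOUNTS, stores=STORES, grants=GRANTS) -> dict:
    """Run every check and return the findings keyed by check name."""
    return {
        "privileged_without_piv": privileged_without_piv(accounts),
        "clearance_violations": clearance_violations(accounts, stores, grants),
        "orphaned_grants": orphaned_grants(accounts, grants),
        "unknown_stores": unknown_stores(stores, grants),
    }


if __name__ == "__main__":
    for finding, items in run_review().items():
        print(f"{finding}: {items}")
    print("hr_db access:", who_can_access("hr_db", GRANTS))
```

The two inventory-gap checks (orphaned users and unknown stores) are the ones the OMB finding makes relevant: a grant that references something the inventory does not know about is itself evidence that the inventory is incomplete, and the clearance and PIV checks can only be trusted for the entries the inventory does cover.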
With a solid inventory, planning a rational IAM implementation is possible. Maximize what is available, eliminate redundancy, and remember that convenience always wins. For example, if a single sign-on capability makes life easier for users and reduces the attack surface, then it follows that it is possible to enhance convenience and security at the same time. That way, everybody wins.
Don Maclean is chief cybersecurity technologist for DLT Solutions in Herndon, Virginia. The views expressed are his own.