Accenture Security Blog
Insightful commentary on using security to enable enterprise growth while minimizing risks and defending against sophisticated cyber attacks.

The Cloud is many things and it is particularly one thing for those who approach it with the eyes of the computer revolution of the 20th Century: the Cloud phenomenon appears as an ever more slick incarnation of the out-sized computer, sitting somewhere remote and isolated, capable of everything, ever-present.
To a hammer everything looks like a nail, the saying goes, and that is how people tend to see the tools and technologies around the Cloud. In doing so the conventional observer misses the fact that the Cloud is not (and cannot be) merely a technological compound; it essentially reflects historical and sociological changes, a context different from the one in which some of us learned to use the Personal Computer.
This is particularly the case with almost esoteric disciplines like Identity and Access Management (I&AM). To the techno-centric practitioner, I&AM is frozen in time at the moment somebody invented “provisioning” and “role management”, and since then the most important change has been that the number of I&AM vendors in the market has boiled down to a hard core of massive monolithic offerings which compete more on size and difficulty of implementation than on effectiveness and business value.
Equally, when thinking of the Cloud, I&AM specialists think more of complex platforms and software libraries that are offered to consumers in the well-known Software as a Service model (SaaS).
This conception is actually an obstacle for the progress of the Security disciplines, and of Identity and Access Management itself, as people limit their work to usage models that have very little to do with Identity and the possibilities of the Cloud.
Following the SaaS model, we see updated strategies from technology vendors trying their hands at subsets of the art, for example in the areas of “risk based reporting” and “compliance”. These offerings have one thing in common: a lack of understanding of the over-arching importance of Authentication capabilities, over and above every other aspect of the Cloud.
Traditional thinking focuses on Unique User IDs, password management, well-defined roles and “user provisioning”, when not on risk-based reporting and application access control, but all of this will give way to new forms of identity management that will challenge at the same time the monolithic “platform” approach, and the niche vendor approach.
These won’t be vanquished by a new technology, the “next big thing”, but fundamentally by a new way of doing things in this space.
What is new in the world of identity stems from post-industrial, globalised commercial exchanges and human movements. The same forces that cross and cancel national boundaries, that transform the family and local life, radically transform business and enterprise structures.
The global, transnational enterprise is also global in the sense that it represents the existence and reproduction of identities that are vastly mobile and rootless, lacking firm context and defined loyalties. These “identities” are abstractions of biological persons, i.e. “equal individualities” which are entities with very little history and references to begin with.
In this context, no individual appears entirely validated, but only as a fragment of a legally existing person, and only as a function of a partial activity in the economy or as part of an organisation. In the global network, the activities of the individual are indirect and partial, or even better, the shadow of a real individual.
For this fundamental, non-technological reason the monolithic individual does not exist, and so in dealing with identity we are not facing a definable object but an activity. Professor Chadwick, a prominent British scholar in the specialty of Identity Management, has put this succinctly with the formula: “It does not matter who you are but what you can do”.
In this context, the global corporation can’t rely, and should not rely on unique validators or stable identities, but on stable roles, defined routes and managed channels of communications. As I have said in other posts, the key to Cloud value is a “variety of identities”.
Unique, flat, general and shared network spaces with stable identities are a dream of the past.
Now, in this context, something is still missing, and is still difficult to grasp if we stay with the techno-centric perspective. For the individual as a person, his “identity” continues to be unique and coherent, even if it is partial and unstable for the multiple organisations, contexts and realms he or she moves in. For the organisation identity is fragmented, dispersed but still falsely understood as unique and defined.
This is the contradiction that we live in, the ideological framework that makes us think of Security as a profession bound to protect and defend; while it would be clear to all that we are missing the point and not responding to an historical challenge with such attitude. In fact, understanding that it is sociology and history which drive change and not technology would lead us to see that the whole promise of the new era is rooted in indirection, on mediation. For sure the machine is the instrument and the mediator, but the machine is only responding to the expansion of human action. It is this mediation that actually allows for anonymity and hence creates the context of fraud and crime (in so much as it underpins the context of freedom).
In seeing this, the controlling “protecting” technocratic spirit tries to turn against the basis of the historical period and tries to cancel anonymity as if it were some accidental unwanted feature of the present. This ignores the fact that both computing power in the hand of the individual and indirection of personal activity are the foundations of the digital global market. This market is indeed the product of uprooted, universalised, generic, global indirect activity that is not materially linked to the biological person (to the tax payer, the home owner, the corporate worker), but only indirectly and voluntarily so.
Is it not the case then that linking back the activities in the network to the “real biological person” is not only impossible but also counterproductive? Or better said, is it not the case that actually very successful business models always arise without such linking?
Here is my thesis: fragmentation of the identity is not a problem a) when the person has the power to decide when and how to act through the network; b) if multiple identities, i.e. levels of action, are acceptable for the business models; and c) if a variety of identities (and channels) are acceptable for commercial exchanges and human interaction in general.
The false perspectives disappear once we understand that technologies create their own “noise”. Indirection and abstraction create indirect mediated action and abstract, uprooted shadows of the individual.
In this context, is it a serious stance to abhor the unnamed anonymous “hacker” that is enabled precisely by the techniques of remote computing? Is it a meaningful stance to decry the risks of “attacks” to data just when we expose data to the global networks? Let’s be serious for a moment: the risk of fraud and impersonation is a derivative of multiple layers of indirection in commercial transactions.
For sure the way “forward” is not just to plan the rest of our lives as a war against masked aggressors and ever-exotic hackers, but to adapt to this new context. For sure there will be new protocols, new assurance levels, new risk-taking strategies, and a variety of identities on all sides, across all boundaries.
More specifically, a variety of identities means: parallel or shared identities (or as Mike Neuenschwander would say: Personas); and simultaneously, concurrent flows of collaboration managed by the person and not by the enterprise or the Government.
What is the new model? Let’s put the answer in the negative for now:
Identity Management is not, and can never be, a governing discipline that brings order where there is chaos, simplifies where there is complexity or reduces options where there is freedom. Quite the opposite: very soon I&AM will cease to be seen as part of Security and become just one more art of business risk taking.
We know the volume and diversity of attacks on corporate and government networks, smartphones and applications are on the rise: spam, phishing scams, mobile devices, advanced persistent threats.
Yet a large number of companies still do not have procedures in place to cope with the immediate issue of being the victim of a computer security incident. They are unable to marshal the correct responses that would curtail the damage as events unfold over time.
Just over a month ago .. 
July is always a good opportunity for identity and security professionals to step away from their projects and sharpen the proverbial saw. That's because two of the industry's premier conferences on these topics run back-to-back in the latter half of July.
First, the Cloud Identity Summit in Keystone Co. kicks off on July 18th. Hosted by Ping Identity, the conference features an impressive gathering of professionals from the world's leading cloud companies, including Microsoft, Google, Salesforce.com, and Accenture.
I'll be there again this year (see last year's presentation here), this time holding a 3-hour workshop on "The Challenges of Consumer Identity in the Cloud." The workshop will focus on real-world application of Internet identity standards (specifically OAuth, OpenID, and SAML) by large companies. The goal is to discuss best practices in using these standards and also provide input to the authors of the standards. The material for the workshop is based on work Accenture has done with a number of companies over the last year. I'll also be joined by a few of my engineering friends from Cerner, Drew Clippard and Matt Randall, who have spent the last year working with OAuth and OpenID in both consumer and B2B scenarios.
The following week, Gartner's Catalyst Conference runs from July 26-29 in San Diego. I'll do a bit of speaking there, too -- but mainly in the lobby, as the conference doesn't offer integrators any stage time. Nevertheless, it's a great conference in a great location, so I hope to see you there!
By:
Alexander Bolante
I think Federation is, in fact, one of the hot topics being discussed by enterprises today – and I would think it's primarily driven by SaaS.
Hearing what others are saying about current/emerging trends in this space, I'd sum them up as –
1. Services and infrastructures moving to the cloud, which impacts identity-enabled apps both on and off premise
2. Mobile access to enterprise services, and the need to secure enterprise apps accessed via smartphones and tablets
3. Consumerization of IT, i.e., enabling integration with social networking tools, internet identities, etc.
And looking across what some of my current clients are commonly evaluating, I'd say that does include:
Enabling cloud computing
- Securely accessing and providing cloud services (public/private)
- Leveraging internet identities (e.g., Facebook Connect, or supporting emerging standards like OpenID, OAuth, SPML)
Extending support for mobile computing
- Supporting lightweight devices to access enterprise resources (e.g., RESTful interfaces, broad(er) platform support)
- Leveraging devices to identify/authenticate users
One example I’m currently tackling with a large NA Retail client is “HW tokens = single point of failure”, i.e., keys to the kingdom:
- Meaning, some of the most high-value resources are only protected by a single form of "strong" credential-based authentication.
- When these forms of authentication are broken/circumvented (e.g., stolen credentials, session hijacking, rogue insiders), the security level falls, e.g.: Access request -> password -> protected resources
So today, many clients are now considering "layered and risk-aware" approaches to Access Management/Federation, i.e., more “complete” solutions:
- e.g., Access request -> password -> device -> location -> session, context & app data -> verify ID -> protected resources
I'd be interested in hearing what others (cross-industry, SI's and vendors) are seeing as well. Are we seeing over-engineered solutions? Or adoption for and driven by much of the above?
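The layered chain described in the comment above, worked through as an added example (not code from the comment or from any vendor product). The signals, weights and thresholds are assumptions chosen for illustration, and the user profile and requests are constructed sample data. It also shows why the single-factor chain is the weak point: a stolen password passes "access request -> password -> protected resources" outright, while the layered policy refuses the same request because of an unknown device, an unusual country and impossible travel.

```python
"""Layered, risk-aware access decision.

Added example, not code from the original post or any vendor product. The
signals, weights and thresholds are assumptions chosen for illustration; the
user profile and requests below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class UserProfile:
    known_devices: Set[str]            # device fingerprints seen before
    usual_countries: Set[str]          # countries this user normally signs in from
    last_login_country: Optional[str]  # where the previous successful login came from
    last_login_epoch: int              # when that login happened (Unix time)


@dataclass
class AccessRequest:
    user: str
    password_ok: bool           # result of the credential check
    device_id: str
    country: str                # geolocation of the client address
    now_epoch: int
    session_age_s: int          # how old the presented session is
    resource_sensitivity: int   # 1 = low, 2 = medium, 3 = "keys to the kingdom"


# Constructed directory entry: one user, one known laptop, normally in the US.
PROFILES = {
    "alice": UserProfile(
        known_devices={"laptop-7f3a"},
        usual_countries={"US"},
        last_login_country="US",
        last_login_epoch=1_700_000_000,
    ),
}

# Hypothetical thresholds: below STEP_UP the request is allowed outright,
# from STEP_UP the user must re-verify identity, from DENY it is refused.
STEP_UP, DENY = 30, 70


def password_only(req: AccessRequest) -> str:
    """The single-factor chain: access request -> password -> protected resource."""
    return "allow" if req.password_ok else "deny"


def risk_score(req: AccessRequest, profile: UserProfile) -> Tuple[int, List[str]]:
    """Add up context signals: device, location, session age and resource value."""
    score, reasons = 0, []
    if req.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if req.country not in profile.usual_countries:
        score += 25
        reasons.append("unusual country")
    # Impossible travel: a different country within an hour of the last login.
    if (profile.last_login_country is not None
            and req.country != profile.last_login_country
            and req.now_epoch - profile.last_login_epoch < 3600):
        score += 40
        reasons.append("impossible travel")
    if req.session_age_s > 8 * 3600:
        score += 15
        reasons.append("stale session")
    score += 10 * (req.resource_sensitivity - 1)   # higher-value target, higher bar
    return score, reasons


def layered_decision(req: AccessRequest, profile: UserProfile) -> Tuple[str, List[str]]:
    """access request -> password -> device -> location -> session/context -> verify ID."""
    if not req.password_ok:
        return "deny", ["bad password"]
    score, reasons = risk_score(req, profile)
    if score >= DENY:
        return "deny", reasons
    if score >= STEP_UP or req.resource_sensitivity == 3:
        return "step-up", reasons   # ask for a second verification before granting
    return "allow", reasons


if __name__ == "__main__":
    # A stolen password used from an unknown device in another country,
    # ten minutes after the legitimate user logged in from the US.
    stolen = AccessRequest("alice", True, "phone-unknown", "RO",
                           1_700_000_600, 0, 2)
    print("password only:", password_only(stolen))
    print("layered      :", layered_decision(stolen, PROFILES["alice"]))
```

Note that the most sensitive resources (sensitivity 3) always require the "verify ID" step regardless of score, which is the point of the "keys to the kingdom" example: a single strong credential is never the only gate on them.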
Why is malicious software still seeping into corporate networks? Why is there a mad dash by organizations to prevent "data loss"? And why are mobile devices the new hot bed for Cyber insurgency?
Part of the answer lies in the sophistication of cyber-vectored threats, which some have nicknamed “Advanced Persistent Threats”. In these attacks the source (the ‘bad guy’) is characteristically geographically dispersed, and the opportunity is compelling and worthwhile. The result is a motivated adversary that makes it hard for us (the ‘good guys’) to predict the planning, execution and escape of an attack.
Hope is not lost as we race to stay one step ahead…… 
In a recent article in SC Magazine, Dan Raywood points to the critical change that is occurring in the Information Security market. He quotes Paul Simmonds, former CISO of AstraZeneca and board member of the Jericho Forum, as saying:
“The issue is on the move outside the perimeter, which is driven 100 per cent by business, and the IT administrator is playing catch-up, as is security.”
http://www.scmagazineuk.com/jericho-forum-identity-and-access-management-need-to-be-separated-in-the-business/article/199154/
Simmonds suggests that the main challenge with Identity and Access Management is the difficulty if not impossibility of containing the identities within the perimeter as business drivers lead to a fragmentation of access routes and business channels.
To counter this, Simmonds recommends the separation of access management and identity management via the use of “claims based security.”
The merits of claims-based mechanisms can be discussed but, to begin with, it is important to focus on the two things that are being highlighted here and will be even more important in the immediate future: first, the perimeter is disappearing, or has disappeared altogether, and second, identities are fragmenting and access routes (even for company staff) are multiplying and changing in nature.
In essence: identity is fragmenting, thereby compounding the previously known “de-perimetrization” of IT environments. To address this it is essential to re-balance and re-focus security moving from the emphasis on Protection and Enforcement to Trust Definition and Trust Allocation. In terms of Risk it is essential to adopt perspectives geared towards Risk Taking and Risk Sharing.
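To make the separation Simmonds recommends concrete, here is an added example (not from the article, the Jericho Forum or any product) of claims-based access using only Python's standard library: the identity side issues signed claims about a subject, and the access side verifies issuer, audience, lifetime and signature and then authorizes on what the claims say the subject may do, which is also Chadwick's “what you can do” in practice. An HMAC shared secret stands in for the issuer's signature; in a real federation the issuer signs with a private key and the relying party holds only the public key. The issuer, audience, scopes and policy table are assumptions constructed for illustration.

```python
"""Claims-based access: the identity side asserts and signs claims, the access
side verifies them and decides on what the claims say the subject may do.

Added example, not from the article or the Jericho Forum. Stdlib only. An HMAC
shared secret stands in for the identity provider's signature; in a real
federation the issuer signs with a private key and the relying party verifies
with the public key, so no secret crosses the boundary. Issuer, audience,
scopes and the policy table are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes, issuer: str, audience: str,
                now: int, ttl: int = 300) -> str:
    """Identity management: bind claims to issuer, audience and lifetime, then sign."""
    body = dict(claims, iss=issuer, aud=audience, iat=now, exp=now + ttl)
    payload = _b64(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return payload + "." + sig


def verify_token(token: str, key: bytes, expected_issuer: str,
                 expected_audience: str, now: int) -> dict:
    """Access management: accept claims only from a trusted issuer, for this
    service, within lifetime and with an intact signature."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    payload, sig = parts
    expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims.get("iss") != expected_issuer:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("token not issued for this service")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


# Constructed policy: which asserted scopes permit which action.
POLICY = {
    "read_invoice": {"accounts:read", "accounts:write"},
    "approve_invoice": {"accounts:write"},
}


def authorize(claims: dict, action: str) -> bool:
    """The decision rests on what the subject can do, not on who the subject is:
    no local account lookup, only the asserted scopes."""
    scopes = set(claims.get("scope", "").split())
    return bool(scopes & POLICY.get(action, set()))


def access_decision(token: str, key: bytes, issuer: str, audience: str,
                    action: str, now: int) -> bool:
    """End to end: verify the claims, then authorize the requested action."""
    try:
        claims = verify_token(token, key, issuer, audience, now)
    except ValueError:
        return False
    return authorize(claims, action)
```

The relying party never needs an account record for the subject; the identity provider can change how it establishes and refreshes identities without the access side changing at all, which is what makes identities from outside the perimeter usable. The checks that matter are the ones a claims consumer most often forgets: audience (a token for another service is not a token for this one), expiry, and a constant-time signature comparison.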
Too many documents and statements coming from the consultancy business just repeat the language of risk avoidance and the criteria of “risk appetite”, as if we were permanently talking only to IT departments, which, as Simmonds says are only “catching up”.
A risk avoidance position does not convey the voice of the business leader or the risk taker.
A risk avoidance position can generate only a minimalistic investment curve: it will support an expedient solution to “get away with it” and evade the consequences of the audit process, rather than aiming at expanding the business, growing the market or increasing the variety of users.
While we need to recognise the relevance of protective measures, it is wrong to centre the Security on Risk Management alone, even if the argument from the side of risk and compliance is prevalent among practitioners and analysts. This is only a fragment of the Security disciplines present and future.
When Security practitioners adopt the prevalent Risk avoidance and Trust enforcement perspective, they are just following the fears and the current misunderstanding that can be found in the market in respect to Security in general and I&AM in particular. Some experts compound the problem when they transport this emphasis to the Cloud.
In a way, Risk-focused advice is using exactly the same language used in the past around compliance, governance, attack-and-defence based security, and transporting it to modified circumstances. Why use the notions of “counter-attack” and “rapid response” as if all of Security depended on warfare scenarios and not on the transformation of Security as an enablement force?
On the traditional ground of Risk Avoidance and Trust Enforcement Security professionals become followers, not leaders.
My point is that we need to abandon the protection centred, techno-centric stance. Security is not an attack-defence position. In particular, Security is not primarily and not fundamentally about defence!
To progress from here we need to open up the concepts of Security. This is reflected in my recent presentation at the Gartner I&AM Summit on March 10th 2010.
I suggested a framework to position Security as a set of disciplines to define, allocate and manage trust, not primarily, not fundamentally and not only as a bunch of “weapons” to “defeat” an “attack”.
The following diagram illustrates the correlations between Trust and Risk Management in the new framework:

For too long the Security disciplines have been dominated by a focus on Protection and Enforcement, anchored on the perspective of Risk Reduction and Trust Enforcement. In the future Security must adopt a new framework correlating Trust and Risk Management.
By:
Alexander Bolante
Over the past seven years, I’ve designed and implemented a number of Identity Management solutions with scope and size varying from small-medium to large-complex enterprise deployments. From these experiences, I’ve realized there are still a few common pitfalls to avoid across packaged IDM solutions:
1. Don’t just implement your IDM solution on your organization’s standard vendor stack. Strongly consider implementing your IDM solution on the IDM vendor’s middleware and platform stack.
HW sizing guides are meant to provide guidelines/baselines, but not exact specs for your IDM deployment. The same applies for a vendor certification matrix – while a vendor’s IDM product might be certified or supported on a different vendor’s middleware or platform stack, that doesn’t automatically imply it’s the ‘optimal’ configuration. It’s common for an organization to already have infrastructure standards (e.g., we only use WebSphere Application Server for J2EE apps), but you need to carefully consider that your IDM solution may be harder (for the vendor) to support if deployed across multiple vendor stacks.
More important, it’s often difficult just to bring your IDM deployment up to par with common practices from other implementations – the more unique the configuration of your IDM deployment, the more challenging it is to support that configuration. For example, consider implementing Tivoli Identity Manager (TIM) on WebSphere App Server (WAS) with IBM DB2 all on IBM pSeries boxes. Given your IDM implementation is ‘blue’ all the way through, IBM is typically able to better support your configuration because all support would be (technically) internal to IBM – working across product support teams. If implemented on Oracle RAC on a HP ProLiant box, you’d now have to extend that support to Oracle and HP respectively.
2. Don’t underestimate your IDM infrastructure footprint, and start performance tuning early on.
Most, if not all IDM products are implemented on a two- to three-tier architecture: you have to consider database servers (data tier), middleware/application servers (app tier) and often web servers (web tier) including any network infrastructure changes connecting all three tiers (e.g., where should I use a HW load balancer vs. SW load balancer plug-in). Additionally, each tier requires its own performance tuning, pruning, cleaning and regular maintenance. At its core, there are multiple performance bottlenecks to consider in your infrastructure:
· Start with server or system resources (e.g., saturated CPU, exhausted memory, resource contention, insufficient disk space)
· Tune your way up from data tier to app/web tier (e.g., database servers typically require specific optimizer tunings, predefined indexes and table pruning while application servers typically require proper JVM/heap size allocation, connection pooling and message queue thresholds)
If all infrastructure components aren’t tuned to sing in harmony, you’ll find it harder and more costly to keep the lights on. Each vendor typically has their own dedicated wiki, forum, or support site specifically for sizing and tuning best practices – that’s always a good place to start.
3. Research the maturity of not only the product, but also product integration across the stack and with third party products
While new releases boast architectural enhancements, feature innovations and performance improvements, they are still “dot zero” releases, which means that, compared with releases that have had a chance to stabilize and improve over time, you should expect to encounter bugs during your deployment (or upgrade), some of which may take more time to resolve than others because they are net new. So bake ample time into your project plan to account for these potential deployment challenges.
The ability or need to integrate with third party products is obvious, but stack inclusion is equally important. You need to first understand whether the products included in a vendor’s IDM stack/suite enable you to develop a comprehensive IDM strategy. For example, if you’re considering developing authentication, SSO, federation and fraud prevention/detection, consider Oracle’s IDM 11g stack already provides OAM, OESSO, OIF and OAAM respectively to address each capability; this includes pre-configured integration libraries to enable unified access management.
4. Complete your fit/gap analysis, ensure your requirements have been vetted with IDM product experts and wash, rinse, repeat as major patches/fix packs come available
Of the previous three challenges mentioned, this is typically the most controllable – yet somehow the most common across IDM implementations. If your IDM requirement states, “Must be able to run on Internet Explorer 6.x” for some reason, double-check the version of the IDM product you’re deploying actually supports IE 6.x, otherwise you need to figure out the appropriate countermeasure (e.g., do you request a hotfix from the vendor, or do you wait for the next major patch to support it, or other alternative)?
In some cases, your fit/gap analysis will also drive new/future opportunities (e.g., in this case, considering the well-known security flaws of IE 6.x, you could use this as a driver to upgrade your IE 6.x platform).
5. You fill in the blanks…
This is by no means meant to be a definitive set of best practices. In fact, I encourage you to share your experiences internally on Accenture’s IAM Wiki or via vendor forums for the IAM community at large such as the below:
Oracle Identity Management Forums
http://forums.oracle.com/forums/forum.jspa?forumID=47
IBM Tivoli Security Management Forums
http://www-128.ibm.com/developerworks/forums/dw_forum.jsp?forum=259&cat=15
By:
Shan Gu
There is a great deal of debate over whether IT compliance actually improves the Security of a given system or merely gives organizations a false sense of confidence in the Security of their systems. But I’m not here to add to that debate. Let’s take the position for a minute that using IT compliance as a starting point and applying sound security practice does in fact improve the Security posture of an organization and/or system. What happens to that posture as we move into the Cloud and systems start relying on distributed trust? What happens when new attacks are created which rely on the collection of multiple individually benign data attributes that combine to form a trusted identity?
Modern-day compliance standards rely on the assumption that a system has control over all of the data stored within it. Compliance focuses on the protection of business data such as health or financial information, and identity data are treated as a subset of that business information. The actual establishment of trust, and assurance thereafter, is rather a side effect. Furthermore, sensitive data are identified by what can cause immediate damage when compromised in relative isolation (i.e., credit card information, social security number, medical history). But in a world of distributed trust, the data exchanges that assert and establish trust are just as sensitive, and collecting several individually innocuous pieces of information about a person can enable an attacker to hijack that person’s identity. This is where the current “protect my kingdom” model of compliance and security falls down, and in fact where any kind of centralized enforcement fails.
I believe that the solution also lies within the nature of the problem. The Cloud cannot be centrally managed and standards are difficult to enforce, but it also more closely approximates human social interaction. Each system is responsible for operating within its own accepted level of risk.
Trust is established between parties that provide enough information to each other to justify the risk of that external dependency. By providing a framework to describe risks and mitigating factors, we can help systems make better decisions about whether to accept those risks and determine which other systems to establish trust with. A framework and common language for describing the trustworthiness of a given system can enable the owners of consuming systems to decide whether or not to interact with it. As a start, the framework should describe:
- How identities are initially established and verified
- How identities are refreshed and assurance revisited over time
- How users are authenticated at runtime, and the level of assurance of that authentication
- How identity-related attributes are protected at rest and in transit
- How data integrity is ensured
- For a given identity, what other assurance factors apply (e.g., this customer has maintained an account in good standing for 3 years)
This framework will then support ancillary services such as trust ratings for systems. The natural evolution of things will presumably ensure that the systems that exercise the most due diligence in handling identities grow, while systems that are less diligent either dwindle or survive to serve very specific purposes with low trust requirements. The availability of this data to consumers will enable them to make informed decisions about which systems to interact with. Certification standards will further differentiate those systems which have invested in formal reviews of their mechanisms and help consumers make the price vs. risk decision. The future is not in continuing to iterate on a set of hard and fast rules about what data to secure and how, but rather in providing a common way of describing risk for businesses and consumers so that they can make informed decisions about whom they interact with. Evolution will take care of the rest.
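One way such a framework could be expressed and consumed, as an added example (not from the post, and not any published standard): a system publishes a machine-readable trust description answering the questions listed above, and a consuming system derives from it the assurance it can actually rely on and the operations it is willing to expose, according to its own accepted level of risk. The assurance levels, the degradation rules, the consumer's per-operation requirements and the sample systems are all constructed assumptions.

```python
"""A machine-readable trust description and a consumer-side decision on it.

Added example, not from the post. The TrustProfile fields follow the questions
the post lists (how identities are established, refreshed, authenticated and
protected, plus extra assurance factors); the levels, degradation rules and
the consumer's per-operation requirements are assumptions constructed for
illustration, not a standard.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

DAY = 86_400


@dataclass
class TrustProfile:
    """What a system publishes about how it handles the identities it asserts."""
    system: str
    proofing_level: int         # how identities are initially established and verified (0-3)
    auth_loa: int               # assurance of runtime authentication (0-3)
    last_review_epoch: int      # when identity assurance was last revisited
    review_interval_days: int   # how often it is supposed to be revisited
    protected_at_rest: bool     # identity attributes encrypted in storage
    protected_in_transit: bool  # identity attributes encrypted on the wire
    integrity_checked: bool     # assertions carry an integrity check (signature/MAC)
    extra_factors: Dict[str, float] = field(default_factory=dict)  # e.g. account_age_years


def effective_loa(p: TrustProfile, now: int) -> int:
    """Assurance the consumer can actually rely on: the weakest link, degraded
    by missing protections or overdue reviews, raised a notch by good standing."""
    if not (p.protected_in_transit and p.integrity_checked):
        return 0   # assertions could be read or altered in flight: rely on nothing
    loa = min(p.proofing_level, p.auth_loa)   # strong login on a weak identity is still weak
    if not p.protected_at_rest:
        loa -= 1   # a breached attribute store is exactly the identity-hijack material above
    if now - p.last_review_epoch > p.review_interval_days * DAY:
        loa -= 1   # assurance was not revisited on schedule
    if p.extra_factors.get("account_age_years", 0) >= 3:
        loa += 1   # long account history in good standing
    return max(0, min(3, loa))


# The consuming system's own accepted level of risk: assurance needed per operation.
CONSUMER_POLICY = {"view_catalog": 0, "place_order": 1, "change_payment": 2, "admin_console": 3}


def permitted_operations(p: TrustProfile, policy: Dict[str, int], now: int) -> Set[str]:
    """Operations this consumer will expose to identities asserted by system p."""
    loa = effective_loa(p, now)
    return {op for op, needed in policy.items() if loa >= needed}


def rank_by_trust(profiles: List[TrustProfile], now: int) -> List[TrustProfile]:
    """The ancillary trust-rating service: order systems by delivered assurance."""
    return sorted(profiles, key=lambda p: effective_loa(p, now), reverse=True)


if __name__ == "__main__":
    now = 1_700_000_000
    # Constructed sample systems with different levels of diligence.
    bank = TrustProfile("bank-idp", 3, 3, now - 10 * DAY, 90, True, True, True,
                        {"account_age_years": 5})
    forum = TrustProfile("forum-sso", 1, 2, now - 400 * DAY, 180, False, True, True)
    for p in rank_by_trust([forum, bank], now):
        print(p.system, effective_loa(p, now), sorted(permitted_operations(p, CONSUMER_POLICY, now)))
```

The two rules worth noting are the ones the post argues for: the consumer decides from the description rather than from a central rule set, and a system that lets assurance go stale or leaves attributes unprotected loses trust automatically, so diligence is rewarded without any central enforcer.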
By:
Alexander Bolante
In a few weeks, I'll be presenting with Eric Leach, Director of Oracle Product Marketing, on a live Oracle Security Online Forum to talk about and demonstrate how Oracle Identity Management solutions combined with Accenture's delivery expertise help our clients "Build a Comprehensive Identity Management Strategy."
A few other session highlights -- Shawn McGann, one of Accenture's resident Access Management SMEs, will be co-presenting with Mark Karlstrand, Oracle Senior Product Manager, to showcase how Oracle and Accenture "Externalize Security to Build a More Complete Extranet Security Strategy."
Ryan Beal, one of our key Identity & Access Governance Solution Architects, will be presenting how Accenture addresses "Business Centric Compliance" in today's challenging regulatory environment using Oracle Security solutions like Oracle Identity Analytics.
I highly recommend you take advantage of this unique opportunity to hear our experts in this space, who will also be available for a Live Q&A during the sessions. See below for details!
Oracle Security Online Forum
Live Date/Time: February 24, 2011 | 9:00 a.m. - 1:00 p.m. Pacific Standard Time
Join us for the Oracle Security Online Forum, where leading industry executives and Oracle product experts will come together to discuss security trends, best practices, and proven solutions for your business.
Security professionals, IT executives, IT architects, identity management and database specialists, data architects, IT administrators and auditors will all benefit. Don’t miss this unique opportunity to hear:
- Mary Ann Davidson, Oracle’s Chief Security Officer—on industry-leading standards, technologies, and practices that ensure that Oracle products—and your entire system—remain as secure as possible.
- Jeff Margolies, Partner, Accenture’s Security Practice—on key security trends and solutions to prepare for in 2011 and beyond.
- Vipin Samar, Vice President of Oracle Database Security solutions—on new approaches to protecting data and database infrastructure against evolving threats.
- Tom Kyte, Senior Technical Architect and Oracle Database Guru—on how you can safeguard your enterprise application data with Oracle’s Database Security solutions.
- Nishant Kaushik, Oracle’s Chief Identity Strategist—on how organizations can look to Oracle Identity Management solutions to help them reduce fraud and streamline compliance.
Additionally, Oracle security solution experts will be on live chat throughout the event to answer your toughest questions.
Attend this online event and find out how you can take a proactive approach to secure your enterprise.
Register Now!
Bill Phelps is an executive director in Accenture's Technology Consulting practice. He has spent more than 20 years in technology se...
Jeff Margolies is a Senior Director in the Accenture Technology Consulting Security business. He is the global lead for Identi...
Mike Neuenschwander is a Senior Manager in the Accenture Information Security Practice. A recognized thought lead...
Walid Negm is a member of Accenture’s Technology Labs where he has global R&D responsibility to help accelerate the adopti...
Carlos Trigoso is an Enterprise Security and Identity & Access Management architect. The main part of...