Since I first became the research director of the Security & Risk team more than five years ago, security leaders have lamented the difficulty of aligning with the business and demonstrating real business value. Over the years, we’ve written an enormous amount of research about formal processes for aligning with business goals, provided key metrics to present to the board, and developed sophisticated models for estimating security ROI. Yet for many, demonstrating real business value continues to be a significant challenge. If it wasn’t for the 24 hour news cycle and a parade of high profile security breaches, chances are good, that security budgets would have been stagnant the last few years.
Once a month I use my blog to highlight some of S&R’s most recent and trending research. When I first became research director of the S&R team more than five years ago, I was amazed to discover that 30% to 35% of the thousands of client questions the team fielded each year were related to IAM. And it’s still true today. Even though no individual technology within IAM has reached the dizzying heights of other buzz inducing trends (e.g. DLP circa 2010 and actionable threat intelligence circa 2014), IAM has remained a consistent problem/opportunity within security. Why? I think it’s because:
Most parents cheerfully mark the key milestones in their child’s path to adulthood: first step,first word, first school, first sleepover, first broken bone, and so on. But for many parents, no milestone causes as much anxiety as “first-time driver,” which is bestowed on all USA-based teenagers upon their16th birthday.
While surviving the experience of having our child become a driver may seem far removed from the world of access governance and entitlement certification, I found some parallels between managing a teenaged driver and managing the access rights and IT privileges of the end users in your organization. You can read more about it in my latest report, “Wake-Up Call: Poorly Managed Access Rights Are A Breach Waiting To Happen,” but here is a quick preview.
A common problem facing parents of teenaged drivers and IT organizations is that they have properly authorized users but often lack visibility into actual usage of those access rights. In the case of the teenaged drivers, parents often seek data around vehicle usage (Where did it go? At what time and at what speed?). For IT security professionals, organizations can no longer rely purely on static lists of authorized users and their access rights. So, just the way parents can impose mileage restrictions (reading the odometer to limit the distance a car can go in a given night) or fuel restrictions, an IT security team cansupplement access governance processes with additional usage data such as:
1. Has the employee accessed the application/system during the last certification period?
2. How often did the employee use the given entitlement?
Today we see two basic flavors of cloud IAM. One archetype is the model offered by Covisint, VMware Horizon, Symplified, Okta, OneLogin, etc.: these vendors provide relatively tight integration, but less capable identity services based on their respective firm's own intellectual property. Because of the above, these offerings clearly have a short implementation time. The other camp of vendors believes in providing hosted services of "legacy" IAM products: CA Technologies coming out with CloudMinder, Lighthouse adding their own IP to IBM TIM/TAM, Simeio Solutions blending OpenAM and Oracle's identity stack with their own secret sauce, and Verizon Business using NetIQ'sIDM stack as a basis for their hosted offering solution.
With only 4 stack players in Identity and Access Management, it is always welcoming news to see a new company joining the space. Quest Software is on a shopping spree: it acquired e-DMZ (privileged identity management), Völcker Informatik AG (provisioning), Symlabs (virtual directories), and now BiTKOO (XACML entitlement management). Forrester expects that in reaction to its main competitor NetIQ taking over Novell’s IAM portfolio, Quest will expand significantly into the non-Windows, heterogeneous IAM space. Forrester further expects that Symantec and to some degree Intel will follow suit, as both of these companies announced cloud-based IAM offerings.
Security Researchers in the UK say that the 3-D Secure (3DS) system for credit card authorization, a protocol that was "developed by Visa to improve the security of Internet payments," has significant security weaknesses. It is used by both of the ginormous card brands, known as "Verified by Visa" and "MasterCard SecureCode."
This could be a big deal.
In a recent paper, the researcher calls out 3-D Secure as a security failure that was pushed on consumers by financially incentivized merchants because, "its use is encouraged by contractual terms on liability: merchants who adopt 3DS have reduced liability for disputed transactions. Previous single sign-on schemes lacked liability agreements, which hampered their take-up."
According to the authors:
"3-D Secure has lousy technology, but got the economics right (at least for banks and merchants); it now boasts hundreds of millions of accounts. We suggest a path towards more robust authentication that is technologically sound and where the economics would work for banks, merchants, and customers - given a gentle regulatory nudge."
While waiting for the pan-out of the Cisco System's acquisition of Securent, I can't help but wonder how Cisco is going to develop the Securent technology in its future products. Will the Securent policy engine (PDP) be used 1) as a main point for policy management and enforcement for network equipment, OR 2) will they continue using the product along the 'Securent-intended' path: enforcing fine grained application level policies by integrating policy enforcement points into applications, OR 3) managing fine grained authorizations on the network layer (without the need to open up applications), similarly to BayShore Networks, Autonomic Networks, and Rohati Systems? Without a comprehensive identity and access management offering (IAM), Cisco will probably be fit best to do 1) and 3) described above. This seems most consistent with Cisco's background and culture.
IBM acquired Encentuate for an undisclosed sum. This underscores the validity of Forrester's prediction that the enterprise single sign-on (E-SSO) market in identity and access management (IAM) will grow from E-SSO's $250 million in 2006 to $2 billion in 2014 - a CAGR of 28.5%. What are the likely implications of this acquisition in the E-SSO marketplace?
1. After CA and Novell, now IBM will have a fully integrated IAM suite in which E-SSO will be first acquired, but later an organically grown product offering - provided that IBM is successful with integrating not only technologies, but the Encentuate engineering, support, and sales resources. Past experience with similar acquisitions show that this often sounds easier than it actually is.
2. Other E-SSO vendors (ActivIdentity and especially Passlogix) will lose some of their market share and will need to ramp up investment in product development to be able to keep their leading edge in product functionality.
Overall, IBM's move signals that E-SSO has become a mature and viable technology which - in conjunction with user account provisioning - will continue to drive the IAM market growth.
With Google, IBM, Microsoft, VeriSign, and Yahoo! joining the OpenID Foundation, we may actually feel that something in federated access management is going to change. It is finally not the case of a vendor proposing a new standard – and adding to the cacophony of federation standards – but a set of moves towards a simple technology that today can alleviate password management woes at service providers.
Technology aside, OpenID will greatly help with reducing and removing the legal obstacles in the way of identity federation’s proliferation. When payment-grade, commercial, and trusted identity provider service becomes a reality – VeriSign’s joining the OpenID camp clearly points in that direction – and software-as-a-service companies (like salesforce.com), accept OpenID authentication from these trusted identity providers, then enterprises can truly start thinking about outsourcing password management identity management processes. When required, strong authentication integration with OpenID can rely on VerSign’s VIP or other vendors’ strong authentication acceptance network.
Part of a successful Identity Management (IdM) project is a successful role discovery and mapping phase. Many organizations -- after having mapped and optimized their business processes -- turn to role design and management solutions (VAUU RBACx, BHOLD, Oracle's BridgeStream, and others). While these solutions give a great initial insight into the existing role structure, they are not the only source of role interrelationship information. Role design can build
many other sources: demographics mined from helpdesk tickets from users requesting access, job descriptions, quality management systems (it certain cases this is wishful thinking...), and increasingly from Enterprise or Desktop eSSO solutions (PassLogix, ActivIdentity, CA). eSSO solutions store multiple login credentials for users to multiple applications. As such, extracting account linkage, mapping and correlating user IDs between user repositories based
access information built by end-users is much more reliable than any artificial role mining logic, usually based