A Maturity Model for De-Weaponizing Identity Systems – Part 3

In Part 1 of this series, I discussed the types of attackers who can weaponize your identity systems, use them to cause harm. In Part 2, I introduced the design goals of the Maturity Model as well as the disciplines needed to implement the Maturity Model. In this post, I’ll discuss each of the 5 levels of the Maturity Model and controls you should put in place to achieve those levels.

Level 1 – Managed

This level is table stakes. It optimizes your organization’s existing security controls for identity systems. I believe it helps make compliance with things like GDPR easier but it is in no way a “cure all” for regulatory burdens. To achieve Level 1, you’ll need a combination of access control, data protection, and audit:

  • Access Control
    • 2FA for admins
    • No developer access to production data
    • No program-lead access to production
  • Data Protection
    • No insecure data transfers
    • No insecure data staging
    • Data encrypted in transit
  • Audit
    • Audit all admin system configuration changes
    • Audit user access to systems

Some of things to note… 2FA for admins is just good practice in every setting, especially if you do not have a privileged account management procedure in place. We often hear about “no developer access to production” but in an era of DevOps, you want your developers in production… but that doesn’t mean they need to access to production data, just the production systems themselves. Similarly, while developers get a lot of attention, one constituency that doesn’t are program leads. People like me should not have access to production. If you oversee an IAM program, you should not have any sort of administrative access to your production systems. Sure, you are an end-user of those systems, like everyone else, but you should not have any other privileges.

Probably not a lot of surprises in the Data Protection section, but we still see people getting tripped up by staging data insecurely.

Audit too comes with little surprise. Know what admins are doing to your systems and know who it using your systems. Continue reading “A Maturity Model for De-Weaponizing Identity Systems – Part 3”

A Maturity Model for De-Weaponizing Identity Systems – Part 2

In the first part of this series, I discussed different kinds of attackers and why they attack our identity systems. I also discussed how they can weaponize our identity systems, turning what is meant to deliver services and do good into something that can be used to cause harm. In this part I’ll talk about the goals of the model, the disciplines needed to do this work, and the levels of maturity.

Goals of the Maturity Model

When coming up with this maturity model, I had 4 goals in mind:

  1. Defend against all attackers
  2. Balance protection and productivity
  3. Achieve greater transparency
  4. Promote data provenance

Defend against all attackers

Since all 3 kinds of attackers can weaponize identity systems, we have to defend against every time of attacker: Bulk, Single Data Subject, and Successor. However in order to do this requires that we have specialized defenses against each type. Said differently, a generic defense is in effective. In fact, one can think of this maturity model as a specialization of existing security controls for identity systems, but more on that later. Continue reading “A Maturity Model for De-Weaponizing Identity Systems – Part 2”

A Maturity Model for De-Weaponizing Identity Systems – Part 1

It’s no secret that we, as identity professionals, are the custodians of some of the most crucial information in our enterprises. We hold information about employees and customers in our identity systems in order to deliver them services that range from productivity to entertainment to personal health and wellbeing.

And as professionals, none of us want to build systems that can harm other people. Certainly, none of us want to build systems that can be used to harm ourselves. At the core of our professional code of ethics is the spirit of “do no harm.”

Now it is true that if our identity systems are of value to us and to our employers, then they are of value to attackers.

Who are these attackers?

There are two kinds of attackers: bulk and single data subject attackers; let’s look at both.

Bulk Attackers, as the name implies, want bulk data… they want all the data. Why they want all the data can vary widely. They might be interested in a single vendor’s customers. Or they might be interested in everyone in a region who shares a medical condition or ethnic heritage, or employer. They might be setting up for a later spear phishing attack. They might be putting the pieces together for an ethnic minority oppression campaign or a voter suppression campaign.

On the other hand, Single Data Subject Attackers are only interested in a single data subject. They are focused just one individual. Why? They might want to take control of a celebrity’s mobile phone for the lulz or leak personal photos to the web. They might be interested in dox’ing an adversary. They might want to make an ex-spouse’s life a living hell.

Continue reading “A Maturity Model for De-Weaponizing Identity Systems – Part 1”

Professionalizing Identity: What happens next?

Apologies for not getting this out sooner.

After having a great time at #CISNOLA I recovered a bit. In that time I got a lot of feedback on my micro-keynote on professionalizing the identity management industry. Lots of of very encouraging feedback.

There was a common theme to these conversation – I signed the pledge; so now what happens?

From a long term perspective, I simply don’t know.

On a shorter timeline, here’s what I do know.  Kantara is going to leave the pledge page open for a few more weeks. Around July or August, Kantara will convert the pledge list to a working group.  This discussion group will explore what a professional organization for our industry should look like. I have recommended that that working group spend the rest of the year identifying what the organization ought to look like, what it should do, what it should not do, etc.  My hope is that around the beginning of 2017 the organization gets going in earnest.

Well that seems like a long time to wait you might say. True. But we’ve gone 30 years without a professional organization – 180 more days isn’t going to kill anyone.  Having gone through the creation of one organization already, I am in no rush and I think the Kantara leadership is of a similar mindset.

In the meantime, what can you do? Send your colleagues to the Kantara pledge page. Talk with your peers about what you want to see in a professional organization for our industry. Find similar organizations that are doing interesting things and brings those things to the working group when it starts.