spots of thoughts: ian and friends rant, rave, and ruminate
Author: Ian Glazer
Ian Glazer is a senior analyst for Burton Group’s Identity and Privacy Strategies service. He covers identity audit, user provisioning, controls management, and privacy. Prior to joining Burton Group, Ian was senior director, of program management at Approva Corporation, director of identity strategy at Trusted Network Technologies, and senior product manager at IBM where he was a top-ranked product manager on the IBM Tivoli Identity Manager team, heading provisioning offerings for small and medium businesses. Ian is a strong advocate for industry standards and efficacy. He was a contributor to OASIS Provisioning Services Technical Committee and is a co-inventor of the patent pending Web Services Federated Provisioning. Ian is a frequent speaker and panelist at identity leadership events and is an active blogger identity management and security issues.
To grow your skills, you must know your skills. Problem is, that’s harder than it sounds, if only because we rarely carve time out of our hectic lives to do so. Might as well use these next few minutes to do so, and this post will give give a technique to help you along.
We cannot think about our skills in a vacuum. It’s a well researched fact that humans are horrible at assessing their own skills. We often inflate skills we do not have. We downplay skills we do have. Simply put, we lie to ourselves about the strength of our skills.
We need inner honesty. We need outside voices. We need feedback… in order to examine these skills we have and those we don’t.
If you want feedback, it helps to have a bit of structure to shape the conversation. If you want to evaluate your own skills, it helps you to focus if you have a bit of structure as well. So what then should that structure be?
A few months ago, I had the honor and pleasure to sit down with one of the most awesome people in Privacy, Michelle Dennedy, Chief Privacy Officer at Cisco, and record one of her Privacy Sigma Riders podcasts. We were in Austin. We were pumped to finally get together. We were heavily caffeinated. And we didn’t actually record anything… save for the last 25 secs of what was a 45 minute conversation. Fail… fail… fail!
So semi-undaunted, we tried again in November. This time we had professionals helping out… and we needed it. Good news is we actually got it recorded! Michelle and I wander about topics of ethics, empathy, how privacy and identity are related, and IDPro, the professional organization for identity management.
(Thanks to Kim Cameron for prompting me to write this down. Special thanks to Chuck Mortimore for his insight and probing questions and who helped me improve this.)
In the identity industry, there’s been a lot hype these days around self-sovereign identity. The latest permutation in the quest for user-centric identity, self-sovereign revisits the laudable goal of enabling people to be in better control of how information about them passes to enterprises and organizations (but now with added blockchain.) To be clear, increased individual control is an important goal and one that incredibly sharp people have been working on for 15+ years, going back to InfoCard and Higgins.
Before I discuss why self-sovereign has a real chance at widespread adoption, it’s important to understand why identity technologies and approaches get adopted in the first place. At least, three things are required:
People who will use the identity system
Organizations willing to consume identities from the system
Significant and relatively equivalent value for both groups
You need a lot of people to use an identity system for mainstream adoption. You get those people by providing enough value to them either in hard currency (e.g. you give them a cut of what their personal data is worth, extend discounts in lieu of currency, or free services) or in efficiencies (e.g. never fill out an account registration form ever again) or in security (e.g. your account will be harder to hack) or in privacy (e.g. your data will never be resold or your data is anonymized.)
In Part 1 of this series, I discussed the types of attackers who can weaponize your identity systems, use them to cause harm. In Part 2, I introduced the design goals of the Maturity Model as well as the disciplines needed to implement the Maturity Model. In this post, I’ll discuss each of the 5 levels of the Maturity Model and controls you should put in place to achieve those levels.
Level 1 – Managed
This level is table stakes. It optimizes your organization’s existing security controls for identity systems. I believe it helps make compliance with things like GDPR easier but it is in no way a “cure all” for regulatory burdens. To achieve Level 1, you’ll need a combination of access control, data protection, and audit:
2FA for admins
No developer access to production data
No program-lead access to production
No insecure data transfers
No insecure data staging
Data encrypted in transit
Audit all admin system configuration changes
Audit user access to systems
Some of things to note… 2FA for admins is just good practice in every setting, especially if you do not have a privileged account management procedure in place. We often hear about “no developer access to production” but in an era of DevOps, you want your developers in production… but that doesn’t mean they need to access to production data, just the production systems themselves. Similarly, while developers get a lot of attention, one constituency that doesn’t are program leads. People like me should not have access to production. If you oversee an IAM program, you should not have any sort of administrative access to your production systems. Sure, you are an end-user of those systems, like everyone else, but you should not have any other privileges.
Probably not a lot of surprises in the Data Protection section, but we still see people getting tripped up by staging data insecurely.