A Maturity Model for De-Weaponizing Identity Systems – Part 3

In Part 1 of this series, I discussed the types of attackers who can weaponize your identity systems and use them to cause harm. In Part 2, I introduced the design goals of the Maturity Model as well as the disciplines needed to implement the Maturity Model. In this post, I’ll discuss each of the 5 levels of the Maturity Model and the controls you should put in place to achieve those levels.

Level 1 – Managed

This level is table stakes. It optimizes your organization’s existing security controls for identity systems. I believe it helps make compliance with things like GDPR easier, but it is in no way a “cure all” for regulatory burdens. To achieve Level 1, you’ll need a combination of access control, data protection, and audit:

  • Access Control
    • 2FA for admins
    • No developer access to production data
    • No program-lead access to production
  • Data Protection
    • No insecure data transfers
    • No insecure data staging
    • Data encrypted in transit
  • Audit
    • Audit all admin system configuration changes
    • Audit user access to systems

Some things to note… 2FA for admins is just good practice in every setting, especially if you do not have a privileged account management procedure in place. We often hear about “no developer access to production,” but in an era of DevOps, you want your developers in production… that doesn’t mean they need access to production data, just to the production systems themselves. Similarly, while developers get a lot of attention, one constituency that doesn’t is program leads. People like me should not have access to production. If you oversee an IAM program, you should not have any sort of administrative access to your production systems. Sure, you are an end-user of those systems, like everyone else, but you should not have any other privileges.

Probably not a lot of surprises in the Data Protection section, but we still see people getting tripped up by staging data insecurely.

Audit too comes with little surprise. Know what admins are doing to your systems and know who is using your systems.

A Maturity Model for De-Weaponizing Identity Systems – Part 2

In the first part of this series, I discussed different kinds of attackers and why they attack our identity systems. I also discussed how they can weaponize our identity systems, turning what is meant to deliver services and do good into something that can be used to cause harm. In this part I’ll talk about the goals of the model, the disciplines needed to do this work, and the levels of maturity.

Goals of the Maturity Model

When coming up with this maturity model, I had 4 goals in mind:

  1. Defend against all attackers
  2. Balance protection and productivity
  3. Achieve greater transparency
  4. Promote data provenance

Defend against all attackers

Since all 3 kinds of attackers can weaponize identity systems, we have to defend against every type of attacker: Bulk, Single Data Subject, and Successor. However, doing this requires that we have specialized defenses against each type. Said differently, a generic defense is ineffective. In fact, one can think of this maturity model as a specialization of existing security controls for identity systems, but more on that later.

A Maturity Model for De-Weaponizing Identity Systems – Part 1

It’s no secret that we, as identity professionals, are the custodians of some of the most crucial information in our enterprises. We hold information about employees and customers in our identity systems in order to deliver them services that range from productivity to entertainment to personal health and wellbeing.

And as professionals, none of us want to build systems that can harm other people. Certainly, none of us want to build systems that can be used to harm ourselves. At the core of our professional code of ethics is the spirit of “do no harm.”

Now it is true that if our identity systems are of value to us and to our employers, then they are of value to attackers.

Who are these attackers?

There are two kinds of attackers: bulk and single data subject attackers; let’s look at both.

Bulk Attackers, as the name implies, want bulk data… they want all the data. Why they want all the data can vary widely. They might be interested in a single vendor’s customers. Or they might be interested in everyone in a region who shares a medical condition or ethnic heritage, or employer. They might be setting up for a later spear phishing attack. They might be putting the pieces together for an ethnic minority oppression campaign or a voter suppression campaign.

On the other hand, Single Data Subject Attackers are only interested in a single data subject. They are focused on just one individual. Why? They might want to take control of a celebrity’s mobile phone for the lulz or leak personal photos to the web. They might be interested in dox’ing an adversary. They might want to make an ex-spouse’s life a living hell.


Why is the Identity leg of the stool missing?

[Many thanks to Gerry Gebel for giving me the nucleus for this post]

In the midst of the ongoing privacy and security conversation, I pointed out last week that identity is the missing leg of the security/privacy stool. Identity is both a means of expressing privacy requirements and a necessary set of security controls, as well as a key to delighting customers and driving business engagement. A colleague pointed out that while security and privacy might be different halves of the same coin, identity is the coin itself. I’m not sure I fully agree with that, but it gets to the sentiment I have.

The use and protection of identity data has strong footing in both the privacy and security worlds. And yet identity and identity management professionals are not first-class members of the conversation. Why is that? One reason, in my opinion, is that we didn’t expect the industry to stand alone for the duration.

The inevitable absorption into business process that never happened

Speaking as an identity professional, I don’t think we claimed our seat at the table because, in part, we didn’t expect to be around IT for so long. 10 to 15 years ago there was a thought that identity would be subsumed by larger, adjacent business process engines. Human resource management, for example, should have absorbed identity management, at least for employee identity. I still remember the Catalyst in San Francisco where the Burton Group identity team (I was just a newbie in the audience at the time) had Oracle and SAP talk about their plans (or lack thereof) for synergy between HRMS and IAM. What was clear to Burton Group was that the systems that managed your job role and responsibilities ought to be managing that in both the on- and offline worlds.

Employee identity really ought to be a function of HR and an extension of HRMSs. In doing so, identity professionals would become the technical arm of HR. Some companies tried this, putting their technical role management programs within HR. But for political/organizational/cultural reasons, those approaches did not last.

If HR was to be the home of employee identity, then what of customer identity? Looking to the business process engines that manage customer information, one could see CRM systems absorbing customer identity functions. In such a world, the teams overseeing sales, service, and marketing processes would be the voice of the customer and their business process engines would deliver the identity functionality the customer needed.

In both scenarios the job of “standalone” identity management technology and professionals would be greatly diminished. The path forward for professionals in such a world was to become technical HR, Sales, Service, Marketing, etc. professionals, acting as business system analysts serving their constituency or delivering architectures and process integrations to allow identity information to flow and be useful. These worlds did not fully materialize.

FAQ for Building a Presentation

I’ve been collecting questions I get about my thoughts on how to build a presentation. Here are, in no particular order, some of the top ones and my answers.

Does this work for every kind of presentation?

Hell no! It works well, for me, for keynotes. It works well for building talks that are presentations as performances.

It will not work well for lectures and workshops. It will not work well if what you actually need is documentation. See Tufte on that one.

How long does this take?

Start to finish it takes me between 40 and 80 hours to build a complete 20-minute keynote. I can’t tell if that is too much or too little time.

But in the end, it doesn’t matter. Think about building a presentation like building an animated movie. It takes hours upon hours to build just one frame.

Can I do this?

Hell yes! If you have clarity about what you want to communicate and if you have empathy for your audience, you can do this. Do not let anyone tell you otherwise.

Showing my work

A few weeks back I posted my 9 step process for building a presentation. I wanted to share some examples of that process in action. What follows are glimpses of my “No person is an island” talk which I delivered at Defrag in November.

Step 1 – Finding the Nucleus

I had two quotes that served as the nucleus for this deck.

hierarchies and our love for them is the strange love child of Confucius and the military industry complex

and

treating people like just nodes just rows in a database is, essentially, sociopathic behavior. it ignores the reality that you, your organization, and the other person, group, or organization are connected

Step 2 – Build an outline

I use OmniOutliner for my outlines. Here’s a PDF of it: no one is an island outline

Step 3 – Write the speech

You can read the final version here, but if you want to see the original with my notation for pictures, check this out.

Steps 4 & 5 – Skeleton Deck to Version 1 Deck

This was a bit of an unusual presentation for me in that I had material from another presentation I wanted to include. That helped get me to a more polished-looking version 1 of the presentation than I usually have. Just a heads up – I usually work in Keynote, but to be fair to my non-Mac friends, I have posted the deck as a PDF: No person is an island v1

Steps 6 to 9 – Getting to ship the deck

I ended up doing 5 revisions to this deck. Usually I do about 10. Here’s the final version:

The Identity Philosophers Song

With all due apologies to Monty Python and specifically Eric Idle here’s the identity industry’s version of the Philosophers Song. Many thanks to everyone who helped this effort and huge thanks to Eve Maler for all her work on this. What follows is meant with much love and respect to everyone in the industry (mentioned or not). And with that… maestro please:

Jeremy Grant was a real pissant
Who was very rarely stable
iglazer, iglazer was a boozy beggar
who could think you under the table
Blakley who could out-consume
Madsen, Bradley, and Dingle
Pat Patterson was a beery swine
Who was just as schloshed as Cahill
There’s nothing Wilton couldn’t teach ya’
Bout the raising of the wrist.
Cameron himself was permanently pissed…

George Fletcher, still, of his own free will,
On half a pint of shandy was particularly ill.
Nishant K could stick it away;
Half a crate of whiskey every day.
Patrick Harding, Patrick Harding was a bugger for white lightning
Nash was fond of his dram,
Really Dick Hardt was a drunken fart
“I drink, therefore I am”
Yes, Cameron himself is particularly missed;
A lovely little thinker but a bugger when he’s pissed!


And if none of that made sense to you, here’s the original which also might not make much sense either.