To grow your skills, you must know your skills. Problem is, that’s harder than it sounds, if only because we rarely carve time out of our hectic lives to do so. Might as well use these next few minutes to do so, and this post will give give a technique to help you along.
We cannot think about our skills in a vacuum. It’s a well researched fact that humans are horrible at assessing their own skills. We often inflate skills we do not have. We downplay skills we do have. Simply put, we lie to ourselves about the strength of our skills.
We need inner honesty. We need outside voices. We need feedback… in order to examine these skills we have and those we don’t.
If you want feedback, it helps to have a bit of structure to shape the conversation. If you want to evaluate your own skills, it helps you to focus if you have a bit of structure as well. So what then should that structure be?
In Part 1 of this series, I discussed the types of attackers who can weaponize your identity systems, use them to cause harm. In Part 2, I introduced the design goals of the Maturity Model as well as the disciplines needed to implement the Maturity Model. In this post, I’ll discuss each of the 5 levels of the Maturity Model and controls you should put in place to achieve those levels.
Level 1 – Managed
This level is table stakes. It optimizes your organization’s existing security controls for identity systems. I believe it helps make compliance with things like GDPR easier but it is in no way a “cure all” for regulatory burdens. To achieve Level 1, you’ll need a combination of access control, data protection, and audit:
2FA for admins
No developer access to production data
No program-lead access to production
No insecure data transfers
No insecure data staging
Data encrypted in transit
Audit all admin system configuration changes
Audit user access to systems
Some of things to note… 2FA for admins is just good practice in every setting, especially if you do not have a privileged account management procedure in place. We often hear about “no developer access to production” but in an era of DevOps, you want your developers in production… but that doesn’t mean they need to access to production data, just the production systems themselves. Similarly, while developers get a lot of attention, one constituency that doesn’t are program leads. People like me should not have access to production. If you oversee an IAM program, you should not have any sort of administrative access to your production systems. Sure, you are an end-user of those systems, like everyone else, but you should not have any other privileges.
Probably not a lot of surprises in the Data Protection section, but we still see people getting tripped up by staging data insecurely.
In the first part of this series, I discussed different kinds of attackers and why they attack our identity systems. I also discussed how they can weaponize our identity systems, turning what is meant to deliver services and do good into something that can be used to cause harm. In this part I’ll talk about the goals of the model, the disciplines needed to do this work, and the levels of maturity.
Goals of the Maturity Model
When coming up with this maturity model, I had 4 goals in mind:
Defend against all attackers
Balance protection and productivity
Achieve greater transparency
Promote data provenance
Defend against all attackers
Since all 3 kinds of attackers can weaponize identity systems, we have to defend against every time of attacker: Bulk, Single Data Subject, and Successor. However in order to do this requires that we have specialized defenses against each type. Said differently, a generic defense is in effective. In fact, one can think of this maturity model as a specialization of existing security controls for identity systems, but more on that later. Continue reading “A Maturity Model for De-Weaponizing Identity Systems – Part 2”
It’s no secret that we, as identity professionals, are the custodians of some of the most crucial information in our enterprises. We hold information about employees and customers in our identity systems in order to deliver them services that range from productivity to entertainment to personal health and wellbeing.
And as professionals, none of us want to build systems that can harm other people. Certainly, none of us want to build systems that can be used to harm ourselves. At the core of our professional code of ethics is the spirit of “do no harm.”
Now it is true that if our identity systems are of value to us and to our employers, then they are of value to attackers.
Who are these attackers?
There are two kinds of attackers: bulk and single data subject attackers; let’s look at both.
Bulk Attackers, as the name implies, want bulk data… they want all the data. Why they want all the data can vary widely. They might be interested in a single vendor’s customers. Or they might be interested in everyone in a region who shares a medical condition or ethnic heritage, or employer. They might be setting up for a later spear phishing attack. They might be putting the pieces together for an ethnic minority oppression campaign or a voter suppression campaign.
On the other hand, Single Data Subject Attackers are only interested in a single data subject. They are focused just one individual. Why? They might want to take control of a celebrity’s mobile phone for the lulz or leak personal photos to the web. They might be interested in dox’ing an adversary. They might want to make an ex-spouse’s life a living hell.