In my last blog post, I described a new security mindset to address the lack of control associated with “shadow IT.” As IT loses control of some of its traditional assets, my suggestion to CISOs is to double down on security controls and oversight for the things they still own. In my humble opinion, there are two key areas to focus on: sensitive data and identity. Everything else – applications, endpoints, networks, and servers – must kowtow to these two cornerstones and enforce specific data security and identity policies.
In Part 1 of my blog, I described how data security must become smarter about the sensitivity of the content and where it resides across enterprise and third-party networks. Aside from deeper data intelligence, however, we also need much deeper identity intelligence than the basic user name, password, and role descriptions we have today. This makes identity the other cornerstone of next-generation cybersecurity.
As enterprise IT morphs into “shadow IT,” identity management will act as an anchor and must include:
- Strong authentication for all users and devices. While most security professionals agree that it’s time to move on from user names and passwords, few organizations have the resources or wherewithal for enterprise-wide security tokens or geeky PKI implementations. Help may be on the way, however, based on the Fast IDentity Online (FIDO) protocol project being sponsored by companies like ARM, eBay, Google, MasterCard, Microsoft, and Samsung. At a high level, FIDO could provide a development framework and set of protocols to help commoditize multi-factor authentication. Early discussions have been focused on consumers, but FIDO could become a root of trust for all connected devices and users in and out of the enterprise. Heck, it may even play a role in things like DNSSEC, BGPsec, and the Internet of Things. Regardless of FIDO’s trajectory and progress, however, eliminating our reliance on obsolete user name/password authentication is a necessary next step.
- Rich identity attributes built in. When you log in to the network today, I probably know very little about you other than your name and role. This just isn’t enough information for making granular policy decisions in a mobile/cloud-based world. So what’s needed? More identity attributes about users, the device they are on, the state of that device, their location, what they want to do, etc. We do this today by asking users goofy questions about their mother’s maiden name or whether they have a dog or cat. What’s needed here is collective intelligence about users, devices, and locations, along with machine-learning algorithms that generate risk scores. This process is sometimes called “adaptive authentication,” and a whole bunch of vendors, including CA, Entrust, Okta, Oracle, Ping Identity, and RSA, are headed in this direction. Good start, but we also need to be able to exchange this identity information in a standard way. This is exactly what Cisco is after with pxGrid, and what the TCG envisioned with IF-MAP. The combination of adaptive authentication and identity information exchange will also become more tightly integrated with network access and data security.
- An identity ecosystem. I know we’ve had some success with federated ID standards, but this technology is still too much of a point-to-point, tightly coupled model. Somehow, organizations and individuals need the ability to set up ad-hoc trust relationships as needed. Governments could fill the role of ID clearinghouse, but this will never fly in the US/NSA. I like the NSTIC model and hope that industry can push something similar.
- Integrated identity and data security policy management and entitlements. In my first blog, I described the need for technology standards around data tagging to move to a more universal DRM policy enforcement model. My vision is that every device can read these tags and enforce policies about what users can and can’t do with the data. It would be nice to have a similar system for identity and entitlements management. In this case, a user ID would be tagged with a role description, which would then trigger common application entitlements. Again, we’ve gotten partway there with SAML and XACML, but we need to go further.
- Big data security analytics focused on identity and data security. If we did everything I’ve suggested, we’d have a more intelligent and automated way of providing secure user access while vastly improving data security. That said, companies would get lazy with policy enforcement or miss signs of a data breach, while cybercriminals would poke at new data security and identity technologies until they found a side door at some point. To manage this risk, we need detailed intelligence and analytics about who is doing what and when. We need to model this behavior, look for anomalies, implement new rules – all the things we do for greater oversight.
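To make the adaptive-authentication and identity-analytics ideas above concrete, here is an added example (written for this post, not code from the original article or from any of the vendors named) that learns a per-user behavioral baseline from past logins, scores a new login attempt on identity and device attributes, and maps the score to an allow / step-up / deny decision. The attribute names, the login history, the rule weights, and the decision thresholds are all constructed for illustration; a real deployment would derive the weights from its own incident data and feed the reasons into a SIEM.

```python
"""Adaptive authentication sketch: identity attributes + behavioral baseline -> risk score -> decision.

Constructed example. Attribute names, weights, thresholds and the sample history are
illustrative assumptions, not taken from any product or standard.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class LoginEvent:
    """Identity attributes available at login time (beyond user name and role)."""
    user: str
    device_id: str
    device_managed: bool   # posture attribute: enrolled in device management
    device_patched: bool   # posture attribute: OS patch level is current
    country: str           # coarse location
    hour_utc: int          # time of the attempt
    resource: str          # sensitivity tag carried by the data being accessed


# Constructed login history, as an identity provider or SIEM might supply it.
HISTORY: List[LoginEvent] = [
    LoginEvent("alice", "lap-01", True, True, "US", 9, "internal"),
    LoginEvent("alice", "lap-01", True, True, "US", 14, "internal"),
    LoginEvent("alice", "phone-07", True, True, "US", 18, "internal"),
    LoginEvent("alice", "lap-01", True, True, "US", 10, "confidential"),
]


@dataclass
class Baseline:
    """What 'normal' looks like for one user, learned from history."""
    devices: Set[str]
    countries: Set[str]
    hours: Set[int]


def learn_baseline(history: List[LoginEvent]) -> Dict[str, Baseline]:
    """The analytics step: model each user's usual devices, locations and hours."""
    baselines: Dict[str, Baseline] = {}
    for ev in history:
        b = baselines.setdefault(ev.user, Baseline(set(), set(), set()))
        b.devices.add(ev.device_id)
        b.countries.add(ev.country)
        b.hours.add(ev.hour_utc)
    return baselines


# Weight added for the sensitivity of the data requested; an unknown tag is
# treated like "confidential" so a missing tag fails closed.
SENSITIVITY_WEIGHT = {"public": 0, "internal": 5, "confidential": 20}


def risk_score(ev: LoginEvent, baseline: Baseline) -> Tuple[int, List[str]]:
    """Sum the weights of every rule the attempt trips; return score and reasons."""
    usual_hour = any(abs(ev.hour_utc - h) <= 2 for h in baseline.hours)
    sensitivity = SENSITIVITY_WEIGHT.get(ev.resource, 20)
    # (name, triggered, weight): adding a new rule means appending a tuple here.
    rules = [
        ("unknown device", ev.device_id not in baseline.devices, 30),
        ("unmanaged device", not ev.device_managed, 20),
        ("unpatched device", not ev.device_patched, 10),
        ("unusual country", ev.country not in baseline.countries, 25),
        ("unusual hour", not usual_hour, 10),
        ("sensitive resource", sensitivity > 0, sensitivity),
    ]
    score, reasons = 0, []
    for name, triggered, weight in rules:
        if triggered:
            score += weight
            reasons.append(name)
    return score, reasons


def decide(score: int) -> str:
    """Map a risk score to an access decision; thresholds are assumptions."""
    if score < 30:
        return "allow"
    if score < 70:
        return "step-up"   # require a second factor before granting access
    return "deny"


def evaluate(ev: LoginEvent, baselines: Dict[str, Baseline]) -> dict:
    """Score one attempt against the user's baseline; an unseen user gets an empty one."""
    baseline = baselines.get(ev.user, Baseline(set(), set(), set()))
    score, reasons = risk_score(ev, baseline)
    return {"user": ev.user, "score": score, "decision": decide(score), "reasons": reasons}


if __name__ == "__main__":
    baselines = learn_baseline(HISTORY)
    attempts = [
        LoginEvent("alice", "lap-01", True, True, "US", 11, "confidential"),   # routine
        LoginEvent("alice", "phone-07", True, True, "FR", 15, "internal"),     # travelling
        LoginEvent("alice", "kiosk-99", False, False, "RO", 3, "confidential"),  # everything odd
        LoginEvent("mallory", "lap-01", True, True, "US", 11, "internal"),     # no history
    ]
    for attempt in attempts:
        print(evaluate(attempt, baselines))
```

The point of keeping the rules as data rather than nested `if` statements is the "implement new rules" part of the analytics loop: when the investigation of an incident reveals a new signal, it becomes one more tuple with a weight, and every decision carries its reasons so the step-up or deny can be explained and audited later.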
There’s been decent progress, and a lot of industry gurus are focused on modernizing identity for the “shadow IT” world. Still, there are too many proprietary products and competing standards, while many organizations take a lethargic, laissez-faire approach to identity management. Things have to change in this area – and soon.