7 Tenets of Successful IAM (webinar)
By Howard Mahoney
SailPoint CTO and CISO Darran Rolls discusses the seven tenets of a successful IAM program in this informative webinar (59:15).
How To Instantly See Privileged Account Compromise Or Abuse
By Howard Mahoney
IT and system admins, along with security professionals, know that safeguarding access to privileged accounts throughout an enterprise is critical. With up to 80% of breaches involving a compromised user or privileged account, gaining insight into privileged account access and user behavior is a top priority. Even more important, the time to identify a breach by an outside attacker or malicious insider involving compromised privileged accounts now averages more than 140 days, an eternity in terms of the risk to your critical assets.
Bringing Identity to Enterprises of All Sizes
By Howard Mahoney
There is a massive transformation happening across the globe as every business leverages the power of technology to stay competitive.
This digital transformation has had vast implications to the speed of business, but it has also made managing users and resources significantly more complex. Modern business environments are more open and interconnected than ever before. Employees, contractors, suppliers and business partners need to access company resources from a variety of devices and locations.
7 TRENDS THAT WILL SHAPE THE FUTURE OF IDENTITY
By Howard Mahoney
The identity and access management (IAM) space is constantly evolving, and the pace of transformation is only accelerating as new security threats arise, expectations increase for streamlined and transparent experiences, and IT environments grow more complex to support business initiatives like cloud adoption.
Over the course of this evolution, identity has become a key business driver across the organization. Businesses are using IAM to help them accomplish a number of goals, including:
- Managing identities, profiles and attributes
- Authenticating people, systems and things
- Enabling access to resources
- Managing runtime access to applications and application programming interfaces (APIs)
With the rapid pace of change and increasing scope of identity, it’s hard to stay on the cutting edge of trends in the IAM space. Ping Identity recently invited the Chief Information Security Officers (CISOs) from leading enterprises to share the seven trends they believe will shape the future of identity.
- NEW METHODS OF IDENTITY PROOFING: For centuries, identity proofing has required people to show up at a physical location and have their identity documents inspected. This method isn’t going to scale in the age of the internet. New methods of remote proofing and social proofing are currently being developed that will change the way people trust each other online.
- PASSWORDLESS AUTHENTICATION: When individuals interact online, they frequently do things that attackers would never do, like pay bills, order small items to be shipped to their homes or send a note to say hi to mom. Authentication will eventually be smart enough to recognize these as contexts that are low risk and don’t require a password. There are also many contextual pieces of information that could indicate people’s true identities, like the devices they use and how they interact. Authentication of the future—for both individuals and enterprises—will be adaptive and contextual so a password is required only when necessary.
- BEHAVIORAL ANALYTICS AND MACHINE LEARNING: It used to be that you could grab a latte in the morning and hop into a cab with no one knowing who you were. Starbucks and Uber have changed that forever. People increasingly interact with the world in an authenticated context, which means that the companies with which they interact have a lot of information about their behavior. Machine learning gives businesses an even bigger opportunity to apply the data in different ways. They will be able to remove frustrations and friction from their customers’ daily lives by remembering who they are, what they like, when they’re likely to access services and exactly how much whipped cream their kids like on their hot chocolate.
- CONSENT AND PRIVACY: Customers are getting more savvy about understanding how and when their data is stored—especially as more of them have been victims of data breaches. New regulations require that companies gather consent to store personally identifiable information and then only use that information for agreed-upon purposes. The days of 100-page terms of service are gone. Expect to see short, clear requests for information as it’s needed during a transaction.
- BLOCKCHAIN AND OTHER DISTRIBUTED LEDGER TECHNOLOGIES: How new distributed ledgers will shape identity management is a question still to be answered, but many companies are eagerly playing with the technology and trying new things. There’s a lot of excitement about the new tools that this technology could enable, particularly in spaces where global coordination is needed. However, since everything that’s put on a blockchain is immutable, it’s important that they remember the privacy and security implications of these tools as they build new things.
- INTERNET OF THINGS (IoT): As identity becomes the new perimeter for both security and privacy, it’s increasingly critical that the industry gets device identity right. The number of devices individuals carry and install in their homes is growing dramatically, and the enterprise use cases are exploding—from production line monitors to water sensors to medical devices. We’re going to need new norms and policies to differentiate between trusted users, threats and different members of a household.
- BIOMETRICS: Biometrics are emerging as a quick and easy way for users to authenticate, but they’re not perfect. As usage grows, the technology to fool biometric sensors will get more advanced and easier to produce. Right now, unlocking local devices using a locally stored biometric has a low likelihood of compromise, but using biometrics at scale over the web carries more serious security implications that the industry will have to wrestle with over the next few years.
By Ping Identity’s CISO Advisory Council, comprised of CISOs from 12 enterprise organizations, including: Frank Aiello, CISO for American Red Cross; Diane Ball, CISO for BCBS Tennessee; Steve Martino, CISO for Cisco; Stanton Meyer, CSO for CoBank; Ben Mayrides, CISO for Cvent; Sam Masiello, CISO for Gates Corporation; Larry Whiteside, CISO for Greenway Health; Michael Strong, CISO for GCI; Chris Gullett, VP of Information Security for Allegiant Air; and Adrian Mayers, CISO for Vertafore.
VIDEO – THE 7 TENETS OF SUCCESSFUL IAM (SAILPOINT)
https://www.youtube.com/watch?v=XDgE0IGRmgI
Top Six Things to Consider with an Identity-as-a-Service (IDaaS) Solution – Blog 4 of 6
By Howard Mahoney
4. Mobile Access Management
Mobile has become the de facto way to access cloud apps, which requires you to secure users’ devices and enable functionality on them. This includes deploying the appropriate client apps to the right device and ensuring a suitably streamlined mobile experience. Unfortunately, most existing Identity and Access Management as a Service (IDaaS) solutions fall short when it comes to mobile support because they were built and architected before it became clear that mobile devices (smartphones and tablets) were going to become the preeminent means of accessing apps. Instead, they are very web-browser centric: their mobile IDaaS experience supports only web-based apps rather than also supporting rich mobile apps and device security. They also provide no means of ensuring that the user’s mobile device is trusted and secure, and while they may provision a user in the cloud service, they do not give the end user the corresponding app on their device.
Consequently, you should look for an IDaaS solution that allows your users to enroll their mobile devices and delivers strong authentication mechanisms (using PKI certificates). The solution should let you apply mobile device-specific group policies to ensure the underlying device is secure (e.g., requiring a PIN to unlock the phone), detect jailbroken or rooted devices, and allow you to remotely lock, unenroll or wipe a lost or stolen device. Once you associate the device with a user and can trust the device, you can use the device as an identifying factor for the user in cases where additional factors are required for multifactor and step-up authentication.
The solution should also provide unified app management for both web-based and mobile client apps. This ensures that users are not left with partial access, or with access defined and managed in separate silos such as a separate mobile device management (MDM) solution. Both app and mobile management should share the same roles, identities, management tools, reports and event logs. This unification of mobile and app access management reduces redundant tools, processes and skill sets.
How Do I Know When To Upgrade My IAM Environment?
By Howard Mahoney
Deciding whether you should upgrade your identity and access management environment can be a daunting task. Although there are many variables and decision points involved, the “if” decision usually falls into one of two camps:
- The software is nearing its support end-of-life.
- There is a need to utilize new services available in the latest release.
Let’s take a look at the first camp. The end-of-life of a particular software product is tied directly to its vendor’s support. This is a very important consideration because of the potential worst-case scenario. Imagine software currently running in production whose support has been deprecated by the vendor. When a major issue occurs, technical staff reach out to the vendor with an explanation of the problem, only to hear “sorry, we can’t help you”. Unless in-house staff can diagnose and find a solution to the problem, there could be a very real, long-lasting disruption of service. The old adage “if it ain’t broke, don’t fix it” is not always the best mantra to follow with your identity and access management software. Although it is not critical to constantly upgrade to the latest and greatest release, it is recommended to stay several steps ahead of a product’s end-of-life. This is due not only to the potential issue above, but also to the fact that vendors ship critical items, such as security fixes and performance enhancements, as part of their newest releases.
How about the second camp? Consider a company that is using a single sign-on product or version that is a few years old. Granted, the solution is working well; however, there is now a need to integrate mobile and social technologies for their customer base. Since their current software version does not support this but the newest version does, the obvious choice is to upgrade. Or, as a second illustration, a company may have created a custom connector, but that connector now ships out of the box with the newest version. By upgrading, they would no longer have the overhead of updating and maintaining their own code.
Get Information on the PathMaker Group IAM Maturity Advisory here.
Meeting IAM Gaps and Challenges with New Product Offerings
By PathMaker Group
PathMaker Group has been working in the Identity and Access Management space since 2003. We take pride in delivering quality IAM solutions with the best vendor products available. As the vendor landscape changed with mergers and acquisitions, we specialized in the products and vendors that led the market with key capabilities, enterprise scale, reliable customer support and strong partner programs. As the market evolves to address new business problems, regulatory requirements and emerging technologies, PathMaker Group has continued to expand our vendor relationships to meet these changes. For many customers, the requirements for traditional on-premise IAM haven’t changed. We will continue supporting these needs with products from IBM and Oracle. To meet many of the new challenges, we have added new vendor solutions we believe lead the IAM space in meeting specific requirements. Here are some highlights:
IoT/Consumer Scalability
UnboundID offers a next-generation IAM platform that can be used across multiple large-scale identity scenarios such as retail, Internet of Things or public sector. The UnboundID Data Store delivers unprecedented web scale data storage capabilities to handle billions of identities along with the security, application and device data associated with each profile. The UnboundID Data Broker is designed to manage real-time policy-based decisions according to profile data. The UnboundID Data Sync uses high throughput and low latency to provide real-time data synchronization across organizations, disparate data systems or even on-premise and cloud components. Finally, the UnboundID Analytics Engine gives you the information you need to optimize performance, improve services and meet auditing and SLA requirements.
Identity and Data Governance
SailPoint provides industry-leading IAM governance capabilities for both on-premise and cloud-based scenarios. IdentityIQ is SailPoint’s on-premise, governance-based identity and access management solution that delivers a unified approach to compliance, password management and provisioning activities. IdentityNow is a full-featured cloud-based IAM solution that delivers single sign-on, password management, provisioning and access certification services for cloud, mobile and on-premises applications. SecurityIQ is SailPoint’s newest offering; it provides governance for unstructured data and assists with data discovery and classification, permission management, and real-time policy monitoring and notifications.
Cloud/SaaS SSO, Privileged Access and EMM
Finally, Centrify provides advanced privileged access management, enterprise mobility management and cloud-based access control for customers across industries and around the world. The Centrify Identity Service is a Software as a Service (SaaS) product that includes single sign-on, multi-factor authentication, enterprise mobility management and seamless application integration. The Centrify Privilege Service provides simple cloud-based control of all of your privileged accounts while providing extremely detailed session monitoring, logging and reporting capabilities. The Centrify Server Suite lets you use Active Directory as the source of privilege and access management across your Unix, Linux and Windows server infrastructure.
With the addition of these three vendors, PMG can help address key gaps in a customer’s IAM capability. To better understand the eight levers of IAM maturity and where you may have gaps, take a look at this blog by our CEO, Keith Squires, about the IAM MAP. Please reach out to see how PathMaker Group, using industry-leading products and our tried and true delivery methodology, can help get your company started on the journey to IAM maturity.
Initial Credential Issuance: An Often Overlooked Area of a Secure Identity Posture
By Jerry Castille
Architecting mature and functional IAM strategies for our clients requires us to frequently reflect on the approaches that we have seen organizations take to solve common (and sometimes mundane) problems. One such problem is that of initial credential distribution for internal user constituents (employees, contractors, temp workers, etc.). How an organization creates and communicates a new user’s credential is one of the first steps in the chain of maintaining a good security posture in the space of identity provisioning.
At the core of this problem is the issue of non-repudiation: the ability to say that a given account owner was the only person who could have used their credentials to access any given information system. More information on non-repudiation can be found here.
Over the years working in the IAM field, I’ve seen customers approach the problem of getting credentials to newly created users in different ways. Some (surprisingly many) choose to have their IT departments create new user accounts using a known password or formula (such as <user_lastname><month><day>) in the newly created system. The issue with this approach is that there is no real guarantee that the account will not be used by a third party, before or after distribution, until the intended user begins to use it. This presents an obvious security issue that can be slightly mitigated by requiring a user to change their password after first use. But even forcing a user to change their password doesn’t completely solve this issue.
A more mature approach is to have a random password generated that complies with corporate password policies that is then communicated to the user through the IT department or the user’s manager. This still leaves the issue of non-repudiation, since whoever generates and communicates the credential to the user or manager also has knowledge of the credential. However, this approach limits the knowledge of this credential to only those in the chain of custody of the credential, instead of everyone who has been exposed to the ‘standard known password’ or password formula.
The most mature and effective way to address this issue usually involves implementing some sort of ‘account claiming’ mechanism. In this approach, a provisioning system or process generates a random password that is never known to any person. Additionally, a system-generated ‘claim token’ is issued to the user that can be used only once and only within a specific time frame after issuance. The intended user is then directed to visit an internal account claiming site where they are asked for some personally identifying information (PII) along with their ‘claim token’. Once this information is verified, the user is directed to change their password, which is then communicated to the provisioning system and all downstream information systems. Identity provisioning platforms such as those from Oracle, IBM and SailPoint all provide the tools required to develop or configure this solution with minimal effort. This approach more effectively protects the integrity of the credential and greatly increases an organization’s IAM security posture with very little overall implementation effort.
This article is part 1 of a multi-part series that dives into specific concepts covered during our IAM MAP activities. More information about the PathMaker Group IAM MAP can be found here.
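To make the account-claiming flow above concrete, here is an added example (not code from PathMaker Group or any of the named vendors) of a minimal provisioning store that issues a single-use, time-limited claim token, never stores the random initial password or the token in clear, and only lets the user set a password once both the token and the PII check succeed. The class, field and status-string names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 24 * 3600  # assumed validity window for a claim token


def _sha256(value: str) -> str:
    # Placeholder hash; a production system would hash passwords with a slow KDF (argon2/bcrypt).
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class ClaimRecord:
    token_hash: str    # only the hash of the claim token is kept
    expires_at: float  # epoch seconds after which the token is dead
    pii_hash: str      # hash of the PII the user must present at the claim site
    used: bool = False # set once the token has been redeemed


class AccountClaimService:
    """Toy provisioning store: no cleartext password or claim token ever lives here."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be exercised offline
        self.password_hashes = {}   # user_id -> password hash
        self.claims = {}            # user_id -> ClaimRecord

    def provision(self, user_id: str, pii: list[str]) -> str:
        # Random initial password that no person ever sees; only its hash is stored.
        self.password_hashes[user_id] = _sha256(secrets.token_urlsafe(32))
        token = secrets.token_urlsafe(32)  # the one-time claim token handed to the user
        self.claims[user_id] = ClaimRecord(
            token_hash=_sha256(token),
            expires_at=self.clock() + TOKEN_TTL_SECONDS,
            pii_hash=_sha256("|".join(pii)),
        )
        return token

    def claim(self, user_id: str, token: str, pii: list[str], new_password: str) -> str:
        rec = self.claims.get(user_id)
        if rec is None or rec.used:
            return "rejected: no active claim"        # single use: a replay fails here
        if self.clock() > rec.expires_at:
            return "rejected: token expired"          # time-bound: stale tokens fail here
        if not hmac.compare_digest(rec.token_hash, _sha256(token)):
            return "rejected: bad token"
        if not hmac.compare_digest(rec.pii_hash, _sha256("|".join(pii))):
            return "rejected: identity check failed"  # token alone is not enough
        rec.used = True
        self.password_hashes[user_id] = _sha256(new_password)  # user-chosen password replaces the random one
        return "claimed"
```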
Who We Are
PathMaker Group is a specialized Security and Identity Management Consultancy, blending core technical and product expertise, consultative know-how, and extensive implementation experience.
Pathmaker Group
DALLAS-FORT WORTH
635 Fritz Drive
Suite 110
Coppell, TX 75019
(817) 704-3644
info@pathmaker-group.com