A state government recently discovered a rather embarrassing security vulnerability: Using their normal work login, employees of the Parks and Recreation Department were able to access the state's probation records. This otherwise confidential and sensitive information was now open to workers who had no business viewing it.
“Clearly something was misaligned,” says Geoff Webb, a marketing manager with the Texas-based IT firm Credant Technologies. He believes that a form of identity management could have prevented the breach.
A sound approach to identification and authentication is an elementary building block of security policy in almost any organization. Webb's concerns are shared by many, and the discipline is growing as the configuration of IT platforms, devices and equipment used in today's dispersed computing environments challenges those charged with the task of identity management.
“The tools and techniques have greatly improved,” says Kelly Bissell, a principal in the security and privacy practice of Deloitte & Touche in Atlanta. “The IAM [identity and access management] tools are much easier, but that is not the challenge. Authentication and identity tools are really highlighting the real difficult issue: Companies who own multiple heterogeneous legacy platforms, such as multiple flavors of Unix, mainframe or VAX. This causes the deployment of authentication and identity tools that are complex and costly to support.”
In fact, today's computing environment is more complex than it was even a few years ago, he says. The number of devices, the types of access required and the scope of people – both internal and the partners who need identity and authentication management – has grown significantly and rapidly. Concurrently, enterprises have struggled to roll out broad identity and access management projects, leaving them with a mishmash of technologies, not to mention users struggling with multiple logins and passwords and misaligned access privileges. It is a lot of work for IT help desks, Bissell says.
There are no easy solutions, Webb adds. “In many ways, as we look at the growth of mobile and, potentially, cloud computing, the problem is accelerating away from the IT department's capacity to solve it.”
Others agree. “The top concern regarding identification and authentication is the reliance on the antiquated user ID and password scheme,” says Mike Meikle, a consultant with the Richmond, Va.-based Hawkthorne Group, which provides consulting services to the health care industry.
“Savvy social engineering techniques can gather user identities, and passwords can be readily cracked due to the difficulty of enforcing proper password protocol,” he says. Also, due to the increase in computing power, most passwords can be compromised via brute force.
“The largest concern in deploying and supporting IAM solutions is dealing with complex and heterogeneous systems,” says Deloitte's Bissell.
He points out that aside from the complexity of IT infrastructure, user behavior is adding fuel to the fire. “In addition, the increasing compliance regulations and improved internal and external attacks are creating a perfect storm in making the IT manager's job more difficult,” he says.
User behavior is also cited by Scott Morrison, CTO and chief architect of Washington, D.C.-based Layer 7 Technologies, a provider of API [application programming interface] security and governance solutions. He says the largest looming issue with identification and authentication is the increasing misuse of simple API keys. He says API keys are a weak security token compared to stronger, well-established methods of authentication.
Effective identification and authentication validates not only an employee, but also the equipment assigned to that user. A consumer-centric universe, knee-deep in social networking and a multitude of computing devices, is pressing against the corporate IT infrastructure, and the infrastructure's capacity to delineate which devices are acceptable becomes more and more tenuous. This raises the question of how a user should be tied to specific equipment and how such an association should be managed.
“It is also important to understand what we mean by a user,” says Webb. “Of course, many users are real, flesh-and-blood individuals. But, don't forget that many systems require complex interplays of access in order to provide business services.”
But, Layer 7's Morrison sees this issue differently. He believes that the user and associated equipment need not be viewed together. There should always be a separation between authentication and authorization to resources, he says. The IAM technology boom of the last 15 years supports this way of thinking. “Entitlements come and go, and it is very important for organizations to make it easy to maintain constantly changing requirements around who can access what,” he says, adding that there should be a flexible association between resources and users.
Another distinct dimension of the IT landscape that has accelerated concern for IAM is the dispersed workforce.
“As the workforce becomes more mobile and distributed, the problems for identification become difficult to solve without placing increasingly onerous burdens on the users,” says Webb.
Businesses are becoming more tightly interconnected with third parties too, so identity management must extend beyond just internal employees and include partners, contractors, suppliers and so on, he says. As businesses look at the highly distributed world of the cloud, the ability to reliably authenticate a user and grant access is going to become even more complex.
Looking forward, identification and authentication policies, plans and management best practices will be challenged to keep pace with the sophistication of threats, many say.
“After living in the IAM space, we think the trend will move along with IT rationalizing the numbers of IT platforms,” says Deloitte's Bissell. “In addition, we expect increasing regulations and more sophisticated internal and external attacks will demand better vendors and company procedures to be streamlined. Clients will really need to pull all these different authentication and layered security solutions together into a loosely coupled enterprise resource planning (ERP) solution.”