ID & access: Halt, who goes there?
Evolving ID and access management options have gone from central control of a rigid boundary to multiple ID options, distributed assets, IoT machine ID and variable authentication, reports Danny Bradbury.
The Bible story of Jacob wearing hairy kid-goat skins on his hands and neck to fool his blind father Isaac into believing that he was his more hirsute brother Esau is possibly the earliest recorded case of biometric ID theft, some 4,000 or more years ago.
And as the tokens of our identity have grown more complex – from military insignia to passports and encryption keys, so the means to cheat them has become more sophisticated too.
So how does a company master identity and access management (IAM), and specifically how do we prevent malicious actors who try to steal legitimate credentials and misrepresent themselves to gain access?
Ant Allan, research vice president at Gartner, describes today's technology as a “convergence of user provisioning (identity administration) and access governance.” These capabilities have created an extra layer for ID management, and a forest of acronyms: identity and access management (IAM), identity governance and administration (IGA), and what Martin Kuppinger, founder of German analyst company KuppingerCole, calls IAM/IAG.
These components cover how identities are described, provisioned and managed, how they are authenticated and how companies govern their use to access internal resources. A significant problem for ID management users has been the lack of standardisation across different service providers.
“There are multiple technical standards for different aspects of IAM,” says Gartner's Allan. One approach is OAuth, a protocol used to manage authorisation workflows when users access a site. It is commonly used to let users of one online service grant another online service access to some of their information and privileges.
In most cases ID management is bound tightly to particular organisations.
Paul Simmonds, executive director of the Global Identity Foundation, says that ID management and access management have converged when they should be viewed separately. “The mainframe always was an authentication system, via username and password, that gave you access,” he says. The problem with maintaining a tightly bounded ID management system that “owns” all of its users' identities is that, increasingly, companies no longer have rigid boundaries.
“Historically, the way that ID systems worked was that you had a single authoritative source, which used to be the HR system,” says Andy Pinnington, senior manager of identity and access management at KPMG UK. “Now you're trusting third parties and visitors who might be using their social identities. One issue is, how do they manage all of these identities from various sources?”
Also, people shift far more fluidly between different companies, and many work for multiple firms at the same time. Customers, suppliers and business partners all need their own identities based on the specific jobs they are doing for a given employer, rather than a single identity for multiple employers. This fluidity also makes it difficult to create global frameworks to support risk-based decisions across different company boundaries.
We must change our view of ID management, separating identity, access management and entitlements entirely, says Simmonds.
In this ideal world, authentication and identity systems can issue attributes to anyone that they can then use to assert their identity. Access management systems are managed separately and typically operated by the organisation with which the individual wants to have a business relationship. A layer of entitlement rules sits in the middle, describing what users with certain attributes can do with certain systems.
Identity or attribute
Identity, in this view, is a set of attributes used by an individual to describe themselves to a particular organisation. These attributes (name, date of birth, address), says Kenneth Dagg, an independent consultant and chair of the Identity Assurance Working Group, support the relationship that one has with that organisation. “Your employer also requires specific attributes about you in order to have you as an employee – ie, to pay you, to provide benefits and to provide work facilities,” he adds.
The attributes your bank needs are different from those of your employer. Dagg believes that separating attributes this way enables individuals to give the minimal necessary information about themselves to an organisation.
Identity or attribute providers will issue these distinguishing characteristics, argues Simmonds, explaining that there will be multiple providers for different sets of attributes. “The key here is that you only sign the attributes in a persona for which you are authoritative,” he says. “So date of birth should be signed by the UK government as part of my ‘Citizen’ persona.”
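The three-layer model above (attribute providers that sign only what they are authoritative for, a separate entitlement rule layer, and the relying party's access management) can be sketched in a few lines. This is an added illustration, not code from the article or from any of the organisations it quotes; the provider names, keys and the payroll rule are constructed, and HMAC stands in for the real digital signatures an attribute provider would use.

```python
import hashlib
import hmac
import json

# Which provider is authoritative for which attributes (constructed example):
# the government signs the 'Citizen' persona, the employer signs the work persona.
AUTHORITATIVE = {
    "uk_government": {"date_of_birth", "citizenship"},
    "employer_hr": {"employee_id", "department"},
}
# Provider signing keys. HMAC is an assumption standing in for asymmetric signatures.
KEYS = {"uk_government": b"gov-demo-key", "employer_hr": b"hr-demo-key"}

def issue(issuer, subject, attribute, value):
    """Identity/attribute provider: signs one attribute about one subject."""
    payload = json.dumps([issuer, subject, attribute, value], sort_keys=True)
    sig = hmac.new(KEYS[issuer], payload.encode(), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "subject": subject, "attribute": attribute,
            "value": value, "sig": sig}

def verify(assertion, subject):
    """Relying party: accept only if the signature is valid AND the issuer is
    authoritative for this attribute (an employer-signed date of birth is refused)."""
    a = assertion
    if a["subject"] != subject:
        return False
    if a["attribute"] not in AUTHORITATIVE.get(a["issuer"], set()):
        return False
    payload = json.dumps([a["issuer"], a["subject"], a["attribute"], a["value"]], sort_keys=True)
    expect = hmac.new(KEYS[a["issuer"]], payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, a["sig"])

# Entitlement layer: rules over attributes, kept separate from who issued them.
# Constructed rule: payroll viewers must be in finance and born 2006 or earlier.
ENTITLEMENTS = {
    "view_payroll": lambda attrs: attrs.get("department") == "finance"
    and int(attrs.get("date_of_birth", "9999")[:4]) <= 2006,
}

def decide(action, subject, assertions):
    """Access management: gather verified attributes, then apply the entitlement rule."""
    attrs = {a["attribute"]: a["value"] for a in assertions if verify(a, subject)}
    rule = ENTITLEMENTS.get(action)
    return bool(rule and rule(attrs))
```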
The UK government has its own scheme for provisioning and describing identities, called Gov.UK Verify, based on work done by OpenID Exchange, a vendor-neutral group addressing policy issues around the sharing of identity assurance information.
Some personnel will need privileged access to a system. Allan says he has seen increased sophistication in privileged access management (PAM) tools, providing single sign-on (SSO)-like access to shared privileged accounts across multiple servers and other infrastructure.
Other technologies to enhance privilege management include session management techniques that allow IAM systems to filter the commands permitted to users according to their level of privilege. Monitoring technologies also allow compliance or security employees to watch what happened and detect any irregularities.
One potential issue is role creep: as a business evolves, some functions shift, requiring additional access to data or functions for specific people. Access governance handles role assignments across different target systems and provides auxiliary services such as role mining.
Servers also need privileged access management, with administrative accounts on one system talking to an administrative account on another system, often on entirely different networks. If one of the admin accounts is compromised, an attacker could use these machine-to-machine accounts to do serious damage. Passwords on administrative accounts on servers tend to change much less frequently than those of human users.