March 31, 2017

IAM what IAM

By Davitt Potter
Sr. Engineering Manager, Cybersecurity
Arrow Enterprise Computing Solutions


“Are you talking to me? Are YOU talking to ME?”

Ah, authentication. Such a simple premise in IT, and yet… woefully underserved, sloppily implemented and long maligned.

What is IAM? You may have seen the acronym, or heard the painful jokes. IAM is Identity and Access Management (you will also see it written as Identity Access Management)—or, more plainly—giving the right people the right access to the right resources at the right times from the right locations. Totally clear, right? Well, if not, let’s dive in.

Authentication

Authentication, for a computer network or system, is something we all do every day. Username and password – authenticated. You recognize the barista at the coffee shop and hand over a credit card? Authenticated.

Both of those scenarios, however, have implicit weaknesses.

In the coffee shop scenario, you assume the person wearing the apron is an actual employee. He or she also assumes that you are indeed the named cardholder. (Be honest, how many times have you verified ID at your coffee shop?)

Similarly, on a network, if you log in as “DPotter” with my password, the system believes that you are that person. So, now, you can run my email, find my files and basically be me for all intents and purposes.

Obviously, that’s a problem. How do we solve that?

Multifactor Authentication

Multifactor authentication is a good and solid way to solve part of the problem. In its most common form, two-factor authentication or “2FA”, you must present “something you have” (a hardware token, key fob or authenticator app on your phone) together with “something you know” (a password or PIN). This is a much more secure system, as it is highly unlikely that an outside person or company compromises both of those things at the same time. If your password is stolen, it is useless without the token. If your token is stolen, the thief likely doesn’t know your password. If either is lost, it can be revoked by your IT staff.

That’s great, except that many companies never adopted 2FA en masse, or their newer systems and apps (especially mobile) don’t work well with it. Also, in the worst case, if I’m already in the network, what’s stopping me from jumping from system to system? If DPotter is logged in and has access rights to SharePoint, Office 365, Salesforce, Oracle and so on, each of those systems sees only its own login, and there is no single place to track or audit what I’m doing while authenticated. Add in the plethora of cloud apps, and… well, I hope you get where I’m going with this.

IAM who IAM, or IAM NOT!

So, what is a savvy company to do? Identity and Access Management is a big piece of a successful security posture. It handles authentication to multiple systems, maps people to roles and responsibilities, and can also provide auditing and governance of those systems.

Uh, what now?

Here’s a good example. Davitt Potter is hired as a junior systems engineer, with VPN access, access to a few critical IT systems, email, SharePoint and some other line-of-business systems. All fine, all good. Can you tell me when Davitt logged in? Which systems he accessed? If Davitt leaves the business, can you show me that his accounts have been disabled or deleted?

Let’s say Davitt is promoted, or moves to a different department. What new systems does he have access to? What systems does he no longer need access to? Can you show me that in a report? Would that stand up to an audit?

IAM provides the means to set up roles and overarching policies that are then applied to multiple employees, so that access lines up with company roles and responsibilities, security exposure is reduced, and internal “east-west” (lateral) movement by insiders is limited. IAM ties into many GRC (governance, risk and compliance) suites for reporting, auditing and automated workflow for onboarding and offboarding. It also ties into firewall authentication, VPN authentication, SaaS/cloud gateways and many of the newer CASB (cloud access security broker) offerings.
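As an added worked example (Python; not the original post’s code and not any vendor’s product), here is the joiner/mover/leaver lifecycle the two scenarios above describe, driven entirely by roles: a user is provisioned from a role, a move grants exactly the new role’s systems and revokes the old role’s, a leaver loses everything, every grant and revoke lands in an append-only audit log that can answer the “show me that in a report” question, and a reconciliation pass flags accounts that exist on a system with no active, entitled identity behind them. The role map and the system names are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed role -> entitlement mapping. Users never get systems directly,
# only via roles, so access always traces back to a job function.
ROLES = {
    "employee":        {"email", "sharepoint", "vpn"},
    "junior-sysadmin": {"monitoring", "jump-host"},
    "finance-analyst": {"oracle-financials", "salesforce"},
}


class IAM:
    def __init__(self):
        self.identities = {}    # username -> {"roles": set, "active": bool}
        self.entitlements = {}  # username -> set of systems currently provisioned
        self.audit = []         # append-only event log

    def _log(self, action, username, detail=""):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "action": action, "user": username, "detail": detail})

    @staticmethod
    def _effective(roles):
        """Systems implied by a set of roles; refuse roles policy does not define."""
        unknown = set(roles) - ROLES.keys()
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        return set().union(*(ROLES[r] for r in roles))

    def _reconcile(self, username, target):
        """Grant what the roles require, revoke everything else; return (granted, revoked)."""
        current = self.entitlements.get(username, set())
        granted, revoked = target - current, current - target
        for system in sorted(granted):
            self._log("grant", username, system)
        for system in sorted(revoked):
            self._log("revoke", username, system)
        self.entitlements[username] = set(target)
        return granted, revoked

    def join(self, username, roles):
        if username in self.identities:
            raise ValueError(f"{username} already exists")
        target = self._effective(roles)  # validate before touching state
        self.identities[username] = {"roles": set(roles), "active": True}
        self._log("join", username, ",".join(sorted(roles)))
        return self._reconcile(username, target)

    def move(self, username, roles):
        ident = self.identities[username]
        if not ident["active"]:
            raise ValueError(f"{username} is not active")
        target = self._effective(roles)
        self._log("move", username, f"{sorted(ident['roles'])} -> {sorted(roles)}")
        ident["roles"] = set(roles)
        return self._reconcile(username, target)

    def leave(self, username):
        ident = self.identities[username]
        ident["active"] = False
        ident["roles"] = set()
        self._log("leave", username)
        return self._reconcile(username, set())

    def report(self, username):
        """The audit answer: what does this person hold right now, and why."""
        ident = self.identities[username]
        return {"active": ident["active"], "roles": sorted(ident["roles"]),
                "systems": sorted(self.entitlements.get(username, set()))}

    def orphans(self, system_accounts):
        """Accounts present on a system that no active, entitled identity explains."""
        found = set()
        for system, accounts in system_accounts.items():
            for acct in accounts:
                ident = self.identities.get(acct)
                entitled = (ident is not None and ident["active"]
                            and system in self.entitlements.get(acct, set()))
                if not entitled:
                    found.add((system, acct))
        return found


if __name__ == "__main__":
    iam = IAM()
    print("join :", iam.join("DPotter", {"employee", "junior-sysadmin"}))
    print("move :", iam.move("DPotter", {"employee", "finance-analyst"}))
    print("leave:", iam.leave("DPotter"))
    print("report:", iam.report("DPotter"))
    # Constructed snapshot of what SharePoint still thinks exists after offboarding.
    print("orphans:", iam.orphans({"sharepoint": {"DPotter", "svc-legacy"}}))
    for event in iam.audit:
        print(event["action"], event["user"], event["detail"])
```

The reconciliation step is the part worth copying: a mover gets exactly the difference between old and new roles, so access does not accumulate over a career, and the same routine with an empty target is the leaver process. The orphan check is what an auditor actually asks for, because the account the IAM system forgot is the one that survives the offboarding.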


Currently, Arrow offers IAM solutions from RSA, IBM, HP, Gemalto and others. We are continually monitoring the market, and can provide guidance, consulting and implementation strategies as needed – acting either as your CTO/CISO, or in a full engineering/deployment support fashion. Contact me for more information.

Why offer IAM? Today’s customers are asking for deeper and smarter security strategies. Authentication by username and password alone simply isn’t adequate for today’s threat landscape. IAM can help drive overall posture conversations, set strategy and uncover numerous opportunities, as well as allow you to act in that vaunted “trusted advisor” capacity. IAM is a highly services-oriented solution as well.

So, to horribly mangle our boy Popeye, are you who you am? IAM!