After some holidays, lots of internal meetings, and some insane travel schedules, things are settling back down this week just in time for me to head to TEC. So I can get back to spending time with Quest’s customers, partners, and having great discussions with people. In the last week, I had three excellent conversations, one with a panel of folks moderated by Martin Kuppinger from Kuppinger & Cole set up by ETM [link to podcast site], another with Don Jones and an audience of folks asking questions set up by redmondmag.com [link to webcast], and the third just today with Randy Franklin Smith [link to webinar site]. All these discussions revolved around managing identity (of course); they focused on the business’s view of IAM, wrapping proper security controls around Active Directory, and controlling privileged user access, respectively. Even though the subjects seemed quite far apart, a common question emerged: how do you translate the policy the business has in mind (or the auditor has in mind) into something actionable which can be enforced through a technical control? Put another way, the problem is how to take wishes expressed in business terms and make the come true with technology. To me, this is the central question in the IAM world. We have many ways to enforce controls, many ways to create compound rules, many ways to record and manage policies. But the jump from a policy to a rule is the tricky bit.
Let’s take an example and see what we can do with it. Everyone in the US and many around the world know SOX, and most that know it are familiar with section 404. There is a great wikipedia article about SOX section 404 if you want to brush up. Section 404 makes the statement that it is “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.” While this makes sense, it’s hardly actionable. And businesses in the US have relied on many layers of committees and associations to distill this. What is that process? It’s lawyers and similarly minded folks figuring out what executives can be charged for if they don’t do things correctly in the face of vague statements like the one above. So they come up with less and less vague statements until they have something they feel is actionable. Of course, what they feel is actionable and what some specific IT department sees as actionable may be quite different.
From the filtering at the high levels of the interbusiness activities you get a statement like “Understand the flow of transactions, including IT aspects, sufficient enough to identify points at which a misstatement could arise,” which comes from the work done by the SEC and POCAB to interpret SOX section 404. That approaches something IT can dig into, but it’s hardly actionable as is. But now a business can take that, bring it inside the organization, and have their executive management and IT work out what it means to them. Of course, there are scads of consultancies, vendors, and others who would love to assist there. Your results may vary when it comes to those folks, or your own folks, being able to make these statements more or less actionable. With this specific statement about the “flow” of data and not allowing “misstatement” to arise, there is general agreement that having IT staff with administrative powers that could, in theory, alter financial data is a risk that needs to have a control. And from that general agreement has risen an entire market for privileged access management products that allow you to restrict people who need administrative rights to do operational tasks in IT infrastructure from using those rights to somehow change data that would be used in any kind of financial reporting (or use that access to do any number of other things covered by other sections of SOX or other regulations like PCI, etc.).
What should be apparent is that things like RBAC, ABAC, and rules based approaches to access control are all simple and straightforward when compared to taking policy and making it actionable. Putting an RBAC system into place is taking action. But, as anyone who has been through an RBAC roll out will tell you, the hardest bit is figuring out the roles. And figuring out the roles is all about interpreting policies. So what is the answer for all those folks on these webcasts who wanted to know how to master this art? The short answer is like the old joke about how you get to Carnegie Hall: practice. The medium length answer is to find a consultancy and a vendor that you trust and that have had the right amount of practice and make them do it for you. The long answer is to follow the path I took above trying to explain the question. You need to analyze the requirements, break them down, and keep doing that until you start getting statements that look slightly actionable. Of course, that takes a huge amount of resources, as evidenced by all the money that’s been spent on SOX alone in the US (that same wikipedia article quotes one study that says the cost may have been 1.7 trillion USD). And the final trick is to take your actions and breakdowns back to the top, your auditor or CISO or whomever started the chain, and validate them. That’s a step that gets skipped all too often. And then you see million dollar projects fail with one stroke of an auditor’s pen.
Last week was #TEC2010. It was my second year at the event, and I was again stunned by the unique vibe it has. Since TEC is focused on education for the folks in the trenches of managing directories, the crowd is markedly different from many other events I attend. There were some senior management types around, mostly owing to the Microsoft centered nature of the event and their shops being very heavily Microsoft focused. The vast majority were people who architect, deploy and maintain directories, though. And it was far from just Microsoft directories. I heard every type of directory mentioned by the folks in the crowds, from RACF to Novell.
One of the main highlights for me was Conrad Bayer‘s keynote about Active Directory and the future of identity services at Microsoft. It was very refreshing to hear someone from the top of the technology food chain at Microsoft saying a lot of things that have been true for a while. Conrad directly acknowledged the breakdown in the concept of using structured hierarchy to represent the relationships between identities and organizations in today’s world. He also gave a nod to the difficulties there are with peer-to-peer federation approaches, though he said ease of use should mitigate that, which I do not agree with. He also pointed out the competitive advantage Microsoft sees in RMS when compared to other identity vendors. I found that odd, but very interesting. Lastly he called out that most clients he speaks with thinks that identity is one of the last things they would move to the cloud, which is something I hear a lot as well.
The other session I enjoyed very much was Brian Puhl‘s. Brian is from Microsoft’s own MSIT division and is in charge of identity services. As he put it, his job is “dog fooding” – using what Microsoft makes for Microsoft’s benefit. Likely the most notable thing about the entire presentation and discussion that followed to me was that the word authorization was in the title and never once did the term XACML make its way into the chatter. At points I got the feeling there was some very complicated mental gymnastics going on to avoid the idea that policy expression needs a platform and protocol. At one point Brian said point-blank “my hosting provider needs to give me a mechanism to express the complexity and facets of my required policies”. I almost coughed out “XACML”, but held it back. Two observation Brian made that struck me as totally true were that trust (and policy) often boils down to contracts and that key management is every bit as important and encryption itself. These are two lessons that only someone who has had to wrestle with lawyers or exotic devices’ key renewal protocols would be able to offer.
By far, the best part of the conference was speaking to the hundreds of fellow attendees – and this year I was thankfully just an attendee so I had no booth duty to distract from the fun. I had conversations with the world’s largest banks, small law firms, government affiliated agencies who remained nameless and everything in between. Every one of them had backlogs of issues they were looking to get ideas on, and the peer level advice flying around was worth it’s weight in platinum. If only there was a good way to bottle that – that would be something we could all use.
lots of talk about sso and authN at TEC 2009. what fascinates me is how many people are espousing the merits of having completely different credentials for many systems. they all claim that the reason is security (at least all of them that i have heard). one of our senior products folks has an analogy they use that i like to discuss this. he will ask, if you were building a house would you want 8 weak doors or one strong one? and i think that really gets to the heart of the security issue.
but even if you grant that perhaps many credentials could potentially be stronger than one, the question becomes what is the trade off? basically, we’ve been working de facto under the multiple credential world for the whole open systems era and no one thinks we’re in a good security state. i would submit it’s because of all the other issues that come from many credentials like more to manage and burden on the users. so i’d ask if there is really a way to get rid of the burden on the users and maintenance issues? some say synchronize, but then you have one door again (or at least one key that works on all the doors). and now you have extra infrastructure on top of what you already have.
sso and AD briding has a role. so does sync. but whatever the stuff that powers this stuff, sso seems like it will always be the one strong door when it’s done right. what do you think?
About the Identity Sander
- "So what you mean is we don't need policy now because you guys can fix it all later, right?" Um. No. Not really. #security #facepalm:: 20 hours ago
- and #hacker movie trivia. @securityweekly shames me with one I really should have got /cc @InfoSec_World (2/2) youtube.com/watch?v=WjrvxJ…...:: 1 day ago
- First, the serious bit of #security #philosophy with @securityweekly at the #InfoSec con /cc @InfoSec_World (1/2) youtube.com/watch?v=NeC8hi…...:: 1 day ago
- Yes & don't forget AD #AuthN & data access - Clean Break: Block Ex-Employees' Access inforisktoday.com/clean-break-bl… by @euroinfosec #security #IAM:: 2 days ago
- I sometimes wonder if some of the people really upset about online #privacy overlap with people screaming #PII into mobiles on NYC streets:: 2 days ago
- RT @STEALTHbits: WEBINAR: 1 day left to register! Solve the #IAM blindspot & adopt a better #InfoSec posture @sanderiam @joe_carson | https…:: 2 days ago
- math giveth #encryption, and math will take it away youtu.be/12Q3Mrh03Gk #security via @PBSInfinite:: 5 days ago
- RT @STEALTHbits: 5 Trends for Security Professionals #infosec #GDPR, @sanderiam bit.ly/2oXYC5P:: 2 weeks ago