
Identity and Access Management (IAM)

Focusing on our views about deployment challenges, and some of the important trends related to Identity and Access Management

April 2008 - Posts

  • Recent news and how IAM could have helped

     

    As information security professionals, we are always interested in finding stories or anecdotes to help make a point or to further educate people on the importance and need for strong information security.  

     

    An item grabbing US headlines recently was the story concerning inappropriate access to the passport files of the three major US presidential candidates, Barack Obama, Hillary Clinton, and John McCain: http://www.cnn.com/2008/POLITICS/03/21/obama.passport/index.html

     

    At first glance, this story did not seem particularly interesting, especially when I realized that a passport file contains basic statistics such as birth date, height, weight and eye color, information that is already widely available for public figures like these.  Other than the applicant's social security number, there is no really significant private data in these files.  Clearly, this was purely a case of random snooping by curious employees, much like the similar incident in which hospital staff accessed the medical records of George Clooney and Britney Spears. http://abcnews.go.com/US/story?id=4498155&page=1

     

    But as more details around this story emerged this week, my interest in it evolved from that of a concerned citizen to that of an information security professional.  According to State Department spokesman Sean McCormack, Senator Obama's files had been viewed three times by contractors working for the agency, starting in January.  In Clinton's case, a trainee accessed her files in 2007.  McCormack said two of the contractors in the Obama case were "low-level" personnel and the other was in a mid-level position with no management role.

     

    Now, let's reconsider this situation.  These were not full-time employees doing this, but contractors and trainees who do not even work for the State Department.  And while there is nothing wrong with hiring contractors (we have since learned that the State Department hires contractors to design, build and maintain its systems), this incident raises questions about how well (or not) the State Department provisions access to data, applications and systems.  The issue is not just that contractors accessed the files, but that the contractors themselves were 'low-level' personnel.  We do not know the specific IT architecture of the passport system, but the fact that contractors in non-management roles were able to read any and all data on highly public figures suggests that the passport system suffers from a monolithic "access for all" security model: once you are authenticated to the application, you can read every record in it.  Unfortunately, this is often the case in legacy systems that were designed and deployed decades ago with no elaborate access control mechanisms.  In the initial years of operation, such a system is accessed only by a small, well-defined group of individuals, so auditing and controlling access to its information is easy.

     

    But as such systems become more widespread, the number of users requesting access increases rapidly.  And in the case of a high-value application like the passport system, it cannot be taken offline for an extended period so that developers can build a more robust security model into the application.  As a result, the "access for all" model becomes the standard, meaning that everyone ends up with the same level of access, regardless of responsibility, title or function.

     

    Situations like this scream out for identity and role management.  Such systems let an organization define security and access models specific to individual roles and functions.  In the State Department case, a separate role category of 'contractor' could be created and, within it, roles such as trainee, developer or manager, each with a level of access commensurate with the job: a contractor who maintains the system has no business need to read applicant data at all, and a trainee needs far less than an adjudicator.  Role management delivers two levels of benefit.  First, it greatly simplifies administration, because the IT team manages dozens of roles instead of hundreds (or thousands) of individual entitlements.  Second, it reduces risk by limiting each user's access to information to what their actual business function requires.  One caveat a practitioner should keep in mind: roles constrain what a user can see, not why they looked.  A user whose role legitimately includes reading passport records can still snoop, so access logging and a periodic review of lookups against assigned work remain necessary even after roles are in place.  Still, had such controls been in place at the State Department, it is unlikely that low-level contractors would have been able to open these files at all.
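    To make the contrast concrete, here is an added example (not code from the original post, and not modelled on any real passport system) that puts an "access for all" read beside a role-scoped read of the same record store, logs every attempt, and then reviews the log for reads that no assigned case justifies. The records, users, roles and case assignments are constructed for illustration.

```python
"""Role-scoped reads of a record store with an audit trail.

Added example: not from the original post and not any real passport system.
All records, users, roles and case assignments below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample records. Only the adjudicator role should ever see the SSN.
RECORDS = {
    "P-1001": {"name": "A. Applicant", "ssn": "123-45-6789",
               "dob": "1961-08-04", "eyes": "brown", "status": "issued"},
    "P-1002": {"name": "B. Applicant", "ssn": "987-65-4321",
               "dob": "1947-10-26", "eyes": "blue", "status": "renewal pending"},
}

# A permission names the fields it exposes; a role is a set of permissions.
PERMISSION_FIELDS = {
    "read:status": {"status"},
    "read:identity": {"name", "dob", "eyes", "status"},
    "read:full": {"name", "ssn", "dob", "eyes", "status"},
}
ROLES = {
    "adjudicator": {"read:full"},
    "trainee": {"read:identity"},
    "contractor_developer": {"read:status"},   # may debug workflow state only
}
USER_ROLES = {
    "alice": {"adjudicator"},
    "tariq": {"trainee"},
    "cara": {"contractor_developer"},
}
# Work items that justify a lookup, as (user, record_id) pairs.
ASSIGNED_CASES = {("alice", "P-1002")}


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    user: str
    record_id: str
    fields: frozenset
    allowed: bool


def legacy_read(user, record_id, audit):
    """The 'access for all' model: any authenticated user gets every field."""
    audit.append(AuditEntry(datetime.now(timezone.utc), user, record_id,
                            frozenset(RECORDS[record_id]), True))
    return dict(RECORDS[record_id])


def visible_fields(user):
    """Union of the fields exposed by every permission of every role of the user."""
    fields = set()
    for role in USER_ROLES.get(user, ()):
        for perm in ROLES.get(role, ()):
            fields |= PERMISSION_FIELDS[perm]
    return fields


def role_scoped_read(user, record_id, audit):
    """Return only the fields the user's roles allow and log the attempt.
    A user with no read permission at all (or an unknown record) is refused."""
    fields = visible_fields(user)
    record = RECORDS.get(record_id)
    allowed = bool(fields) and record is not None
    audit.append(AuditEntry(datetime.now(timezone.utc), user, record_id,
                            frozenset(fields), allowed))
    if not allowed:
        raise PermissionError(f"{user} may not read {record_id}")
    return {k: v for k, v in record.items() if k in fields}


def unjustified_reads(audit, assigned=ASSIGNED_CASES):
    """Successful reads by a user with no work item for that record.
    Role scoping limits *what* a user sees; this review catches *why* they looked."""
    return [e for e in audit
            if e.allowed and (e.user, e.record_id) not in assigned]


if __name__ == "__main__":
    log = []
    print(legacy_read("cara", "P-1001", log))         # SSN exposed to a developer
    print(role_scoped_read("cara", "P-1001", log))    # {'status': 'issued'}
    print(role_scoped_read("alice", "P-1002", log))   # full record, justified by a case
    for e in unjustified_reads(log):
        print("review:", e.user, "read", e.record_id, sorted(e.fields))
```

    The point of `unjustified_reads` is the caveat above: the trainee's read of P-1001 is permitted by role but has no case behind it, so it surfaces in review rather than being silently allowed.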

  • Liberty Alliance Workshop at the RSA Conference Drives Home the Point that Identity Federation is Entering the IT Security Mainstream

     

    I recently returned from a week at the RSA Conference, which is something of an annual pilgrimage for IT security people and takes place at the Moscone Center in the heart of San Francisco.

     

    http://www.rsaconference.com/2008/US/home.aspx

     

    Even though the Olympic flame relay was also in town on its only stop in North America on its worldwide tour, we RSA Conference attendees stayed focused on IT security.

     

    http://edition.cnn.com/2008/US/04/08/us.olympic.torch/index.html

     

    As I arrived in San Francisco on the Sunday before the start of the conference, one question on my mind was: where are we in the adoption of identity federation?  This is a question I get asked a lot, so I am always looking for evidence supporting one view or another.  So I wanted to find out how interested the average RSA Conference attendee was in the topic of federation.  This would certainly be a valid data point to help answer the larger question.

     

    Fortunately I had a great way to gauge that, because the very next day, on the afternoon of "Workshop Monday" at the start of the RSA Conference, the Liberty Alliance was holding a half-day workshop entitled "Identity Federation & Web Services: Happening Today - Enabling Tomorrow".  Certainly one measure of interest and adoption can be taken from the nearly 500 people who registered and attended this workshop.  To see the slides from all of the presentations from this workshop, please go to the Liberty Alliance Web site here:

     

    http://projectliberty.org/liberty/resource_center/presentations_webcasts

     

    One of the key points of this workshop was to show interested RSA Conference attendees how standards-based identity federation technologies can provide immediate business value, as well as prepare the organization to thrive in the heavily federated, trust-based world that is rapidly descending on us in the form of SaaS, identity as a service, application outsourcing, user-centric identity, or whatever terminology or perspective fits your view of the world.

     

    CA was fortunate to have two excellent federation customer case studies presented during the event.  The first was from BT's Chief Security Architect, Robert Temple, who discussed BT's success in extending its Web security infrastructure to enable browser-based federation with many of BT's partners.  The second CA customer case study session was from Chris Sharp of MEDecision, who discussed the key enabling role of a centralized, policy-based security service for SOA and Web services-based applications.

     

    My personal perspective is that federation in its broadest sense is now entering mainstream usage.  Will it solve all the identity-related problems that came before it?  Of course not.  But it has proven itself to be a valuable tool when applied by experienced practitioners to the right project.  To me that is a sign that mainstream, though not necessarily ubiquitous, usage is currently unfolding.

     

  • Some thoughts on e-ID

    In late February I gave a talk at a conference on e-ID in Belgium organized by L-SEC http://www.lsec.be. Belgium is one of the first countries in the world where every citizen's identity will be backed by a digital identity card. Unlike in Finland, where the e-ID card is optional, in Belgium every resident is legally required to register their address. This registration is performed at the local town hall and delivers an e-ID card at a cost of around 10 Euros. To date, around 7 million e-ID cards have been distributed; by the end of the year all 8.3 million citizens older than 12 should be in possession of their e-ID. It is no surprise that Belgium is looking for ways to put this card to use.

     

    One example of this is eBay, which recently entered into an agreement to integrate e-ID as one of the verification options for its users in Belgium. This new functionality allows new and existing eBay users to (re)register on the site by having their identity confirmed quickly and safely. On top of that, eBay sellers who use this verification method get an 'e-ID Verified' label next to their username. Alongside the seller's profile and feedback score, this is an additional signal that the account is tied to a verified real-world identity; it does not, of course, say anything about how the seller will behave.

     

    The three basic functions of e-ID are data capture, authentication and electronic signature. Around 40 to 50% of all e-ID applications in Belgium use data capture and 40 to 45% use authentication; together these cover 90 to 95% of current applications. The much smaller remainder, around 5 to 10%, use electronic signature. 'Data capture' is when the card is put into a reader in a library, a hotel or the city hall and the application reads the name and some other data stored on the e-ID card; by itself, this only proves that the card is present, not that the person presenting it is its holder. 'Authentication' is what proves the holder, and it is used in all kinds of web applications (incidentally, CA's SiteMinder is used by the Flemish Government MVG for this). The e-ID card is also well suited as an authentication mechanism for PC banking.

     

    The card carries both a printed and a digital photograph, and it also lets the holder log on to the National Register, the government database. The e-ID card is used to authenticate the citizen for access to public services. The resident can also consult the Register and see what the authorities have stored and who has accessed that information (except for State Security). For example, a user can use the card to borrow books from the library and later check which books they have borrowed and when they are due back. A more mundane side effect is that access to municipal garbage dumps is now controlled by your e-ID card: if you try to dump your garbage at a site outside the commune where your address is registered, you will not be allowed in!

  • User-centric Identity - a joint CA/Microsoft effort

    The Identity Metasystem offers a new way to think about the relationship between parties that consume or produce identity information. Sometimes this is referred to as Identity 2.0, or more correctly as User-Centric Identity. This new paradigm offers many benefits, including increased security, enhanced privacy, and the opportunity for new business models. It is sometimes misinterpreted as a technology that nullifies the identity practices many enterprises already have in place. This is most likely due to the technical nature of most of the literature available on User-Centric Identity and its focus on standards and interoperability. But that interpretation could not be further from the truth.

     

    What is really important about the Identity Metasystem is that it defines an "Identity Dial Tone" that prescribes how identity can flow seamlessly through enterprise websites, web services, and the ever-growing set of social networking and collaboration services, spanning both high- and low-trust situations. For this new ecosystem to thrive, it is important that it be embraced and delivered to enterprise customers in a way that lets them incorporate the concepts into their existing infrastructures, without the fear that large portions of their solutions will need to be replaced or significantly modified.

     

    CA and Microsoft are committed to the Identity Metasystem and to helping customers realize its benefits while protecting their current investments. To focus the discussion on business objectives rather than technical practices, CA and Microsoft have jointly developed a white paper, "CA and Microsoft Support for User-Centric Identity and the Identity Metasystem", that describes the Identity Metasystem, InfoCards, and how they can be incorporated into existing solutions where CA and Microsoft technologies are in use.

