The “linear” nature of security and access has worked, but it is not representative of human behaviour and how we work.
In conversation with Jamie Bodley-Scott, global product manager for secure access at Cryptzone, he said that the current model does work, but is set up for failure. He said: “The model today is very disconnected and linear, as you deal with identity up front and, once that is done, there are permissions and rights and maybe access or authorisation rights.
“Then if you take advantage of it later in the day and connect to a server and if the organisation cares about security, there are SIEM systems watching what you do and it is all very linear in a step model and not joined up.”
This, he said, was evidence that systems in access management and identity are not integrated, as you can present your credentials at 8am and if they are compromised during the day and used at 6pm to steal information, the SIEM sends a report of unexpected activity that is collected the next morning. “That is way too late because if someone broke in and stole data they could steal something in minutes,” he said.
Bodley-Scott used the analogy of a front door, saying it is more sophisticated than an IT system: it has a letterbox, a knocker and a lock, and those three give you a choice of ways to interact with it. You can post a letter, knock or use a key, and each requires different credentials.
“With a key, you have to be trusted and have proved your identity and make a number of claims,” he said. “With a letterbox, there is no requirement while with a knocker you exchange information in real-time so identity and claims are taking place at point of transaction.
“But with IT systems, it is on or off and you should have systems that don’t care about identity. We also have web servers that give you information and if you provide more information, you are given more access. But most internal systems don’t behave like that, as if you request access you get it and it doesn’t matter if you say you are the same person as you were 12 or 24 hours ago.”
Bodley-Scott said that you can be online for 24 hours continually and if you have still got the same access, the server says “ok talk to me”.
He argued that this is about recognition and, with that, about access and identity management in real time. “If I recognise you in the morning and evening and let you transact now, but recognise in the morning and see a hand grabbing in the evening, you would stop it but later in the day – it is recognition and in context, a server loses context,” he said.
“There are different areas we need to look at, but we need to be smarter at how we look at identity as we are told what sort of password to use. In a recognition-based environment, you should let the user provide information on themselves that is sufficient for whatever transaction you are trying to undertake.”
He encouraged systems to have policies to make the person say who they are, and what they are entitled to, as a system which is used to accepting requests all day can be compromised and nothing is spotted.
Constantly re-entering passwords is not a good idea, and Bodley-Scott agreed with that, but he said that systems should require a level of authorisation depending on what is requested and by whom. He praised the online banking systems used by many banks, which time you out and require a user to log back in to re-confirm a session, saying that we need to move that intelligence into the enterprise.
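The step-up model described above (authorisation that depends on what is requested, by whom, and how long ago the credentials were last checked) can be sketched as a per-request policy check. The following is an added illustration written for this article, not code from Cryptzone or its products; the sensitivity levels, credential-age limits and device fingerprint field are assumptions chosen to make the example concrete.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # re-present credentials before this request proceeds
    DENY = "deny"         # session context no longer matches; refuse outright


@dataclass
class Session:
    user: str
    authenticated_at: float   # epoch seconds of the last credential check
    device: str               # device fingerprint seen when the session began


@dataclass
class Request:
    session: Session
    resource: str
    sensitivity: int          # assumed scale: 0 public ... 3 highly sensitive
    now: float                # epoch seconds at the time of the request
    device: str               # device fingerprint presented with this request


# Assumed policy: how old the last credential check may be for each
# sensitivity level. None means "never ask again", 0 means "always re-confirm".
MAX_CREDENTIAL_AGE = {
    0: None,        # public data: the login from this morning is enough
    1: 8 * 3600,    # routine internal data: re-confirm after a working day
    2: 15 * 60,     # sensitive data: re-confirm after 15 minutes, like a bank session
    3: 0,           # highly sensitive actions: re-confirm on every request
}


def evaluate(req: Request) -> Decision:
    """Decide each request on current context, not on the morning's login alone."""
    # Context change: the request arrives from a different device than the one
    # that authenticated. Treat it as the "hand grabbing in the evening" case.
    if req.device != req.session.device:
        return Decision.DENY

    limit = MAX_CREDENTIAL_AGE[req.sensitivity]
    if limit is None:
        return Decision.ALLOW

    age = req.now - req.session.authenticated_at
    if age > limit:
        return Decision.STEP_UP
    return Decision.ALLOW


def reauthenticate(session: Session, now: float) -> Session:
    """Called after the user successfully re-presents credentials for a step-up."""
    return Session(session.user, authenticated_at=now, device=session.device)


def demo() -> list:
    """Constructed scenario: credentials presented at 08:00, requests through the day."""
    eight_am = 1_700_000_000.0            # arbitrary epoch value standing in for 08:00
    six_pm = eight_am + 10 * 3600         # ten hours later
    session = Session("alice", authenticated_at=eight_am, device="laptop-1")

    outcomes = []
    # 08:05, routine resource from the same device: still allowed.
    outcomes.append(evaluate(Request(session, "/wiki", 1, eight_am + 300, "laptop-1")))
    # 18:00, sensitive resource, same device, credentials ten hours old: step-up.
    outcomes.append(evaluate(Request(session, "/payroll", 2, six_pm, "laptop-1")))
    # 18:00, same resource but from a device the session has never seen: deny.
    outcomes.append(evaluate(Request(session, "/payroll", 2, six_pm, "unknown-box")))
    # After a successful step-up, the same request proceeds.
    fresh = reauthenticate(session, six_pm)
    outcomes.append(evaluate(Request(fresh, "/payroll", 2, six_pm + 5, "laptop-1")))
    return outcomes


if __name__ == "__main__":
    for decision in demo():
        print(decision.value)
```

The point of the structure is that `evaluate` runs on every request rather than once at login, so the decision made at 8am can be revisited at 6pm; the session age and device fields are the minimal context this sketch carries, and a real deployment would feed in whatever signals its monitoring already produces.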
He said: “IAM systems take no account for change. I can say to an IAM shell that I present a risk, but today I only present a static approach as it makes a decision now, but it doesn’t judge how the risk process is changing with time. What we want is real time behaviour, not static slow iterative behaviour.”
He claimed that the move to a recognition-based concept is about creating dynamic behaviour and looking at dynamic controls. “If a linear process can be turned into a holistic system, then you can do more real time control on what is and isn’t allowed,” he said. “If we move to recognition, the process of logging out is gone as a policy dictates how often you enter a password.”
Jamie Bodley-Scott, global product manager for secure access at Cryptzone, was talking to Dan Raywood