I’ve been one to accuse the identity and access management space of being slow moving, without much to write about.
Yes, it lets people in and it is hard to manage who has access, and the biggest challenge is privileged user access – which is also hard to manage. We’ve heard it all before, right? In conversation with Chris Sullivan, vice president of advanced solutions at Courion, he introduced me to the concept of what he called “next generation IAM”.
So another 2.0 or next generation concept, but what Sullivan said was interesting with reference to ongoing attacks.
“IAM is about giving people access to what they need and changing it when you leave,” he said. “We generally give people the right access, but breaches are still going through the roof and audit issues are still going up – so something is fundamentally wrong.”
He said that the cause and effect needs to be considered, as there are two things to consider – the first is speed and second complexity. Regarding speed, Sullivan said that hackers come in and within two weeks they are breaching the initial systems, building out staging servers and exfiltrating servers with rogue code which goes through the distribution cycle and kicks out credit cards in 12 days. “We look at stuff, but that is the best we can do, and that is done every six months,” he said. “But if they are in and out in 12 days it just doesn’t work, as it is a structural disadvantage.”
Regarding complexity, he said that this is simple mathematics. “The security model is not designed to work together. We build all these LANs and connect them together, but there is no central architecture and it is a disaster,” he said.
“Now things are very clean and there are cleaner routing protocols and a cleaner architecture, but on the security side it is not the case, so you start plugging security models together and start getting staggering numbers of different combinations. So if there are 2,000 people in your company, maybe there are 2,000 security groups and when you start to multiply them, what are the permutations of access?
“You have roles within roles and profiles within profiles and it adds up to billions of different profiles that are changing all of the time. Some security manager cannot say “yes this is correct, approve it”, you need regular access to go through to an access portal – to payment or to shut down a network and the reality is it is very different.”
Sullivan argued that with the challenge of speed and complexity, traditional IAM has taken a workflow driven approach to figure out who you are and whether or not you are approved, but he said that the speed and complexity of it all is not being addressed. “We are trying to get to root access, it is not a control, it is a way of looking at it differently and that is where I think IAM is going,” he said.
He said that the entire IAM industry is built on workflows and automating work processes and if there is a privileged account in a system with a billion interchanging tunnels, we can say “yes, looking at how they are connected”, and approve it.
“Look at the RSA breach, it was buried in those entitlements and reviewing that data did not see anything wrong, even though it popped its permissions,” he said.
“Look at breaches, the attackers are so far inside the loop that we do not have a chance. Look at them being connected for 16 or 12 days, you’ll find 12 things compromised. It is not just one PC that is compromised, they were inside Target across networks that are supposed to be segregated and protected, and the incredible thing is they did multiple iterations and attackers had to go in and change the environment, and use the code to go through multiple iterations and compromise the software system, then distribute the software to the point of sale systems as they will not take software from anywhere. Before Target figured it out, the attackers had exfiltrated 70 million cards.”
Sullivan told me that he plans to put together a new committee to define measures that we have and how specifically we should measure them that will ultimately put together a framework on how to contribute data that requires a legal structure, and an infrastructure to collect data and share it back. At the time of writing this was still in the process of being put together.
I concluded by asking Sullivan if one of the problems with such attacks being missed is because the IAM administrator is swamped with events, and he pointed to the Target attack with the first instance being the use of contractors who are set up as employees, but are rarely cleaned up and removed.
“So in the case of an attack, in the first instance they use the old login, and then elevate permissions from an old service account and the default password was never changed, no one was watching those privileged accounts and many still work with the default passwords and the last password reset date is the same as the account creation date,” he said. “No one ever logged in as there is too much complexity to manage.”
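The stale-account indicators Sullivan describes (a password whose last reset date equals the account creation date, a contractor account still enabled after the engagement ended, a privileged account nobody logs into) are easy to check mechanically. The script below is an added example, not Courion’s code or anything from the interview; the account records are constructed sample data in the shape of a typical directory export, and the field names and the 90-day dormancy threshold are assumptions.

```python
from datetime import date, timedelta

# Constructed sample directory export (not real data). Fields mirror what an
# AD or IAM export typically carries; the names and dates are made up.
ACCOUNTS = [
    {"name": "svc-pos-deploy", "type": "service", "privileged": True,
     "created": date(2012, 3, 1), "pwd_last_set": date(2012, 3, 1),
     "last_logon": None, "enabled": True, "contract_end": None},
    {"name": "j.doe", "type": "employee", "privileged": False,
     "created": date(2013, 6, 10), "pwd_last_set": date(2014, 1, 15),
     "last_logon": date(2014, 2, 1), "enabled": True, "contract_end": None},
    {"name": "ext-vendor01", "type": "contractor", "privileged": False,
     "created": date(2013, 1, 5), "pwd_last_set": date(2013, 1, 5),
     "last_logon": date(2013, 9, 30), "enabled": True,
     "contract_end": date(2013, 10, 31)},
    {"name": "admin-old", "type": "employee", "privileged": True,
     "created": date(2010, 5, 5), "pwd_last_set": date(2013, 12, 1),
     "last_logon": date(2013, 2, 1), "enabled": True, "contract_end": None},
]

AUDIT_DATE = date(2014, 3, 1)  # assumed "today" for the sample run


def audit_accounts(accounts, today, dormant_days=90):
    """Return {account_name: [finding, ...]} for enabled accounts that match
    one of the stale-credential patterns described above."""
    findings = {}
    for a in accounts:
        if not a["enabled"]:
            continue  # disabled accounts have already been cleaned up
        hits = []
        # Password never rotated: last reset date equals creation date.
        if a["pwd_last_set"] == a["created"]:
            hits.append("password never changed since creation")
        # Contractor whose engagement ended but whose account is still enabled.
        if a["type"] == "contractor" and a["contract_end"] and a["contract_end"] < today:
            hits.append("contractor account enabled after contract end")
        # Privileged account nobody has logged into recently (or ever): unwatched.
        if a["privileged"]:
            last = a["last_logon"]
            if last is None or (today - last) > timedelta(days=dormant_days):
                hits.append("privileged account dormant")
        if hits:
            findings[a["name"]] = hits
    return findings


if __name__ == "__main__":
    for name, hits in audit_accounts(ACCOUNTS, AUDIT_DATE).items():
        print(f"{name}: {'; '.join(hits)}")
```

Against a real export the same three checks can be scheduled far more often than a six-monthly access review, which is the structural gap Sullivan points at.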
If the aim is better management and things working more efficiently, then maybe a next generation of IAM software is required, one that works faster and resolves those long-standing issues, because at the moment it seems that even simple problems are not handled well.
Chris Sullivan, vice president of advanced solutions at Courion, was talking to Dan Raywood