Shubhra Rishi, Associate Editor at CSO Forum India spoke to Dave Taku, Director Product Management, Identity & Access Management at the RSA Security Conference 2017 in San Francisco
Shubhra Rishi, Associate Editor at CSO Forum India spoke to Dave Taku, Director Product Management, Identity & Access Management at RSA Conference 2017.
In one of our CSO Forum's survey, we found that Identity Access Management (IAM) was the top priority of our 55% IT Managers. So it true that when it comes to IT security, the weakest link is still identity and access management?
In fact, the problem of IAM is far more challenging than it used to be. If you look at how identities used to be managed in the past, the information on your corporate network was protected by a perimeter.
In today's environment – information is spread on cloud, third party SaaS provider, including on-prem. For organizations to remain agile, not just power users but all your employees, your clients and your customers, need data; so how do you provide access to these users in a way that is going to satisfy the diverse use cases.
What's becoming critical today is how you make this access not only secure but convenient for users. If we don't do that, users will try to remain productive and find creative solutions, which inevitably, will erode your security. Five years ago, CISOs didn’t care much for convenience, but today, they want to discuss how to make things easier for end users.
Is the problem also around choosing the right solution? Biometric 2FA, adaptive authentication, tokens, or smart cards, is there a type that is better than the other?
I think CISOs and security managers are thinking about reimagining their approach and strategy. Earlier, sensitive data used to be locked down in on-prem; now you put everything on cloud and it is no longer protected in the same way. This is because convenience has trumped security.
The InfoSec professionals are caught between a rock and a hard place where eventually, they know that the decision to put everything on the cloud, will come and bite them if they don't protect their data –but their immediate pressing need is to make this information available to users.
There has been a lot of focus on convenient forms of authentication. While biometrics, mobile devices, yes, all that stuff is very important, but we are focusing on the wrong things.
Not all apps and situations are created equal. If you try to protect everything at the highest level, it doesn't work. Your source code and financial data is far more critical than some of the other things. What we have been challenging CISOs and Infosec professionals to do is to take a risk-based approach in your identity assurance strategy. It is not about what’s more important —security or convenience— but it is about achieving both at the same time. We can do that by understanding where is our sensitive info, who are our risk users, and understanding based on context, which scenarios are riskier than others?
This is how we can create a baseline assessment of how risky this is, how much confidence do we need, and the final question is – how can we achieve additional confidence. Authentication comes in right at the end, and not at the beginning. And this is where a lot of folks have their focus backward.
Is there one authentication method that is better than the other?
With mobile devices, there has been a explosion in innovation around authentication. However, it also creates a lot of confusion around which technology is viable, which companies are viable, and how do various authentication methods measure up against one another.
With security access, one of the things that we want to do is provide our customers with an authentication hub – that combines best of breed from RSA, open source, and third party tech. RSA as a trusted vendor goes through the work of evaluating and recommends authentication methods for various different scenarios.
Understanding the right authentication method for the right scenario, under the relative strength of each authentication method, where they should be applied, and whether it makes sense to give users the choice – if I have various techniques that are equivalent in terms of strength in security for a particular use case, we must give users the desired choice.
New approaches to IAM, including how to use the mobile device to enhance authentication and access without having to worry about mobile malware infecting devices and gain unauthorized access to accounts?
Mobile devices have become a tremendous part of how organizations are moving forward with authentication. Four years ago, we didn’t trust mobile devices or software solutions. Today, it all goes back to convenience and end user behaviour. On the one hand, I can have a hardware token – but if I use it for no other reason than to access my VPN, it is not something that I carry with me or carry in my laptop bag all the time.
In a smart phone, you could argue that it is more susceptible to malware and other types of attacks. However, as an end user, if I lose it, I will be able to remotely wipe that device and intrinsically, it creates tremendous benefits from a security perspective. Organizations have come around to that – realizing that those impacts and use behavior trump any of the technological limitations.
That being said, on mobile devices, that your software based techniques tied to your hardware route of trust, on that device. A lot of organizations are looking that they have a tiered strategy works for managed devices etc. Most organizations have accepted the fact that they have to support BYOD. However, they don’t have to treat the risk profile of BYOD device same as they do a managed device.
For instance, as an InfoSec professional, if I know that a device is not jailbroken, has a strong locking and pin policy, then I have a higher confidence as to whoever is authenticating and using that device, is a legitimate user, and we have the confidence to make better decisions about whether the authentication is acceptable and what I can allow the user to do.
What are the common challenges that CISOs across organizations are facing that desires the need for a strong IAM solution? How should they choose?
Some companies that have a unifying identify strategy syncs passwords across different systems. This is one of the biggest attack vectors today. A cyber criminal can hack into email accounts, get their password, and the same password works across all their enterprise systems (because we have made password so complicated). There are a lot of mature standards such as SAM, open ID connect, federate identities without syncing passwords. And that’s a very important step towards that.
The second thing is – as more workloads and information goes to cloud, your approach and strategies should be consistent across different elements in the organization. For instance, if you have critical on –prem data, it should remain important when it moves to the cloud.
Your approach to creating a full-proof IAM strategy should start with a ‘convenience’ mindset. If you think security first and convenience later— inevitability, you will have user rejection and a failed program in your hands.