FEATURE

age that would allow attackers to gain access to the systems. Most SCADA/ICS networks have some level of perimeter defence, including network segmentation and firewall technologies, so attackers are always looking for alternative ways to get inside – for instance, through a gate that is left open, or by triggering some operation from inside the organisation that opens up a communication channel to the outside. Typical tactics include:

• Using a remote access port used by a vendor for maintenance.
• Hacking a legitimate channel between IT systems and ICS/SCADA systems.
• Convincing an internal user to click on a URL link in an email from a workstation that is connected to both the ICS/SCADA network and to the Internet.
• Infecting laptops and/or removable media while outside the ICS/SCADA network, later infecting internal systems when they are connected to the network for data collection or controller/sensor software updates.
• Making use of configuration mistakes in security or connected devices.

Once a hacker has infiltrated the SCADA network, it becomes possible to send malicious commands to the devices in order to crash or halt their activity, and to interfere with specific critical processes controlled by them, such as the opening and closing of valves.

To achieve the level of protection needed for industrial and critical networks, security needs to grow from a collection of disparate technologies and practices into an effective business process. An effective security strategy must detect abnormal behaviour and prevent attacks while providing the organisation with meaningful forensics to investigate breaches when they occur.

The security strategy should ensure that all activity is logged in an independent, out-of-band manner that does not depend on the configuration of the SCADA devices, as those may be hacked by intruders. This should be supported by a baseline for normal behaviour on SCADA devices that defines what is allowed, what is not allowed and what is considered suspicious. Once this has been established, the strategy should incorporate automatic notification and prevention of deviations from the baseline, enabling measures to be taken against undesired network operations much more efficiently.

In addition to establishing a strategy, it is critical that an organisation’s entire IT network be secured to help protect SCADA devices. Past cases show that the IT environment, which is usually connected to the Internet, can be a channel into the operational technology environment. As such, it is critical to employ mechanisms for ensuring authorised access only, such as application control and identity awareness, as well as threat prevention, including firewall, intrusion prevention, anti-virus and threat emulation. A key component of a multi-layered defence for SCADA devices should include threat intelligence, to both share and gather intelligence on new and emerging threats to critical infrastructure.

Cyber-threats focusing on SCADA systems have increased in recent years and this is a trend that is unlikely to change in the near future. Hackers are getting smarter and ever more interested in attacking critical infrastructures – and because of well-known vulnerabilities, SCADA networks are most at risk. Therefore it is essential that strategies and systems are implemented to protect both the network and the services it controls, to protect not only organisations but the public as a whole.
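The baseline-driven monitoring the article describes, as an added example that is not from the article or any vendor product: an out-of-band monitor holds a per-device baseline of expected function codes, register windows and source hosts, classifies each logged command as allowed, suspicious or denied, and turns deviations into notify or block actions. The log format, device name, register numbers and addresses are all constructed for the example.

```python
# Added example (not from the article): an out-of-band monitor with a
# per-device baseline of expected function codes, register windows and
# source hosts. Commands are classified as allowed / suspicious / denied
# and deviations become notify or block actions. All values constructed.
from dataclasses import dataclass
WRITE_FUNCTIONS = {6, 16}  # Modbus-style: write single / multiple registers

@dataclass
class Baseline:
    allowed_functions: set   # function codes the device normally receives
    writable_ranges: list    # (low, high) register windows writes may touch
    allowed_sources: set     # hosts permitted to command this device

def classify(baseline, source, function, register):
    if baseline is None or source not in baseline.allowed_sources:
        return "denied"      # unknown device, or host never seen commanding it
    if function not in baseline.allowed_functions:
        return "denied"      # function code outside the device's normal set
    in_window = any(lo <= register <= hi for lo, hi in baseline.writable_ranges)
    if function in WRITE_FUNCTIONS and not in_window:
        return "suspicious"  # expected function, unexpected register
    return "allowed"

def parse_line(line):
    # Constructed log format: "<ts> <src> -> <device> fc=<n> reg=<n>"
    ts, src, _, device, fc, reg = line.split()
    return ts, src, device, int(fc.split("=")[1]), int(reg.split("=")[1])

ACTION = {"suspicious": "notify", "denied": "block"}

def scan(lines, baselines):
    """Return (timestamp, device, action, source, fc, reg) for each deviation."""
    actions = []
    for line in lines:
        ts, src, device, fc, reg = parse_line(line)
        verdict = classify(baselines.get(device), src, fc, reg)
        if verdict in ACTION:
            actions.append((ts, device, ACTION[verdict], src, fc, reg))
    return actions

# Constructed baseline and sample log lines for one valve controller.
BASELINES = {"plc-valve-1": Baseline({3, 6}, [(100, 110)], {"10.0.5.10"})}
SAMPLE_LOG = [
    "2014-09-01T10:00:00 10.0.5.10 -> plc-valve-1 fc=3 reg=100",  # routine read
    "2014-09-01T10:00:05 10.0.5.10 -> plc-valve-1 fc=6 reg=105",  # expected write
    "2014-09-01T10:00:09 10.0.5.10 -> plc-valve-1 fc=6 reg=300",  # write outside window
    "2014-09-01T10:00:12 10.0.7.44 -> plc-valve-1 fc=6 reg=105",  # unknown source
    "2014-09-01T10:00:15 10.0.5.10 -> plc-valve-1 fc=8 reg=0",    # fc not in baseline
]
```

Running `scan(SAMPLE_LOG, BASELINES)` yields one notify (the out-of-window write) and two blocks (the unknown source and the unexpected function code); the two routine commands produce nothing.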
About the author

Oded Gonda is vice president of network security products at Check Point (www.checkpoint.com). Based in Amsterdam, he works with Check Point European customers on implementation of strategic projects and with Check Point R&D on definition of next-generation products.
Open sourcing the future of IAM

Lasse Andresen, ForgeRock

Every CIO needs a reliable identity relationship management (IRM) system, the more evolved version of identity and access management (IAM), for protecting not merely employee and partner data, but now millions of customers’ data. For many years, businesses have relied on traditional, proprietary IAM vendors to secure user identities and data behind the company firewall. For a long time, IAM was good enough – good enough to manage, from the inside, and good enough to protect the business from the threats outside.
Network Security, September 2014

However, identity needs have changed dramatically in the past few years in the wake of digital transformation. Today’s employees expect access to company systems anytime, anywhere; partners require access to various apps that provide limited access to company data; and, most importantly, customers expect immediate and constant access to user-friendly, consumer-facing data – a need traditional IAM cannot even begin to address.

This change is amply demonstrated by a recent Forrester survey, which found that 85% of companies were planning customer-facing identity projects where customers rather than employees were the users, and 81% were planning IAM projects where partners were the users. To adequately serve these new populations, companies need to account for the specific needs of these implementations, Forrester noted.
Evolution and innovation

In her blog on IAM, Fran Howarth at Bloor noted that: “in the past four to five years, identity and access management technologies and services have seen considerable evolution and innovation. Today, they are used to broker access not just to internally provisioned applications, but also to the multitude of services and applications provided by external parties as web-based applications, software-as-a-service (SaaS) subscriptions in the cloud and via mobile devices. Such services place the emphasis on ease of use and implementation and can scale from the smallest micro-firm to multinational enterprises and agencies, making them suitable for use by any organisation, no matter its size or line of business.”

So, as you’d expect, Howarth goes on to observe that the vendor landscape for IAM has “changed considerably over the past three years, prior to which there were just a handful of specialists offering online IAM services.” In contrast, there are now many specialist IAM vendors operating in the market.

Traditional IAM solutions were designed exclusively for the on-premises enterprise – they are not equipped to handle or adapt to the immediate demands of the modern web. This is hardly surprising, since the common use cases that influenced the initial development of traditional IAM were based on a very different set of business needs from today’s. Early IAM was developed to secure employee identities and protect enterprise applications and data maintained behind the company firewall. The access devices the company provided to its users (employees) were usually desktops or laptops. The scaling requirements were limited to the company’s employees, so a deployment that exceeded 10,000 users was rare. While use cases such as on-boarding and off-boarding users were common, these processes happened at a much slower pace than today, driven by predictable and intermittent events such as hiring new employees.

In his presentation “Killing IAM in Order to Save It”, former Gartner analyst and current senior director of identity at Salesforce Ian Glazer addressed the problem head on. “Current enterprise identity and access management cannot adapt and cannot evolve to the contemporary web. At the moment, identity management is ensconced in a reasonably static world. Identities are created, owned, and managed by the enterprise. The problem is that the world around identity management is growing both larger in terms of the constituents that have to be served and moving faster than this static model can keep up with.” Glazer notes that “the current style is slow, requiring changes when an individual is added, moved, or leaves an organisation; and while this works fine, this isn’t the current pace or style of the modern enterprise, partners, or the customers that are working in the modern web. Legacy IAM systems are apart from, instead of a part of, other crucial business services of an enterprise, which ultimately is inconvenient and requires additional work. Modern systems need integrated systems.”
Scale and complexity

Today’s needs are very different. Users are not confined to employees and partners, but also include customers. Managing customer identities and access isn’t the same as employee IAM. Many organisations should be concerned that systems focusing on classic system-of-record goals, such as automating IAM for compliance, IT administration efficiency and security, may not provide sufficient strategic opportunities to shape customer engagement.

Forrester reported: “Evolving from managing employee and partner identities to managing customer identities requires drastically increasing the scale and complexity of the operation.” Respondents to the survey reported “a median of only 101 to 1,000 partner identities and 1,001 to 10,000 employee identities – but 500,001 to 5,000,000 consumer identities.” Not only are customer populations four orders of magnitude greater than employee populations, Forrester noted, but they also “represent an audience that is not captive to the enterprise’s internal-facing needs for security and operational efficiency and can go elsewhere to get their needs met.”

Further complicating this massive increase in users, generated by customer engagement, is the fact that at first the user might also be anonymous. In addition, users are accessing applications from locations far beyond the company firewall and via a multitude of devices. And the applications themselves are often hosted in the cloud and provided by a SaaS provider. As a result, the volume of users has exploded, and both the rate at which they change and the number of identities they require have expanded.

This is not to say that there is no longer a need for traditional IAM. Rather, it means that what is needed now is a new, open, agile, scalable IAM platform – a platform that can integrate with the installed legacy systems, but also provide for the needs of today’s modern web environments.

The Forrester survey found that many companies were dubious that their existing IAM infrastructure was ready to support the scale, responsiveness and business enablement that the new digital consumer requires. As many as 45% of companies revealed that they were planning to either build or buy partially or completely new infrastructure for their next project. Two-thirds of respondents said their existing IAM technology solutions were less than ‘very’ prepared for external deployment, with 30% admitting their internal-facing solutions are ‘not very’ or ‘not at all’ prepared.

Faced with such obvious shortcomings in their existing IAM solutions, how can CIOs extend, integrate and modernise their companies’ identity infrastructure to provide for these common new use cases? Forrester found that many were looking to new technologies to try to meet their future requirements, with 88% of respondents indicating that their budget for building out IAM projects requiring external-facing, customer and partner identity and access management included investment in new IAM software, aka IRM.

The alternative to traditional proprietary IAM vendors exists in open, standards-based identity solutions. Built from the ground up and tailored to the unique needs of the modern web, identity relationship management (IRM) solutions are equipped to handle customer-facing identity requirements across devices and across cloud, social, mobile and enterprise systems, as the digital transformation takes hold within the enterprise and across the customer base.

There are several key reasons why open source IRM is able to adapt to the modern web where legacy IAM vendors cannot. Unlike IAM, IRM is built to help businesses manage the identities of customers and things, and the relationships between them – not just employees. It is designed in response to the massive influx of new users and devices to be modular, scalable, borderless and context-driven. IRM is redefining the category, and agile businesses are already making the swift shift to IRM to grab market share before their heavyweight competitors can make the transition.
An IRM platform needs to be modular, and preferably designed as an integrated, cohesive stack that is purpose-built to handle the complexity of multiple users, devices, access points and privileges. At the same time, it needs to be able to encompass legacy applications and services. Modular, open platform solutions are well suited to connect with virtually any device or service – and have no trouble supporting older and newer versions of each device or application, because the various platform pieces can be broken out and used alone or in tandem as needed.
Digital transformation

Digital businesses work at Internet scale, which means that the number of users can expand exponentially from thousands to millions worldwide. The identity system needs to be scalable and dynamic enough to deal with these immediate fluctuations and serve content regardless of location – while being aware of the difference location might make in the type of services available and the way they are delivered.

The Internet of Things (IoT) is connected everywhere, all the time. IRM needs to provide secure access to applications wherever they are stored – on premises, in the cloud or both – from any Internet-connected device, from anywhere.

And finally, context. Context was barely even a consideration for traditional IAM, but it is a critical differentiator for companies delivering digital services. IRM can help businesses better engage with stakeholders based on context and behaviour. It needs to be intelligent enough to evaluate a variety of circumstances in real time and make the best judgment – for example, using adaptive and multi-factor authentication when a user logs in from an atypical device or region.

An IRM model presents a highly attractive alternative for enterprises seeking lightweight, flexible identity solutions that can accommodate the standard needs of the traditional, on-premises enterprise and the dynamic requirements of the modern web.
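The adaptive, context-aware step-up the article mentions, as an added example that is not from the article or from any ForgeRock product: each user profile records the devices and regions seen at earlier fully authenticated logins, a login from an atypical device or region raises a risk score, and at or above a threshold the login must also pass multi-factor authentication before the profile learns the new context. The profile fields, scores, threshold and sample users are assumptions made for the example.

```python
# Added example (not from the article or any ForgeRock product): a context-
# aware login decision. A profile holds the devices and regions seen at
# earlier fully authenticated logins; an atypical device or region raises
# the risk score, and at or above MFA_THRESHOLD the login must pass
# multi-factor authentication. Profiles, scores and threshold are constructed.
from dataclasses import dataclass, field

@dataclass
class Profile:
    known_devices: set = field(default_factory=set)
    known_regions: set = field(default_factory=set)

MFA_THRESHOLD = 2  # risk score at or above which step-up MFA is required

def risk(profile, device_id, region):
    """Score the login context and list the factors that raised the score."""
    score, reasons = 0, []
    if device_id not in profile.known_devices:
        score, reasons = score + 2, reasons + ["new-device"]
    if region not in profile.known_regions:
        score, reasons = score + 2, reasons + ["new-region"]
    return score, reasons

def decide(profile, device_id, region):
    """Return ('password_only' | 'mfa_required', reasons) for this context."""
    score, reasons = risk(profile, device_id, region)
    return ("mfa_required" if score >= MFA_THRESHOLD else "password_only"), reasons

def login(profile, device_id, region, password_ok, mfa_ok=False):
    """Run the adaptive flow; the profile learns the context only on success."""
    if not password_ok:
        return "denied"
    action, _ = decide(profile, device_id, region)
    if action == "mfa_required" and not mfa_ok:
        return "denied"  # step-up challenge failed or was not completed
    profile.known_devices.add(device_id)  # an empty (first-login) profile also
    profile.known_regions.add(region)     # lands here, since it forces MFA first
    return "granted"
```

A failed step-up leaves the profile unchanged, so an attacker who only has the password cannot teach the system a new device or region.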
About the author

Lasse Andresen is co-founder and chief technology officer of ForgeRock. He has more than 20 years of experience in the software industry.

EVENTS CALENDAR

29 September–2 October 2014: (ISC)2 Security Congress, Atlanta, US. https://congress.isc2.org/
13–16 October 2014: HITBSecConf, Kuala Lumpur, Malaysia. http://conference.hitb.org/
14–17 October 2014: Black Hat Europe, Amsterdam, Netherlands. www.blackhat.com/eu-14/
14–15 October 2014: Information Security Solutions Europe (ISSE), Brussels, Belgium. www.isse.eu.com
16–17 October 2014: Hacker Halted USA, Atlanta, Georgia. www.hackerhalted.com
22–26 October 2014: Toorcon, San Diego, US. http://toorcon.org
14–16 November 2014: ISACA Information Security and Risk Management / ITGRC, Las Vegas, US. http://bit.ly/165MHQa
17 November–22 December 2014: SANS London 2012, London, UK. www.sans.org/event/london-2014
19–20 November 2014: Cloud Security Alliance Congress, Rome, Italy.