Identity & Access Management: Give Me a REST

Give me a REST (or two weeks stay in a villa in Portugal if you're asking...).  RESTful architectures have been the general buzz of websites for the last few years.  The simplicity, scalability and statelessness of this approach to client-server communications has been adopted by many of the top social sites such as Twitter and Facebook.  Why?  Well, in their specific cases, developer adoption is a huge priority.  Getting as many Twitter clients or Facebook apps released, increases the overall attractiveness of those services and in a world where website and service competition is as high as ever, that is a key position to sustain.

Why REST?

Cute picture of RESTing lion [1]

The evolution and move to REST is quite a clear one from a benefits and adoption perspective.  REST re-uses many of the standard HTTP protocol verbs such as GET, POST and DELETE,  when constructing URL's.  These verbs are well understood and well used, so there's no new syntactic sugar to swallow.  Each component of the service owners database is abstracted into neatly described resources that can be accessed using the appropriate URI.  Requests can then be made to return, say, a JSON or XML representation of the underlying database object.



The client, permission granted, can then in turn update or create a new object in the same way, by sending a new JSON object via a PUT or POST request.

What's This Got To Do With IAM?

Identity management has often been thought of as an enterprise or organizational problem, focussing on the the creation and management of company email, mainframe and ERP system accounts.  This process then brought all the complexity of business workflow definition, compliance, audit, system integration and so on.  Access management on the other hand, has often been focused on single-sign-on, basic authorization and web protection.  IAM today is a much more complex and far reaching beast.  

Organizations are reaching out into the cloud for services, API's and applications.  Service providers and applications are becoming identity providers in their own right, reaching back out to consumers and businesses alike.  For once, identity management is on the tip of the tongue of the most tech-avoiding consumers, concerned with privacy, their online-identities and how they can be managed and consumed.

A RESTful Future

These new approaches to identity and access management require rapid integration, developer adoption and engine-like API's that can perform in an agile, scalable and secure fashion.  Identity and access management services for consumers, such as being able to login with their Facebook or Twitter account using OAuth or OAuth2 without having to create and manage multiple passwords for the other sites they interact with, not only increases user convenience.  It also puts pressure on business security strategies as they can struggle to cope with the ability for employees to bring-their-own-identity to many of the now popular business services such as Webex, Dropbox, Salesforce and the like.

As identity management is no longer solely concerned with siloed, business unit or organisational boundaries and looking more to being fully connected, integrated and focused on consumerization, developer adoption has never been more important.  Security in general, has never been a high priority for application builders, who are more centred on features and end usability.

Identity and access management is making a big change to that area with many access management systems being easy to externalize from application logic using RESTful integration.


By Simon Moffatt

[1] - Image attribute Stock.Xchng http://www.sxc.hu/profile.big_foot

BYOID: An Identity Frontier?

[bee-oi]. [b-yoy]. [be-yo-eye]. [bee-oy-ed].  Whichever way you pronounce it, the concept of bringing your own identity to the party is becoming a popular one.  Just this week Amazon jumped on the identity provider bandwagon, by introducing it's 'Login With Amazon' API.  What's all the fuss?  Isn't that just the same as the likes of Twitter and Facebook, exposing their identity repositories so that 3rd party application and service developers can leverage their authentication framework without having to store usernames and passwords?


Well in a word yes.  With the continual threat of hacking and cracking of consumer and business user account repositories, why wouldn't you as a developer, simply take advantage of someone else storing the password details on your behalf?  No need to worry about whether to use encryption or hashing, which algorithm to use, how to handle password reset management and so on.  Simply perform a call out during authentication time, probably using your favourite language, using a simple web standard and a way you go.  Simples.



Why It's Cool To Be An Identity Provider

So why have all of these identity providers sprung up?  Well in essence they haven't.  The Security Assertion Markup Language (SAML) has been around for the best part of 12 years and in the last 8 or so, has been implemented at numerous federation related projects both in the education, public and private sectors.  SAML has the concept of an identity provider, but that has been expanded in recent years to be more consumer orientated.  With the rise of social networking sites that house millions of user records and newer protocols such as OAuth(1 and 2), the use and consumption of these vast repositories is simpler.  From a social platform perspective (Facebook) or from a  consumer outreach perspective (Amazon) it makes pretty good business sense to get more applications, services and in turn users, using the sites and services they manage.  If you make cricket bats, you want to help those who make the balls.  It's the same with being an identity provider.  The consumer has a familiar (and to an extend trusted) account they use to log in with.  It's signal sign on, without all the password hiding and syncing stuff.

If The Consumer's Happy The Orgs Are Happy Right?

Well, if you're an identity provider, I'd imagine you are pretty ecstatic.  You have had to manage the user's password and account details in the past anyway.  So in theory they should be only a marginal cost to expose that information via an API to your apps developers or associated service providers.  Consumers are content as they don't have to create multiple accounts or remember lots of passwords each time they sign up to a new service or application.  But what about the non-consumer side of things?  Perhaps these users are also employees using their newly found identity freedom to access services and applications that are being used for business purposes.  Perhaps CRM systems, hosting providers, calendars, software repositories, syncing apps and so on.  How can that be managed and controlled?

Business Evolution Now Revolves Around Identity Management

I wrote recently about how modern enterprises now face significant challenges, as they expand into new business partnerships, with complex supply lines and an ever evolving mobile and now identity aware workforce.  For many organizations, their continual evolution into new areas of revenue, especially within the business to consumer space, will rely heavily on being able to manage both internal employee access to cloud based services, as well as managing their own consumers' access to their own resources.  Both can be complex, requiring unprecedented scalability and web enablement.

The 'consumer is king', now really translates to 'identity is king'.

By Simon Moffatt

It's Not Unhackable, But Twitter Makes a Start

This week Twitter introduced a new two-factor authentication process to verify account logins.  This comes on the back on some pretty big Twitter account hacks in recent months.  Now, whilst you can argue that it is not Twitter (or any other service providers) responsibility for you to keep your account details secure, they potentially do have a duty to some extent to make increased security an option if an end user does want to use it.

A typical end user isn't particularly interested in security.  Yes, they don't want hacking, yes, they don't want to have their bank details stolen, or their Facebook timeline polluted with nasties, but a typical end user won't actively take extra steps to avoid that from happening.

The concept of strong passwords is pretty much standard these days.  At least 8 characters, an uppercase letter, a number and / or a special character too.  End users have a list of passwords in their minds that fit the criteria.  Unfortunately these passwords are probably being recycled across every site that requires a 'complex' password, perhaps incrementing the number at the end every time it expires.

The use of secondary verification, become familiar for typical web users, when Facebook verification was introduced a year or two back.  If you login to Facebook from an unknown device or network location, you are asked to go through an additional set of verification steps.  This could include security question responses (knowledge based authentication), mobile verification or the most interesting in my mind, confirming you know the people in selected photos from your albums.  Again this is a form of KBA, but without the need to set up or remember arcane questions about your first pet or primary school.

To set up Twitter's additional verification isn't particularly complicated.  A couple of minutes setting up a phone to use as the registered verification device and a few test text messages and you're done.  Albeit the mobile anti-virus scanner on my phone flagged the responding text message from Twitter as 'suspicious' made me smile.

But will this extra step prevent hacks?  The simple answer is no, well yes in some cases, but maybe in others!  Basically there is no simple answer.  Of course it makes cold hacking a lot more difficult, due to having to break something someone knows (the password) alongside breaking the physical something someone has (the phone).  However, what happens if you lose your phone?  I for one do most of my tweeting from a smartphone as many others do to.  For a single end user that could pose an issue as both the Twitter client will undoubtedly have a cached password and obviously the physical phone is able to receive the text message for verification.

However, in corporate PR scenarios a large client may require a team of 3,4 or more executives managing the Twitter account.  Twitter is alive 24x7 and no one individual could manage that for a large consumer client.  This therefore results in multiple machines and potentially multiple clients.  Whilst those clients can be authorised, the security risk is spread as you have multiple access vectors for malware, accidental misuse, malicious misuse and so on.  So whilst Twitter has upped its game on the backend, end users still have a duty with regards managing who has access to the account in general and how those users are managed and vetted.

If nothing else, the introduction of an additional authentication factor increases the information security awareness for the typical end user and starts to make security a much more common step when using services and websites.  The important step next, for Twitter and others, is to make sure there is a larger security 'reward' for those who do engage in the extra steps.

By Simon Moffatt

Forget Firewalls, Identity Is The Perimeter

"It is pointless having a bullet proof double-locked front door, if you have no glass in your windows".  I'm not sure who actually said that (if anyone..), but the analogy is pretty accurate.  Many organisations have relied heavily in the past, on perimeter based security.  That could be the network perimeter or the individual PC or server perimeter.  As long as the private network was segregated from the public via a firewall, the information security manager's job was done.  Roll on 15 years and things are somewhat more complex.

"Identity as the perimeter" has been discussed a few times over the last year or so and I'm not claiming it as a strap line - albeit it is a good one at that.  But why is it suddenly becoming more important?

The Extended Enterprise - Mobile, BYOD, Consumer

Organizations of all sizes are no longer central places of work, with siloed business units, headed up by managers in glass-walled offices.  Remote working is no longer limited to cool startups or the creative industries.  Desktop PC's are now in decline, with tablets and smartphones able to do the majority of work related use cases.  Many organisations now have complex supply chains, leveraging partners, sub-partners, clients and consumers.  Outsourced services and applications now make up a large percentage of an organization's delivery management process, with these services often allowing authentication and user management controls outside of the standard corporate LDAP.

The increased use of BYOD, mobile workforces and increased outsourced and consumer lead service interaction, requires a much more integrated and agile view of an identity, but also requires CISO's, to view data protection and segregation in a much more user centric approach.

There Is No Network Separation - Everything is Connected

Everything is connected.  You can receive corporate email on your smartphone over a network carrier paid for privately.  Remote backup and file sync solutions allow sensitive files to be stored off site without the knowledge of a DLP solution.  There is no longer a 'corporate' network with strong demarcation lines.  Whilst this has obvious user benefits and efficiency gains, it has opened up new areas for security management.  The one thing which is staying relatively static is the that of the identity driving this change.  I don't mean the role and concept of identity is static.  Quite the opposite, but identities are still the driving force between application interactions, network traffic analysis, DLP techniques, firewall management and so on.  Each transaction should be linked in some way to an identity.  This identity could be well masked through alias upon alias, but there are fewer and fewer chances for a truly anonymous computer interaction.

Extend the Enterprise or the Stretch The Cloud?

These identities are developing in multiple directions.  The traditional corporate view of an identity originating from an authoritative source such as HR and flowing via provisioning systems to a target directory or database is still present.  Complex workflows and RBAC projects will keep many a consultant in work for years to come.  But with the onset of the extended enterprise, the increased use of social and cloud based identity brokers and platforms (Google, Facebook et al), there is a need for fusion.  The ability for organisations to extend to the 'cloud' and the for the internet based services and brokers to able to reach out to traditionally standalone organizations with their new apps and services securely, whilst still making the user experience convenient.  But where to start?  Traditional enterprise identity and access management solutions are often too static and unable to scale to internet style proportions.  Internet focused identity has been about single sign on, federation and authentication via social platforms. Organizations need to be able to manage interactions with 3rd party service providers from a centralised, potentially policy driven, authentication and authorization perspective.  It's pointless disabling a contractor's internal LDAP account if they still have an active Saleforce or Dropbox account when they've left.

Compliance doesn't just fade away in cloud and internet based scenarios.  There are still stringent controls that need to be adhered to, in order for an organization's identity management platform to be both convenient and effective.

By Simon Moffatt

Infosecurity Europe 2013: Round Up

This week saw London bathed in glorious spring like sunshine, just as the 3 day annual Infosecurity Europe conference took place at Earls Court.  Over 330 vendors, 190 press representatives  and 12,000 attendees converged to make a interesting and thought provoking look at information security in 2013.

The keynote panel discussions focused on best practices as identified by experiences CISO's and security managers, with the general theme of education, awareness and training being top priorities, for organisations wishing to develop a sustainable and adaptive security posture.  Budget management is also a tough nut to crack, but it is becoming clear that technical point solutions don't always deliver what is required and properly training security practitioners, coupled with cross department accountability make for a more cost effective approach.

Advanced Persistent Threats, cyber attacks and SCADA based vulnerabilities were all up for hot discussion, by both vendors and attendees alike.



See below for a detailed write up of some of the keynote sessions.

Hall Of Fame Inducts Shlomo Kramer & Mikko Hypponen
Keynote Panel: Smarter Security Spending
Technical Strategy: Defining APT
Keynote Panel: Battling Cyber Crime
Keynote Panel: Embedding Security Into The Business
Technical Strategy: SCADA The Next Threat
Analyst Panel: Future Risks

Infosecurity Europe 2014 will run from April 29th to May 1st 2014

By Simon Moffatt

Infosecurity Europe 2013: Smarter Security Spending

Information security should be focused on "moving from the 'T' in IT, to the 'I' in IT' according to panel moderator Martin Kuppinger from KuppingerCole Analysts.  Information security has often been focused on technical related controls, with point solutions based on software and hardware being deployed, in the hope that a 'silver' bullet style cure is found for all attacks, breaches and internal issues.  This is an unsustainable model, from both a cost and effort perspective, but what areas provide a good return on security investment?  An expert panel in the keynote theatre at day 3 of Infosecurity Europe, aimed to find out.

The People, In People, Process & Technology

Michelle Tolmay, from retailer ASOS, commented that the people, in the people, process and technology triad, is increasingly more important that simply installing and configuring technology.  Dragan Pendic, from drinks manufacturer Diageo, also described how building the information security business case, requires focus on the 'right people' within the organisation.  As budgets are finite, all spending needs to be fully justified and explained in business language to key business stakeholders.  Dragan articulated, that whilst the majority of the security budget is ring fenced for legal and regulatory compliance, any remaining funds are spent wisely, focused on identifying security stakeholders with the correct role and responsibilities in order to the make existing and new security technology work smarter.

Education, Training & Awareness

Graham McKay,  of DC Thomson, described, that whilst risk should be decided by the business, countermeasures should be implemented by the IT and security teams, with a key focus on sustainable education.  He argued point solutions are nearly always breachable at some point in time, and that employee training and awareness is a much more effective and sustainable way to protect information.

Cal Judge from Oxfam explained that for training to be effective, it needs to take a personable and story based approach, trying strongly to avoid the dry, theoretical policy lead content.  Michelle also added, that by making examples of the security implications employees face in real life, helps to articulate what measures need to be implementated in the work place.

Accountability -v- Commerciality 

In any organisation, there is a clear trade off between business effectiveness and security implementation.  Graham described that an organisation will never be 100% secure, as commerciality will always take hold.  Whilst technology obviously has a major role to play, learning the full technical limitations, integration steps and implementation paths are key to fully maximising a return on investment commented Pendic.  Often technology is not implemented to the maximum of it's capability, resulting in cheaper alternatives being overlooked or not evaluated.  Cal Judge promoted the use of vulnerability scanning of existing technology as an effective spend, arguing that this can help to simulate what an external attacker would look for, from an internal and external asset perspective.

Michelle Tolmay added that overly restrictive policies are actually counterproductive and costly, resulting in employees taking shortcuts and workarounds that will ultimately put the business at risk.  She also commented that relationships are the underlying success factor for effective infosec spending.  Relationships between internal employees across departments and external relationships between the organisation, audit teams and external regulators all play a key part in understanding how to fuel infosec project spending.

By Simon Moffatt