Posts

Showing posts from February, 2013

The Blurring of the Business Identity

The concept of a well-defined business identity is blurring, and this is causing a complex reaction in the area of identity and access management. Internal, enterprise-class identity and access management (IAM) has long been defined as the management of user access, governed by approval workflows, authoritative-source integration and well-defined system connectivity.

Historical Business Structures
Historical business identity management has been defined by several well-defined structures and assumptions. An organisational workforce managed by an IAM programme was often permanent, static and assigned to a set business function or department. This helped define multiple aspects of the IAM approach, from the way access request approvals were developed (the line manager as the default first line of approval) to how role-based access control implementations were started (using business units or job titles to define functional groupings, for example). IAM is complex enough, but t…

Mandiant Lifts The Lid on APT

The claim that China is the root of all evil when it comes to cyber attacks went up a notch yesterday, when security software specialists Mandiant released a damning report claiming that a sophisticated team of hackers, with suspected connections to the People’s Liberation Army (PLA) and the Chinese Communist Party (CCP), had systematically hacked over 140 organisations over a 7 year period.

Why Release The Report?

There have been numerous attempts over the last few years to pin every single cyber-attack onto a group or individual originating from a Chinese network. Some justified, some not so, but it’s an easy target to pin things against. Many of the claims, however, have lacked the detailed technical and circumstantial foundation needed to back them up and move towards either active defence or proactive prosecution. The Mandiant report – and I really recommend reading it in full to appreciate the level of detail that has been generated – really looks to point the finger, but this time, w…

The Drivers For Identity Intelligence

From the main view of Identity &amp; Access Management 1.0 (I hate the versioning, but I mean the focus on internal enterprise account management, as opposed to the newer brand of directory-based federated identity management commonly being called IAM 2.0...), identities have been modelled within a few basic areas.

The 3 Levels of Compliance
'Compliance by Review' (access certification, or the checking of accounts and their associated permissions within target systems), 'Compliance by Control' (rules, decision points and other 'checking' actions that maintain a status quo of policy control) and 'Compliance by Design' (automatic association of entitlements via roles, based on the context of the user) probably cover most of the identity management technology available today.

I want to discuss some of the changes and uses of the first area, namely access review. This periodic process is often used to verify that currently assigned, previously approved permissi…

Twitter Hack: What It Taught Us

Last week Twitter announced that it had been the victim of a hack that resulted in 250,000 users having their details compromised. Pretty big news. The password details were at least salted, but a quarter of a million records is a damaging amount of data to lose. Twitter responded by resetting the passwords of those impacted and revoking session tokens.

Not A Case Of If, But When

The attack again goes to highlight that cyber attack activity is omnipresent. Regardless of how large the organisational defence mechanism (and you could argue that the larger the beast, the more prized the kill, but more on that later), it is fair to say that you will be hacked at some point. A remote attacker only needs to be successful once. Just once, out of the thousands of blocked, tracked and identified attacks that occur every hour. Certainly if you're a CISO or infosec manager at a 'large' organisation (regardless of whether it's actively a web service company or not), from a ris…