2013 and 2014 were major years for IAM awareness in both government and industry. The Snowden leaks helped teach government agencies the value of limiting individual access to vast troves of information. In the private sector space Target’s credit card breach cost the company 46% of its fourth quarter profits and litigation for more than 140 lawsuits (Radichel, 2014). Although Target’s breach might have been stopped by any number of mitigation efforts, proper IAM would have limited the ability for the intruders to spread from the billing system used by the HVAC company to the more sensitive parts of the network.
The attention received from the breaches has resulted in an increased level of attention on the topic from all levels. Some parts of the industry such as Staminus Security and NorseCop have responded with security theater (Gallagher, 2016 & Fisher, 2016) while other parts of the industry have taken a thoughtful look at making sure only the right people have access to the right amount of information.
For local IT IAM often takes the form of a Microsoft Active Directory server or some LDAP variant. LDAP v3 is described in RFC 4511 released in 2006 and includes a number of key features, namely bind, unbind, unsolicited notification, search operation, modify operation, add operation, delete operation, modify DN operations, compare operation, abandon operation, extend operation, intermediate response message and start TLS operation. In general these commands are initiated through TCP or UDP port 389.
While RFC 4511 has served the industry well for creating functioning authentication protocols in the nearly full decade since its release has seen a great deal of growth and development. In December of 2015 the VP of Technology for Advancer Corporation penned his IAM predictions for 2016 giving us an indication of how far the field has developed. His seven predictions include:
Cyber security has become the religion, equally for government and businesses.
Cloud IAM to spread towards provisioning capabilities.
Spreading of IDM systems on on-premise as well as cloud.
Cloud will enable greater utilisation of IAM products by small enterprises.
Safeguarding and securing super users through PAM.
Managing of identity through secure user identity management and access governance will enhance.
Businesses will stay agile by adding more layers of IAM into their IT infrastructure.
In addition to SaaS, PaaS and IaaS companies to include Centrify are now talking about Identity as a Service (IDaaS).
All of these technologies are extensions of the need to be authenticated within cyberspace. For individual users sites such as LastPass step in to help them manage their online identity across a myriad of websites. SSH, bitcoin and bitmessage all operate using cryptographic keys to ensure sender and recipient identification during transmission.
For the average user this effort really hits home in the area of social media. As of 2011 facebook began forcing https connections to reduce the man-in-the-middle attack vector (Stackoverflow, 2011). Google also adopted https in 2011 to reduce snooping on user search queries (Google.com, 2011). The robustness and popularity of social media caused Gartner’s research team to predict in 2013 that future customer identities would be based on social media (Gartner Inc., 2013). Today the spirit of that prediction holds true as social media sites are integrated into sharing economy sites such as AirBnB and educational sites such as Khan Academy. Google’s developer websites now include easy to follow guides for leveraging their identification services into emerging technology (Google.com, 2016).
In mobile computing just like traditional machines identification management begins with authenticating on the device itself. Fingerprint readers are now serious features on smartphones. Although phones do have inherently insecure networking components (Anthony, 2013) they do enable a second layer of IAM, two factor authentication (2FA). 2FA on smartphones works because the phone itself is a part of two separate networks. The SMS messaging service built around the purely cellular technology is in many ways a separate network from the data connection on the phone itself. Because of this an attempted login over https can be verified using an SMS message. Circle finance requires authentication before conducting bitcoin transactions and major social networks now offer 2FA as part of their authentication services.
In the cloud IAM has become a must have as cloud features have grown in popularity and potential. Google for business accommodates several layers of cloud sharing options with respect to files hosted on Google Drive. By default they are only accessible to the author. The default for sharing is to have it shared across the entire organization. Additional options exist for public read only, public edit and organization read only. Because the system is cloud based it can respond quickly to new features suggested by user feedback. Google’s products aren’t the only ones with these features. Similar access control and identification measures are implemented into dropbox and owncloud and are considered a standard feature set when developing similar tools.
As we move more and more things to the cloud and big data becomes more of a reality for businesses IAM will continue to be a significant part of the organization’s IT strategy. In the business world Sony’s 2014 breach attributed to an insider threat is a critical example of how big data matched with poor IAM can cause serious problems. While 2013 and 2014 were significant years for IAM awareness today the industry has matured, but only time will tell of the pace of maturity across the spectrum has kept up with the pace of innovation from malicious actors.
Anthony, S. (2013, November 13). The secret second operating system that could make every mobile phone insecure | ExtremeTech. Retrieved April 12, 2016, from http://www.extremetech.com/computing/170874-the-secret-second-operating-system-that-could-make-every-mobile-phone-insecure
Fisher, C., & Jude, A. (2016, February 4). Hot Norse Potato | TechSNAP 252 | Jupiter Broadcasting. Retrieved April 12, 2016, from http://www.jupiterbroadcasting.com/93496/hot-norse-potato-techsnap-252/
Gallagher, S. (2016, March 11). After an easy breach, hackers leave “TIPS WHEN RUNNING A SECURITY COMPANY”. Retrieved April 12, 2016, from http://arstechnica.com/security/2016/03/after-an-easy-breach-hackers-leave-tips-when-running-a-security-company/
Gartner, Inc. (2013, February 5). Gartner Says Half of New Retail Customer Identities Will Be Based on Social Network Identities by 2015. Retrieved April 12, 2016, from http://www.gartner.com/newsroom/id/2326015
Google.com. (2011, October 18). Making search more secure. Retrieved April 12, 2016, from https://googleblog.blogspot.de/2011/10/making-search-more-secure.html
Google.com. (2016, April 12). Google Identity Platform | Google Developers. Retrieved April 12, 2016, from https://developers.google.com/identity/
Mittal, R. (2015, December 18). IAM Tech Trends to watch out for in 2016. Retrieved April 12, 2016, from https://www.linkedin.com/pulse/iam-tech-trends-watch-out-2016-rajesh-mittal
Radichel, T. (2014, August 5). Case Study: Critical Controls that Could Have Prevented Target Breach. Retrieved March 29, 2016, from https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412
Stackoverflow. (2011, January 27). Force HTTPS on Facebook? Retrieved April 12, 2016, from http://stackoverflow.com/questions/4723983/force-https-on-facebook