
PODCAST: How ‘Identity Access Management’ – IAM – authenticates network connections

October 18th, 2017

Acohido and Bohren

By Byron V. Acohido

Since the start of the 21st century, companies have continually scrambled to embrace ever more complex digital systems. Business networks connect an astounding variety of devices to a vast array of tools and services residing on company premises and in the Internet cloud.

An amazing cascade of logons and digital handshakes routinely takes place to enable convenient digital commerce as we’ve come to know it. The problem is, from a privacy and security standpoint, not nearly enough attention has been paid to assuring the authenticity of each and every connection.

That’s where identity and access management, so-called IAM, systems come into play. I recently spoke with Jeff Bohren, senior solutions architect at Optimal IdM, a prominent vendor in the IAM space. IAM vendors sometimes feel they’re toiling in obscurity compared to other, more sexy, security sub-specialties.

Bohren argues that addressing IAM is a logically proactive step all companies should take, one that can immediately and materially improve an organization’s security posture.

Related article: Understanding, using IAM tools can help keep intruders out of company networks

IAM controls who gets into a network and what they can do once inside, he says. Doing IAM well can reduce breaches caused by careless mistakes, such as granting administrative powers to a partner whose staff can then change or take whatever they want without constraints.

That’s approximately what happened when Amazon was breached earlier this year by hackers leveraging weak passwords and poor security hygiene to divert funds from Amazon’s vendors into the hackers’ own bank accounts.

Breaches like that are common, but they don’t have to be, Bohren told me. Company decision makers need to challenge and empower their CISOs to prevent unauthorized or over-privileged access. “Cybersecurity professionals need to rethink their IAM strategies to make sure every partner and vendor has exactly the access they need – and not a single byte more,” he says.

FIM systems

One technology that can help: Federated Identity Management. So-called FIM systems use common sets of identity data to tie together multiple systems. FIM systems have been refined and made very flexible and reliable.

It is technically feasible for an employee to use one company logon to securely access internal company systems and applications, as well as access cloud-based tools supplied by outside vendors: the same logon for internal apps and external cloud services such as Office 365, or Concur expense reporting forms or Salesforce CRM tools.

“Right now most users at most enterprises have something like five to seven logins they need to use to get their jobs done every day,” Bohren points out. “That’s a problem because that’s five to seven potential vulnerabilities. What enterprises should be doing is working on reducing that to fewer logins and that will translate into fewer vulnerabilities.”

Rethinking access


It is vital that the assigning and use of “privileged access” be carefully considered and closely monitored, as well. Why so? “Privileged access is a big problem because that’s where we’re seeing a lot of these hacks happening right now — it’s privileged accounts being compromised,” he says.

Obtaining the logon of a system administrator who has root access to all systems represents “the keys to the kingdom,” Bohren continues. “They can now penetrate the main controller acting as an admin and change anybody’s password they want. At that point they own your environment.”

I can recall interviewing IAM vendors just a few years ago when their big push was to get companies to take stock of, and reduce, the wide disbursement of privileged access accounts.

In the rush to accelerate digital commerce, companies routinely granted privileged access to non-technical managers, and even clerical staff; folks that had no business requirement for deep access. Naturally, threat actors targeted those employees, stole their logons, and got deep access.

Two-factor authentication push

There has been some tightening down of privileged access, particularly in the financial services and health care industries. So, naturally, the smartest hackers are targeting system administrators who need privileged access, including root access to critical systems, to do their jobs.

Optimal IdM and other IAM vendors today are pushing for organizations to require two-factor authentication for anyone logging on to sensitive systems. “We’re encouraging additional security to be put on top of the admin logins,” Bohren says. “In addition to having the user id and password, they also are going to need to have some kind of second factor authentication.”

Another area of emphasis calls for companies to audit logons to sensitive systems. “This would generate an audit record of who got access to what, and that’s really important,” Bohren says.

For a deeper dive on these takeaways, please listen to the accompanying podcast.





GUEST ESSAY: 5 deadly sins for which companies reap their just reward: data breaches

By Morey Haber

I love statistics. They are a valuable commodity in a discussion to formalize a point and validate your position. Many times, others will question the source, accuracy, or even meaning of a statistic to skew the results in their favor. In addition, a statistic taken out of context, or viewed on its own, can lead to very misleading results. The point is statistics drive everything from social initiatives to new …

PODCAST: Cyber forensic technology helps law enforcement keep terrorists in check

Acohido and Pogue

By Byron V. Acohido

For every horrific act of terrorism that gets carried out there are very likely dozens of plots that get thwarted by authorities using leading-edge cyber forensics tools to track malicious threat actors as they communicate and transact across the Internet.

Nuix is a Sydney, Australia-based company that supplies a well-established e-Discovery and digital investigations platform used by investigators battling terrorists, nation-state spies, hacktivists …

PODCAST: Core Security makes the case for penetration testing as an essential layer of defending networks

Acohido and Newman

By Byron V. Acohido

The Equifax debacle has a lot to teach us about how – and how not to – handle a data breach. The massive breach resulted in hackers accessing the social security numbers, birth dates, home addresses and driving license numbers for up to 143 million Americans and the credit card numbers for about 209,000 Americans.

While the breach occurred between mid-May and July, according to …

PODCAST: How Cyxtera came to bring a security-first approach to colocation datacenters

Rowland and Acohido

By Byron V. Acohido

Cyxtera is a colocation datacenter business with a fascinating pedigree and a new, security-first, approach to datacenter services. I spent some time with Randy Rowland, Chief Product Officer at Black Hat 2017 in Las Vegas to hear more about the trajectory of the business to date. Colocation data centers are facilities where businesses can rent space for servers and other computing hardware.

Rowland …

GUEST ESSAY: Trump’s Cybersecurity Executive Order is Only a Start


By Robert Ackerman Jr.

President Trump last May signed a cybersecurity executive order (EO) outlining plans to improve data security for federal agencies and to better protect critical U.S. infrastructure. I view it as a call to action, more than past administrations have done. This alone makes it worthwhile.

But it’s just a start. Much more needs to be done, and whether this materializes is anybody’s guess. Take, for example, …

PODCAST: Does the iPhone’s facial recognition technology go too far?

By Byron V. Acohido

The release of the new iPhone X (don’t call it ‘X,’ say ‘ten’ or iPhone X), with its facial identification activation feature, has sparked interest in the latest developments in biometric security.

I spoke with Corey Nachreiner, chief technology officer of WatchGuard Technology, about the advantages – and risks – involved in using biometric identifiers with digital devices.

The next steps in authentication

Apple is “really going whole hog” into facial recognition for …