http://blogs.sun.com/whoami/date/20090701 Wednesday July 01, 2009

Identity and the front door

  Once the decision has been made that identity is critical to the security of IT systems, an identity and identity management strategy must be set up.  Often this is as simple as a user name and password authentication method that stores accounts in a local file, which comes as a feature of the OS and possibly of some of the applications.  In many cases this is good enough, and it is the front door into IT resources. Identity authentication and identity management can get very complex, with multiple data stores and authentication mechanisms spanning multiple domains and geographical areas, and with multi-factor authentication requirements.  I want to focus this entry only on the front door concept. I understand that there is much more to security and good identity management than just the front door; however, it is the focus of this entry.  I will talk about why the front door is important, and future entries will talk about front door security and other security strategies around identity and identity management.

  I was talking to a developer that produces products for the manufacturing industry.  He writes code that makes machines do the right thing in a manufacturing plant.  He has been around computers for years and started programming with punch cards.  Over the years I have had a few conversations about security with him, and we usually end up on different ends of the argument.  In our last conversation he indicated that he felt that he really did not have anything on his computer that was interesting or of value to others.  I would guess that his corporation might think that some of his code has value and should be protected.  Even if the information seems trivial, it may have value and may need to be protected in some way.  Spies and others that want to gain an advantage often start by gathering bits of information that seem harmless, which, when brought together with other seemingly harmless bits of information, give them enough to put a picture together that can be used to leverage their way in.  His company uses a standard username and password to authenticate, and screen savers when systems are locked.  My friend pointed out that he changes his screen saver to a picture of a car, and that car is in some way part of his password. As a security focused person this seems very insecure to me.  As we talked he also indicated that he never locks his house.  He does not live in a big city or in an area of high crime, nor has anything of real value ever been taken from his home.  He is not in an industry that is often targeted by hackers, and he is not aware of his system having been hacked. Some of his sense of security is based on his physical world, where people are mostly honest and respect people and their property.  The problem with this is that out in the Internet world my neighbor might be anyone from any country.  With targeted attacks by both organized crime and countries that want to do harm to other countries, the Internet is not quite as safe as small town America.  Then add to that the "hackers" that want to break into systems for fun or profit, and it truly is the wild wild west. Most members of these three groups do not have authorized front door access and often will use other entry points.  So who is it that we are trying to keep out with a strong front door?  Why should we really care about who is really using our systems or what they have access to?

  First, why is the front door so critical to information security?  Much like in the physical world, the front door is all about keeping honest people honest.  In the physical world the front door is where those that live inside have key access and those that live outside knock and ask to enter.  In the IT world it is the place where only those with a key (having the authorization to authenticate) should pass through.  If identity matters, there is usually some vetting process of a given user before they are given authorization (like a username/password) to gain access to a system.

  Secondly, which key to use?  There are many authentication mechanisms that could be used: biometrics, smart cards, PKI, one time use passwords, and standard username/password, to name a few.  It can be hard to know which one or ones to use for any given resource.  The thrust of this entry is not around picking an authentication mechanism.  I will point out that systems should be evaluated to understand what authentication mechanism is best for the location and environment of the users and their systems, and how able the users are to use that method of authentication.  It is critical to understand, for the data stored on the system, what level of assurance that a user is who they say they are should be required.  Which authentication method to use, and why, could fill a long paper and will not be part of this entry.  I will point out a few issues with the often used username/password as the authentication mechanism (the key to the lock on the front door).  Some of the problems with username/password systems include:

  • people often share this information (loan out the key)
  • people write down the information and leave it someplace (leave the key under the mat)
  • people use passwords that are easily guessed (still use a skeleton key lock that is easily picked), much like my developer and the clue on his screen saver.

   Thirdly, why should we really care?  The front door is all about audit, traceability, and privileges (capabilities).  Let's start with audit.  In the physical world those that enter the building are watched by others that are already in the building.  In my home that is my family; in my office that is my co-workers.  The bigger the population or building, the less this self monitoring works.  In large work places there is often a guard or other person that is responsible for checking the identity of those that enter.  Once we know that those in the building should be in the building, how do we know what they did?  In my house we know who is doing what most of the time.  We can hear water running, look around, and know who is taking a shower, or see dishes left out and figure out who did not put them in the sink.  We have very loose auditing in our family, and I would say that is also true in most work places.  In large environments there may be camera monitoring systems that record what people are doing.  In each case there are physical eyes that see a given amount of activity within the physical space, which is used to audit activity as good or bad within that space.  In the IT world, once someone uses the front door there should be an audit trail created of what that user is doing.  We audit because we need to know what has happened or is happening on a system. All processes have some type of ID attached to them that can be traced back to a person, application, or OS function.  Through these processes we can tell what or who is using resources, has modified data or applications, or did something that caused a problem on the system.  If audit is on, configured to gather the right data, monitored, protected, and understood, it can be used for forensics on what happened on a system or systems and used in court to prosecute violators.  Some of the key things that need to take place for audit to work are:

  • Proper vetting of identities.
  • Access controls in place that give a good level of assurance that the user on the system and the person identified with that user ID are one and the same.
  • Good layered security in place to be sure the user on the system is not a hacker/impostor.
  • Activity that has taken place has been monitored, recorded, and understood.

Then, if an activity is illegal or outside of policy or procedures, one could prosecute or discipline the individual for that activity.

  Finally, the other side of front door access control is privilege control.  Within my house there are many rooms, and some, like my living room, are open to all that have access to the house.  On the other hand, my bedroom is not open to all that enter my house.  My bedroom is only used by those that I have given permission to enter.  There is even a bit more security around my gun room, where there are guns, gun powder, and ammunition; this room has additional locks to gain access.  In a computer there may be different levels of privileges given, for example:

  • General user privileges
  • Specific admin privileges (printer admin, user account admin, network admin, etc..)
  • Unrestricted admin/root privileges

Depending on the OS and application there could be many levels of privileges given to a user to perform any number of given job functions while denying access to other functions within the system.  It is critical to think about separation of duty and least privilege when setting up a layered access and privilege strategy.  This type of approach should be part of a good layered security strategy.
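To make the audit and privilege points above concrete, here is an added example (not code from the original entry) of a small front door model: every action is tied to the identity that authenticated, is checked against that identity's privilege level, and is written to an audit trail whose entries are hash chained so that deletion or editing is detectable. The account store, roles and passwords are constructed sample data.

```python
"""Front door model (constructed example): authenticate, then audit and authorize each action."""
import hashlib
import hmac

# Privilege levels from the post, as role -> allowed actions (sample policy)
ROLE_CAPABILITIES = {
    "user": {"read_file"},
    "printer_admin": {"read_file", "manage_printer"},
    "root": {"read_file", "manage_printer", "manage_accounts", "manage_network"},
}

def _digest(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed account store: user id -> (salt, salted password hash, role)
ACCOUNTS = {
    "alice": ("salt1", _digest("salt1", "correct horse battery"), "user"),
    "bob": ("salt2", _digest("salt2", "printer-room-key"), "printer_admin"),
}

class FrontDoor:
    def __init__(self):
        self.audit = []            # list of (record, chain_hash)
        self._prev = "0" * 64      # anchor of the hash chain
    def _record(self, who, action, outcome):
        # Each entry hashes the previous hash too, so edits or deletions break the chain.
        record = f"{who}|{action}|{outcome}"
        h = hashlib.sha256((self._prev + record).encode()).hexdigest()
        self.audit.append((record, h))
        self._prev = h
    def login(self, user, password):
        acct = ACCOUNTS.get(user)
        ok = acct is not None and hmac.compare_digest(acct[1], _digest(acct[0], password))
        self._record(user, "login", "success" if ok else "failure")
        return user if ok else None   # session identity; None means the door stayed shut
    def act(self, session, action):
        # Every action is attributed to the identity that passed the front door.
        if session is None:
            self._record("<unauthenticated>", action, "denied")
            return False
        allowed = action in ROLE_CAPABILITIES[ACCOUNTS[session][2]]
        self._record(session, action, "allowed" if allowed else "denied")
        return allowed
    def verify_audit(self):
        prev = "0" * 64
        for record, h in self.audit:
            if hashlib.sha256((prev + record).encode()).hexdigest() != h:
                return False
            prev = h
        return True
```

A failed login, a denied action, and an unauthenticated request all still produce audit records, which is what lets the trail answer "who did what" later.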

   Identity is about access control, privileges, and auditability.   Identity and identity management need to be tied to a good layered security approach to be effective.  I will talk about layered security in regard to identity and identity management in future entries.

  Have a good one, Ed.
