As we live and work in the global economy, the range and variety of relationships that we encounter in our daily lives is increasingly dynamic, distributed and mobile. While the traditional forms of server, network, and data security are effective in their specific domains, securing people as they interact with these systems has become critically important as one can no longer assume the person is on a specific, server, network or database. Applications are increasingly distributed on cloud infrastructures and composed from a mashup of capabilities and data that comes from different sources even different organizations.
So how do you make sure that these applications and data are not accessed by the wrong people?
As security professionals, we need a clear focus on securing people in these complex environments. When it comes to securing people, one needs to have a clear understanding of:
- Individual’s role
- What systems/applications they should have access to
- What systems/applications they should not have access to
- How they access these systems
- Where they access these systems
These security policies need to be dynamic and change over time as the individual’s role changes in the organization. As business requirements drive the roll out of new applications, the security management system needs to quickly integrate these changes and maintain an accurate picture of all running applications. As an example, if the business signs a new contract with a new supplier, there may be critical information that needs to be accessed and shared between new and existing applications. As the workforce is more mobile and flexible, when and where we access these applications needs to be more open while also being secure to ensure the companies assets are protected.
Can Identity Management be more like online shopping?
For years Identity and Access Management (IAM) has been a very technical and administrative function. However, as it becomes a more essential element in any security strategy, one in which roles and access are pervasive and complex, new models are needed around consumption and the ease-of-use associated with these systems. We have to empower business owners, not just the sophisticated IT teams with deep technical understanding.
When we sat down with our engineering team, we wanted to focus on the overall user experience and the question we asked ourselves was, “why can’t the experience associated with Identity Management be more like online shopping?” This includes easy point and click, shopping carts, checkout, etc.
In search of these ends, during the development phase, the team carried out multiple user-interface design white-boarding and review sessions with business users. The goal of these reviews was to present complex security concepts in a form that non-security experts can consume while still maintaining strong security policy.
We have also been focused on adapting the overall architecture to have a much more flexible self-service user interface that can respond to the pace of change in these dynamic environments. Rather than having central Security Admin as a bottleneck to control over application access, we have developed a user interface that is targeted at the business owners that allows them to dynamically add new applications to the security policy and provision access for application users themselves.
Flexible computing means flexible deployment
As users become more mobile and access these business critical applications, we also have to provide a flexible yet reliable access management system that does not get in the way of business productivity while also preventing access from rogue users. Along with the traditional desktop access methods, we are developing targeted access management products for Mobile users and Cloud users.
In the case of Mobile, we are integrating location, device type and device reputation information along with traditional user access credentials to seamlessly grant access when we see a normal access pattern. When we see abnormalities or deviations in these data sets we ask additional questions (e.g. biometric validation) to the users that are trying to access these systems and will only grant access when they respond correctly.
Finally, when it comes to delivery of these technologies, we are no longer exposing our customers to all the complexities of user-interface, middle-ware and database technologies. We are moving the entire Identity portfolio to a set of packaged Virtual and Physical Appliances where the customers simply loads the images or plugs in the appliance and they are running. In addition to appliance delivery models we will also start delivering many of these capabilities in Cloud Infrastructures in the future.
Simplicity in security
You’ll see more from on us on all these topics over the course of the ensuing weeks and months ahead, but making everything easier to deploy and manage is central to our approach in the Identity and Access space. While it is a well known axiom that “complexity is the enemy of security,” that is true in more ways than one. The bottom line is that making these systems easier to use makes employees using the technology more effective and thus improves an organization’s overall security posture.