April 7, 2009 11:00 AM PDT

The marriage of identity yin and security yang

by Jon Oltsik

In just two weeks, the annual RSA Conference takes place in San Francisco. What can we expect as the "hot topics" at this annual security love fest? I'm sure there will be plenty of buzz about securing virtual servers and cloud computing infrastructure, but that talk will likely focus on blue-sky visions of the safeguards we will need in 2012 or so. Rather than that hyperbole, I am looking forward to discussions focused on the marriage of identity and security.

Haven't these two areas been linked forever? Well, yes and no. Security folks think of identity in terms of authentication and access-control issues like password management, role-based access controls, or biometrics. But other aspects of identity, like user provisioning, fine-grained entitlement management, and single sign-on, usually live elsewhere in IT. When network access was restricted to internal employees, this division made sense, but identity and security can no longer remain apart. The marriage of these two IT disciplines will take place for a simple reason: identity and security must work together to enable modern business processes.

Identity is all about who gets access to applications and data, so in theory, strong identity skills let organizations make users productive sooner than the competition can. Think of identity management as the magical formula for unleashing Metcalfe's Law. More users come with a cost, however: a greater number of security threats from hackers, malicious code attacks, and data breaches. Thus IT executives must balance their ability to let users into the network with proportional safeguards to keep bad things from happening.

Call it social networking, the consumerization of IT, Web 2.0, or any other market-speak term you want. To me, it is all about information sharing, collaboration, and business process improvement. IT must create an environment where users can access what they need and come and go as they please, as long as they add business value while they are around. Public and private sector organizations headed down this path had better have their identity yin and security yang working together in harmony, or they will either hold back the business or greatly increase security risk.

Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
by ManuNamboodiri April 7, 2009 11:24 AM PDT
You have looked at answering two fundamental questions: who has access, and how do we enforce it? The first part is identity and the second is broadly security (though I would say controls at the application, OS, network or data encryption that look at identity and give a pass/fail on access). I might even add a third dimension, i.e. for how long is access valid? This is where policies of retention, etc. come in.

In any case, the pivotal aspect of this is always identity - this leads to all the rest of the questions. How we use identity to enforce everything else is, I think, the crux of the whole security practice.

Disclaimer: Being from BitArmor, I think all these policies should be embedded in the data itself :)
Reply to this comment
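The three questions in the comment above (who has access, how it is enforced, and for how long it is valid) written out as a deny-by-default access decision. This is an added example, not code from the column, from the commenter or from BitArmor; the users, roles, resources and dates are constructed for illustration, and the "active" flag standing in for an HR deprovisioning event is an assumption about how the directory is fed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Identity:
    """Who is asking. 'active' flips to False when HR deprovisions the account
    (assumed feed from the HR system; constructed for this example)."""
    user: str
    active: bool
    roles: frozenset


@dataclass(frozen=True)
class Grant:
    """An entitlement: a role may perform 'actions' on 'resource', but only inside
    the [not_before, not_after) window. Nothing here is granted forever."""
    role: str
    resource: str
    actions: frozenset
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def decide(identity, grants, resource, action, now):
    """Deny by default; allow only when all three questions answer yes."""
    # 1. Who: a deprovisioned identity is refused before any grant is consulted,
    #    so stale entitlements left behind by an ex-employee never matter.
    if not identity.active:
        return Decision(False, f"{identity.user}: account deprovisioned")
    # 2. Enforcement: only grants for one of the caller's roles, on this
    #    resource, covering this action, are candidates.
    candidates = [g for g in grants
                  if g.role in identity.roles
                  and g.resource == resource
                  and action in g.actions]
    if not candidates:
        return Decision(False, f"{identity.user}: no entitlement for {action} on {resource}")
    # 3. How long: a candidate grant is usable only inside its validity window.
    for g in candidates:
        if g.not_before <= now < g.not_after:
            return Decision(True, f"{identity.user}: {g.role} grant valid until {g.not_after.date()}")
    return Decision(False, f"{identity.user}: entitlement for {action} on {resource} is expired or not yet active")


def expired_grants(grants, now):
    """Retention sweep: grants whose window has closed should be removed, not left in place."""
    return [g for g in grants if g.not_after <= now]


# ---- constructed sample directory (hypothetical users, roles, resources and dates) ----
UTC = timezone.utc
NOW = datetime(2009, 4, 8, tzinfo=UTC)
GRANTS = [
    Grant("finance", "ledger", frozenset({"read", "export"}),
          datetime(2009, 1, 1, tzinfo=UTC), datetime(2010, 1, 1, tzinfo=UTC)),
    # 90-day contractor engagement that ended a week before NOW
    Grant("contractor", "ledger", frozenset({"read"}),
          datetime(2009, 1, 1, tzinfo=UTC), datetime(2009, 4, 1, tzinfo=UTC)),
]
USERS = {
    "alice": Identity("alice", True, frozenset({"finance"})),
    "bob": Identity("bob", True, frozenset({"contractor"})),
    # left the company; role membership was never cleaned up
    "carol": Identity("carol", False, frozenset({"finance"})),
}


def evaluate_sample():
    """Run the four requests a reviewer would want to see and return the decisions."""
    return {
        "alice-read": decide(USERS["alice"], GRANTS, "ledger", "read", NOW),
        "alice-write": decide(USERS["alice"], GRANTS, "ledger", "write", NOW),
        "bob-read": decide(USERS["bob"], GRANTS, "ledger", "read", NOW),
        "carol-read": decide(USERS["carol"], GRANTS, "ledger", "read", NOW),
    }


if __name__ == "__main__":
    for name, d in evaluate_sample().items():
        print(f"{name:12} {'ALLOW' if d.allowed else 'DENY '}  {d.reason}")
    for g in expired_grants(GRANTS, NOW):
        print(f"stale grant: {g.role} on {g.resource} ended {g.not_after.date()}")
```

Only alice's read is allowed: alice has no write entitlement, bob's contractor grant has lapsed, and carol's roles are irrelevant because her identity is no longer active. The order of the checks is the point: the identity question is settled first, so enforcement never has to reason about a user who should not exist, and the expiry sweep turns "how long" into something an administrator can audit rather than an assumption.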
by skswave April 8, 2009 1:19 PM PDT
Ultimately, this is where the role of the TPM in the PC will become better understood. The TPM provides a container for tamper-resistant identity for both users and devices. The other key is that it is a vendor-neutral industry standard solution that everyone can leverage. The key to all identity-based networks like cell phones and set-top boxes is that the identity can be trusted. The strong benefit of the TPM is that it is owned by the owner of the platform and not the network, so it can be used for multiple applications from VPNs to PayPal. The merger of identity and security has helped the mobile phone industry make huge strides, and it will change how we all use our PCs.
Reply to this comment
by dan_griffin April 9, 2009 2:29 PM PDT
I'd like to see the TPM used in that role, too, but have you ever tried to buy a PC with a TPM chip from, say, Best Buy? My point is that, partly because of MS Windows SKU differentiation, consumer PCs generally don't include TPMs.

Since TPM usage, and the few scenarios such as drive encryption that actually support it, are enterprise driven, the next question is who owns the chip and the keys that are bound to it? Hint: if the laptop is a managed or enterprise asset, then it's not the user that owns those keys. So are you sure you want to use it for your personal PayPal account? Are you sure your employer wants you to do so?

Phones have the same problem, and so do chip (smart) cards for that matter.

In any case, I agree that all of the above pose big opportunities for intra-enterprise solutions. But confusing ownership of the asset between the user as an employee and the user as an individual consumer is problematic.
by rcraig_courion April 9, 2009 10:14 AM PDT
I agree wholeheartedly with your analysis. Over the past few years identity and access management (IAM) has become a priority for enterprises for a variety of reasons, including cost controls and regulatory compliance, as well as security. Many CIOs are now more concerned about the internal threats posed by employee misconduct or disgruntled ex-employees, than by threats coming from outside the network. Similarly, the severe brand damage that the leakage of sensitive customer, patient or employee information can cause gives CIOs an additional incentive to deploy an effective IAM system. I also agree that identity management can be a business-enabler for an organization. When a company ensures that only the right people have the right access to the right resources and are doing the right things, the business can save money and run more effectively with reduced security risk.
Reply to this comment