Monday, 7 May 2007
The big IAM
I haven't had a data centric security post for a while as I've been very much business focused in my day job recently. By night however, I've still been scouring the internet for morsels of security information by any means feasible, just short of selling my mother.
My last trick was to publish something that someone else said in Dutch, thereby snagging the interest of a Security giant and Afrikaans speaker from South Africa, Karel Rode. Karel is the Security Strategist at CA and a board member of Internet Security Group Africa (ISGAfrica). Therefore I listened and absorbed all he had to say with great interest.
Karel wrote to me about IdM/IAM and how important it was in my continuing quest for data security. I wasn't totally convinced at first, saying that I thought 2 and 3-factor authentication was probably enough given proper access controls. Karel kept on resolutely and kept on explaining that IAM was necessary. Then I remembered, I used to work for a company who wrote their own access controls around the data, he works for a company which puts their access controls around the user, there's bound to be some conflict, even if there's valid arguments on both sides. So who's right?
My argument is that the data should control who accesses it, rather than the user controlling what they access. It's a simplistic view of a much more complex set of ideas, but it will do for now. Centralising security around the data makes a lot of sense to me, data is hard to control, it moves around, gets broken up, becomes dispersed, gets appended, replicated and deleted. Users tend to stay as discreet packages and we can normally define them fairly easily in the context of our network.
However, before I get too excited, Karel wasn't disagreeing with this notion, in fact he made it very clear that he agreed. He just advised that I think harder about the user security. There are very good arguments why you should look into IAM.
1. IAM seems to be good at addressing compliance issues from a user perspective.
2. With IAM, users can self-service a request for access to more or new services through forms.
a) System owners are automatically informed through workflow routing.
b) Password resets are in the hands of the users with IAM.
3. IAM is not SSO, widespread use of SSO is a myth. Many companies will not allow pervasive SSO if the perceived risks in some instances are too high.
I will comment further on these points tomorrow, from a data-centric perspective. Thanks to Karel for opening my eyes a little further.