IAM Assets Often Overlooked in the Enterprise

Tweet

 

After reading very interesting posts by Earl Perkins at Gartner, an article from Deloitte on financial institutions making Identity and Access Management (IAM) their #1 priority, and my friend Nishant Kaushik's recent series on Federated Provisioning and the Cloud, which is brilliant and thought provoking (nicely done Nishant); I felt compelled to chime in.

Having drunk the identity assurance cool-aid for way too long, I can't help but think about IAM in terms of risk and assurance levels, the yin-yang balance sort-of-speak. So, before thinking about automating and deploying technology, I wonder what kind of risk is being mitigated and what kind of investment is warranted to provide the right level of assurance. In reaching equilibrium, one will inevitably follow the path of maximum value at the lowest cost possible.

So, with that thought in mind, I have been considering "lazy" assets that often exist in the Enterprise. They have significant potential in helping organizations derive higher levels of assurance, without significantly increasing cost, and can also add greater value to IAM initiatives.

Notwithstanding the great thoughts of Earl and Nishant, here are three examples of such assets, and my attempt to illustrate their use in real life.

User Activity Logs

I referred to this in prior blogs dealing with the topic of identity activity monitoring. The point here is to think about how one could utilize information collected from system or application logs, particularly if they contain traces of identity that can be used to link activity to a human being.

With the maturity and pervasiveness that SIEM technologies have nowadays in the Enterprise, deriving value from correlating and reporting on data (whether near real-time or historically) is relatively simple and inexpensive. This information can prove crucial in increasing visibility into day-to-day risks such as insider threads, segregation of duty violations, detecting terminated accounts activity, and other undesirable scenarios that would normally go under the radar of traditional IAM infrastructures.

We see this as a clear trend that is here to stay. More and more customers in different industry verticals (from energy to financial services) are gravitating toward identity activity monitoring as an important part of their IAM initiative. And based on our insight, the benefits make for a great business case.

Employee Identity Proofing (ala US Form I-9)

I touched on this point within the context of a two-part blog posting regarding identity assurance in everyday life. In the US, the Employment Eligibility Verification Form I-9, constitutes a great identity proofing mechanism, yielding (for the most part) an Assurance Level 4 (AL4) compliant verified identity in accordance to the Kantara Initiative Identity Assurance Framework (as well as NIST SP 800-63).

I realize that this statement is a controversial one since many would argue that the form I-9 verification process is inconsistently followed and audited. This inconsistency was a precursor to the work being led by NASPO, specifically by Graham Whitehead. However, many organizations enrich their employment verification process with "know-your-employee" checks that help them meet high-risk mitigation and compliance requirements. This is particularly true in regulated industries such as financial services, healthcare, pharmaceutical, and aerospace and defense. Hence, I argue that this high-quality identity proofing constitutes a valuable asset to the organization.

For instance, this proofed identity could be leveraged in some instances to issue AL4 credentials. Examples include credentials issued within federations such as CertiPath in the aerospace and defense industry, SAFE-BioPharma in the bio-pharmaceutical industry, or by other credential issuing authorities cross-certified with the Federal Public Key Infrastructure (FPKI) Policy Authority.

There are multiple benefits that an organization can derive from using these credentials, whether within its firewall or outside it. For example, in the biopharmaceutical industry, paperless R&D is achievable by leveraging legally accepted digital signatures that comply with the SAFE-BioPharma standard. These signatures are accepted by the FDA for eSubmissions, by the US Patent Office, and within the EU as legally accepted in conformance with the Electronic Signature Directive (1999/93/EC). Therefore, significant value can be derived from the use of these credentials, which can be issued by leveraging the high-quality-identity-proofing asset the organization had to perform anyway.

Similar examples can be found in various industry verticals, such as the KYC (Know-Your-Customer) standard in banking, which conforms to the US PATRIOT Act requirements. Hence, if one can verify that the identity of an individual is that of a DDA account holder, this could be evidence of an antecedent high-quality identity proofing, which can be leveraged to issue a high-assurance credential. This could be an effective and scalable approach to proofing the identity of non-employees (i.e., contractors, vendors, suppliers). In this case, the organization could leverage the fact that an individual has a DDA account as a lazy asset (created by banks) to streamline and increase the assurance of the identities of non-employees with whom it interacts.

Employee and Non-Employee Data

Another approach to minimizing risks and increasing identity assurance in the Enterprise is leveraging existing data about active or departed individuals, whether employees or non-employees. The idea here is to leverage information that has already been captured and used about individuals to mitigate risks at the point of entry (i.e., on-boarding, registration).

I was introduced to this concept in 2007, through what is known as NORA (Non-Obvious Relationship Awareness). This technology mines data resources to determine relationships between people. As Tim O'Reilly explained, it has applicability in various real-life scenarios. I later had the chance to meet Jeff Jonas at a presentation on the topic of identity resolution. I was really amazed by the power and applicability of this approach. It leverages existing data assets that organizations may already have (but may not be leveraging in this way), to detect potentially risky individuals based on known data traces that indicate high risk.

Rumor has it that NORA was the technology used to catch the MIT Blackjack Team. For those who don't know them, they're a group of students and alumni from the Massachusetts Institute of Technology, Harvard Business School, Harvard University and other leading colleges that used card-counting techniques and more sophisticated strategies to beat casinos at blackjack worldwide. This was the inspiration for the movie "21".  Some believe this approach is being leveraged by intelligence agencies worldwide in fighting terrorism and organized crime.

NORA or NORA-like technology has matured and is available today, allowing organizations to easily determine who to let in and who to be weary about. Scenarios that immediately come to mind include re-hires, employee-to-contractor moves and vice-versa. Organizations can look back in history to determine if the same individual (or someone closely related) performed fraud, was fired for cause, or had some sort of "unpleasant" departure. At a minimum, having the ability to detect and handle these cases as exceptions could significantly help the organization mitigate possible risks by leveraging information assets it already has.

These are just three, poorly digested examples of how "lazy" assets that most organizations already possess can be leveraged to derive more value in IAM today, at a nominal cost. This approach can prove beneficial given the budget-constrained, fraud-riddled times we live in.

I am most interested in your comments.