
You Are Here - Part 4 - Identity & Access Security

Where are you? Halfway through this 6-part series exploring a new reference model for IT infrastructure security!

As you learned in earlier posts, this model breaks the security infrastructure landscape into four domains that each contain six categories. While today’s domain may seem simple, it is an area that I constantly see folks getting wrong--both in my clients and in the news. So, let’s carefully review the components that make up a comprehensive identity and access security system:

DOMAIN: IDENTITY & ACCESS

Your castle walls are no use if the attacking horde has keys to the gate. In IT infrastructure, those keys are user credentials. Most of the recent high-profile breaches in the news were simple cases of compromised passwords. We can do better, and the tools in this domain can help.

The categories in the identity and access domain are: single sign-on (SSO – also called identity and access management, IAM), privileged account management (PAM), multi-factor authentication (MFA), cloud access security brokers (CASB), secure access (user VPN), and network access control (NAC).

CATEGORY: SSO (IAM)

The weakest link in almost every organization’s security posture is its users. One of the hardest things for users to do (apparently) is manage passwords for multiple devices, applications, and services. What if you could make it easier for them by letting them log in once, and get access to everything they need? You can! It’s called single sign-on (SSO) and a good solution comes with additional authentication, authorization, accounting, and auditing (AAAA) features that aren’t possible without such a system – that’s IAM.

CATEGORY: PAM

Not all users are created equal. A privileged user is one who has administrative or root access to critical systems. Privileged account management (PAM) solutions provide the tools you need to secure critical assets while allowing needed access and maintaining compliance. Current PAM solutions follow “least access required” guidelines and adhere to separation-of-responsibilities best practices.

CATEGORY: MFA

Even strong passwords can be stolen. Multi-factor authentication (MFA) is the answer. MFA solutions combine any of the following: something you know (the password), something you have (a token, smart phone, etc.), something you are (biometrics, enrolled device, etc.), and/or somewhere you are (geolocation) for a much higher level of security. Governing security controls, such as PCI-DSS, and industry best practices require MFA to be in place for user access.

CATEGORY: CASB

According to Gartner: “Cloud access security brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention, and so on.” If you are using multiple SaaS/PaaS/IaaS offerings, you should probably consider a CASB.

CATEGORY: SECURE ACCESS (VPN)

Your employees expect to work from anywhere. You expect your corporate resources to remain secure. How do we do both? With secure access. Common components of a Secure Access solution include a VPN concentrator and a client (or web portal) for each user. Worth noting, the new category of software defined perimeter (SDP) services mentioned in part 2 often look and act a lot like an always-on VPN. In any case, the products in this category ensure that users can securely connect to the resources they need, even when they’re not in the office.

CATEGORY: NAC

Let’s say a criminal or a spy is able to get into your office. Can they join the Wi-Fi or plug into an open jack and get access to all of your applications and data? Less nefarious, what if a user computer hasn’t completed a successful security scan in over a week? Network access control (NAC) makes sure the bad guys can’t get onto the network and that the security posture of devices permitted on the network is maintained. Those users or devices that don’t adhere to NAC policies are either blocked or quarantined via rules an administrator configures. Secure access and NAC are converging, but it’s too early for us to collapse the categories just yet.
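To make the NAC decision logic above concrete, here is an added example (not code from the original post or from any NAC product) that evaluates a handful of constructed endpoints against the two situations described: an unknown device on an open jack or the Wi-Fi, and a known device whose last successful security scan is more than a week old. The `Endpoint` fields, the policy thresholds and the VLAN numbers are assumptions for the demo; a real NAC would learn the same facts from 802.1X, the endpoint agent and the asset inventory, and push the result to the switch or wireless controller.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Hypothetical VLAN assignment per decision (what a NAC would hand back to the
# access switch, e.g. as RADIUS attributes). None means the port stays closed.
VLAN_FOR_DECISION = {"allow": 10, "quarantine": 666, "block": None}


@dataclass
class Endpoint:
    mac: str
    in_inventory: bool                   # enrolled, known asset
    authenticated: bool                  # valid 802.1X credential or certificate presented
    agent_running: bool                  # endpoint security agent is reporting in
    last_clean_scan: Optional[datetime]  # None if it has never passed a scan


def posture_decision(ep: Endpoint, now: datetime,
                     max_scan_age: timedelta = timedelta(days=7)) -> Tuple[str, str]:
    """Evaluate one endpoint against a simple NAC policy and return (decision, reason)."""
    # Anyone who just plugs into an open jack or joins Wi-Fi without credentials is blocked outright.
    if not ep.in_inventory or not ep.authenticated:
        return "block", "unknown or unauthenticated endpoint"
    # Known devices that cannot prove their posture are parked in quarantine for remediation.
    if not ep.agent_running:
        return "quarantine", "security agent not running"
    if ep.last_clean_scan is None:
        return "quarantine", "no successful security scan on record"
    if now - ep.last_clean_scan > max_scan_age:
        return "quarantine", f"last clean scan is older than {max_scan_age.days} days"
    return "allow", "compliant"


def evaluate_all(endpoints, now: datetime) -> Dict[str, dict]:
    """Run the policy over every endpoint seen at the access layer."""
    results = {}
    for ep in endpoints:
        decision, reason = posture_decision(ep, now)
        results[ep.mac] = {"decision": decision, "reason": reason, "vlan": VLAN_FOR_DECISION[decision]}
    return results


# Constructed sample endpoints for the demo.
NOW = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_ENDPOINTS = [
    Endpoint("aa:bb:cc:00:00:01", True, True, True, NOW - timedelta(days=1)),   # healthy laptop
    Endpoint("aa:bb:cc:00:00:02", True, True, True, NOW - timedelta(days=9)),   # scan is 9 days old
    Endpoint("aa:bb:cc:00:00:03", True, True, False, NOW - timedelta(days=1)),  # agent stopped
    Endpoint("aa:bb:cc:00:00:04", False, False, False, None),                   # stranger on an open jack
]

if __name__ == "__main__":
    for mac, r in evaluate_all(SAMPLE_ENDPOINTS, NOW).items():
        print(f"{mac}: {r['decision']:<10} vlan={r['vlan']}  ({r['reason']})")
```

The ordering of the checks matters: identity is settled before posture, so an unauthenticated device is blocked rather than offered a remediation VLAN, and each quarantine reason is specific enough for the helpdesk to act on.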

ONE MORE DOMAIN!

While we’ve made a lot of progress, our journey through the domains of IT infrastructure security isn’t over yet. In the next post, we’ll peer into the tools and technologies that provide us with visibility and control. Even that isn’t the end though, as we’ll wrap the series up with a final post covering the model as a whole, including how to apply it and where it may be lacking. I hope you’ll continue to travel along with me!

16 Comments
Level 13

Good Article - Thanks. I'm enjoying these.

Level 13

Have to say the move towards secure passwords always seemed to me to be not enough. You end up with users not remembering the password or simple substitution that computers can easily be made to try. Far better to use two or three random words to make up your password rather than special characters and numbers.

Level 14

Thanks for the article.

Level 13

Really enjoying this series.  Thanks for the post.

Level 13

Yep.  Compuserve used to do that years ago (dating myself).  I still remember the password but it would be incredibly difficult to guess.

This.  So much this.  Every topic.

Level 13

Heard there was an article by the person who originally advocated strong passwords. Basically saying he was wrong and now suggesting password management apps such as KeePass, etc., rather than single sign-on.

Level 9

Awesome, glad it resonates! 😃

Level 9

Great article. It's nice to be security conscious and try to be proactive.

Level 13

Like the article.  Good info.  Thanks

Level 16

Thanks for the write-up. I usually do substitutions such as 1 for I or @ for A randomly, as well as use a phrase alternating English and Spanish.

MVP

Good article.

Level 14

Bill Burr was the man in question and here is a UK newspaper story about it.  Sorry if you can't access it but just search for his name.

Password guru who told the world to make them complicated admits: I got it completely wrong

Level 20

Continuous multi factor authentication is on the horizon and it's bad as heck!  Continuous Multi Factor Authentication - YouTube

Level 20

This ^^^^^

MVP

Nice description of the various types.

About the Author
Chris Grundemann is a passionate, creative technologist and a strong believer in technology's power to aid in the betterment of humankind. In his current role as Director of Strategy at Myriad360 he is expressing that passion by helping clients build bigger, faster, more efficient IT infrastructure that is both more secure and easier to operate and scale. Chris has well over a decade of experience as both a network engineer and solution architect designing, building, securing, and operating large IP, Ethernet, and Wireless Ethernet networks. Chris holds 6 patents in network technology and is the author of Day One: Exploring IPv6 and Day One: Advanced IPv6 Configuration, an IETF RFC, a personal weblog, and various other industry papers and blogs. As a volunteer he is currently serving as President of IX-Denver, Program Committee (PC) member for AfPIF, and Chair of the Open-IX BCOP committee. Chris often speaks at conferences, NOGs, and NOFs the world over. He has held previous positions with Markley Group, Internet Society, CableLabs, tw telecom, CO ISOC, ISOC-NY, ARIN, NANOG, CEA, UPnP, DLNA, RMv6TF, and several others. Chris is currently based in Brooklyn, NY and can be reached via Twitter.