There is No Security without Identity Management

It isn't. That's how it is. Why? Take any study describing potential information security threats. What do you see among the top threats there? Take another study. What do you see there? Yes. That's the one. It is consistently marked as one of the most serious threats in vast majority of studies published for (at least) last couple of decades. Yet it looks like nobody really knows what to do about this threat. So, who is this supervillain? He's right under your nose. It is the insider.

It all makes perfect sense. The employee, contractor, partner, serviceman - they all are getting the access rights to your systems easily and legally. But, do you really know who has access to what? Do you know that the access is still needed? Maybe this particular engineer was fired yesterday, but he still has VPN access and administration rights to the servers. And as he might not be entirely satisfied by the way how he has left the company the chances are he is quite inclined to make your life a bit harder. Maybe leaking some of the company records to which he still has the access would do the trick? It certainly will. And who is the one to blame for this? Is the security officer doing his job properly? Do we know who has access to what right now? Do we know if the access is legal? Are we sure there are no orphaned accounts? Are we sure there are no default or testing accounts with trivial passwords? Can we disable the accounts immediately? Maybe we can disable password authentication, but are you sure that there is no other way around that? What about SSH keys? What about email-based or help-desk password resets?

If you do not have good answers to these questions then your information security is quite weak. I'm sorry. That's how it really is. Do you remember that weakest link idiom that is taught in every information security training? Now you know where your weakest link is.

But what to do about it? Obviously, you need to manage the access. So maybe the Access Management (AM) software can help here? Actually, the primary purpose of Access Management software is not security. The AM purpose is to make user's life easier by implementing convenience mechanisms such as single sign-on (SSO). Yes, AM might improve the authentication by adding a second factor, making the authentication adaptive and so on. But that won't help a bit. Authentication is not your problem. The insider already has all the credentials to pass the authentication. He got the credentials legally. So even the strongest authentication mechanism in the world will do absolutely nothing to stop this attack. No, authentication is not the problem and therefore Access Management is not going to make any significant difference.

The root of the problem is not in authentication, authorization, encryption or any other security buzzword. It is plain old management issue. The people have access where they should not have access. That's it. And what turns this into a complete disaster is lack of visibility: the people responsible for security do not know who has access to what. Therefore improvements in "information security proper" are not going to help here. What needs to be improved is the management side. Management of the identities and access rights. And (surprise surprise) there is a whole field which does right that: Identity Management (IDM).

Therefore there is no real security without Identity Management. I mean it. And I've been telling this for years. I though that everybody knows it. But obviously I was wrong. So recently I have been putting that openly in my presentations. But still everybody is crazy about deploying Access Management, SSO and OpenID Connect and OAuth and things like that. And people are surprised that it costs a fortune an yet it will not bring any substantial security improvement. Don't get me wrong, I'm not telling you that the AM technologies are useless. Quite the contrary. But you need to think how to manage them first. Implementing SSO or OAuth without identity management is like buying a super expensive sport car with an enormous engine but completely forgetting about steering wheel.

Don't make such dangerous and extremely expensive mistakes. Think about identity management before heading full speed into the identity wilderness.

(Reposted from Evolveum blog)