Meeting IAM Gaps and Challenges with New Product Offerings

PathMaker Group has been working in the Identity and Access Management space since 2003.  We take pride in delivering quality IAM solutions with the best vendor products available.  As the vendor landscape changed with mergers and acquisitions, we specialized in the products and vendors that led the market with key capabilities, enterprise scale, reliable customer support and strong partner programs.  As the market evolves to address new business problems, regulatory requirements, and emerging technologies, PathMaker Group has continued to expand our vendor relationships to meet these changes.  For many customers, the requirements for traditional on premise IAM hasn’t changed.  We will continue supporting these needs with products from IBM and Oracle.  To meet many of the new challenges, we have added new vendor solutions we believe lead the IAM space in meeting specific requirements.  Here are some highlights:

IoT/Consumer Scalability

UnboundID offers a next-generation IAM platform that can be used across multiple large-scale identity scenarios such as retail, Internet of Things or public sector.  The UnboundID Data Store delivers unprecedented web scale data storage capabilities to handle billions of identities along with the security, application and device data associated with each profile.  The UnboundID Data Broker is designed to manage real-time policy-based decisions according to profile data. The UnboundID Data Sync uses high throughput and low latency to provide real-time data synchronization across organizations, disparate data systems or even on-premise and cloud components.  Finally, the UnboundID Analytics Engine gives you the information you need to optimize performance, improve services and meet auditing and SLA requirements.

Identity and Data Governance

SailPoint provides industry leading IAM governance capabilities for both on-premise and cloud-based scenarios.  IdentityIQ is Sailpoint’s on-premise governance-based identity and access management solution that delivers a unified approach to compliance, password management and provisioning activities. IdentityNow is a full-featured cloud-based IAM solution that delivers single sign-on, password management, provisioning, and access certification services for cloud, mobile, and on-premises applications.  SecurityIQ is Sailpoint’s newest offering that can provide governance for unstructured data as well as assisting with data discovery and classification, permission management and real-time policy monitoring and notifications.

Cloud/SaaS SSO, Privileged Access and EMM

Finally, Centrify provides advanced privileged access management, enterprise mobility management, cloud-based access control for customers across industries and around the world.  The Centrify Identity Service provides a Software as a Service (SaaS) product that includes single sign-on, multi-factor authentication, enterprise mobility management as well as seamless application integration.  The Centrify Privilege Service provides simple cloud-based control of all of your privileged accounts while providing extremely detailed session monitoring, logging and reporting capabilities.  The Centrify Server Suite provides the ability to leverage Active Directory as the source of privilege and access management across your Unix, Linux and Windows server infrastructure.

With the addition of these three vendors, PMG can help address key gaps in a customer’s IAM capability.   To better understand the eight levers of IAM Maturity and where you may have gaps, take a look this blog by our CEO, Keith Squires about the IAM MAP.  Please reach out to see how PathMaker Group, using industry-leading products and our tried and true delivery methodology, can help get your company started on the journey to IAM maturity.

With today’s increasing Mobile Enterprise Security Threats, do you have a strategy to mitigate the risk on your Corporate Network?

Corporations are increasingly utilizing mobile enterprise systems to meet their business objectives, allowing mobile devices such as smart phones and tablets to access critical applications on their corporate network.  These devices provide advanced technologies over traditional desktop clients, such as: information sharing, access from anywhere at any time, data sensors, location, etc. But what makes these mobile devices desirable, by their very nature, also poses a new set of security challenges.  Reports by research agencies in recent years show an alarming trend in mobile security threats listing as top concerns: Android malware attacks, and for the IOS platform issues with enterprise provisioning abuse and older OS versions.

These trends highlight the need for corporations to start taking seriously a mobile security strategy at the same level to which cyber criminals are planning future attacks. A mobile security strategy might involve adopting certain Mobile Security Guidelines as published by standards organizations (NIST) and Mobile OWASP project. See the references at the end of this document:

The following guidelines are a subset of Mobile Security Guidelines I pulled from various published sources with most coming from NIST. It is by no means a comprehensive list, however they can be considered as a starting point or additional considerations for an existing mobile security strategy.

1 – Understand the Mobile Enterprise Architecture

You should start with understanding and diagramming the flow from mobile application to business applications running on the back-end application server. This is a great starting point and should be done at the beginning stages, as most of the security guidelines will depend on what is known about the architecture.

  1. Is the mobile application a native application or mobile web application? Is it a cross-platform mobile application?
  2. Does the mobile application use middleware to get to the back-end API, or does it connect directly to a back-end Restful based Web Service?
  3. Does the mobile application connect to an API gateway?

2 – Diagram the network topology of how the mobile devices connect

Is the mobile device connecting to the business application servers over the cellular network or internally through a private WiFi network, or both? Does it go through a proxy or firewall? This type of information will aid in developing security requirements; help with establishing a QA security test bed and monitoring capability.

3 – Develop Mobile Application Security Requirements

At a high level, a security function must protect against unauthorized access and in many cases protect privacy and sensitive data. In most cases, building security into mobile applications is not at the top of the mind-set in the software development process. As such, these requirements should be gathered as soon as possible in the Software Development Life Cycle (SDLC). It has been my personal experience in many cases that you have to work with application software developers in adopting best security practices. So the sooner you can get that dialogue going the better. Security objectives to consider are:  Confidentiality, integrity, and availability. Can the mobile OS platform provide the security services required? How sensitive is the data you are trying to protect. Should the data be encrypted in transit, and in storage? Do you need to consider data-in-motion protection technologies?  Should an Identity and Access Management (IDAM) solution be architected as part of the mobile enterprise system? Should it include a Single Sign On functionality (SSO)? Should there be multi-factor authentication, role based or fine-grained access control? Is Federation required? Should the code be obfuscated to prevent reverse engineering?

4 – Incorporate a Mobile Device Security Policy

What types of mobile devices should be allowed to access the organization’s critical assets. Should you allow personal mobile devices, Bring Your Own Devices (BYOD’s) or consider only organization-issued or certified mobile devices to access certain resources? Should you enforce tiers of access? Centralized mobile device management technologies are a growing solution for controlling the use of both organization-issued and BYOD’s by enterprise users. These technologies can remotely wipe the data or lock the password from a mobile device that has been lost or stolen. Should Enterprises consider anti malware software and OS upgrades to become certified mobiles on the network? To reduce high risk mobile devices, consider technologies that can detect and ban mobile devices that are jail broken or rooted, as these can pose the greatest risk of being compromised by hackers.

5 – Application Security Testing

According to a study performed by The Ponemon Institute, nearly 40% of 400 companies surveyed were not scanning their applications for security vulnerabilities, leaving the door wide open for cyber-attacks. This highlights the urgency for security teams to put together some sort of security vetting process to identify security vulnerabilities and validate security requirements as part of an ongoing QA security testing function. Scanning application technologies typically conduct two types of scanning methods: Static Application Security Testing (SAST) which analyzes the source code and Dynamic Application Security Testing (DAST), which sends modified HTTP requests to a running web application to exploit the application vulnerabilities. As the QA scanning process develops, it can be automated and injected into the software build process to detect security issues in the early phases of the SDLC.

6 – System Threat Model, Risk Management Process

What will typically come out of the application scanning process will be a list of security vulnerabilities found as either noise, suspect or definitive.  It will then be up to the security engineers knowing the system architecture and network topology working with the application developer to determine whether the vulnerability results in a valid threat and what risk level based on the impact of a possible security breach. Once the risk for each application is determined, it can be managed through an enterprise risk management system where vulnerabilities are tracked, fixed and the risk brought down to a more tolerable level.

7 – Consider implementing a Centralized Mobile Device Management System

Depending on the Mobile Security Policy that is in place, you may want to consider implementing a Centralized Mobile Device Management System especially when Bring Your Own Device (BYOD) mobiles are in the mix that can:

  • For mobile devices, manage certificates, security setting, profiles, etc through a directory service or administration portal.
  • Policy based management system to enforce security settings, restrictions for organization-issued, BYOD mobile devices.
  • Manage credentials for each mobile device through a Directory Service.
  • Self service automation for BYOD and Reducing overall administrative costs.
  • Control which applications are installed on organization-issued applications and check for suspect applications on BYOD mobile devices.
  • A system that can remotely wipe or lock a stolen or loss phone.
  • A system that can detect Jail-broken or rooted mobile devices.

8 – Security Information and Event Management (SIEM)

Monitor mobile device traffic to back-end business applications. Track mobile devices and critical business applications and correlate with events and log information looking for malicious activity based on threat intelligence. On some platforms it may be possible to integrate with a centralized risk management system to specifically be on alert for suspicious mobile events correlated with applications at higher risk.

References:

3 Benefits of Abstracting Web-Based API with a Dedicated Gateway Layer

Right now, the solution du jour in the IAM space seems to be focused around enabling mobile and cloud based services for the enterprise. Organizations’ IT departments around the world are being tasked with providing the business with services to allow access and visibility of services to more platforms and providers than have ever been previously required. Mobile platforms, BYOD and SaaS provider requirements , along with new classes of threats against web based API’s, have given rise to the need to secure these services to in order to protect the organization from new security risks.
Building  an abstraction layer between internal services and external mobile or SaaS platform providers makes sense for a number of reasons from a strict security focused point of view, however there are also a number of benefits to utilizing this approach that may not be immediately apparent that can help to justify the adoption of these solutions.
1) Rapid enablement of mobile and cloud services: Most organizations these days have already invested significantly in developing services that enable their business. It makes sense to leverage these existing services, but with the adoption of Mobile and Cloud based service requirements (such as REST, OAUTH, etc) the choice to re-tool can be a costly one. Products like Oracle API Gateway can be used to translate these types of requests into formats expected by your existing services catalog. This can significantly cut down the time required to enable access to these solutions from these new services.
API1_JPG
2) Abstraction of external identities integrated with existing services: Often times, existing services that are deployed within the organization were not initially envisioned to be consumed by users or entities outside of the organization. Many organizations, in order to leverage existing investments in development assets, want to do so but are concerned with the lack of security controls that may not have been built into existing services infrastructures. An API Gateway is an excellent place to implement such controls when introducing these services to new user constituencies. By integrating a new or existing Identity and Access Management infrastructure with your Gateway, you can introduce controls such as strong authentication, certificate requirements or even a security token services to protect access to these services while minimizing redevelopment of these assets.
API2_JPG
3) Centralization of Cloud Service API Key usage: The traditional approach to securing our organizations has been a perimeter focused exercise where the concern has been to protect the organization from external threats intruding into corporate networks. As mobile and clouds services blur the lines of our borders, it is important to consider those assets which may grant user access to information that may be stored within a cloud service provider. Many providers allow organizations to interact with their hosted data in a programatic fashion. Often, providers authenticate these types of request using ‘API Keys’ that are issued to customer organizations and users. One core tenant of a strong IAM posture is that no credential should ever be shared between two parties consuming the same service. This creates a management headache when dealing with externally hosted cloud service providers that issue such API ‘access keys’. Issuing individual keys to each developer may not only be impractical, but also represents certain security and operational management concerns. By routing internal requests to external service providers through a gateway, there is an opportunity to provide common access control based on a pre-exiting internal credential, certificate, etc. Once the request is authenticated and authorized, the API Key for the given service can be applied to the request at the gateway layer. In this way, management of such functionality is centralized and protected using trusted standards.
API3_JPG
There are many obvious benefits to protecting service based requests coming into and going out of your organization’s infrastructure, but some are not quite as plain to see. Clearly, mobile and social technologies present great potential benefits, but come with a new set of risk. It is important to make sure we are leveraging all of the tools available to us in order to ensure these services are delivered with minimal risk of exposure to the enterprise.

Using IBM Tivoli Identity Manager to Synchronize HR changes to Active Directory

Imagine this scenario. An employee gets married and her last name changes. Human Resources receives the required documentation and updates the employee’s last name. Now that the W2 has been changed, how long will it take this change to get propagated to the email system? How many people will be involved? How many phones calls will be made wondering why the name hasn’t been updated? Shouldn’t there be a simpler process?

With IBM Tivoli Identity Manager (ITIM) this last name change can automatically be replicated to multiple ITIM controlled systems with just the change to HR and without the need of any more human intervention.

ITIM automatically detects the change to the person’s last name and then triggers name change updates to multiple ITIM controlled systems including Active Directory, LDAP and database repositories. These updates occur in real time and the new last name is available for all to see. Read more