Drive to Survive

Excelling in the Identity Access Management Space

by Harold Black, Senior Solution Architect


Many are familiar with the popular television show Drive to Survive. For those who are not acquainted with the show, it is a behind the scenes look at the world of Formula One (F1) racing.

You may wonder what F1 has to do with the Identity Access Management (“IAM”) space. There are many commonalities between the two, some more nuanced than others. The obvious parallels are:

1. They are in it for the long run. IAM is a program, not a project. Formula One is a series with multiple races over the course of the year generating points toward a championship.

2. They require teamwork – an F1 team requires drivers, engineers, pit crews and so on. A strong, mature identity team requires developers, analysts, and operations people. Each job has its own set of skills and lessons learned and must be able to work well with the other groups within the larger team. Attempting to have anyone fill too many roles will lead to lower performance and static thinking.

3. They require strategic and tactical thinking. Any given F1 race weekend contains multiple mini events – practice rounds, qualifying rounds, and race day. Each phase lays a foundation for the next and consumes time and materials from a finite pool of resources. All of this is with the aim of contributing to the larger goal. A tactical decision that is solid in the moment can be catastrophic in the long run. Conversely, a strategic decision that sounds good without the resources or support to make it a reality is a sure way to hit the wall. Sound familiar?

This brings us to less obvious similarities between F1 and IAM – the Drive to Survive. Every good team in any endeavor understands their success drivers.


F1 teams design their cars with success drivers in mind. Some teams are faster on the straightaways, others on the curves. Some focus on reliability and asset management to gain some points every race. Others win big once or twice and seldom score the rest of the year. There is no wrong answer; it’s the team’s personality and resources that establish their “success drivers.”

In the IAM world this means program business drivers. These drivers lay the foundation for what your program is all about and shape the way you design your systems and processes and prioritize your work. Without adherence to driver-focused program development, teams end up with an assortment of nice but disjointed features, a collection of unsupportable processes and conflicting priorities, which makes everyone unhappy.

What does driver-focused program management mean? In the Identity world, the primary drivers are Security, Compliance and Business Enablement. Each of these has variations and subsets, but they boil down to one of the three. Each has arguments to support why it is number one.

• The business will say, “We should be the primary driver because we make the money”.
• Security will respond, “That may be true but we make sure we get to keep it”.
• Compliance will say, “We prevent regulatory fines and hits to stock prices”.

All three are correct and must be addressed in your program.

The way to a successful race is to identify your drivers, determine the value of each, spot the point of diminishing returns and establish a ranking system for each driver. When you have competing requests for your limited resources, a well-understood prioritization tool allows you to focus your efforts and gives the customer a realistic view of the “finish line.” Attempting to make everyone happy at once leads to hitting a wall and losing the chance for a win.

So in conclusion, establish your drivers, start your engine, and enjoy the race to success!

How To Know It’s Time To Change Your Identity Vendor

Changing Identity Governance Vendors Can Be a Difficult Decision

Your organization has already spent a lot of time and money trying to make the current solution work. You’ve invested a lot to integrate the solution into your application environment. You’ve trained your IT staff and end users on how to use the solution and don’t want to face retraining them.

But some situations make it almost mandatory to change identity governance vendors. At the end of the day, this is a business decision based on the facts. You invested in your identity solution to solve specific business problems, strengthen security and improve operational efficiency. If your current solution is not addressing these core needs, you need to move to a solution that will. How do you know when it’s time to make a change?

Your Return on Investment (ROI) is Unacceptable

When it comes to assessing the business value you’re getting from your current identity solution, don’t pull any punches. Take the time to compile a realistic measure of how you’re doing vs. your initial goals for the project. Many companies never get close to their original goals as identity programs get bogged down with cost, complexity and customization. Begin with simple metrics: How many applications are being managed by your current solution? Does this include all your mission-critical applications? Are you able to systematically provision birthright accounts, entitlements, and roles for every on-boarding user? Are you automating password management for the majority of your end user applications?

To get to the real ROI, you’ll need to dig a little deeper: What is the total cost of ownership of your identity solution?

To calculate this, you should consider:
• Licensing costs
• Maintenance and upgrades
• Consulting fees
• Professional services
• Internal identity staff

What quantifiable benefits have you achieved? Consider areas such as:
• Lower cost of compliance
• Reduced IT and helpdesk costs
• Improved end user productivity

If you don’t know the answers to these questions, then it’s time to find out. Look at staffing trends, on-boarding and off-boarding metrics and compliance metrics. You’ll learn a lot about how your identity program is performing. Lastly, don’t forget opportunity cost. If you stay with your current identity solution and you’re unable to address pressing business needs, what is it costing you? Is the cost to renew, maintain and potentially even upgrade your existing solution higher than what it would cost to switch to a better alternative? Are there real benefits that you could gain by changing vendors; what are they worth? If your current identity solution is under-performing, that opportunity cost could be a very big number.

Your Current Identity Provider Has Been Acquired or is Merging with Another Company

While the announcement of a company acquisition or merger can be exciting for some, it often brings a feeling of anxiety for customers of either company. The future becomes unclear: whether either company’s product will remain available or maintained, or whether you’ll be forced to migrate to another product altogether. Your organization’s security shouldn’t be up in the air. If your current provider can’t tell you what’s happening in the next few months, how you’ll be supported as a customer, and what the merger means for both you and the product, it’s time to start looking for a more stable option.

Your Current Vendor Doesn’t Provide the Integration and Innovation Needed to Future-Proof Your Identity Solution

While many vendors include a base list of third-party integrations and connectivity for their solutions, they can sometimes charge exorbitant fees for the development and deployment of additional integrations that you need for your identity governance program. Other vendors may leave you to your own devices, forcing you to have your own development team create a connection point and hope that it works successfully with your system. Does your current identity solution integrate with all of your key systems, applications, file shares and cloud infrastructures across your hybrid environment so that your business can take confidence in a complete identity governance solution?

You should also ask your existing vendor how important identity governance is to their product line and go-to-market strategy. Is it something that they are heavily invested in, or is identity governance just a small product line that is offered in addition to other products and services that take a higher priority in terms of development and innovation? Does your current provider have a laser focus and broad innovative view of what identity governance encapsulates including data files, RPAs/bot identities and a rapidly growing AI identity governance capability? Is this the solution that is going to take your organization into the future and feel safe getting there?

Your Existing Vendor is Forcing You to Migrate to a New Architecture

When your identity governance vendor has “re-architected” its solution and all future investment will be allocated to this new offering, it’s a tough dilemma to face. Unfortunately, implementing the new architecture will require an expensive and time-consuming migration project. You will, in essence, have to start over: rebuilding and re-implementing functionality such as custom user interfaces, policies, workflows and resource connectors.

The reality is that migrating to your existing vendor’s new architecture will require a “rip-and-replace” of your current identity solution. Instead, reevaluate your options and make the best choice for your business going forward by not assuming the best decision is sticking with your current vendor. In many cases, you will be better off switching to an identity governance vendor with a proven product and satisfied customers, rather than risking your business on new architecture.

Your Vendor’s Customer Satisfaction and Retention Ratings Are Very Low

It’s important to remember that when you choose an identity solution, you don’t just buy a product, you buy a company. If you’re not getting the level of service you expect from your current vendor, the causes could be many. Perhaps your vendor is reducing its investment in identity governance in favor of other products in its portfolio. Maybe the vendor is overwhelmed with product quality problems or the company is suffering from internal issues such as high employee turnover or layoffs. Whatever the reason, the bottom line is that your vendor is not investing in your – or other customers’ – success.

You should broaden your perspective by doing some research on your current identity vendor. Talk to other customers that you’ve met at user conferences or trade shows and ask about their satisfaction levels. Make use of analyst firms like Gartner or Forrester. In the Gartner Magic Quadrant for Identity Governance and Administration (IGA), Gartner shares customer satisfaction ratings for the major vendors. To go deeper, schedule an analyst consultation and get more details about each vendor’s customer satisfaction and retention scores.

Bottom line: don’t accept poor customer support as the norm. Your company deserves better and other options are out there.

You Don’t Have Visibility into All Your Systems

Legacy identity solutions are limited in their ability to integrate with all the systems you use in the organization. In order for you to be the most secure and know exactly “who has access to what,” you need to implement a governance-based solution. This type of system can holistically see all data about your identities to make decisions easier and more efficient and, most importantly, mitigate risk to the business.

Your Solution Has Been Moved to “End-of-Life” (EOL) Status

This may seem like a no-brainer, but it’s not uncommon for organizations to stick with an identity solution for months, sometimes years, after it has been moved to “EOL.” Many organizations are reluctant to sign up for the migration effort and are worried about business disruption. At the end of the day, though, you need to ask yourself: what is the strategic price you are paying to stay with software that has no future?

At a minimum, you’re giving up software updates and upgrades. Your software, which may already be a few years old, won’t keep pace with today’s changes. Identity requirements are constantly evolving, so how will you cope when your solution can’t manage cloud apps or unstructured data, handle mobile and social requirements, or meet new security and privacy mandates? At a more tactical level, to whom will you turn when your vendor no longer supports new releases of managed applications?

While you paid maintenance for all those years (and may still be paying for extended support), no one is going to respond to your requests for enhancement. While you may still get defect fixes, they will be few and far between.

The time to change is now.

Don’t let inertia keep you trapped in a sub-optimal identity program. It’s time to step forward with predictive identity governance solutions that can get your organization back on track. You can achieve big results that will improve end user productivity, strengthen compliance and security, all while reducing IT and helpdesk operational costs.


Decentralized Identity (virtual panel discussion)

Over the past 12-18 months, there has been a mounting interest in the next generation of IAM systems. The promises of decentralized and self-sovereign identity include a frictionless user experience and improved privacy controls, and they appeal to organizations looking to reduce both costs and risks. How do you get started? Many organizations are just starting their journey to cloud, so the idea of a decentralized identity may seem too futuristic. In this session, experts from IBM, Pontis Research, PathMaker-Group & SecurIT discuss the value of such a transition and how clients are progressively moving towards it. Learn how use cases like passwordless authentication for law enforcement personnel and digital job credentials are becoming a reality. With the right strategy, the next generation of IAM is closer than you think.


Strategic Planning For Identity Management

Keith Squires, President and CEO PathMaker Group

Strategic Identity and Access Management projects can be difficult, and the new challenges with mobile, social, and cloud compound the problem. Protecting the perimeter is not enough anymore. Safeguarding identities is the key to a truly secure enterprise.

The industry has seen way too many train wrecks with IAM. To get beyond basic capabilities and really use IAM systems as a foundation for strategic IT, a company MUST take the time up front to consider the long-term plan. Near-term, immediate priorities can be solved with client-based single sign-on, basic provisioning, simple roles and audit reports. But with a short-term (and maybe short-sighted) plan, a company can just as easily limit its ability to solve more complex problems.

IAM in the Cloud is all the rage in the press these days. Surely this approach will fix the problems! Although some aspects of managing an IAM solution can be improved by outsourcing the infrastructure, many other areas within the organization need to line up to make it work. IAM in the Cloud is no silver bullet. A company still has to fix broken business processes. Trying to define, streamline or automate these processes simply brings many current flaws into focus.

Foundational capabilities, architectures, and processes take time to get right. And even when you get it right, organizational adoption is not guaranteed. A company needs CIO-level support, a champion who really understands and advocates for improvement, and a support staff that can really execute to make it happen. And even when everything lines up, unfortunately we’ve seen management changes frequently upset a plan well before it takes hold.

Many companies may decide to choose a perceived safe route and hire the software vendor to also implement the solution. This can work, but we’ve also seen plenty of attempts end with less than stellar results. Does the vendor have a strong, proven implementation methodology, experienced architectural skills, long-term resource teams who have a history working well together? More often than not, a client expecting an experienced cohesive team ends up with a quickly assembled group of contractors from any number of staffing agencies. And even if a strong group of technical resources is assembled, they must also have the analytical skills to identify and solve broken business process issues.

PathMaker Group has been working hard as a systems integrator since 2003. Those early years we spent some time learning and shaping the way we approached these projects. The next few years we worked hard to hire, train and build a long-term staffing model. The last few years we have hit a stride where we have done some of the best work in our history. I would venture to say some of the best work in the industry. Our recent projects have been some of the most involved, complex, and yet still successful, in our ten years of helping our clients.

We have had our hands in almost every IAM vendor solution. These solutions continually evolve with the market and the needs of the customer. New vendor products continually emerge. These market-leading products from SailPoint, IBM, Oracle, Centrify and others are extremely capable and complex. Staying current requires the commitment to continually train our people. It takes significant investment to learn new vendor products, but this is what our customers require of us as a great partner with the right professional skills.

But implementation problems can occur even with good software solutions. Long-term planning, strong architectural guidance, proven implementation skills, and a company champion with management backing: these are all essential to the success of a strategic IAM program. If your company can get there, the benefits of a foundational, strategic IAM solution will be clear and your organization will line up to get on board.


Top Six Things to Consider with an Identity-as-a-Service (IDaaS) Solution – Blog 4 of 6

4. Mobile Access Management

Mobile has become the de facto way to access cloud apps, requiring you to ensure the security and enable the functionality of users’ devices. This includes deploying appropriate client apps to the right device and ensuring an appropriately streamlined mobile experience. Unfortunately, most existing Identity and Access Management as a Service (IDaaS) solutions fall short when it comes to mobile support because they were built and architected before it became clear that mobile devices (smart phones and tablets) were going to become the preeminent means to access apps. Instead, they are very web browser centric, i.e. their mobile IDaaS experience just supports web-based apps rather than also supporting rich mobile apps and device security. They also provide no means to ensure that the user’s mobile device is trusted and secure, and while they may provision a user in the cloud service, they ignore giving the end user the corresponding app on their device.

Consequently, you should look for an IDaaS solution that allows your users to enroll their mobile devices and delivers strong authentication mechanisms (using PKI certificates). The solution should let you apply mobile device-specific group policies to ensure the underlying device is secure (e.g., ensure that a PIN is required to unlock the phone), detect jailbroken or rooted devices, and allow you to remotely lock, unenroll or wipe a lost or stolen device. Once you associate the device with a user and can trust the device, you can leverage the device as an identifying factor for the user in cases where additional factors are required for multifactor and step-up authentication.

The solution should also provide unified app management for both web-based and mobile client apps. This ensures that users are not left with partial access or access defined and managed in separate silos of access management such as separate mobile device management solutions (MDM). Both app and mobile management should share the same roles, identities, management tools, reports and event logs. This unification of mobile and app access management reduces redundant tools, processes and skillsets.

Mobile has quickly become the de facto way to access apps. Centrify uniquely unifies app and mobile access management.

How Do I Know When To Upgrade My IAM Environment?

Pathmaker Group Executive Team

Deciding if you should upgrade your identity and access management environment can be a daunting task. Although there are many variables and decision-making points involved, the “if” decision usually falls into one of two camps:

  1. The software is nearing its support end-of-life.
  2. There is a need to utilize new services available in the latest release.

Let’s take a look at the first camp. The end-of-life of a particular software product is tied directly to its vendor’s support. This is a very important consideration due to the potential worst case scenario. Imagine software currently running in production whose support has been deprecated by the vendor. Then, when a major issue occurs, technical staff reach out to the vendor with an explanation of the problem, only to hear “sorry, we can’t help you”. Unless in-house staff can diagnose and find a solution to the problem, there could be a very real, long-lasting disruption of service. The old adage “if it ain’t broke, don’t fix it” is not always the best mantra to follow with your identity and access management software. Although it is not critical to constantly upgrade to the latest and greatest release, it is recommended to be several steps ahead of a product’s end-of-life. This is due not only to the potential issue above, but also because vendors include critical items, such as security fixes and performance enhancements, as part of their newest releases.

How about the second camp? Let’s take a company that is utilizing a single sign-on software product or version that is a few years old. Granted, the solution is working well, however, there is now a need to integrate mobile and social technologies for their customer base. Seeing as their current software version does not support this, but the newest version does, the obvious choice would be to upgrade. Or, as a second illustration, a company may have created a custom connector, but that connector now ships out-of-the-box with the newest version. By upgrading, they would no longer have the overhead of updating and maintaining their code.


Meeting IAM Gaps and Challenges with New Product Offerings

PathMaker Group has been working in the Identity and Access Management space since 2003. We take pride in delivering quality IAM solutions with the best vendor products available. As the vendor landscape changed with mergers and acquisitions, we specialized in the products and vendors that led the market with key capabilities, enterprise scale, reliable customer support and strong partner programs. As the market evolves to address new business problems, regulatory requirements, and emerging technologies, PathMaker Group has continued to expand our vendor relationships to meet these changes. For many customers, the requirements for traditional on-premises IAM haven’t changed. We will continue supporting these needs with products from IBM and Oracle. To meet many of the new challenges, we have added new vendor solutions we believe lead the IAM space in meeting specific requirements. Here are some highlights:

IoT/Consumer Scalability

UnboundID offers a next-generation IAM platform that can be used across multiple large-scale identity scenarios such as retail, Internet of Things or public sector. The UnboundID Data Store delivers unprecedented web-scale data storage capabilities to handle billions of identities along with the security, application and device data associated with each profile. The UnboundID Data Broker is designed to manage real-time policy-based decisions according to profile data. The UnboundID Data Sync uses high throughput and low latency to provide real-time data synchronization across organizations, disparate data systems or even on-premises and cloud components. Finally, the UnboundID Analytics Engine gives you the information you need to optimize performance, improve services and meet auditing and SLA requirements.

Identity and Data Governance

SailPoint provides industry-leading IAM governance capabilities for both on-premises and cloud-based scenarios. IdentityIQ is SailPoint’s on-premises governance-based identity and access management solution that delivers a unified approach to compliance, password management and provisioning activities. IdentityNow is a full-featured cloud-based IAM solution that delivers single sign-on, password management, provisioning, and access certification services for cloud, mobile, and on-premises applications. SecurityIQ is SailPoint’s newest offering; it provides governance for unstructured data as well as assisting with data discovery and classification, permission management and real-time policy monitoring and notifications.

Cloud/SaaS SSO, Privileged Access and EMM

Finally, Centrify provides advanced privileged access management, enterprise mobility management and cloud-based access control for customers across industries and around the world. The Centrify Identity Service is a Software as a Service (SaaS) product that includes single sign-on, multi-factor authentication and enterprise mobility management as well as seamless application integration. The Centrify Privilege Service provides simple cloud-based control of all of your privileged accounts while providing extremely detailed session monitoring, logging and reporting capabilities. The Centrify Server Suite provides the ability to leverage Active Directory as the source of privilege and access management across your Unix, Linux and Windows server infrastructure.

With the addition of these three vendors, PMG can help address key gaps in a customer’s IAM capability. To better understand the eight levers of IAM Maturity and where you may have gaps, take a look at this blog by our CEO, Keith Squires, about the IAM MAP. Please reach out to see how PathMaker Group, using industry-leading products and our tried and true delivery methodology, can help get your company started on the journey to IAM maturity.

Initial Credential Issuance: An Often Overlooked Area of a Secure Identity Posture

Architecting mature and functional IAM strategies for our clients requires us to frequently reflect on the approaches that we have seen organizations take to solve common (and sometimes mundane) problems. One such problem is that of initial credential distribution for internal user constituents (employees, contractors, temp workers, etc.). How an organization creates and communicates a new user’s credential is really one of the first steps in the chain of maintaining a good security posture in the space of identity provisioning.


At the core of this problem is the issue of non-repudiation: basically, the ability to say that a given account owner was the only person who could have used their credentials to access any given information system. More information on non-repudiation can be found here.

Over the years working in the IAM field, I’ve seen customers approach the problem of getting credentials to newly created users in different ways. Some (surprisingly many) choose to have their IT departments create new user accounts in the target system using a known password or formula (such as: <user_lastname><month><day>). The issue with this approach is that there is no real guarantee that the account will not be used by a third party, before or after distribution, before the intended user begins to use it. This presents an obvious security issue that can be slightly mitigated by requiring the user to change their password after the first use. But even forcing a user to change their password doesn’t completely solve this issue.

A more mature approach is to have a random password generated that complies with corporate password policies, which is then communicated to the user through the IT department or the user’s manager. This still leaves the issue of non-repudiation, since whoever generates and communicates the credential to the user or manager also has knowledge of the credential. However, this approach limits the knowledge of the credential to only those in its chain of custody, instead of everyone who has been exposed to the ‘standard known password’ or password formula.

The most mature and effective way to address this issue usually involves implementing some sort of ‘account claiming’ mechanism. In this approach, a provisioning system or process generates a random, system-generated password that is never known to any person. Additionally, a system-generated ‘claim token’ is issued and sent to the user; it can only be used once and only within a specific time frame of issuance. The intended user is then directed to visit an internal account claiming site where they are asked for some personally identifying information (PII) along with their ‘claim token’. Once this information is verified, the user is directed to change their password, which is then communicated to the provisioning system and all downstream information systems. Identity provisioning platforms such as those from Oracle, IBM, and SailPoint all make available the tools required to develop/configure this solution with minimal effort. This approach more effectively protects the integrity of the credential and greatly increases an organization’s IAM security posture with very little overall implementation effort.
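The account-claiming flow described above, written out as an added example in Python. This is not code from the article or from any of the provisioning products it names; it assumes an in-memory dict as the identity store, a 24-hour claim-token lifetime, a salted SHA-256 stand-in for a real password KDF, and PII verification reduced to a single pre-registered answer (an employee id supplied by HR at provisioning time). All names, values and the password policy are constructed for the demo. The points it makes concrete: the initial password is hashed and discarded before any person can see it, only a digest of the claim token is stored, the token is rejected once consumed or once its window has passed, and every failed or late attempt leaves an audit entry the identity team can alert on.

```python
"""Account-claiming flow for initial credential issuance (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CLAIM_TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumption: one-day claim window


def _digest(value: str, salt: str) -> str:
    # Salted SHA-256 stand-in; use argon2/scrypt/bcrypt for real passwords.
    return hashlib.sha256((salt + value).encode("utf-8")).hexdigest()


@dataclass
class PendingClaim:
    token_digest: str      # only a digest of the claim token is kept
    issued_at: float
    pii_digest: str        # digest of the PII answer the user must supply
    consumed: bool = False


@dataclass
class Account:
    username: str
    salt: str
    password_digest: str   # random initial password that no person ever saw
    claim: Optional[PendingClaim] = None
    audit: List[str] = field(default_factory=list)


def meets_password_policy(password: str) -> bool:
    # Constructed corporate policy: 12+ chars, mixed case, digit, symbol.
    return (len(password) >= 12
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def provision_account(store: Dict[str, Account], username: str,
                      pii_answer: str, now: Optional[float] = None) -> str:
    """Create the account with an unknowable password; return the claim token.

    The token is returned exactly once so the provisioning process can send
    it to the user; it is never stored in clear and cannot be re-read later.
    """
    now = time.time() if now is None else now
    salt = secrets.token_hex(16)
    initial_password = secrets.token_urlsafe(32)   # hashed, then discarded
    claim_token = secrets.token_urlsafe(32)
    store[username] = Account(
        username=username,
        salt=salt,
        password_digest=_digest(initial_password, salt),
        claim=PendingClaim(
            token_digest=_digest(claim_token, salt),
            issued_at=now,
            pii_digest=_digest(pii_answer.strip().lower(), salt),
        ),
        audit=[f"provisioned at {now}; claim token issued"],
    )
    return claim_token


def claim_account(store: Dict[str, Account], username: str, claim_token: str,
                  pii_answer: str, new_password: str,
                  now: Optional[float] = None) -> Tuple[bool, str]:
    """Single-use, time-bound claim: token and PII must match, then set password."""
    now = time.time() if now is None else now
    acct = store.get(username)
    if acct is None or acct.claim is None:
        return False, "no pending claim"
    claim = acct.claim
    if claim.consumed:
        acct.audit.append(f"claim attempt after consumption at {now}")
        return False, "token already used"
    if now - claim.issued_at > CLAIM_TOKEN_TTL_SECONDS:
        acct.audit.append(f"expired claim attempt at {now}")
        return False, "token expired"
    token_ok = hmac.compare_digest(claim.token_digest, _digest(claim_token, acct.salt))
    pii_ok = hmac.compare_digest(claim.pii_digest,
                                 _digest(pii_answer.strip().lower(), acct.salt))
    if not (token_ok and pii_ok):
        acct.audit.append(f"failed claim verification at {now}")
        return False, "verification failed"
    if not meets_password_policy(new_password):
        return False, "password does not meet policy"
    claim.consumed = True                      # the token can never be replayed
    acct.password_digest = _digest(new_password, acct.salt)
    acct.audit.append(f"claimed at {now}; password set by user")
    # Hook point: push the new credential to downstream systems here.
    return True, "claimed"


def verify_password(store: Dict[str, Account], username: str, password: str) -> bool:
    acct = store.get(username)
    if acct is None:
        return False
    return hmac.compare_digest(acct.password_digest, _digest(password, acct.salt))


if __name__ == "__main__":
    db: Dict[str, Account] = {}
    token = provision_account(db, "jdoe", "EMP-1234")   # send token to jdoe
    print(claim_account(db, "jdoe", token, "EMP-1234", "Correct-Horse-9!"))
    print(claim_account(db, "jdoe", token, "EMP-1234", "Another-Pass-1!"))
```

The claim token and the PII answer are two independent factors: the token proves the user received the out-of-band message, and the PII answer proves the holder of the message is the intended person. Failed attempts do not consume the token here, so a real deployment would pair this with rate limiting on the claim endpoint and alerting on the audit entries.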

This article is part 1 of a multi-part series that dives into specific concepts covered during our IAM MAP activities. More information about the Pathmaker Group IAM map can be found here.


With today’s increasing Mobile Enterprise Security Threats, do you have a strategy to mitigate the risk on your Corporate Network?

Corporations are increasingly utilizing mobile enterprise systems to meet their business objectives, allowing mobile devices such as smart phones and tablets to access critical applications on their corporate network. These devices provide capabilities beyond traditional desktop clients, such as information sharing, access from anywhere at any time, data sensors, location, etc. But what makes these mobile devices desirable, by their very nature, also poses a new set of security challenges. Reports by research agencies in recent years show an alarming trend in mobile security threats, listing as top concerns Android malware attacks and, for the iOS platform, enterprise provisioning abuse and outdated OS versions.

These trends highlight the need for corporations to start taking a mobile security strategy as seriously as cyber criminals are taking the planning of future attacks. A mobile security strategy might involve adopting Mobile Security Guidelines such as those published by standards organizations (NIST) and the OWASP Mobile project (see the references at the end of this document).

The following guidelines are a subset of Mobile Security Guidelines I pulled from various published sources, most of them from NIST. It is by no means a comprehensive list, but it can serve as a starting point, or as additional considerations for an existing mobile security strategy.

1 – Understand the Mobile Enterprise Architecture

You should start with understanding and diagramming the flow from mobile application to business applications running on the back-end application server. This is a great starting point and should be done at the beginning stages, as most of the security guidelines will depend on what is known about the architecture.

  1. Is the mobile application a native application, a mobile web application, or a cross-platform mobile application?
  2. Does the mobile application go through middleware to reach the back-end API, or does it connect directly to a back-end RESTful web service?
  3. Does the mobile application connect through an API gateway?

2 – Diagram the network topology of how the mobile devices connect

Is the mobile device connecting to the business application servers over the cellular network, internally through a private WiFi network, or both? Does the traffic pass through a proxy or firewall? This information feeds the security requirements and helps establish a QA security test bed and a monitoring capability.

3 – Develop Mobile Application Security Requirements

At a high level, a security function must protect against unauthorized access and, in many cases, protect privacy and sensitive data. In most cases, building security into mobile applications is not at the top of the mind-set in the software development process, so these requirements should be gathered as early as possible in the Software Development Life Cycle (SDLC). It has been my personal experience that in many cases you have to work with the application software developers to get best security practices adopted, so the sooner you can get that dialogue going, the better. The security objectives to consider are confidentiality, integrity, and availability. Questions to answer include:

  1. Can the mobile OS platform provide the security services required?
  2. How sensitive is the data you are trying to protect? Should it be encrypted in transit and in storage? Do you need to consider data-in-motion protection technologies?
  3. Should an Identity and Access Management (IAM) solution be architected as part of the mobile enterprise system? Should it include Single Sign-On (SSO)? Should there be multi-factor authentication, role-based or fine-grained access control? Is federation required?
  4. Should the code be obfuscated to slow down reverse engineering? (Obfuscation raises the attacker's cost; it does not prevent reverse engineering.)

4 – Incorporate a Mobile Device Security Policy

What types of mobile devices should be allowed to access the organization’s critical assets? Should you allow personal devices under a Bring Your Own Device (BYOD) policy, or only organization-issued or certified mobile devices, at least for certain resources? Should you enforce tiers of access? Centralized mobile device management technologies are a growing solution for controlling the use of both organization-issued and BYOD devices by enterprise users; they can remotely wipe or lock a mobile device that has been lost or stolen. Should the enterprise require anti-malware software and a current OS version before a mobile device is certified for the network? To reduce the number of high-risk devices, consider technologies that detect and block jailbroken or rooted devices, as these are the easiest for an attacker to compromise.

5 – Application Security Testing

According to a study performed by the Ponemon Institute, nearly 40% of the 400 companies surveyed were not scanning their applications for security vulnerabilities, leaving the door wide open to cyber-attacks. This highlights the urgency for security teams to put together a security vetting process that identifies vulnerabilities and validates security requirements as part of an ongoing QA security testing function. Application scanning technologies typically use two methods: Static Application Security Testing (SAST), which analyzes the source code, and Dynamic Application Security Testing (DAST), which sends crafted HTTP requests to a running application to find exploitable vulnerabilities. As the QA scanning process matures, it can be automated and injected into the software build process so that security issues are detected in the early phases of the SDLC.

6 – System Threat Model, Risk Management Process

What typically comes out of the application scanning process is a list of findings, each classified as noise, suspect, or definitive. It is then up to the security engineers, who know the system architecture and network topology, working with the application developer, to determine whether a finding represents a valid threat and what its risk level is, based on the impact of a possible security breach. Once the risk for each application is determined, it can be managed through an enterprise risk management system where vulnerabilities are tracked and fixed and the risk brought down to a tolerable level.
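The following is an added example, not Pathmaker Group tooling or code from the article, showing steps 5 and 6 end to end: a minimal SAST-style pattern scan over source files, followed by triage that drops noise, flags suspect findings for developer confirmation, and rates risk using the network exposure learned from the topology diagram. The sample files, rules, severities and scoring are constructed for this illustration; a real scanner would use many more rules and proper parsers rather than regular expressions.

```python
"""Minimal SAST scan of mobile app sources followed by risk triage.
Illustrative example only; files, rules and scoring are constructed."""
import re
from dataclasses import dataclass

# Constructed sample sources: an Android manifest, a Kotlin network class and
# an iOS Info.plist fragment, each with a deliberately weak setting.
SAMPLE_FILES = {
    "AndroidManifest.xml": """
<application android:allowBackup="true" android:debuggable="true">
  <uses-permission android:name="android.permission.INTERNET"/>
</application>
""",
    "ApiClient.kt": """
val BASE_URL = "http://api.example.internal/v1"   // cleartext endpoint
val API_KEY = "sk_live_0123456789abcdef"           // hard-coded secret
val prefs = context.getSharedPreferences("auth", Context.MODE_WORLD_READABLE)
// TODO: rotate key
""",
    "Info.plist": """
<key>NSAppTransportSecurity</key>
<dict><key>NSAllowsArbitraryLoads</key><true/></dict>
""",
}


@dataclass
class Rule:
    rule_id: str
    pattern: re.Pattern
    confidence: str   # "definitive", "suspect" or "noise", as in the article
    severity: int     # 1 (low) to 3 (high), assumed scale


RULES = [
    Rule("cleartext-url", re.compile(r'"http://[^"]+"'), "definitive", 2),
    Rule("hardcoded-secret",
         re.compile(r'(?i)(api_key|secret|password)\s*=\s*"[^"]{8,}"'), "suspect", 3),
    Rule("world-readable-prefs", re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)"), "definitive", 3),
    Rule("android-debuggable", re.compile(r'android:debuggable="true"'), "definitive", 2),
    Rule("android-backup", re.compile(r'android:allowBackup="true"'), "suspect", 1),
    Rule("ats-disabled", re.compile(r"NSAllowsArbitraryLoads</key>\s*<true/>"), "definitive", 2),
    Rule("todo-comment", re.compile(r"(?i)//\s*todo"), "noise", 1),
]


@dataclass
class Finding:
    file: str
    line: int
    rule_id: str
    confidence: str
    severity: int


def scan(files, rules=RULES):
    """Static scan: run every rule over every line of every file."""
    findings = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule in rules:
                if rule.pattern.search(line):
                    findings.append(Finding(name, lineno, rule.rule_id,
                                            rule.confidence, rule.severity))
    return findings


# Exposure comes from the architecture and topology diagrams (steps 1 and 2):
# an app reachable over the cellular network is more exposed than one that is
# only reachable on the private WiFi. Weights are assumed for this example.
EXPOSURE = {"cellular": 3, "private-wifi": 1}


def triage(findings, exposure):
    """Drop noise, keep suspect findings but mark them for developer
    confirmation, and rate each remaining finding as risk = severity * exposure."""
    rated = []
    for f in findings:
        if f.confidence == "noise":
            continue
        score = f.severity * EXPOSURE[exposure]
        level = "high" if score >= 6 else "medium" if score >= 3 else "low"
        rated.append({"file": f.file, "line": f.line, "rule": f.rule_id,
                      "needs_confirmation": f.confidence == "suspect",
                      "risk": level, "score": score})
    return sorted(rated, key=lambda r: -r["score"])


if __name__ == "__main__":
    for item in triage(scan(SAMPLE_FILES), "cellular"):
        print(item)
```

Running the same findings through `triage` with `"private-wifi"` instead of `"cellular"` yields no high-risk items, which is the point of step 6: the scanner output is the same, and the risk rating comes from what the security engineer knows about the architecture.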

7 – Consider implementing a Centralized Mobile Device Management System

Depending on the mobile security policy in place, you may want to consider implementing a centralized Mobile Device Management (MDM) system, especially when BYOD devices are in the mix, that can:

  • Manage certificates, security settings, profiles, etc. for mobile devices through a directory service or administration portal.
  • Enforce security settings and restrictions for organization-issued and BYOD mobile devices through policy-based management.
  • Manage credentials for each mobile device through a directory service.
  • Offer self-service enrollment for BYOD, reducing overall administrative costs.
  • Control which applications are installed on organization-issued devices and check for suspect applications on BYOD devices.
  • Remotely wipe or lock a lost or stolen phone.
  • Detect jailbroken or rooted mobile devices.

8 – Security Information and Event Management (SIEM)

Monitor mobile device traffic to back-end business applications. Track mobile devices and critical business applications, and correlate device events with log information, looking for malicious activity based on threat intelligence. On some platforms it may be possible to integrate with the centralized risk management system so that suspicious mobile events are specifically flagged when they involve applications rated at higher risk.
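As an added example (not code from the article or from any SIEM product), the detection logic below runs three correlation rules over a constructed API-gateway log: a jailbroken or rooted device reaching an application rated high risk by the risk management process of step 6, one device presenting several different user identities within a short window, and a user appearing from a new device in a different country shortly after a previous request. The log format, field names, application risk ratings and thresholds are all assumptions made for this illustration.

```python
"""Correlating mobile API-gateway events with application risk ratings.
Illustrative example; log lines, field names and thresholds are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Risk ratings per back-end application, as produced by the risk management
# process of step 6 (assumed values).
APP_RISK = {"payroll": "high", "expenses": "medium", "cafeteria-menu": "low"}

# Constructed gateway log: one JSON object per line, fields invented here.
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:00:00", "user": "alice", "device": "d-1001", "jailbroken": false, "app": "payroll", "country": "US"}
{"ts": "2024-03-01T08:02:00", "user": "bob", "device": "d-2002", "jailbroken": true, "app": "cafeteria-menu", "country": "US"}
{"ts": "2024-03-01T08:05:00", "user": "bob", "device": "d-2002", "jailbroken": true, "app": "payroll", "country": "US"}
{"ts": "2024-03-01T08:10:00", "user": "carol", "device": "d-3003", "jailbroken": false, "app": "expenses", "country": "US"}
{"ts": "2024-03-01T08:11:00", "user": "dave", "device": "d-3003", "jailbroken": false, "app": "expenses", "country": "US"}
{"ts": "2024-03-01T08:12:00", "user": "erin", "device": "d-3003", "jailbroken": false, "app": "expenses", "country": "US"}
{"ts": "2024-03-01T08:30:00", "user": "alice", "device": "d-4004", "jailbroken": false, "app": "payroll", "country": "RO"}
"""


def parse(log):
    """Parse JSON lines into event dicts with real timestamps, oldest first."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, shared_device_threshold=3, window=timedelta(minutes=10),
           travel_window=timedelta(hours=1)):
    """Return a list of alert tuples; the first element names the rule."""
    alerts = []

    # Rule 1: a jailbroken/rooted device reaching an app rated high risk.
    # The low-risk cafeteria app from the same device does not alert.
    for e in events:
        if e["jailbroken"] and APP_RISK.get(e["app"]) == "high":
            alerts.append(("jailbroken-device-high-risk-app", e["user"], e["device"], e["app"]))

    # Rule 2: one device presenting many distinct user identities inside
    # `window` (shared device, or credential stuffing from one handset).
    by_device = defaultdict(list)
    for e in events:
        by_device[e["device"]].append(e)
    for device, evs in by_device.items():
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(users) >= shared_device_threshold:
                alerts.append(("many-users-one-device", device, tuple(sorted(users))))
                break

    # Rule 3: same user seen from a different device in a different country
    # within `travel_window` of the previous request.
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if (cur["device"] != prev["device"] and cur["country"] != prev["country"]
                    and cur["ts"] - prev["ts"] <= travel_window):
                alerts.append(("new-device-new-country", user, prev["country"], cur["country"]))

    return alerts


def run():
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The rules are deliberately simple; in production the thresholds would be tuned per application tier, and the `APP_RISK` lookup is where the integration with the risk management system the paragraph mentions would happen, so that the same jailbroken device produces a low-priority event against a cafeteria menu and a high-priority alert against payroll.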

References:
