Podcasts
Word Notes
Ep 106
Word Notes 6.28.22
Ep 106 | 6.28.22

Identity access management (IAM) (noun)

Show Notes
Transcript

Rick Howard: The word is: IAM.

Rick Howard: Spelled: I for identity, A for access, and M for management. 

Rick Howard: Definition: A set of solutions for ensuring that the right users can only access the appropriate resources.

Rick Howard: Example sentence: Identity, and access management is critical to an organization's security program because it stands between users and sensitive information.

Rick Howard: Origin and context: In 1993, The New Yorker's Peter Steiner published his famous, “On the Internet, nobody knows you’re a dog” cartoon. The single panel, now a famous meme, shows a dog sitting at a keyboard in front of a monitor and talking to his dog Buddy sitting on the floor. Unfortunately, almost 30 years later, this joke is still true today. The concept of Identity and Access Management or IAM is fascinating, complex, and exponentially difficult to administer at the corporate level and personally, in your day- to-day life.

Rick Howard: How do we know if the entity logging into my system as the company's CEO is really her, some nefarious ransomware hacker, or indeed my dog Dexter? How should I, as an individual convey the appropriate identity for the right context for a particular task I'm trying to accomplish as either an employee, a volunteer advocating for the political action committee of underwater basket weavers that love sunsets, or to my Dungeons and Dragons Reddit forum where I'm known as Abigail, a level 47 chaotic neutral Tiefling warlock? 

Rick Howard: Admittedly, we didn't really think it through, back in the 1960s when the late, great Doctor Fernando Corbató, one of computing's founding fathers, needed a way to keep researchers and students out of each other's files at MIT. This is back in the day when mainframe computers ruled the world and we all had to share the same computer. As a stop gap measure, he created the USEIRID/PASSWORD system that we all mostly still use today. It's astonishing really, if you think about it, that in a world where the hardware and software, computer and engineering paradigms shift every 18 months or so, that the dominant way we all still identify ourselves and gain access is over six decades old. That's 60 years. The mind boggles. 

Rick Howard: But that doesn't mean that there aren't better systems out there. There are. They are just harder to use by the typical user, difficult to implement and manage, and expensive. But, if the community has any hope of deploying a Zero Trust strategy, IAM is the key and essential component. You can't deploy any Zero Trust policies, unless you absolutely know who or what wants access.

Rick Howard: In other words, I need to know unequivocally that it is indeed the CEO trying to log in, or that it is her iPhone connecting to the M&A database sitting in AWS, or that it is the Concur App trying to connect to the CEO's profile. If I have that, I then can deploy rules designed to limit access to material data in systems to only the essential entities that require that access and nothing else. That is Zero Trust. One of the problems with IAM today though, in 2022, is that our current systems are site-centric. Users have to present credential information to multiple digital silos like Amazon, Netflix, eBay, and our corporate system, whatever that is. These silos typically don't talk to each other. If I routinely use Amazon and Barnes and Noble, I can individually log into each separately but I can't ask Amazon to share the books I purchased on their site with their Barnes and noble competitor, even though it's my information, because they are both walled gardens. 

Rick Howard: That's starting to change though with a concept called single sign on. You log into a broker, say Google, Amazon, or Apple, just to name three, with your first cup of coffee in the morning and then later that day, when you wanna log into Twitter, you ask Google to log into Twitter for you. Twitter and Google, do the authentication dance themselves, and you don't have to remember your Twitter password. Twitter trusts google as being the authoritative source for your login information. For authentication, we have several two factor authentication methods at our disposal that range in capability from being slightly better than Doctor Corbató’s USERID/PASSWORD system to being exponentially better. 

Rick Howard: Things like SMS Verification, email verification, Authenticator Soft Tokens, like Blizzard's Battlenet, Google's Authenticator, ID.me, and LastPass, push authentication from companies like Apple, Google, Microsoft, and Twitter, and finally, Universal 2nd factor Authentication or U2F, an open standard that uses a Universal Serial Bus or USB or NFC near-field communication devices as the second factor.

Rick Howard: But for corporate environments, the trick is defined or build an IAM system that works seamlessly with all the data islands, where you store your data and run your key services. Ideally, you want your CEO to log on once in the morning and have the IAM system orchestrate the identity and authorization dance, according to the company's Zero Trust policies, for all the places she connects to during the Workday: SaaS apps, multi-cloud environments, and any homegrown apps still running in the data center. IAM is a key piece to any organization's identity fabric that also includes Identity Governance and Administration or IGA Privileged Access Management, or P A M or PAM and Customer Identity Access Management or CIAM, C I A M. 

Rick Howard: One last thing, a potential future of IAM might be a one hundred and eighty degree flip of who or what is the authoritative source for your identity. Today, as I said, we might use a broker like Google, but in the future, you might become the authoritative source and every app that you wanna authenticate with will do the IAM dance with you because you will hold the credential, something called a digital ID.

Rick Howard: The second factor would be your phone or other mobile device and your credential would be your cryptographically stored key. Instead of the CEO logging into Twitter with her USERID/PASSWORD, Twitter would interrogate the CEO's credential stored on her mobile device. This architecture is not quite available yet but is probably just a few years away. Canada and the European union are already experimenting with the concept. 

Rick Howard: Nerd reference: In a perfect example of a failed IAM program and a flawed Zero Trust deployment I give you the 1982 movie "Star Trek II, The Wrath of Khan" arguably the best Star Trek movie in the Canon and I will die on that particular nerd hill. I look forward to your cards and letters. Captain Kirk, the commander of the USS Enterprise played by the indomitable William Shatner is trying to take control of the USS reliant's industrial control systems because Kirk's nemesis Khan played by the fabulous Ricardo Montalban has taken control of the ship and has crippled the Enterprise's combat and navigation systems in a devastating attack.

Rick Howard: Two things to note in this clip. One, the Federation's Zero Trust policy that allows every ship's captain to possess the password to every other ship in the fleet. That's probably not a very good idea and their password policy to allow only five digit passwords. I'm just saying in this clip, you will also hear from Kirstie Alley, Judson Scott, And the late great Leonard Ni moy.

William Shatner: Lets punch up the data charts of reliance command console. 

Kristie Alley: Reliance command? 

Ricardo Montalban: 45 seconds. 

Leonard Nimoy: The prefix code.

Leonard Nimoy: Reliance prefix number is one, three, six, zero, nine. 

Kristie Alley: I don't understand. 

William Shatner: We have to learn why things work on a starship. 

Leonard Nimoy: Each ship has its own combination code 

William Shatner: to prevent an enemy from doing what we're attempting. We're using our console to order reliant, to lower her shields. 

Leonard Nimoy: Assuming he hasn't changed the combination, he's quite intelligent. 

William Shatner: Mr. Sulu, lock phasers on target and await my command. 

George Takei: Phasers locked.

Ricardo Montalban: Time's up Admiral. 

William Shatner: Here it comes. Now, Mr. Spock.

Khan's Henchman: Our shields are dropping. 

Ricardo Montalban: Raise them. 

Khan's Henchman: I can't. 

Ricardo Montalban: Where's the override, the override?

William Shatner: Fire!

Ricardo Montalban: Fire, fire! 

Khan's Henchman: We can't fire, sir. 

Ricardo Montalban: Why can't you?

Khan's Henchman: They've damaged the proton controls and the Wolf drive. We must withdraw. 

Ricardo Montalban: No.

Rick Howard: Word Notes is written by Tim Nodar, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.

Word Notes
Podcast Info
HOST(S):
Rick Howard
Rick Howard is the CSO of N2K and the Chief Analyst, and Senior Fellow at the N2K Cyber, formerly CyberWire. His past lives include CSO at Palo Alto Networks, CISO at TASC, the GM at Verisign/iDefense, the Counterpane SOC Director, and the Commander of the Army's Computer Emergency Response Team (CERT). Rick served 25 years in the Army, taught computer science at West Point, edited two books and just published his own book, "Cybersecurity First Principles: A Reboot of Strategy and Tactics" and he is regularly joined at the N2K Cyber's Hash Table by a collection of industry experts.
Schedule: Tuesdays
Creator: CyberWire, Inc.
ADVERTISEMENT
Sponsored by Strata Identity
Sponsored by Strata Identity

Strata, the #1 platform for Identity Orchestration, integrates multi-cloud and hybrid identity infrastructure and allows enterprises to enforce consistent identity and access policies. Strata empowers IT and cybersecurity teams to architect identity that’s forever modern and permanently flexible. Learn more.