Tuesday, September 25

NetVision: Policing the Power of Identity

NetVision issued a press release today in conjunction with our appearance at Digital ID World. It's primarily about our very cool new reporting capabilities to be officially released in October. The release also points to a four minute whiteboard session explaining what we mean by Policing the Power of Identity. If you have four minutes, please take a look. Since I created the presentation, I especially hope you enjoy it.

Tuesday, September 18

The End of Encryption?

OK, I realize it's not the end of encryption, but this is a big deal. Separate groups of researchers in Australia and China have independently used quantum computers to factor the large numbers used for much of today's asymmetric encryption. Asymmetric encryption is used for PKI which is the underlying concept behind SSL -- probably the most fundamental component of security on the web.

Here's how SSL works (simplified):

  1. persons 1 & 2 agree on a base number (x)
  2. person 1 raises x to the power of a large secret key (y1) = z1
  3. person 2 raises x to the power of a large secret key (y2) = z2
  4. persons 1 & 2 exchange values z1 & z2
  5. person 1 raises z2 to the power of y1 = k
  6. person 2 raises z1 to the power of y2 = k
They now both have k as a secret key that nobody else knows.

The security of the process hinges on the fact that an eaves dropper wouldn't be able to take x and z1 (which are both passed openly) and quickly figure out y1 (the secret key) -- or do the same for y2. If that were possible, they would be able to listen in on SSL transactions. And that's pretty much what these researchers are now able to do.

The article suggests that "For the moment, enterprise computers seem pretty secure, since you'd have to be a quantum physicist to crack today's codes." But, one might speculate that if a secret is worth enough to a would-be attacker, quantum physicists or their tools may become purchase-able. It's probably not a big deal for joe consumer, but for governments, large defense contractors and the like, it's probably time to take a look at their use of certain algorithms in asymmetric encryption. That analysis of course should be and probably is a continuous, on-going process. Interesting stuff.

Saturday, September 15

Identity Management Detective

Jackson Shaw asks "is there a role for an identity management detective?" Although I suspect it was mostly a rhetorical question, the answer is absolutely. You may have seen my recent post on Policing the Power of Identity. The challenge that Jackson describes is exactly what we have in mind when we talk about policing identity. Many of NetVision's customers recognize that they can't provide answers to basic questions about what identity controls are in place, what are people doing on the network and what power has been given to users. The combination of controls, behavior and power is what makes up the power of identity. And our customers are definitely finding value in tools that provide policing/detective capabilities around that power.

Friday, September 14

Identity Cartoon

A little identity humor for your viewing pleasure...

identity cartoon

Monday, September 10

Identity Audit != Identity Management Audit

I've posted a few times now on identity audit and I've noticed that some other smart folks in the industry have used the term identity audit (IdA) when speaking about what I call identity management audit (IdM-A). The Identity Management software vendors are especially (and understandably) guilty of this. So, I'm taking this opportunity to point out that identity audit is NOT the same thing as identity management audit. I realize that I probably won't eliminate the confusion across the entire industry, but at least you'll be aware of the distinction and will be able to educate those around you.

Abbreviations:
IdM = Identity Management
IdM-A = Identity Management Audit
IdA = Identity Audit

Identity Management Audit

IdM-A is usually provided by the IdM software vendor. It's an IdM system's internal audit of IdM activities. It can tell you about the identities that flow through the IdM system. It generally relies on the logs generated by the components of the identity management system. If it's one of the better IdM-A solutions, it may even report on what it sees in its connected data repositories. IdM-A is typically limited to an audit of the IdM system itself and is somewhat myopic in that sense. Any reports that it provides are based on its own view of the environment and may be less reliable than an independent audit mechanism.

Identity Audit

Identity Audit solutions provide a more external view of identity information. It can provide independent reports on the data within identity data stores to verify whether the IdM system is doing its job correctly. It can also identify and take action on activity that happens outside of the IdM solution. For example, if an administrator subverts policy by manually adding a friend to the domain admins group, IdA can capture that event, throw alerts and potentially provide remediation as well -- perhaps through an existing IdM system. IdA solutions are equally if not more useful in environments without IdM systems. For example, in a smaller Microsoft Windows environment where users are managed in Active Directory with no or limited automation, an IdA solution can provide a useful tool set for auditing the power of identities within the environment -- without the requirement for an identity management system.

Conclusion

Identity management systems along with other information security mechanisms are controls put in place to enforce organizational policies. Identity Audit provides an independent and wide-angled view of identity controls, identity behavior and identity power to ensure that policies are being enforced. IdA solutions are complementary to IdM systems and continue to provide value in environments where IdM systems aren't available (or required).