"You've been hacked." That is the line that every person dreads waking up to in their inbox. But securing your identity and your privacy is no easy task. The government has been using identity and access management tools for years, commonly known as IAM. IAM uses a four part verification process that helps cut down on security breaches, but the system is not perfect.
Paul Christman is the Vice President for Sales and Marketing at Dell Software’s Public Sector. He told Chris Dorobek on the DorobekINSIDER program that the four A's are the key to identity and access management.
"We need to make these issues on identity management and access more relevant to folks. Words like privacy and security resonate a little more closely with folks, but you can’t have either privacy or security without identity and access management. Identity and access management are the foundation for determining security. If you look at is as a connector to two things that folks talk about quite a bit, then we can build up their importance," said Christman.
How does IAM work?
"I think about it as four A’s. Authentication. Authorization. Automation. Audit," said Christman.
- Authentication: Authentication is the basis for determining that you are who you say you are. Authentication has to do with usernames and passwords at the most primitive level. We really need to move beyond this level, but it could also include other things in the federal space like two factor authentication like the DOD’s Common Access Card.
- Authorization: Once the user is authenticated the system has to give you access to certain assets, resources and data. Authorization is very complicated, but it needs to be fluid as users change their role. The easiest example would be in the DOD. You could go from being a recruit to active duty to retired. All the while, your identity should be transforming and your authorization to the various assets should be evolving behind the scenes. That idea of migrating an authorization through its lifecycle leads to automation.
- Automation: The scale of the government is so large that you can not do it by hand. You have to automate these tasks.
- Audit: Audit and compliance leads us down to digital forensics. It leads us to who did what, and when. If there was misuse or some sort of breach, either intentional or not, how did that authentication and authorization happen? Who gave that access? Was that person authorized to do so? The last A is unfortunately is what a lot of people see in the news. People ask, ‘Why wasn’t there an audit trail?’
More than 2.5 million people have Common Access Cards, why haven’t they changed the world yet?
"The cards have yet to reach their full potential. We have made huge strides to unify both physical access to buildings and access to IT. But bridging the physical and the IT realms with a single device is challenging. The other thing to keep in mind is that for every building there is an access key card system. You have to have the card conform to the system specifications. That is fairly straightforward when you build a building. When you are building software and when you are building information technology, the diversity of the interfaces that you have to have between the security token and the application is enormous. You have to build those connections every single time. It also needs to be built to the proper specifications. It also has to retrofit that specification to existing applications, that is tremendously expensive and it is very challenging to layer that technology back onto systems that were never intended to have that kind of authentication," said Christman.
Identity as a Service
"One of the things that is happening now is a new thing we are calling identity as a service. Identity as a service is going to pull the identity out of the application. Whether it is the health care application at the VA or a command and control system somewhere else, we are trying to pull the identity out of the application and have it exist as a separate entity, then have the identity interface with the application on its own. The idea is a little technical, but the idea that the identity exists in a single place and that single system interfaces with other applications makes it much easier to integrate and re-use. If you are able to have identity as a service that is independent of an application then it becomes easier to bolt it onto the next application," said Christman.
Where is IAM going in the future?
"There are going to be two major initiatives that are going to come forward in the near future. One is the broader adoption of two factor authentication," said Christman.