Opinion: IT security for your enterprise, have you got it all covered?
By Dimuthu Leelarathne, director of solutions architecture at WSO2
Cyber security and the resultant risks, if not addressed properly, was a hot topic in Colombo recently. And it’s now taken the spotlight globally as well with various discussions taking place to commemorate US cyber security month. Even a top regional study released in Singapore recently concluded that “Sri Lanka is among top 10 countries in the Asia Pacific region impacted by and facing growing threats to cyber security.” All this buzz is now prompting enterprises to reflect on their own IT security to ensure the best possible measures have been taken to prevent any breaches or leaks.
So, how ready is your enterprise? Most would say they’ve got it all covered - you’ve got network-level security in place, you’ve included some sort of operating system security, and you’ve run all tools to verify application security. A continuous expansion of your application portfolio will result in your enterprise having scattered identity and access control policies that are not integrated. What this essentially means is that your IT system will be exposed to security threats and vulnerabilities. What’s required is a well-designed identity and access management (IAM) system that’s able to offer a simple, yet effective security solution to even the most complex enterprise IT network.
Today, most enterprises have many systems that are provisioned over time where authentication and authorization are maintained within the application itself. Yet, they’ve not identified the need to incorporate a proper IAM system to ensure overall security. Some of the adverse effects of multiple applications maintaining ad hoc identity and access management include stale identities and access management rules, password exhaustion, challenging access control reviews and audits due to repetitiveness, inconsistency, and conflicts of identities.
Manual systems are not scalable, and very risky
On top of these, there’s a lot of gruelling manual work too that can result in errors, thus posing further risks. For instance, when employees leave the company, or job roles change, or even when new customers are added to and removed from the system, these specific changes should be instantly reflected on identity and access management policies as well. As the application portfolio grows, the procedure becomes more difficult and time-consuming with a high possibility of tasks falling through the cracks.
It ultimately boils down to having a system that’s scalable in the long term. In the old-world environment, it’s difficult or nearly impossible to review employees’ user access rights at regular intervals on all systems due to its distributed nature. It’s also challenging to introduce formal user access management standards and procedures, while there might be privileged accounts that would need to be controlled and periodically reviewed across all systems.
For starters, we can take heed from globally applicable concepts aimed at protecting the general public and enterprises from risks imposed by the absence of proper access control policies. Among some key guidelines are secure management, assigning, and controlling of user access rights; dissemination of tasks and associated privileges among multiple users; adjusting user access rights when responsibilities change; revoking user access upon termination; providing a uniform access policy; managing access based on business roles; and managing allocation of user credentials.
In an enterprise, managing user credentials and access rights in an ad hoc way to meet these requirements is highly inefficient, costly, and prone to errors. The complexity is even greater if some systems are cloud based software-as-a-service applications while others are on-premise. And an IAM system will help smoothen things to a great extent. It’s also important to note that there are different types of identities - on one-side you’d have internal identities like employees and contractors while on the other there are external parties like customers, partners, etc. Customer identity is a distributed one that can come from social networks and self-registered attributes and the control of that identity lies with the customer.
The scale of a customer identity can grow significantly and the focus is on the individual and user experience driven by market needs, which leads to self-registration and self-maintained profiles. Employee identity lies with the organization; it has a central point of control. Employee identity begins when a person joins an organization and ends upon termination of his/her employment contract; therefore, it’s a validated and verified identity. To effectively manage these two groups, it’s best to adopt two separate IAM systems. These can be built using open source technology given its huge success in handling sensitive areas like information security as the integrity of the code is generally validated by a wider pool of users (or commonly referred to as the ‘many eyes’ theory).
A validated ‘identity provider’ with open source software
At the heart of the IAM lies a piece of software called ‘identity provider’ (IdP), so to get things off the ground, an enterprise would first need an IdP that supports open standards. The IdP would ideally have a central database of all users, their attributes, roles, and credentials; therefore, the complete user base can be managed from a central point. Some IdPs have account provisioning capabilities built in allowing the central user base to be provisioned to other applications based on different rules. The primary functionality of IdP is to support single sign-on (SSO) protocols for authentication, enabling centralization of authentication. All modern IdPs support open standards, such as SAML, OIDC and IWA (windows authentication session). Different applications are built by various vendors who use a variety of technologies. But in the end, all applications should authenticate users with a standard set of SSO protocols.
In the case of external identities, the IdP must incorporate social identities by having an ‘identity bus’ capability that allows it to communicate with multiple external IdPs using different SSO protocols, such as Facebook and Google, to authenticate users, but using a single authentication protocol to interface with enterprise applications like websites, portals, etc. More sophisticated IdPs also have the ability to introduce advanced features, such as multi-factor authentication, one-time passwords, and mobile connect, among others.
( -- Dimuthu focuses on cloud technologies, the WSO2 Carbon Framework, and WSO2 Identity Server, and also leads efforts in setting up an IAM system in WSO2. She is an Apache committer and a member of the Axis2 Project Management Committee, having also contributed to the Apache Rampart and WSS4J projects.
Dimuthu has conducted several WSO2 technical webinars and has published technical articles and tutorials on open source technology. For comments/ feedback on this article email dimuthul@wso2.com. Visit wso2.com/events to join their October meetup and webinars on cyber security -- )