Gartner prediction on identity management

I loved this article from ZDNet on Gartner's prediction on identity management.

“Protected resources in the enterprise aren’t where they used to be and the move to the cloud has stressed and fractured identity and access management (IAM) to the point where it needs to be re-architected, according to Gartner.”

How true! There needs to be a way forward that is scalable to 6 billion persons worldwide! A “people-centric” approach is even mentioned. One prediction was that by 2020, over 80% of enterprises will allow unrestricted access to non-critical assets, up from <5% today, reducing spending on IAM by 25%. This is aligned with how transparency will have a new place in the society of the future.

I've been thinking and talking a lot about how we must turn the way we do security upside-down, re-architect it, do it differently. The present approach is not working, and hasn't been for a long time. I am referring to "people-centric", "device-centric" and "information-centric" approaches and a future with increased transparency. There is nothing new about the information-centric approach; after all, it was drafted by the Jericho Forum in 2002, whose 10 commandments basically stated the de-perimeterization of security controls, i.e. put the security as close to the information as possible.

You should check out what Lequa is doing in the space of IAM. I am 😉

Advanced Persistent Threats (APT)

On APTs, David Lacey says in his post on the Computer Weekly blog that we need to find some learning points from how we manage them. I agree that ticking off controls as compliant is not the way forward, although clearly it can demonstrate “due diligence” and provide certain safeguards. My opinion is that most business owners really don’t care until they’ve been exposed to the consequences of this type of attack. I believe the reason why is 2-fold:

1) They have invested in “security theatre” technologies for too long now, i.e. technologies that don’t improve security but make you feel safer. Often the impulse to invest in security is triggered by scaring the audience into digging deep into their pockets with PowerPoint slides, press reports, etc.; it is like the boy who cried “wolf” one time too many.

2) There is a serious lack of alignment between the technology/security technical parts of an organisation and the Line of Business (LoB). McAfee have written a really good book on this (Security Battleground), and I advise reading it in order to focus your investment and get the ear of the business owner who has money to spend on security. They don’t mention technologies once. I met one of the authors here in Sweden recently (Kevin T. Reardon) and he is a sound guy; he really knows his stuff!

So what is their advice? Basically, from a LoB angle, focus on the 3Rs: 1) Rich, what makes your business rich?; 2) Ruin, what can ruin your business?; and 3) Regulations, what do you need to be compliant with? I would say the last is just to demonstrate “due diligence”.

I also believe deeply in the idea David co-founded, that security should follow the information, or be close to the information, i.e. perimeter security is not the future (Jericho Forum). And I’m an avid follower of what Intel is up to with their vPro, security from the chip level up (I know technically it is not a perfect description ;-)).

One of the major challenges I see, for now and for the future, is authentication/authorization with the BYOD trend, and the fact that many of the APTs attack humans. The most promising trend I have seen to date is that from Lequa: they are placing the identity in the hands of the individual. No more PKI, or top-down Identity Management, which, let’s face it, is not scalable to 6bn persons worldwide. I don’t know if they will succeed, but even if they don’t, I still think that a bottom-up approach is the way forward, especially if it is integrated with what Intel is up to.