A Trip Report from RSA Conference 2016: Modern Identity Management

For anyone who went to RSA Conference 2016 to get updated on the state of modern identity management technologies and practices, you undoubtedly got your money’s worth and came back to your office with plenty of ideas on how to improve your organization’s approach. Given its foundational role in information security, the topic of identity not only had its rightful place as one of this year’s 27 conference tracks, but it also organically wove its way into countless discussions on other cybersecurity topics.

As always, the big question is, “How can you distill the insights and inspiration gained at the RSA Conference for those who could not attend?” Further, how can you use these insights to set and guide an agenda for your organization’s ongoing improvements?

The following is one man’s trip report from RSA Conference 2016 on the topic of identity, organized in four sections to align with the different personas you’ll find in your office:

1. For Technology Enthusiasts: Endless Innovations to Address an Ancient Problem

It seems hard to believe, but the truth is that the oldest problem in information security—addressing the fundamental question of “who are you?” to an acceptable level of assurance, at a reasonable cost, in a manner that can be easily deployed and practically used—has not been fully solved.

As noted in the session “Who Are You? From Meat to Electrons and Back Again,” “a flyby of recently discovered and invented mechanisms to digitally identify a person makes it clear that it’s not for lack of options.” This entertaining talk will provide the technology enthusiasts in your organization with a snapshot of dozens of different methods for authenticating the identity of individuals, from the painfully well-known to the delightfully new and obscure in the categories of biometrics, cognitive, and wearables.

By getting these innovations out in the open, you can accomplish at least three important things. First, everyone can have some fun bonding over their favorite cool or quirky technologies. Second, it lessens the chance that, months from now, a serious identity management project will get dragged into the weeds when someone forwards a link about one of these technologies, since everyone will have seen it before. Third, the fact that innovations like these continue to take place underscores the fundamental importance of the identity management problem. If this problem didn’t matter or if it had already been solved, people wouldn’t continue to invest their time and money into trying to address it.

2. For Pragmatists: Being Smarter About When Identity Technologies Are Used

Recent research from Aberdeen Group confirms that identity management capabilities are not only being seen as the means for control, compliance, and cost efficiencies when protecting the organization’s applications and data, but are also an essential business enabler for the organization’s users. After all, the users are the way that organizations hope to achieve their strategic business objectives, so a stronger focus on the user experience with respect to identities is welcome, if not long overdue.

Balancing these two objectives means making smart, deliberate choices about identity technologies to minimize the friction in the user experience while still mitigating security-related risks to an acceptable level. For example, many organizations use transparent authentication methods to provide an appropriate level of identity assurance for normal circumstances. They then apply stronger, more visible methods for a higher level of assurance when an analysis of user behaviors and environmental factors indicates a higher-risk scenario. This is the main takeaway from the session titled “Don’t Use Two-Factor Authentication . . . Unless You Need It!” It’s not really a new message, but it’s very important to put it in front of the teams that support current projects.
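The step-up approach described above can be expressed as a small policy engine: score each login attempt from contextual signals (device, network, location, recent failures, time of day) and map the score to the least intrusive method that still gives acceptable assurance. The following is an added example written for this report, not code from the session or from any product; the signals, weights, thresholds and sample logins are all constructed for illustration and would need tuning against your own incident data.

```python
"""Risk-based step-up authentication policy (added example, constructed for illustration)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginContext:
    """Signals available at login time. Field names are assumptions for this example."""
    user: str
    device_known: bool            # device fingerprint seen before for this user
    ip_known: bool                # source network previously associated with the user
    country: str                  # geolocation of the current attempt
    last_country: str             # geolocation of the previous successful login
    minutes_since_last_login: int
    failed_attempts_last_hour: int
    hour_utc: int                 # 0-23


# Weights and caps are constructed values; they are not from the session or from research.
def risk_score(ctx: LoginContext) -> int:
    """Combine environmental and behavioural signals into a 0-100 risk score."""
    score = 0
    if not ctx.device_known:
        score += 30
    if not ctx.ip_known:
        score += 20
    if ctx.country != ctx.last_country:
        score += 25
        # "Impossible travel": a country change within a short window is strongly suspicious.
        if ctx.minutes_since_last_login < 120:
            score += 30
    # Repeated failures suggest guessing; cap the contribution so it cannot dominate alone.
    score += min(ctx.failed_attempts_last_hour, 5) * 5
    if ctx.hour_utc < 6 or ctx.hour_utc > 22:
        score += 10
    return min(score, 100)


def required_method(score: int) -> str:
    """Map a risk score to the authentication the user must complete.

    Low risk stays transparent (no visible prompt); higher risk steps up to a
    visible second factor, then to a phishing-resistant factor, then to a deny.
    """
    if score < 25:
        return "transparent"    # session and device signals only, no user interaction
    if score < 60:
        return "otp"            # a second factor the user sees, e.g. an authenticator code
    if score < 85:
        return "hardware_key"   # phishing-resistant factor for clearly anomalous logins
    return "deny"               # too risky to authenticate interactively; route to recovery


def decide(ctx: LoginContext) -> tuple[int, str]:
    """Return (score, required method) for one login attempt."""
    score = risk_score(ctx)
    return score, required_method(score)


# Constructed sample logins covering each policy band.
ROUTINE = LoginContext("alice", True, True, "US", "US", 24 * 60, 0, 10)
NEW_DEVICE_SOME_FAILURES = LoginContext("alice", False, True, "US", "US", 24 * 60, 2, 10)
NEW_DEVICE_NEW_NETWORK_ABROAD = LoginContext("alice", False, False, "DE", "US", 600, 0, 10)
IMPOSSIBLE_TRAVEL = LoginContext("alice", False, False, "DE", "US", 30, 0, 10)

if __name__ == "__main__":
    for ctx in (ROUTINE, NEW_DEVICE_SOME_FAILURES, NEW_DEVICE_NEW_NETWORK_ABROAD, IMPOSSIBLE_TRAVEL):
        print(ctx.user, ctx.country, decide(ctx))
```

The point of keeping the scoring and the method mapping separate is that the security team can tune weights from incident data while the product team negotiates the thresholds that govern how often users see a prompt; both sides are working from the same score.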

3. For Forward-Thinkers: Applying Technologies and Standards to Architect a New User Experience

Google’s login page no longer has a password field.

That’s the hook that should get the forward-thinking people in your organization interested in checking out the session called “Identity Standards at Work in Google’s Mobile-Focused Future.” If they’re working on new or next-generation initiatives, they will want to be updated and inspired by these examples from the vanguard of modern identity management.

The basic vision is the same as the one above—to streamline the user experience while still maintaining a level of identity assurance that is appropriate for the organization’s appetite for risk. However, the focus here is how this vision can be realized by incorporating some of the many identity-related standards that have been steadily evolving in recent years from organizations and initiatives such as the OpenID Foundation, the Open Identity Exchange, the Open Standard for Authorization, and the Fast IDentity Online Alliance.

4. For Pragmatists, Part 2: Addressing the Risk of Managing Privileged Identities

While the first three items on the trip report are all about identity management technologies that are newer, faster, and better, this fourth item is about dealing with the ubiquitous problem of managing privileged identities—the credentials that provide access to the numerous enterprise accounts with powerful administrative privileges and control over an enterprise’s IT infrastructure. The session “Are You Worthy? The Laws of Privileged Account Management” provides a solid overview of the problem, along with a point of view about the best practices that comprise a solution. This is an issue that should be dealt with in the here and now, if it hasn’t been already.

Further research from Aberdeen quantifies why this is such a problem. Attackers are quick to gain access to enterprise systems and start getting enterprise data out, with 65 percent of successful data breaches beginning data exfiltration in 90 days or fewer. However, current enterprise practices leave this window of vulnerability wide open—58 percent of privileged accounts have not had a credential change in 90 days or more.

Use these tips to get the various players in your organization on board with new identity management efforts, and your company will be well on its way to a safer and more secure network.
