The Advent of Adaptive IAM: Security in Motion

Categories: IT Security

“Opportunities multiply as they are seized”

-Sun T’zu, the Art of War

“It is difficult to understand the universe if you only study one planet”

-Miyamoto Musashi, Book of Five Rings


Go Rin No Sho, Source

RSA announced today a new solution to help customers ensure trusted identity and access management across enterprise and cloud environments, and this demands a little more diving into how IT and IAM are changing.  So let’s start at the beginning with what IT is all about.

The mission of IT is enabling connections between the right users and the right data.  Of course, this must be done under the right conditions; and interactions, activities and transactions can take many forms.  However, it is essentially about the right users connecting with the right data under the right conditions.  When this happens correctly and verifiably according to easy to understand policies, things are good; and when it happens incorrectly, we get the looming threat of malicious or careless insiders and the invasive presence of malicious outsiders.

The establishment of an IT environment that can do this in a predictable, repeatable and secure way has been the domain of Identity and Access Management (IAM), and while IAM is a venerable discipline (with roots that go back to AAA (A) and further), it has arguably stagnated in recent history and is being challenged by new, fast, disruptive trends.  Let’s start with the two biggies here: the consumerization of IT and all-things-cloud megatrends.

On the one hand, the “consumerization of IT” is leading to devices and identities’ departure from traditional IT environments: social networks, iPhones, ‘Droids, tablets, Macs and more all mean the CIO has less and less control over what devices connect to corporate data and the environments they abide in or traverse.  This is potentially disruptive to all things IT, meaning that when the effects of consumerization of IT are finally felt, full bore, the IT landscape could look radically different (we arguably have evolved from government-driven IT and the military-industrial complex to an Enterprise-driven, COTS world and now are approaching a “consumer-industrial” complex going forward where individuals have better IT departments than companies did a decade ago!).

On the other hand, the IT infrastructure itself is being Cloud-ized: alternate computing stacks are making their appearance, with CIOs controlling less and less of the explicit IT stack than ever before.  The temptation is to shout out that the perimeter is dead, but that’s a little simplistic.  It’s much better to say that these two trends demand a re-thinking of the perimeter (more accurately perimeters) and have massive implications on security, and most of all, have massive implications on IAM.

Now, let’s talk for a moment about the perimeter.

The Great Wall Source

Contrary to popular belief, “the perimeter” still exists in much the same way that the Maginot Line, Hadrian’s Wall and the Great Wall of China still exists.  Perimeters are all still there, and in the case of the Great Wall still serves a purpose as a tourist attraction producing revenue and as a symbol for a nation (the other two serve as reminders of different sorts).  The “perimeter” in an IT context is much less relevant today than it was before; but there are still functions that it performs and, unlike the perimeters I mentioned above, it still serves some limited security context.   However, the days of the perimeter being an effective primary means of defense are done.

The future, though, is extremely bleak for the utility of “the perimeter.”  The more the IT stack leaves and the more devices leave, “the perimeter” is done.  New perimeters will emerge and be useful to some degree, but ultimately, it’s not about perimeter-based security.  And in the world of connecting users to data, the old IAM solutions aren’t simply redundant, they are archaic fossils of past IT.

We need a new IAM doctrine.

This isn’t about just “consumerizing” or “cloud-ifying” IAM.  This isn’t just a response to trends or an attempt to hitch the IAM wagon to a new mule.  It’s about changing the way we do IAM in such a way that it is fundamentally more adaptive: able to on the fly re-orient and adapt to changing subject-and-object (i.e. person/device and application/data) in any given IT connection.  Where the old IAM world struggled to provision static users to static machines and apply some enforcement controls in a predictable, perimeter protected environment, IAM should be able to deal with the traditional environment as a simplistic instance of something much bigger.  Adaptive IAM should be the mechanisms and processes for enabling someone to connect from anywhere, on anything, to anything appropriately and transparently: if access isn’t right, deny it.  Otherwise, business should go on without impedance.

This requires an ability to handle emergent patterns and to adapt to and even to interpret policies on the fly in more situations than can be prepared for in a traditional stimulus-response world.  IAM must be adaptive in order to survive and thrive.  What does that mean specifically though?

I think I can boil this down to a few “big idea” concepts that underlie creating a truly “Adaptive IAM” and not just rehashing and claiming future proofing of IAM by adding a prefix with the word “Cloud” or a SaaS descriptor to a SKU.  Here are the basic ideas, although I think these will take more than one blog to fully flesh out:

  1. A new understanding of boundaries and “Dynamic Security Perimeters”: wherever users interact with data, controls have to follow.  This means an adaptive creation of trust zones and connections in a form of Situational Perimeter rather than a priori logical or physical one.
  2. Identities and Data are symmetrical: the things we do on one side of the equation are applicable on the other side of the equation as well.
  3. We need to get much deeper and more granular around both Identity and Data halves of the equation:

a.       Identities: we need a system that can account for…

1.       Multiple devices, real and virtual, per user

2.       Multiple identities and roles per user

3.       Mobility and fluidity of users

4.       Combinatory effects of attributes around users

5.       Geo-location of users

6.       Less binary authentication of users: not a yes / no but rather a “degree of trust” that someone is who they say they are

b.     Data: if this is symmetrical, we need to account for the same things around data as we do around people!

1.       Multiple applications and environments for data

2.       Multiple filters and ways that data is used

3.       Mobility and fluidity of data

4.       Context of data

5.       Geo-location of data

6.       Less binary states of data: not just encrypted / unencrypted but format or function preserving and states that define degrees of utility and degrees of entropy in data

4.  We have to foster new competencies in the center of the new IAM doctrine that enable the first principle.  These are…

a.       Better policy management: policies and authorization models have to be “model-able” and dynamic, repeatable and predictable

b.      Improved transaction context: authorization will depend on context and complex conditions around identities, data and transactional pathways.

c.       Intelligence: we must be able to apply improving, value-adding cognitive applications, machine learning and “Big Data” style analytics.

If we don’t do this, IT will be held back.

Not only are the disruptive trends above happening, but we see an explosion in the number of people, and their diversity, as well as an explosion in the quantity of information and the complexity of systems that people are employing.  In the old days, a fixed set of employees on a pre-determined SOE and a one-to-one ratio of people to machines would access a fixed number of applications and the databases behind them.

Now imagine expanding to partners, customers and the general public as virtual machines multiply exponentially and lose the smooth 1-to-1 mapping of one OS to one machine and then the continued, exponential growth in data too.  That’s going from a one-to-one-to-a-few (person-to-machine-to-data) world to a many-to-many-to-many world.

It’s time for IAM to become Adaptive.  It’s time to take security from a sitting still proposition and a plumbing exercise in IT and to put it into action.  Security needs to be done on the run and in motion, and therefore the only IAM that will survive is that which not only adapts but is adaptive by design.

Adaptive IAM is at the heart of RSA’s announcement.  You’ll see this as we add more now to our IAM portfolio specifically to enable the management of hybrid environments and offerings in identity federation, integration between authentication and authorization and, frankly, as we lay the foundation for Adaptive IAM as the heart of our mission with the RSA Cloud Trust Authority.

Sam Curry

Sam Curry is Chief Strategy Officer and Chief Technologist at RSA, The Security Division of EMC. Mr. Curry has more than 20 years of experience in security product management, development, marketing, engineering, quality assurance, customer support and sales. Prior to his current role, Mr. Curry held positions as CTO, VP Data Protection, VP of Product Management and General Manager at RSA and, prior to that, was VP of Product Management and Marketing for a broad information security management portfolio at both CA and was VP Product Management and Chief Security Architect at McAfee. He is a frequent speaker at industry events and has been quoted in Forbes, Bloomberg, CNET, Technology Review, PC World and Computerworld. He has also appeared on Tech TV, CNN and MSNBC. Mr. Curry holds degrees in English and Physics. Subscribe to Sam's RSS feed