Who are you? It’s a basic enough question. Maybe you ask by way of introduction. Or perhaps for a job interview. It could even be important enough to get you elected president!
We answer the question of who we are every day. We give our answer through passwords and fingerprints and multifactor authentication challenges and responses. We are the person on the other side of a password prompt. We are the intended user of a system. We can prove who we are. Or can we?
Threats From The Outside In
One of the biggest sources of attacks today isn’t people brute forcing their way past your layered defenses. Instead, it’s insiders, or outsiders who have obtained the access privileges of insiders. The number of attacks that start with spearphishing campaigns, or with reconnaissance that turns up unused accounts holding elevated privileges, is growing at a shocking rate. Even though we teach people to avoid suspicious-looking emails, they still click on them. We tell our administrative staff not to give too many rights to accounts, and yet there are still service accounts running around with the rights to do far too much.
We all know this is a bad way to do things, right? We have all read time and again how important it is to keep privileges low and to find ways to remove them quickly in the event of a breach or when an employee leaves. We also need to regularly audit all those accounts to make sure they aren’t accumulating privileges they shouldn’t have. For example, say one of the developer user accounts got added to the Backup Operators group because the developer needed to test something. The test worked and the developer forgot to remove themselves from the group. Without an audit of the permissions to catch what happened, we may find ourselves getting exploited later because this developer was spearphished and their elevated account got the attackers further than they could have hoped.
Forging New Ideas
During RSA this year I had the chance to talk with Eve Maler of ForgeRock about some of these specific challenges. ForgeRock has built an identity management platform that gives security teams a lot of powerful tools they can leverage to fix problems like the ones above and many more.
ForgeRock likes to look at identity as a two-part problem. The first part is managing the relationship between an identity and its users: a thing’s identity exists through the relationships it has with its users. So the Backup Operators group identity is tied to the operators contained within it, such as service accounts or DR/BC team members.
The second part of the identity problem that ForgeRock tackles is the management of the identity over the term of a workflow. Identity is what privileges you need at a specific time for a specific task. Managing that assignment is critical to ensure that you only have what you need for the time you need it.
A great way to think of this is the idea of need-to-know classification systems. These exist above the codeword level of Secret and Top Secret. With need to know, you don’t get access to a particular piece of information unless you can demonstrate a need to know that info. How do you do that? By proving your identity and your workflow! You prove that you are the person assigned to a role that has a need to know the information, and you also provide the workflow for the need. So a general may not get to know the details of a very secret project. But if it’s the general assigned to that project and she gives the required proof of work on the project, she gets to know what’s going on.
Rock On With Security Tools
Extending these ideas into the enterprise with ForgeRock gives us a lot of flexibility in how we approach them too. One of the things I saw that I really liked was the ability to automate removal of privileges from identities when they aren’t needed. This solves the problem of old contractor or service accounts holding on to rights that can cause trouble in a later breach. It also solves the problem of forgetting to remove old user accounts after termination or reassignment. By having an automated process that can go through and remove those rights, you don’t have to remember down the road that you forgot.
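The privilege audit from the developer-in-Backup-Operators scenario above, combined with the automated removal just described, as an added example (not ForgeRock’s code; all group names, accounts and dates are constructed). It flags any member of a privileged group who is neither in an approved baseline nor covered by an unexpired time-boxed grant, then produces the cleaned membership:

```python
from datetime import datetime

# Constructed sample: current membership of privileged groups as a directory
# export might list it. Made-up data, not pulled from any real directory.
CURRENT_MEMBERS = {
    "Backup Operators": ["svc-backup", "dr-team-lead", "dev-alice"],
    "Domain Admins": ["admin-bob", "svc-legacy-deploy"],
}

# Approved baseline: who may hold each group permanently.
BASELINE = {
    "Backup Operators": {"svc-backup", "dr-team-lead"},
    "Domain Admins": {"admin-bob"},
}

# Time-boxed grants, (group, user) -> expiry: "only what you need for the
# time you need it". dev-alice's test window ended on 2024-03-01.
TEMP_GRANTS = {
    ("Backup Operators", "dev-alice"): datetime(2024, 3, 1),
}

# The day the audit runs (constructed); the temporary grant above has lapsed.
AUDIT_DATE = datetime(2024, 4, 15)


def audit(current, baseline, temp_grants, now):
    """Return (group, user, reason) findings for memberships that are neither
    in the baseline nor covered by a temporary grant that is still valid."""
    findings = []
    for group, members in current.items():
        allowed = baseline.get(group, set())
        for user in members:
            if user in allowed:
                continue
            expiry = temp_grants.get((group, user))
            if expiry is None:
                findings.append((group, user, "not in baseline, no grant"))
            elif expiry < now:
                findings.append((group, user, f"grant expired {expiry:%Y-%m-%d}"))
    return findings


def remediate(current, findings):
    """Return a copy of the membership map with every flagged member removed.
    This is the automated removal step; a real run would call the directory."""
    cleaned = {group: list(members) for group, members in current.items()}
    for group, user, _reason in findings:
        cleaned[group].remove(user)
    return cleaned


if __name__ == "__main__":
    for group, user, reason in audit(CURRENT_MEMBERS, BASELINE, TEMP_GRANTS, AUDIT_DATE):
        print(f"REMOVE {user} from {group}: {reason}")
```

Run on the sample data it reports the developer’s lapsed Backup Operators grant and an unapproved legacy service account in Domain Admins, which is exactly the drift a scheduled audit plus automated removal is meant to catch.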
Another feature that caught my eye was the virtual honeypot. ForgeRock can troll your attackers by giving them something that looks like what they’re after but is, in fact, a trap designed to help you gather information on them. Detection is a delicate dance of figuring out how to entice people to go deeper without revealing too much or spooking them into covering their tracks. ForgeRock’s virtual honeypots solve this problem by giving up fake data and drawing in the attackers so they’re forced to reveal more about themselves. This lets your response team figure out how to track them and what to do about them, all while keeping your actual security and identity data safe and sound.
Bringing It All Together
Identity management is becoming a huge part of what we do in security. We need to manage how people can access things and what they can do with the rights they have been given. But we also have to realize that those rights make them targets for attackers. So we need to move forward with securing those identities and leveraging modern technology to help us keep our users safe and secure while also allowing them to get their tasks and jobs accomplished.