Wednesday, January 07, 2009

Identity and data security go hand in hand

I've been meaning to write about this for some time, but CA's acquisition of Orchestria (which I wrote about here) just happened to be the compelling event that kick-started my thought processes.

I don't think anyone's completely worked out how Identity Management (IDM) and Data Leakage Prevention (DLP) or even data security in general should (or will) come together just yet. During my time working in the data security arena, IDM was typically an afterthought in most of the environments I dealt with.

My view for quite a while has been that IDM and DLP go together because in a unified solution, there is a more complete security context with which access control decisions can be made.

DLP products at the moment are VERY data-centric. Policies tend to not cater for identities, roles or access controls but rather what data is being accessed, how people are trying to access it, where they are accessing it from and what they are trying to do with it. Sound familiar? It should if you've had anything to do with IDM or information security in general, but hold that thought. From a data security standpoint however, DLP is about data identification, classification, usage and wrapping controls around it all. Or as a customer's CEO once said during my time at Verdasys, "protect my data but don't get in the way of my business".

IDM on the other hand, is more about controlling access to resources and wrapping it all up with an "accountability" ribbon. I'm over-simplifying of course, because there's all the automation bits and pieces that lead to more efficient processes and so on that I've completely ignored, but bear with me for now because the point here isn't to define IDM to the nth degree.

Allow me to take a step back for a minute and try to distill what it is that information security professionals are trying to solve when we talk about protecting organisational assets. It's not actually that complicated. An organisation has a "bunch of things all over the shop". There are buildings, rooms, offices, applications, databases, file systems, servers, disks, CDs, DVDs, USBs and all sorts of other bits and pieces. There's also bits of paper lying on desks, but technology can't fix that directly. It's more about security awareness and training, but I digress. Back to the point at hand...

The "things all over the shop" are essentially just a means to an end. They are required to house company resources and at the core of these company resources is information. Information in its most basic form is data. This is my long winded way of saying that all we're trying to do is protect access to data and control how it is used. Even all that Governance, Risk and Compliance (GRC) hullabaloo is about making sure data is not misused and if it somehow is, that there is end-to-end traceability, accountability and transparency so you can forensically figure out what happened. Of course, if you had protected that data properly in the first place, there should be no need to go hunting for the smoking gun. But 100% security is a pipe dream, hence the need for a good audit trail (which itself is also data - and can be modified to hide illegal activities if not protected).

So let's recap. You can name all the company assets you like that security tries to protect, but in the end we are trying to protect data and control how it is used. Most things tie back in some way to the "organisational crown jewel" that is information. i.e. data. That's why our profession is usually referred to as "Information Security". What does this mean? IDM tries to protect data. DLP also tries to protect data. The difference is the approach and focus.

IDM attempts to address this by focusing on people and process in a "business centric" manner. DLP or data security (to use a broader term) attempts to address this in a data-centric, "bits and bytes" manner. In some ways, you could view IDM as a top-down approach while DLP is bottom-up. This is the crux of why I've thought for quite some time that IDM and DLP/data security go hand in hand (my obvious self-interests aside): IDM keeps trying to gain additional contextual information to make better access control decisions and DLP keeps trying to make business sense of all this data flying around.

Because IDM focuses on business, people and process, quite often it's the low-level things that are more difficult because there are more unknowns. That is, the things you don't know about that you need to figure out. If there is no automated way to do so, it can take a lot more time. That's why there's a market for products that claim to address risk management, role mining, identity mining and security monitoring. These are some of the typical gaps that need filling whenever you implement an Enterprise Identity and Access Management programme. They need to be filled so you can use them as input to implement proper security policies that are aligned with business and reality instead of the "out of the box" policies you get from the vendor.

One of the most crucial low-level considerations is in trying to figure out what you're trying to protect. Quite often, the consultants will only go as far as the applications. Access controls are more often than not very course-grained. With the advent of all the entitlement management initiatives floating around today, access control is starting to get more fine-grained but they can only go as far as discrete actions people make within the IT environment based on a pre-configured set of policies based on statically defined resources.

In other words, a resource will be defined a certain way until an administrator changes the definition. The blind spot is actually the underlying information or data associated with the resource, which is a key part of this thing we call the security context that's required to make an enforcement decision. Information is dynamic and as such many resources are dynamic by nature. For example, one moment a document might be sensitive but the next moment not because someone deleted all the sensitive information. This dynamic nature of organisational resources is something the IDM software vendors haven't quite solved yet, although Oracle's Adaptive Access Manager is a step in the right direction (I wrote about this here). The reason they have not solved this is largely because much of it is based on information and data being taken into consideration when making access control decisions in real time.

DLP products do a pretty good job of identifying data at rest (e.g. on disk or in databases), data in motion (e.g. across the network or actively being used by people), classifying information and enforcing controls on actions based on security policies. They are typically lacking in the following aspects:
  1. Providing an easy way to tie their policies into a central policy management point across multiple systems (which is what Symantec and McAfee are trying to do).
  2. Having any notion of identity awareness beyond being able link policies back to distinct user accounts (i.e. personas instead of actual identities) or roles within a particular namespace (e.g. a particular application). For example, in many cases the only notion of identity is someone's Active Directory account and Active Directory role memberships.
The first point is something the large vendors (such as CA) should be able to address given that it's something they should be looking to do with their existing security products.

The second point is important because many DLP customers are starting to include things such as behavioural analysis and more "pro-active security measures" on their wish-lists for product features. The problem is that to be able to do this in a useful manner, the products need to be identity aware.

Information security has always been reactive. Many products come out with "whiz-bang" features that claim to be "intelligent" but the reality is that organisations only fix things once something bad happens. I'm not taking a swipe at operational security in general. All I'm saying is that information security professionals can only be as good as the limits of the tools available will allow them to be. The promise for a long time has been that there would be more products that allow for the operational security teams to be pro-active or better still, have software make decisions adaptively based on real-time threats instead of using static, potentially outdated policies based on assumptions made that could cause issues because of potential "blind spots".

IDM and data security are complementary. Each goes a long way towards addressing the other one's shortcomings and blind spots (although not completely). The key is that we need to figure out how to put it all together so that we can get closer to the reality of pro-active security measures. A data-aware Identity and Access Management infrastracture allows for micro-grained, dynamic, adaptive access controls and more context-aware policies and controls.

1 comment:

chuck said...

Interesting thoughts... right on the mark with the current hype and activity on data security and data leakage with CA's acquisition, Symantec/Vontu and RSA/Microsoft relationship.

Although data security and leakage have been challenges since data has been network accessible, most recently, I believe some of this increasing activity is due to the growth in Sharepoint. Prior to the Sharepoint revolution (some may not like the word revolution.. but Microsoft shops seem to be increasingly growing their deployments and MS revenues for Sharepoint growing dramatically) the main form of data leakage was email, although laptops, CDs, etc played a role. Unlike most other enterprise products, in Sharepoint everyone is a user and an administrator creating a dynamic collobaration while making the CSO nervous. As shops that are Microsoft centric, making their Sharepoint portals accessible to their patners, I believe that the data leakage problem has become more mainstream issue with high risk for the enterprise.

To your point - the current DLP solutions are identity agnostic and as the market matures, I belive customers will start asking for identity awareness. The DLP identity awareness requirements may intersect with the entitlements management products that do fine grained access controls, forcing IAM vendors to have DLP in their portfolio.
Chuck