Podcast Interview — ID and Access Management: The Role of Standards
Mark interviewed by Information Security Media Group
Click through to listen to the podcast (8:32 duration), which covers:
The role of IAM in today's extended enterprise;
Why some security pros find IAM deployment challenging;
New authentication technologies and solutions being deployed.
Transcript
Geetha
Hi this is Geetha Nandikotkur, Managing Editor for Asia and the Middle East with Information Security Media Group. I caught up with Mark Perry, Asia Pacific CTO at Ping Identity, recently in Singapore. Mark, who is based in Australia, specialises in identity and access management and discusses why practitioners across the banking, financial and other sectors find it complex to deploy identity and access management solutions, and suggests simple and unique ways to leverage the innovations happening in this space for ensuring better security and authentication.
Welcome and thanks for joining the conversation Mark.
Mark
Thank you Geetha.
Geetha
It is always observed that practitioners, not just in the banking sector but in various other sectors, find it really challenging to deploy identity and access management solutions. Why is that perception so?
Mark
Yes, that's probably true historically, that Identity and Access Management has been complex, because it's really an integration project. The complexity is more around how you work with your existing systems and your new applications. I think that’s changing. I think that with the new modern technologies we have, with the new protocols that work around REST, it enables people to deploy systems more easily, and also the integration becomes easier, and certainly the skills that are out there are becoming cheaper and easier to find, which also helps.
Geetha
You’re right. Digitisation has really increased this complexity, so which component of this entire deployment process is more challenging?
Mark
Look, I think again it's the integration pieces which are the most challenging, so… and again, traditionally it's been the provisioning of identity data which has been really hard to do, very expensive. Often people are writing software to do the integration instead of using off-the-shelf integration methods there, and then conversely, it's been Access Management and authentication which have been the easier parts of identity management to implement.
Geetha
So what have been the common architectural level challenges that the practitioners need to really worry about?
Mark
I think the first thing really is people should be using the open standards out there, instead of using proprietary technologies where possible. By using open standards, and those standards are OAuth and OpenID Connect and SAML and so on, people can actually implement and integrate very quickly because this is a well-known pattern and is widely now supported by the various vendors. It enables people to really piggyback off the work of the industry and provide the security they need while working to a framework that works.
The more difficult parts are the things that need custom development, and with custom development, there is often that required, but it's difficult to maintain that software, and if there are security issues in the code, then it's very expensive to go and remediate those generally.
Geetha
So are there new methods of authentication?
Mark
Yes, yes! I think the major thing there is that traditionally, people have been using SMS as a communication mechanism for one-time passcodes and so on, and the NIST [National Institute of Standards and Technology] organisation in the US has now said that should be deprecated and phased out of most organisations because of the security issues. So we've seen over the last few years people turning to push notifications via the smartphone apps because that is a secure private channel between the operating system vendor and the app, compared to SMS which is a public channel.
And then on top of that people are layering other innovative multifactor solutions like facial recognition or voice recognition which can be used across many different platforms…
Geetha
… more biometric based.
Mark
…biometric based, exactly. And again, there is a standard for that called FIDO, which I’d encourage people to look at, because that is a standard way of enabling biometrics and removing some of the security issues around storing biometric data.
Geetha
So what are the challenges? Is this biometric authentication foolproof?
Mark
Oh look, I don’t think you can ever say anything’s foolproof! I’m not silly enough to say that! But I think the idea really is to store enough data about the biometric in a very secure location, and generally that is on the device. So the secure enclave in iOS and also Android allows people to at least have some security over where that is actually stored rather than storing it in a server environment, which is potentially hackable. So I think that's the first thing people should do and the FIDO standard actually provides for that.
I think the other thing is: don't rely on one particular method. I think it's important to have a wide range of authentication methods and be able to select the authentication methods depending on the risk of the transaction. Using data about the user, where their device is, whether the device has been jailbroken, and so on, enables you to produce different authentication decisions at different times.
Geetha
You being the CTO for APAC, what are the new innovations happening around this identity management?
Mark
Yes, it's really interesting. I think that a couple of years ago I would have said it's all about improving the security of backend systems — so preventing breaches and managing passwords more securely, and so on. It's really flipped in the last couple of years to be focused on consumers, to increasing user experience and people being able to retain their customers, reduce churn, and improve their NPS [Net Promoter Score]. I think the important thing there is that the technologies can be used for both scenarios. It’s not one or the other.
And I really think that a lot of the learning that's happened by using these new REST-based technologies can be used for employee-facing applications as well, and we’re seeing some of that in the region now.
Geetha
So when you’re saying “REST-based”, what does that indicate?
Mark
By using REST as a communication protocol, it really is very simple for developers to consume, and that makes it easier to roll out new applications and also to secure the communication channel. You can use API gateways and API security functions much more easily than with older methods.
Geetha
You also mentioned tokenisation. Has that picked up in this region?
Mark
Yes, I think that the shift to OAuth and OpenID Connect, and representing information about the end user in a token that can be signed and encrypted, has really revolutionised the way we work in this industry. I think in the past we’ve been working with proprietary cookies. It's been hard then to bring in new technologies to work with that style of legacy architecture, and yet by moving to a standard like OAuth, it's enabled a lot of things to happen more quickly.
Geetha
So the entire scenario is changing now and companies — banks, critical infrastructure companies — are becoming victims of new threats. Do you think the identity management technology — does it have enough controls to secure against these new age threats?
Mark
Yes, look, I think that's a good question. I think that firstly people should realise that using passwords alone is not secure and that multi-factor authentication is a base level requirement now. It doesn't matter whether you’re securing access for employees, or for customers, it's just required. Using a secure method of authenticating people will help in those situations. The other thing is to stop using legacy methods of providing access to people, especially employees. Traditionally when somebody starts in an organisation, the person who is already in that job role will have their access rights copied to that new person, and of course if that person’s been there a long time, they will end up with a lot of access rights that maybe they shouldn't have. So managing access to applications and the access rights at an individual level is very, very important, and I think the new modern technologies in that piece, around entitlements management, helps to build that out as well.
Geetha
So what would be your advice to the practitioners, the CISOs, of all organisations when it comes to securing their microservices and mobile services?
Mark
I think that using OAuth as the security mechanism is a requirement, and again to look at using off-the-shelf products where possible, to enable that to be built quickly and easily, and maintained easily as well. And work on the parts of your application or service which you own the IP for, and you're able to then develop to bring your uniqueness to market. We as software vendors have spent a long time getting this right and… look, we see identity as being the core of transactions on the internet, and having a secure Identity infrastructure is really key to then enabling a whole lot of new services.
Geetha
Thanks Mark, for your insights on the new approaches practitioners need to take in deploying IAM solutions for better security.