
Hacker or user? How to tell friend from foe

With so many staff and customers operating outside the conventional firewall, firms are rethinking their controls and security - which is where the identity perimeter comes in.

Firms are having to push the boundary of authorised access far beyond traditional firewalls. Photo: Shutterstock

If you are receptive to the ideas of the Jericho Forum security thinktank, then you may well accept its view that organisations can no longer rely on the firewalls that used to mark the extent of their control over IT infrastructure.

Of course, in most cases the firewalls are still there. But they have had to become increasingly porous as more and more of the legitimate access to IT applications takes place from beyond their limits. Furthermore, with the increasing use of software as a service (SaaS), many of the applications are themselves beyond the firewall.

Legitimate users need to be distinguished from the hackers who are increasingly focused on targeting a given organisation's IT infrastructure, often by passing themselves off as legitimate users.

Supporting remote users as well as internal ones and keeping criminals and hacktivists at bay requires pushing the boundary of authorised access far beyond traditional firewalls to user-access devices. Hence the concept of the identity perimeter.

The technology that can enable this concept - single sign-on (SSO) - is not new, but many of the ways it is being used are.

The traditional suppliers in identity and access management, namely CA, Oracle and IBM, have had SSO systems for many years. The primary use of these products has been to save users from having to remember multiple usernames and passwords, which is considered a security issue because users with too many passwords start writing them down.

These vendors have had to adapt to a new set of competitors that have designed their SSO systems to support the trends of rising numbers of remote users who are often using their own devices, and the increasing use of SaaS.

More recent arrivals in this market include Ping Identity, Okta, Symplified and SaaSID, while a more established specialist, Imprivata, has found a niche for SSO in healthcare.

Link legitimate users and resources

These systems aim to make establishing a safe identity - wherever the user happens to be - the ultimate perimeter to a given business's IT activities. They link legitimate users with the resources they require, with the SSO system acting as an identity bridge.

However, these systems can do much more and in some cases these additional capabilities are more about access to applications and data sources than identity - especially when it comes to dealing with customers. Indeed, there are cases when the SSO system need not know a user's identity at all in the first instance to start providing value.

Imagine an inquisitive would-be tourist turning up at a travel agent's website. They may just want to get a feel for the cost of air travel, car hire and hotels before considering making a booking. The SSO system can provide federated access to the resources needed to get quotes, adding more detail when the prospective customer actually decides to book something.

Of course at that stage an identity needs to be established. To an extent, a consumer can make up an identity at this point, perhaps by inventing a username. But this identity will need to be linked to a real email address and a genuine means of payment.

Opening up more resources

At this point the SSO system, in conjunction with other services, is starting to establish and improve the quality of the identity of the new customer. Once established, this identity can be used to open up more resources - for example, the customer's transaction history as seen through the booking system.

Other transactions, in particular business-to-business ones, rely on acquiring identities from existing systems. For employees of a given organisation, these identities will generally come from an internal directory of some sort, most commonly Microsoft Active Directory.

However, when it comes to opening applications to partners and other external business users, the most valuable source of identity is likely to be an external one, such as the partner's own internal directory or the membership database of a professional body.

For consumers and business users, social-media sites such as Facebook and LinkedIn are becoming accepted sources of identity in certain circumstances.

This trend means SSO systems increasingly need to be able to access multiple sources of identity for authenticating users. To make this process as simple as possible, the SSO system itself and the sources of identity need to be standardised.

Identity and access-management standards

A number of standards have arisen in identity and access management to support this need, including the Lightweight Directory Access Protocol (LDAP) for storing identities and the Security Assertion Markup Language (SAML) for sharing them. An understanding and acceptance of standards, and a given vendor's support for them, should be an important part of the criteria for any SSO evaluation.

The ability to access identities from a wide range of sources and link them to multiple applications enables more integrated and efficient business processes and supply chains.

Here, car dealerships linking in to a manufacturer's ordering systems and lawyers linking in with court management systems and law-enforcement bodies are good examples. The SSO system can also broker policy about what a given user can do with a given resource and define templates for different roles, simplifying the provisioning of users.

Perhaps more importantly, when the relationship with a given user ends, deprovisioning them from the SSO systems ensures access to all resources is cut at a stroke.
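The two mechanisms just described, role templates that broker what a user may do with a given resource and deprovisioning that revokes everything at once, can be shown with a small model. The following is an added example, not code from the article or from any vendor it names; the identity source, application names, roles and users are constructed for illustration. It contrasts a central broker, where removing one assignment revokes every derived entitlement, with per-application account lists, where an offboarding that misses one application leaves access lingering.

```python
"""Added example: a minimal SSO-style identity broker with role templates and
one-step deprovisioning, contrasted with siloed per-application accounts.
All names and data are constructed for illustration."""

from dataclasses import dataclass, field

# Role templates: a role maps to the (application, permission) entitlements it grants.
# Constructed roles for a hypothetical dealership-to-manufacturer integration.
ROLE_TEMPLATES = {
    "dealer_sales": {("ordering", "read"), ("ordering", "create_order")},
    "dealer_finance": {("ordering", "read"), ("invoicing", "read"), ("invoicing", "approve")},
}


@dataclass
class IdentityBroker:
    """Central broker: trusts named identity sources and brokers access policy."""

    # identity source name -> subjects it vouches for (stand-in for LDAP/AD or a partner directory)
    identity_sources: dict[str, set[str]]
    # subject -> assigned role names
    assignments: dict[str, set[str]] = field(default_factory=dict)
    audit_log: list[str] = field(default_factory=list)

    def provision(self, subject: str, source: str, roles: set[str]) -> None:
        # Only subjects vouched for by a trusted source may be assigned roles.
        if subject not in self.identity_sources.get(source, set()):
            raise ValueError(f"{subject} is not known to identity source {source}")
        unknown = roles - set(ROLE_TEMPLATES)
        if unknown:
            raise ValueError(f"unknown role template(s): {sorted(unknown)}")
        self.assignments[subject] = set(roles)
        self.audit_log.append(f"provision {subject} from {source} roles={sorted(roles)}")

    def deprovision(self, subject: str) -> None:
        # A single operation: dropping the assignment revokes every entitlement derived from it.
        self.assignments.pop(subject, None)
        self.audit_log.append(f"deprovision {subject}")

    def entitlements(self, subject: str) -> set[tuple[str, str]]:
        ents: set[tuple[str, str]] = set()
        for role in self.assignments.get(subject, set()):
            ents |= ROLE_TEMPLATES[role]
        return ents

    def authorize(self, subject: str, app: str, permission: str) -> bool:
        # Applications ask the broker rather than keeping their own user lists.
        allowed = (app, permission) in self.entitlements(subject)
        self.audit_log.append(f"{'ALLOW' if allowed else 'DENY'} {subject} {app}:{permission}")
        return allowed


def per_app_accounts_after_leaver(accounts: dict[str, set[str]], leaver: str,
                                  removed_from: set[str]) -> list[str]:
    """Contrast case: each application keeps its own account list. Offboarding removes
    the leaver from the applications someone remembered; any application missed keeps
    granting access. Returns the applications where the leaver still has an account."""
    for app in removed_from:
        accounts[app].discard(leaver)
    return sorted(app for app, users in accounts.items() if leaver in users)


def demo() -> dict:
    broker = IdentityBroker(identity_sources={"partner_directory": {"alice", "bob"}})
    broker.provision("alice", "partner_directory", {"dealer_sales", "dealer_finance"})
    before = {
        "order": broker.authorize("alice", "ordering", "create_order"),
        "approve": broker.authorize("alice", "invoicing", "approve"),
    }
    broker.deprovision("alice")
    after = {
        "order": broker.authorize("alice", "ordering", "create_order"),
        "approve": broker.authorize("alice", "invoicing", "approve"),
    }
    # Siloed accounts: offboarding touched "ordering" but nobody remembered "invoicing".
    silo = {"ordering": {"alice", "bob"}, "invoicing": {"alice"}}
    lingering = per_app_accounts_after_leaver(silo, "alice", {"ordering"})
    return {"before": before, "after": after, "lingering": lingering}


if __name__ == "__main__":
    print(demo())
```

The audit log the broker keeps is the other half of the argument: because every access decision passes through one point, monitoring and controlling access happens there too, which is harder to achieve when each application authenticates on its own.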

There are many benefits to be gained from extending access to IT applications and resources to users working way beyond traditional firewalls, but a means of enabling, monitoring, controlling and stopping access will always be needed. SSO can be an effective way of achieving this.

Quocirca's report, The identity perimeter, is free to download for TechRepublic readers.

About

Bob Tarzey is a director at user-facing analyst house Quocirca. As part of the Quocirca team, which focuses on technology and its business implications, Tarzey specialises in route to market for vendors, IT security, network computing, systems manage...

3 comments
robo_dev

The article headline asks how to tell hacker vs. user but does not answer the question. How does SSO do that? It would be good to mention when the author of the article works for one of the companies mentioned in the article. To simultaneously talk about remote access, web site authentication, cloud, and enterprise SSO in one breath is terribly confusing. You don't use SSO for enterprise remote access (it's SSO by definition), you don't expose your SSO and AD to your web apps, and most enterprise security people are not likely to extend their authentication services out through their firewall to their business partners. Now if you're talking Cloud and SaaS, that's a whole different story. But in this case the whole app is 'outside the security perimeter' so putting the authentication out there is only logical.

readingman

To me SaaS represents one of the biggest challenges to IT in terms of general management and control. In the old days if a department wanted an app they came to IT who deployed it and monitored it and managed it. Now any department can buy any SaaS app and put any data they want up there without having the processes to provision and importantly deprovision users. It's the wild west out there. If I might be so bold - OneLogin is certainly worth looking at and adds to the level of security by including free 2FA.

cquirke

Identity awareness can only help you so far, as long as we still use the dated model that any code running within a logged-on session acts as intended by the human user. UAC is a baby step towards fixing that, but it's still a huge problem, especially where the connected device is outside IT management's control.