
Single point of control

Date: 03-2015

Identity and access management solutions - how much of a difference do they really make to an enterprise's defences? Computing Security asks those in the know.

An IAM solution should indeed be part of an organisation's global security strategy, states Nico Popp, vice president of information protection at Symantec, and should be designed as a single point of control for access to company resources, business-critical applications and data. "A well implemented IAM solution should simplify the IT environment, consolidating user directories to establish a single source of truth for user management, Single Sign-On (SSO) capabilities to reduce the number of passwords and one point to authenticate all users," he points out.

One of the most important capabilities of a strong IAM solution is the ability to set granular access policies. "It is through these policies that IT administrators can ensure users are not subject to a host of applications they don't need to do their jobs and, perhaps more importantly, not gaining access to applications where they can inadvertently put sensitive company data at risk. Providing identity and context-based access controls gives IT the tools they need to craft the right policies for the individual or group."

Once a user's identity has been established, data loss prevention capabilities can associate any data that is accessed with a particular individual. "Content-based data access policies allow IT to more finely establish a set of controls, with the flexibility to provide gentle warnings or block an attempt, if a user tries to move specific data outside the enterprise," adds Popp.

Putting in place a common control point allows IT to:

• Authenticate all users, so only legitimate ones gain access to sensitive data
• Ensure access to the right applications for the right job, so application access is not called into question
• Prove data access controls are in place and track events
• Log all events to help ensure that proving compliance is not an issue.

"The key is creating a user-friendly central control point and establishing a policy of use for all users: remote or on-premise," he concludes. "If users can gain access through numerous access points and authentication is not strictly enforced, then there is no concept of identity, users become invisible, tracking access to data becomes impossible and the information IAM provides becomes suspect, making proving compliance unachievable."
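The control point Popp describes (identity- and context-based access policy, content-based DLP with a warn-or-block outcome, and an audit trail of every decision) can be sketched as a small policy decision point. The code below is an added illustration for this article, not Symantec's product or code; the users, groups, applications, rules and the internal domain `example.com` are constructed sample data, and real deployments would read identities from the consolidated directory and write the audit log to a SIEM rather than a list.

```python
"""Single point of control: identity + context access policy, DLP egress rule,
audit log. Added illustration; all identities, apps and rules are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Context:
    """What the control point knows about a request once the user is authenticated."""
    user: str
    groups: frozenset          # from the consolidated directory (single source of truth)
    mfa: bool                  # authentication included a second factor
    managed_device: bool
    network: str               # "corp" (on-premise) or "remote"


@dataclass
class Rule:
    app: str
    groups: frozenset                                  # who may use the application
    condition: Callable[[Context], bool] = lambda c: True   # extra context requirement
    reason: str = ""


AUDIT: List[dict] = []   # every decision is recorded, allows as well as denials


def log(event: str, ctx: Context, **extra) -> None:
    AUDIT.append({"event": event, "user": ctx.user, **extra})


# Constructed policy: group membership plus context, least privilege by default.
APP_RULES = [
    Rule("mail", frozenset({"staff"}), reason="all staff"),
    Rule("hr-system", frozenset({"hr"}), lambda c: c.mfa, "HR group, MFA required"),
    Rule("finance-ledger", frozenset({"finance"}),
         lambda c: c.mfa and c.managed_device and c.network == "corp",
         "finance group, MFA, managed device, on-premise"),
]


def authorise(ctx: Context, app: str) -> bool:
    """Default deny: access needs a rule whose group AND context conditions hold."""
    for rule in APP_RULES:
        if rule.app == app and (ctx.groups & rule.groups) and rule.condition(ctx):
            log("access.allow", ctx, app=app, rule=rule.reason)
            return True
    log("access.deny", ctx, app=app)
    return False


# DLP rules: (label, content matcher, action). Because the identity is already
# established, every hit is attributed to a named individual in the audit log.
DLP_RULES = [
    ("payment-card", re.compile(r"\b(?:\d[ -]?){13,16}\b"), "block"),
    ("internal-marking", re.compile(r"INTERNAL ONLY", re.I), "warn"),
]


def egress(ctx: Context, content: str, destination: str) -> str:
    """Decide 'allow', 'warn' or 'block' for moving content to a destination.
    Destinations under the (assumed) internal domain are not DLP-inspected."""
    if destination.endswith(".example.com"):
        return "allow"
    decision = "allow"
    for label, pattern, action in DLP_RULES:
        if pattern.search(content):
            log(f"dlp.{action}", ctx, label=label, destination=destination)
            if action == "block":
                return "block"        # a block outranks any gentle warning
            decision = "warn"
    return decision


def events_for(user: str) -> List[dict]:
    """Compliance evidence: everything the control point recorded for one identity."""
    return [e for e in AUDIT if e["user"] == user]


if __name__ == "__main__":
    alice = Context("alice", frozenset({"staff", "finance"}), True, True, "remote")
    print(authorise(alice, "mail"), authorise(alice, "finance-ledger"))
    print(egress(alice, "card 4111 1111 1111 1111", "dropbox.example.net"))
    for e in events_for("alice"):
        print(e)
```

The same identity is allowed into mail but refused the ledger from a remote network, and the refusal is logged with the application name, which is the evidence an auditor asks for. The card-number pattern is deliberately crude; a real DLP engine would validate the check digit and inspect more than one content type.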

UNCERTAINTY AND TRUST
People normally associate IAM with the identity and rights of 'people'. In the near term, the problem will extend to 'things' - but how do you identify things in the 'Internet of Things' (IoT)? An easy answer, according to Basil Philipsz, managing director, Distributed Management Systems (DMS), is client certificates and secure links - use secure sockets. "Unfortunately, it seems it is the only technology at hand, but, whilst appropriate for the 1990s and strengthened by TLS versions more recently (TLS1.2 in 2008), confidence has seeped away with the Heartbleed and POODLE debacles in 2014," he says.

"However, the fundamental weakness is the uncertainty of trust in certificates that underlies this technology. Several reasons are given for this, including advances in factorisation of RSA, the uncertainty of what private keys have been revealed - particularly after Heartbleed, the exploits of spoofing certificates and the resultant continuing menace of Man-in-the-Middle (MiM) attacks."

The objective is to provide a completely new and more relevant approach, better suited to the evolving Internet of Things where command and control functions need protection and efficiency, and importantly need a different communication topology. "The aim is to produce a methodology that provides mutual authentication and secure sessions, but which resists Insider Attacks and MiM attacks," he advises. "In the IoT, the typical topology is not just server and web client, but server, local hub and local satellites. Examples of this tri-party communication include server, ground station and local UAVs, and server, home hub and local, intelligent sensor-based controllers. There is little degradation expected between the hub and the local satellites, so efficient, encrypted UDP messages can be used."
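The article does not describe DMS's methodology, so the following is a generic illustration of the two properties Philipsz names, mutual authentication and a secure session that resists an active man-in-the-middle, using nothing but a pre-shared key and HMAC from the Python standard library. It is added here and is not DMS's protocol or code. The hub and satellite names, the key and the datagram contents are constructed. Both identities and both nonces are bound into each authentication tag, so a relayed or reflected message cannot substitute for knowledge of the key, and an attacker who alters a nonce in flight causes the handshake to fail. The derived session key then authenticates sequence-numbered datagrams, which gives integrity and replay protection over UDP; confidentiality would be added with an AEAD such as AES-GCM keyed from the same session key, which is left out to keep the example dependency-free.

```python
"""Pre-shared-key mutual authentication (hub <-> satellite) and authenticated,
replay-protected datagrams. Added, generic illustration; not DMS's method."""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output


class Party:
    def __init__(self, name: bytes, psk: bytes):
        self.name, self.psk = name, psk
        self.nonce = self.peer = self.peer_nonce = None
        self.session_key = None
        self.send_seq, self.recv_seq = 0, -1

    def tag(self, label: bytes, *parts: bytes) -> bytes:
        """HMAC over a domain-separating label and the given fields."""
        return hmac.new(self.psk, label + b"".join(parts), hashlib.sha256).digest()


# --- handshake: three messages -------------------------------------------
def hub_hello(hub: Party):
    hub.nonce = os.urandom(16)
    return hub.name, hub.nonce                      # message 1: hub -> satellite


def sat_respond(sat: Party, hub_name: bytes, hub_nonce: bytes):
    sat.nonce = os.urandom(16)
    sat.peer, sat.peer_nonce = hub_name, hub_nonce
    proof = sat.tag(b"sat-auth", hub_name, sat.name, hub_nonce, sat.nonce)
    return sat.name, sat.nonce, proof               # message 2: satellite -> hub


def hub_finish(hub: Party, sat_name: bytes, sat_nonce: bytes, sat_proof: bytes):
    """Verify the satellite's proof over OUR nonce; on success derive the
    session key and return the hub's own proof (message 3)."""
    expected = hub.tag(b"sat-auth", hub.name, sat_name, hub.nonce, sat_nonce)
    if not hmac.compare_digest(expected, sat_proof):
        return None
    hub.session_key = hub.tag(b"session", hub.name, sat_name, hub.nonce, sat_nonce)
    return hub.tag(b"hub-auth", hub.name, sat_name, hub.nonce, sat_nonce)


def sat_finish(sat: Party, hub_proof: bytes) -> bool:
    expected = sat.tag(b"hub-auth", sat.peer, sat.name, sat.peer_nonce, sat.nonce)
    if not hmac.compare_digest(expected, hub_proof):
        return False
    sat.session_key = sat.tag(b"session", sat.peer, sat.name, sat.peer_nonce, sat.nonce)
    return True


def run_handshake(hub: Party, sat: Party, tamper=None) -> bool:
    """Drive the exchange. `tamper`, if given, rewrites the hub's nonce in
    flight and stands in for an active man-in-the-middle."""
    hub_name, hub_nonce = hub_hello(hub)
    if tamper:
        hub_nonce = tamper(hub_nonce)
    sat_name, sat_nonce, sat_proof = sat_respond(sat, hub_name, hub_nonce)
    hub_proof = hub_finish(hub, sat_name, sat_nonce, sat_proof)
    return hub_proof is not None and sat_finish(sat, hub_proof)


# --- session: authenticated datagrams ---------------------------------------
def seal(party: Party, payload: bytes) -> bytes:
    """Datagram = seq(8 bytes) || payload || HMAC(session_key, seq || payload)."""
    header = struct.pack(">Q", party.send_seq)
    party.send_seq += 1
    mac = hmac.new(party.session_key, header + payload, hashlib.sha256).digest()
    return header + payload + mac


def unseal(party: Party, datagram: bytes):
    """Return the payload, or None for a forgery or a replayed/old sequence
    number. (UDP may reorder; a production receiver would keep a sliding
    window instead of requiring strictly increasing sequence numbers.)"""
    if len(datagram) < 8 + TAG_LEN:
        return None
    header, body, mac = datagram[:8], datagram[8:-TAG_LEN], datagram[-TAG_LEN:]
    expected = hmac.new(party.session_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    (seq,) = struct.unpack(">Q", header)
    if seq <= party.recv_seq:
        return None
    party.recv_seq = seq
    return body


if __name__ == "__main__":
    key = os.urandom(32)                              # provisioned out of band
    hub, sat = Party(b"hub", key), Party(b"sat-7", key)
    print("handshake:", run_handshake(hub, sat))
    dgram = seal(hub, b"open valve 3")
    print("first delivery:", unseal(sat, dgram), "replay:", unseal(sat, dgram))
```

Provisioning one key per satellite is what keeps an insider on one device from impersonating another, and the pre-shared key gives no forward secrecy: a disclosed key exposes every past session, which is the trade-off against the certificate-based approach the text criticises.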
