
De perimeter is no longer de perimeter


Centrify’s David McNeely was in Australia to address delegates at the Gartner Security and Risk Management Summit. He had a strong message: infrastructure security is no longer a matter of good, better, best, but of danger, good, better, great and optimal. And very few organisations reach the ultimate nirvana.

“De-perimeterisation” of networks now extends across on-premises, public cloud, private cloud, Software as a Service (SaaS) and Infrastructure as a Service (IaaS) environments, and the biggest headache of all is that these hybrid networks have to be accessed anywhere, anytime and from any device.


The other major issue is that Verizon’s latest Data Breach Investigations Report (DBIR) found that 63% of data breaches involved weak, default or stolen passwords. In short, no matter how many layers of security an enterprise deploys, network defences alone cannot be trusted.

So began an informative briefing by David McNeely, Centrify’s Vice President of Product Strategy, and the revelation that he is a geek at heart who has always had a passion for identity and access management (IAM) and, more specifically, Identity as a Service (IDaaS), Privileged Identity Management (PIM), multi-factor authentication (MFA), Single Sign On (SSO) and security – a dirty job, but someone has to do it! The remainder of the interview is paraphrased.

I have been involved in IAM in one way or another since the early 90’s when Internet and email were just taking off.

After completing a BS, Electronic Engineering, at Texas Tech University I naturally went into the tech field. My time with Netscape working on LDAP (Lightweight Directory Access Protocol) and Netscape’s later iteration as iPlanet and AOL kicked off the identity security passion. I joined ActivCard in 2002 to launch a new secure single sign-on solution. I joined Centrify when it was founded in 2004, and twelve years later I am still there and even more passionate.

In over two decades we have gone from having no concept of the dangers of linking almost every computer in the world (the Internet) to trying to outsmart the bad guys who work 24/7 to take advantage of that. He recounted his recent experience at the Black Hat 2016 conference, where delegates were instructed not to use any public Wi-Fi, or even the hotel Wi-Fi, but only to connect to the Internet through their cell phone using cable-based tethering, and not to use Bluetooth.

Back to all the acronyms.

Passwords are broken

Passwords are broken, and users have too much access and privilege. Staying with the status quo [passwords] is not viable. Centrify’s research found that 52% of employees share their access credentials with other staff, contractors, and vendors.

Organisations need to move from a position of too many passwords and too much privilege per user to one where every user has a single account with a strong credential, and where privileged access is logged and monitored as standard procedure, especially in a hybrid world.


We have to reduce identity silos so that users only need to remember their network identity and then we can kill off passwords by using technologies like SSO and MFA – but app developers need to embrace that first.


Can you explain PIM and how it enables access by suppliers?

Privileged Identity Management reduces the risk of security breaches by minimizing the attack surface through enforcing least-privilege access policies. Essentially “the keys to the kingdom,” privileged accounts provide unlimited access to an organization’s most critical data, applications, systems and network devices.

As more enterprises embrace the cloud, privileged accounts increasingly lie outside the corporate perimeter and are frequently shared by both internal IT and often remote third parties such as contractors and vendors. It is no surprise that privileged accounts are top targets for hackers and malicious insiders alike.

In order to enforce least-privilege access, first consolidate all user identities into a centralised identity management platform such as Active Directory. Next, lock down local administrative accounts and their passwords so that you can control who can use these accounts, also known as shared account password management. Additionally, when a user needs privileges to perform their duties, organisations can grant a very granular set of rights on the specific systems where those privileges are required, also known as superuser privilege management.


There are also applications or batch jobs that may need to log in to another computer or application to perform their function, and these application passwords should be carefully managed and periodically rotated, also known as application-to-application password management.

Federated identity management enables an organisation to establish trusted identity relationships with its outsourcing partners so that employees of the outsourcing partner only need to authenticate to their own company’s identity management system, without having to remember yet another user ID and password for each of their company’s clients.

Centrify also provides for secure remote access for these outsourcing partners so that they can perform their duties without requiring VPN access. Secure remote access is provided through the Centrify Privilege Service portal, which provides web-based access to server console interfaces for both UNIX/Linux as well as Windows, all without requiring any software or plugins to be installed. Application developers can also access internal web based application interfaces through the Centrify portal.
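The three controls McNeely lists above (one consolidated identity, granular per-host rights, and vaulted shared-account passwords that are rotated, including on a schedule for application-to-application accounts) can be sketched in a few dozen lines. The following is an added illustration written for this article; it is not Centrify's code, and the directory entries, role names, host names and commands in it are constructed.

```python
"""Added example: least-privilege grants and shared-account password management.
Not Centrify's code. Directory contents, hosts and commands are constructed."""
import fnmatch
import secrets
import string

# 1. One consolidated identity per person (stand-in for a central directory).
DIRECTORY = {
    "alice": {"roles": {"dba"}},
    "bob":   {"roles": {"web-ops"}},
    "eve":   {"roles": set()},          # no privileged role at all
}

# 2. Superuser privilege management: a role grants specific commands on specific hosts.
GRANTS = {
    "dba":     [("db-*",  "/usr/bin/systemctl restart postgresql")],
    "web-ops": [("web-*", "/usr/bin/systemctl restart nginx")],
}


def may_run(user: str, host: str, command: str) -> bool:
    """True only if one of the user's roles grants exactly this command on this host."""
    roles = DIRECTORY.get(user, {}).get("roles", set())
    return any(
        fnmatch.fnmatchcase(host, host_glob) and command == granted
        for role in roles
        for host_glob, granted in GRANTS.get(role, [])
    )


# 3. Shared account password management plus application-to-application rotation.
class PasswordVault:
    ALPHABET = string.ascii_letters + string.digits

    def __init__(self):
        self._secret = {}       # account -> (password, issued_at)
        self._checked_out = {}  # account -> user currently holding it
        self.audit = []         # (event, account, actor) records for monitoring

    @staticmethod
    def _new_password(length: int = 24) -> str:
        return "".join(secrets.choice(PasswordVault.ALPHABET) for _ in range(length))

    def enrol(self, account: str, now: int) -> None:
        self._secret[account] = (self._new_password(), now)
        self.audit.append(("enrol", account, None))

    def checkout(self, account: str, user: str, reason: str, now: int) -> str:
        """One holder at a time; every checkout is logged with who and why."""
        holder = self._checked_out.get(account)
        if holder is not None:
            raise PermissionError(f"{account} already checked out by {holder}")
        self._checked_out[account] = user
        self.audit.append(("checkout", account, f"{user} at {now}: {reason}"))
        return self._secret[account][0]

    def checkin(self, account: str, user: str, now: int) -> None:
        """Rotate on check-in so the password the user saw stops working."""
        if self._checked_out.get(account) != user:
            raise PermissionError(f"{account} is not held by {user}")
        del self._checked_out[account]
        self._secret[account] = (self._new_password(), now)
        self.audit.append(("rotate", account, user))

    def rotate_stale(self, now: int, max_age: int) -> list:
        """Scheduled rotation for service/batch accounts nobody checks out by hand."""
        rotated = []
        for account, (_, issued) in list(self._secret.items()):
            if account not in self._checked_out and now - issued >= max_age:
                self._secret[account] = (self._new_password(), now)
                self.audit.append(("rotate", account, "scheduler"))
                rotated.append(account)
        return rotated

    def current(self, account: str) -> str:
        return self._secret[account][0]
```

In a real deployment the vault would hand the rotated password to the target host (or the batch job's credential store) rather than merely replacing it in memory; the point of the sketch is the shape of the controls: a grant is matched exactly, a shared secret has one holder at a time, and every use leaves an audit record.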

Let’s talk about MFA – multi-factor authentication

It is simple really. Instead of just a login and password – single-factor authentication – at least one additional “factor” is used. That could be a smart card, a one-time-use token, something like a Yubico YubiKey USB device (David pulls his YubiKey out to show me), biometrics such as iris, fingerprint or facial recognition, or an SMS-delivered code to verify.


David thinks two-factor authentication may need to go to three factors before long, especially in mission-critical situations. But there is a trade-off between security and usability, and that is where Centrify comes in, allowing security to be configured to role-based needs.

To protect critical systems, the first step is to enforce “least access” for all systems, limiting log in for an authorized employee to the minimum number of systems based on business need. Next enforce “least-privilege access” - the ability for an authorised employee to log in and temporarily elevate their privilege after MFA where the user is only in the high-risk state for a short time – the duration of the privileged activity – before defaulting back to normal.

You know many organizations have locked away root or admin accounts and enable access only by “break glass” process but the glass is continually broken. We have to make least-privilege easy, or they (system administrators, etc.) will not use it. We cannot let security slow them down in doing their job.

Why doesn't the enterprise embrace all these acronyms?

Simple – IT does not believe the risk is high enough. But the fact is that every enterprise will be hacked, and over half of those hacks will use passwords to access systems.

We have to make sure we can prevent malware and the misuse of privilege, and we have found that the old blacklist (prevent) approach does not work. Malware is smart and can always find ways around it – for example, by running blacklisted commands from within batch files. We recommend a whitelist (allow) approach, which works better, but it needs to be granularly locked down via roles and simplified for administrators to use.

You have been at Centrify since its beginning in 2004 – what has changed?

I like that our solutions and roadmap have been driven by our customers. I like that we have built the Centrify solution from the ground up – organically – resulting in a tightly integrated solution that is simple to use, versus other solutions made of different components built by different teams or companies.

Centrify solutions work on-premises, in the cloud, or as a hosted offering with service in Australia. We have been channel-centric in Australia (using authorised dealers), and that has led to our product being deployed at anything from, say, 20 seats to huge enterprise clients with thousands of seats.

What are the key messages you want to leave readers with?

As a global player, we see a lot of parallels between Australia and the U.S.: cloud adoption, SaaS, IaaS and a rapid migration to the cloud. An SSO/PIM/IAM solution is mandatory if you want good security to prevent a data breach.

Australia needs to adopt the least-privilege model instead of assuming the people with root or admin access can be trusted.

MFA is inevitable and should be a top priority for all.

And remember the internet is not a “pretty thing” but a deep, dark, place where it is not if but when you will be hacked.
