Jan 03, 2016
“Identity Management” – The Threat
AFCEA TechNet Europe 2009
Symposium and Exposition
5 June 2009
Colin Rose - Quarter Past Five Limited
Let me introduce myself
• Colin Rose
• Presenter
• Guest / Customer / Foreigner / Visitor
• Director / Shareholder / Employee
• Son / Brother / Friend
• Trainer / Trainee
• Mechanic / Gardener / Decorator / Plumber……
• Was / Is – ME!
Some Themes
• More questions than answers
• Core truths
• Identity crisis – is “identity” the right word?
• Where “identity” fits
What is “The Threat”?
• The same as ever
• In any system involving people
• Look to ourselves
• Presumptions / assumptions
• Complacency
What am I?
• CVN-76
• USS Ronald Reagan
• Home
• Weapons Platform
If You Drive One of These
What am I?
• CVN-76
• USS Ronald Reagan
• Home
• Weapons Platform
• Target
Core Truth
• What am I trying to achieve?
• What value do I have?
• What do you want me to do?
• Availability
• Accuracy
• Exclusivity
Is Identity The Right Concept?
The Key or The Lock?
• Identity is one half of the equation
• Remember “USS Ronald Reagan”
• Your identity is honestly not important
• The matching of your identity is important
• Why Match?
To Demonstrate Authority.
Traditional “Identity Management”
Identity Management?
• Passwords
• User Names
• RSA Key Generators
• Fingers
• Faces
• Eyes
Where Does My Identity Fit In?
It Was Easier in Days Gone By
• Make a big complicated lock
• Put the lock on a strong box
• Put the crown jewels in the box
• Lock the box
• Keep your keys safe
• Watch the box
It’s Not That Different Today
• Make a big complicated lock – encrypted biometric verification
• Put the lock on a strong box – secure databases, controlled access
• Put the crown jewels in the box – understand what you wish to secure; place it within the secure area
• Lock the box – implement all your security measures
• Keep your keys safe – manage your passwords / tokens / biometrics
• Watch the box – audit / monitor / test / assess / update, iteratively
The “Identity Landscape”
• It’s just numbers
• Replicate your finger
• Replicate your data input
• Replicate your data for comparison
• Duplicate your identity
• Change the authorised access
• By-pass the identity check
• Invent an identity
First Principle Targets
• Identity management is the Key
• The Asset being protected is the Goal
• Take your eye off the Goal and….
The Other Team will Score
• Asymmetry - The means are just as good as an end
Keep your eye on the ball
The Identity Targets – Attacking the Identity Management System
• How is the identity created?
• How is the identity stored?
• How is the identity checked?
• How is the identity-access control managed?
Potential Future Issues & Identity Management
Hacking The Cloud
• The Cloud & Social Networking – Information Systems Used by Digital Natives
• New User Interfaces
My Precious
The Targets – Back to First Principles
• Exploit trust in the system
• Erode trust in the system
• Where is the value?
REMEMBER
• Exclusivity
• Availability
• Accuracy
Nothing New Under the Sun – “It’s only the scenery that changes”
• Understand your requirements
• Understand what you are trying to secure
• People – Process – Technology
• The enemy without – the enemy within
• Complexity creates confusion
• Strength breeds complacency
A Little “Heretical” Question
Do you want easy access to important things?
The easier the access for you
The easier the access for them
Thank You
Some Landscape?
• Verify Identity
• Check Access Rights