SAN FRANCISCO — For years, we’ve heard measured, well-reasoned, tempered suggestions that the IT security team within an organization should coalesce or collaborate or do something with “co-” as a prefix with the human resources (HR) team.
The reason has been that HR understands the roles people play in an organization — probably better than IT — as well as which information resources employees need to accomplish their tasks.
But in perhaps the strongest statement made to date that HR should actually take on an information technology role within organizations, Lina Liberti, New York City-based CA Technologies Vice President for Strategy, told CMSWire at the RSA Conference here last week that “business owners” should assume management roles with respect to digital identity.
It is digital identity that determines, within an organization, whether an account associated with an employee is granted the rights and privileges to access resources on the network, or to view and edit particular documents.
“Instead of it just being the IT administrator that’s granting access,” said Liberti, “it’s really, ‘I’m the manager. I know that you’re going to need access to these applications, or not.’ Instead of it going to the IT person, it’s going to the business owner.”
By that phrase, Liberti does not mean the chairperson or chief shareholder, but the person who owns responsibility for how employees conduct themselves in their designated roles. In larger organizations, she acknowledged, these are often human resources personnel.
Previously, CA had been making the case that its Identity Suite services were geared in such a way as to provide IT personnel with comprehensive tools, while at the same time giving certain other stakeholders in digital identity a rich — or, at least, rich enough — user experience.
“For Security Executives, it (Identity Suite) offers a comprehensive identity governance solution with an intuitive, business-friendly user experience,” reads a recent CA white paper (PDF, registration required). “Business Leaders can enable their business because the Suite provides an outstanding user experience, resulting in improved internal and external customer and partner satisfaction, loyalty, and retention rates.”
But the case CA’s Liberti is making now turns up the volume on this suggestion, and in so doing, introduces a clever new argument to the discussion, having to do with the notion of “privileged access.”
It’s the continued presence of admin accounts, and restriction-free privilege levels on corporate networks, that makes many malicious attacks on corporate networks — quite likely a majority — so successful. An attack may trigger some kind of fault in the operating system (one of the more popular ones being a “stack overflow”).
In the effort to mitigate the failure, the OS often forgoes the usual process of validating requests for privilege elevation. That’s how malicious processes can obtain privileged access to systems.
Liberti now makes the case that privileged access can indeed be an affair managed by IT and infosec personnel, because usually it’s only accounts associated with them that would ever need access to everything. (Arguably, that in itself is a dangerous course, but it’s a fair compromise for now.)
“The use of privileged identities isn’t as contained or managed as it needs to be,” said Liberti.
Historically, she said, identity management packages offered fine-grained control of every little privilege and permission, under the guise of a kind of “Fort Knox Security,” as she calls it.
The problem these packages created was that organizations turned off by the “Fort Knox” metaphor would end up forgoing the use of those fine-grained controls, as a way of avoiding the pain of using the security package for what it was designed for.
This ended up leaving gaping holes that could be exploited by run-of-the-mill attacks like stack overflows.
So the experience of managing access has to change, she contends, in order for someone — IT, HR, anyone — to want to take ownership of it.
With respect to managing everyday users, stated Liberti, “it really doesn’t need to be the IT person. And more and more companies are looking at identity management and governance, and doing more self-service, which is really what we’re focused on with our technology.”
But with regard to the specific class of identity where privilege must be assumed, only IT would, or should, know why that’s the case. So IT managers may be granted authority to delegate privileged access, using special tools geared exclusively for them.
“It’s the IT person, because it’s IT users,” she said.
Once this distinction between the two classes is made, Liberti suggests that a new concept for authentication policy can be applied to general users — everyday employees, or in the case of networked and distributed applications, partners and customers.
With this model, no privilege is granted whatsoever to any general user by default. We’ve seen the basis for this model before, but in CA’s latest incarnation, whatever privileges are granted to any person are temporary.
Under the covers, a continual process of challenge and response effectively reasserts each user, whose account must continually prove itself valid. Authentication systems such as Kerberos have actually enabled this policy for years, but in the era of hybrid cloud architectures and federated identities, the practice of challenge and response policy may have actually waned.
Indeed, she acknowledged, cloud-based platforms have their own privileged access levels which are supposed to be restricted to their own corporate use. Except, since operating systems define privilege as a lack of restrictions as opposed to a wealth of validations, such restrictions are usually fantasy.
I asked Liberti whether CA’s system lets accounts accrue privileges over time, so that single-sign-on (SSO) systems such as CA’s own could come to recognize certain users almost automatically. She didn’t take the bait.
“Yes, you start off with no privilege,” she said. “But you never want to accrue it and keep it as you move. You want to accrue it for the role that you’re in, and then lose it, start [over] with no privilege, and get the access that you need.”
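The model described above (no privilege by default, temporary grants, nothing carried from one role to the next), sketched as an added example that is not CA's code or part of the original article. The class, the approver labels `business_owner` and `it_admin`, and the entitlement names are assumptions made for illustration; time is passed in explicitly so the checks are deterministic.

```python
from dataclasses import dataclass
# Constructed names: entitlements that only IT may delegate.
PRIVILEGED = {"domain-admin", "db-root"}

@dataclass
class Grant:
    entitlement: str
    role: str          # role the grant was approved for
    expires_at: float  # every grant is temporary

class AccessModel:
    def __init__(self, ttl_seconds=8 * 3600):
        self.ttl = ttl_seconds
        self.roles = {}   # user -> current role
        self.grants = {}  # user -> list of Grant

    def set_role(self, user, role):
        """Entering a role wipes prior grants: nothing carries over."""
        self.roles[user] = role
        self.grants[user] = []

    def approve(self, approver, user, entitlement, now):
        """approver is 'business_owner' or 'it_admin' (assumed labels)."""
        required = "it_admin" if entitlement in PRIVILEGED else "business_owner"
        if approver != required:
            raise PermissionError(f"{entitlement} needs approval by {required}")
        grant = Grant(entitlement, self.roles[user], now + self.ttl)
        self.grants[user].append(grant)
        return grant

    def allowed(self, user, entitlement, now):
        """Default deny, re-evaluated on every request."""
        role = self.roles.get(user)
        return any(
            g.entitlement == entitlement and g.role == role and now < g.expires_at
            for g in self.grants.get(user, [])
        )

def demo():
    m = AccessModel(ttl_seconds=3600)
    m.set_role("alice", "payroll-analyst")
    before = m.allowed("alice", "payroll-app", now=0)      # no grant yet
    m.approve("business_owner", "alice", "payroll-app", now=0)
    during = m.allowed("alice", "payroll-app", now=1800)   # inside the TTL
    expired = m.allowed("alice", "payroll-app", now=3600)  # TTL reached
    m.approve("business_owner", "alice", "payroll-app", now=4000)
    m.set_role("alice", "recruiter")                       # role change
    after_move = m.allowed("alice", "payroll-app", now=4100)
    return before, during, expired, after_move
```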
It’s a counter-intuitive process for anyone who dislikes being forgotten by TSA agents as they pass through the same security checkpoints week after week. But CA hopes that, by hiding all this renegotiation under the covers where users don’t have to see it, all they’ll experience is smooth sailing.
It’s the latest theory for how organizations can effectively manage digital identities without falling victim to the traps their own operating systems lay for them. There have been several theories already. But now, its success depends upon more departments than just IT.