This symposium explores the threats and core truths related to identity management, addressing concepts such as the value of identity, the role of matching, and the importance of secure systems. Key topics include cybersecurity, biometrics, and cloud technology.
“Identity Management” The Threat AFCEA TechNet Europe 2009 Symposium and Exposition 5 June 2009 Colin Rose - Quarter Past Five Limited
Let me introduce myself • Colin Rose • Presenter • Guest / Customer / Foreigner / Visitor • Director / Shareholder / Employee • Son / Brother / Friend • Trainer / Trainee • Mechanic / Gardener / Decorator / Plumber… • Was / Is – ME!
Some Themes • More questions than answers • Core truths • Identity crisis: Is “identity” the right word? • Where “identity” fits.
What is “The Threat”? • The same as ever • In any system involving people • Look to ourselves • Presumptions / assumptions • Complacency
What am I? • CVN-76 • USS Ronald Reagan • Home • Weapons Platform
What am I? • CVN-76 • USS Ronald Reagan • Home • Weapons Platform • Target
Core Truth • What am I trying to achieve? • What value do I have? • What do you want me to do? • Availability • Accuracy • Exclusivity
The Key or The Lock? • Identity is one half of the equation • Remember “USS Ronald Reagan”: Your identity is honestly not important • The matching of your identity is important • Why Match? To Demonstrate Authority.
Identity Management? • Passwords • User Names • RSA Key Generators • Fingers • Faces • Eyes
It Was Easier in Days Gone By • Make a big complicated lock • Put the lock on a strong box • Put the crown jewels in the box • Lock the box • Keep your keys safe • Watch the box
It’s Not That Different Today • Make a big complicated lock: Encrypted biometric verification • Put the lock on a strong box: Secure databases – controlled access • Put the crown jewels in the box: Understand what you wish to secure; place them within the secure area • Lock the box: Implement all your security measures • Keep your keys safe: Manage your passwords / tokens / biometrics • Watch the box: Audit / monitor / test / assess / update, iteratively
The “Identity Landscape” • It’s just numbers • Replicate your finger • Replicate your data input • Replicate your data for comparison • Duplicate your identity • Change the authorised access • By-pass the identity check • Invent an identity.
First Principle Targets • Identity management is the Key • The Asset being protected is the Goal • Take your eye off the Goal and… The Other Team will Score • Keep your eye on the ball • Asymmetry - The means are just as good as an end
The Identity Targets: Attacking the Identity Management System • How is the identity created? • How is the identity stored? • How is the identity checked? • How is the identity-access control managed?
Potential Future Issues & Identity Management • The Cloud & Social Networking – Information Systems Used by Digital Natives • New User Interfaces
The Targets: Back to First Principles • Exploit trust in the system • Erode trust in the system • Where is the value? REMEMBER: Availability, Accuracy, Exclusivity
Nothing New Under the Sun: “It’s only the scenery that changes” • Understand your requirements • Understand what you are trying to secure • People – Process – Technology • The enemy without – the enemy within • Complexity creates confusion • Strength breeds complacency.
A Little “Heretical” Question • Do you want easy access to important things? • The easier the access for you, the easier the access for them
Some Landscape? Verify Identity
Some Landscape? Check Access Rights Verify Identity