Identity-Centric Security: CA's Firestone on How to Take IAM to the Next Level
Recent breaches indicate that stronger controls are needed to protect key corporate assets - especially identities. So, how can organizations protect identities and credentials, while at the same time improving the overall user experience?
It all comes down to identity-centric security, says Steve Firestone, General Manager of the Security Business, CA Technologies.
The concept of identity-centric security stems from the ubiquity of mobility and remote access, Firestone says, with so many employees and third-parties accessing critical data from outside the traditional firewall.
"That's opened up a very interesting relationship between the people who need access to information and where those people are," Firestone says. "And, really, we think that the key point to that is the identity.
"And as identity flows outside of an organization," he says, "that really becomes the central point that you can manage."
In an interview about identity-centric security, Firestone discusses:
- Lessons learned from recent breaches;
- New strategies for privileged access management;
- How organizations can simplify their core identity management functions.
Firestone leads the Security business unit at CA Technologies. He is responsible for ensuring the company's products, services and partnerships protect and enable customers' businesses. By managing identities, enabling access and protecting information, CA's Identity and Access Management (IAM) solutions help make sure the right people and right devices have the right access to the right information across all environments - from mainframe and distributed to cloud and mobile.
TOM FIELD: At the outset, why don't you tell us just a bit about yourself and your role at CA Technologies please?
STEVE FIRESTONE: I've been at CA Technologies for a while, and in my current role I'm responsible for the security portfolio, which as you might imagine is pretty exciting. As part of CA Technologies and our broader portfolio of solutions, security is one of the focus areas and something we're pretty excited about. In my role, we're definitely focused on the identity and access management portfolio and glad to talk to you.
Identity-Centric Security Defined
FIELD: So, Steve, CA has been talking about the concept of identity-centric security as a critical need today in the new application economy. Take just a moment to explain exactly what identity-centric security is and why it is so important?
FIRESTONE: Identity-centric security is important to us, and I'm going to start with setting the context of the way business used to operate. So, in the past, companies would have all of their employees come to an office or be on their intranet, and it was all behind a firewall, and employees were really the key accessors of information and the key threat. As companies have evolved and we've started to leverage cloud and SaaS applications, and as people have started leveraging the company's information, whether it is through bring your own device or partners outside of the enterprise, that's opened up a very interesting relationship between the people who need access to information and where those people are. And, really, we think that the key point to that is the identity.
And as identity flows outside of an organization, that really becomes the central point that you can manage and the central thing that you can really hang your hat on. And so as applications start to go broader outside of the enterprise and data is everywhere, identity really becomes critical to that hybrid environment. And also, as the number of users increase, as we start to go outside of the enterprise and to get into more than just employees, scale becomes really important.
So I think identity-centric is really about saying that it's about either people or things that need access to applications that a company has. It could be their data, or it could be basic applications to do their work. And so that identity, whether it's a human or it's a thing or it's another application, becomes really important as we go into the next generation.
Breach Trends and Lessons
FIELD: Steve, there has been a lot of publicity recently. You can't avoid it relating to very public breaches of corporate and customer information. So from your perspective, what should IT and security executives be considering when they are trying to prevent their organization from being the next headline?
FIRESTONE: Very appropriate topic and very timely. Breaches are a concern to all of us, and I think the main advice is to make sure that we're doing all we can to help out. There is no perfect solution. It's really about a layered approach and focusing on what we need to do to try to help our organizations to be safe. Most of the breaches lately have been about attacking a privileged user, and if we want to get access to the crown jewels [then we want to get to] that privileged user who may have access to the maintenance or updates or access to something that might be the enterprise's crown jewels. And the attack vectors, as we've just talked about in identity-centric security, start to evolve even outside of the enterprise. So, really the focus is about putting in the right infrastructure, the right protections around an identity and of course about that privileged identity or that privileged user, and making sure that we add the next level of security to those privileged identities.
FIELD: Steve, CA recently made a major acquisition related to this topic. Tell me a little bit about that and why the acquisition is so important?
FIRESTONE: We recently acquired Xceedium, who is a leader in privileged access management. We did this because their offering provides some very strong controls over privileged users and really is a step into where we think the world is going. And what that means is that as we start to get outside of the enterprise, where applications live, we need to control privileged access, and that might be to a platform as a service or an infrastructure as a service. The example that I give is that if you had an Amazon [account], for example, and you're the owner of that Amazon [account], that privileged identity can go off and add storage or add services to it, and it becomes a very interesting control point to an enterprise's applications that may run in Amazon. But Amazon is accessed through APIs, so one of the things that Xceedium did was to leverage how to insert technology into an API to be able to manage privileged identities. And in addition, other cloud capabilities, whether it be with VMware or other infrastructures, that privileged identity could be very interesting if it were compromised. So we saw in that technology the forethought into managing diverse environments, diverse resources, and also doing it in a very highly performant way. One of Xceedium's strengths is its ability to have a small footprint and do a lot with it. In addition, delivering it in a very easy-to-consume and great method is strong. And that complements our host-based security solution where we have that last mile covered.
So between the Xceedium work and what we have, we think that we're in a very strong one-plus-one-equals-three position to help to address the previous question about 'what can we do to do everything we can to prevent breaches and to enable business as it moves outside of the four walls in the enterprise?'
Improving the User Experience
FIELD: Steve, a moment ago you used the word "easy." As we all know, security and ease don't often go hand in hand. So how can organizations ensure that they have strong security in place while still enabling the business, the organization, to improve the overall user experience so it is as easy as it can be?
FIRESTONE: The first step, when we think about security and ease, is really to demystify security. When we start talking about protocols and very difficult technology concerns, it really puts people off. People don't want to be around security that is complicated or difficult to use. People will avoid it. And in fact in other industries, they'll call that an abandonment rate. In other words, if you go to the grocery store and you want to buy something, and every time you buy something you get a call from your bank or your credit card that says, 'Hey, you know, are you really who you claim to be, and for this twenty-cent transaction, is there a problem ...' that's not going to work. You're going to go to someplace where it should know that you go to that grocery store every time and that you do that purchase.
Well in the same way, when we start to talk about identity and access management, if we use terms that are unfamiliar, if we leverage other systems that are very complicated to implement and you need very strong computer science to implement it, it will not be leveraged. It will not be used. It will not become that brick in the defense of what's going on.
So simplifying it - and the way that you simplify it is to think of solutions in business people and business language or business terms, having a business catalog that is friendly to what you're working on, and the ability to install something to get that infrastructure up and running very quickly to make it easy so that people want to partner with you and they don't see security as an obstacle, but rather an enabler of doing business.
And especially as we start to see mobile apps and we see the Internet of Things coming out there, as we want to embrace people and innovators who are doing things, we need to make security a part of it, but we don't want to make it all about security. Rather, making security easy to enable the business that happens on your mobile device or your tablet or as we go out to partners and innovators.
FIELD: Steve, let's talk about another recent CA acquisition. You recently acquired the leading identity management company, IdMlogic. So tell us a little bit about that acquisition and how it relates to this issue of improving the user experience in the application economy?
FIRESTONE: So IdMlogic, first of all, they are one of the top identity experts in terms of identity and access management. And they put together a solution that really was in place for the business users, so the terms that you might need when you're accessing your application that are important to you: instead of calling it XYZ system or, you know, SAP27, they'll say, 'oh, this is the resume system' or 'this is your payroll system.' And using terms like that is very comfortable for someone to say, 'hey, I would like access to my learning system or my reward system,' and then tying that business term to the things and keeping all of the difficult technology that happens behind the scenes, making that simple and easy to use.
In addition, one of the attack vectors for whether it's a privileged user or an employee is to try to get access to that identity, and one of the defenses against that is to have a governance process that uses analytics and that uses really a healthy system to just question whether or not this individual should continue to get access to what they need. And if you do that in a friendly way, maybe an email periodically to say, 'does this individual or this role still need access to this information?' it closes down that orphan ID problem that we've seen before where we get a lot of identities into a place, people change jobs, leave companies and some of those identities stay around. With IdMlogic solutions combined with our identity solutions, we help to close that.
Typical Use Case
FIELD: Steve, I can see this has been deemed particularly compelling for organizations with large numbers of employees who want to improve, say, their IT efficiencies by moving more functions out to the user. Would you describe for us what would be a typical use case at one of your customers?
FIRESTONE: If we think about identity and access management in general, what's going to happen is we'll have an application that somebody needs access to. And one of the flows that I like to use in the particular case of identity and what we were just describing was that we might have access to customer information, and customer information is pretty sensitive. If I'm in the sales organization or in the field organization and I use that system, I want to know and be able to record my customers, my relationships with that customer, and to really keep a close supportive nature with my customers and treat them as partners. But if I've done something innovative in the field, maybe my IT operations area started to notice that innovative use of information or innovative system and they've invited me to maybe change my job from being in the field to being in the IT department or maybe in the production part of IT ... well, I'm changing jobs really within the company from being in the field to being in IT. So I will now get access to production systems and maybe help to update those production systems or create requirements for those production systems. So that's a different job than having access to my customer list. How do I remove that access from my customer list so that I can get the production systems? And then what happens if the development organization sees the great innovation that I'm doing and they invite me later on to change jobs into the development group? I would want to have access to different types of systems and maybe, because of separation of duties, not access to that production environment. Our software makes that easy.
In another environment, we all have heard about single sign-on. We've heard about making things easy to access and making it easy for users as we've talked about. Well, single sign-on is more than just one person trying to access two or three applications. It's really about a personalized experience for what you're trying to do. So you may sign in on your tablet or your mobile device; you may have a thing that is authenticating in. What we want to be able to do is provide a personalized experience to that application on the backend, and that application which might be the sales list, it might be your payroll, or it might be some learning that you have to do - each of those has different requirements. So our solutions help to only expose that information that a particular application needs, and not give you access to everything or share too much too frequently.
And then as we've talked about with privileged identities, as we've identified the crown jewels in our organization, whether that's our customer list, financial information, maybe some of our strategy, maybe it's our source code - whatever those crown jewels are, we have to perform operations on those. And as we put the privileged users to that, there are capabilities within our products to make that very easy so that the executives of an organization can say that they have done everything they can to safeguard those privileged identities. And that might mean providing a just-in-time password for a particular shared account, so instead of somebody taking Steve's password and using it to be able to access a privileged account, they really can't do that. Steve goes to a change control process and then when he is about to run a program just-in-time, we put in the password and maybe Steve never even sees what that password is. And we also record what Steve is doing as a privileged user, because that's a great attack point. And so just like if you had a camera at a bank, we would record what's going on and that knowledge of recording, the ability to go back and look at that becomes a very interesting capability.
In addition, as we think about exposing or broadening out who can access this information, as our partners and our innovators get access to some of our crown jewels through remote capabilities like tablets and phones, we need to know when to question what they're doing. If somebody comes in and accesses an application Monday through Friday and they always do a certain type of pattern, but all of a sudden they come in on a weekend to do that, that might increase the risk that they're not the person who was accessing it. But maybe every fourth Sunday they do come in, so we need to be smart about that. So having authentication solutions that allow you to have a second factor is something that is really important, and being able to do all of this at the scale you are today and the scale you want to go to in the future are example use cases of how identity and access can be used.
The Starting Point
FIELD: If you could sort of boil it down, what would you recommend that organizations focus on so that they can simplify and streamline their core identity management functions, while still protecting themselves against the breaches we've talked about today?
FIRESTONE: What I would look to is a longer term architecture that has to take into account the opening up of the enterprise, the identity-centric approach, so that we'll have a transformation and be able to open up ... but also be able to protect the information that we need. And so partnering with a vendor who can provide the capabilities, but also makes it easy to let the tablets, the phones, the Internet of Things to have access to that information. And so having a vision and then backing that up to very simple-to-use, easy-to-deploy solutions that help along the way, so that down the road when it's time to enable your business and be an identity-centric business that we're ready with technology in place that gives us the best chance to defend against while enabling our business.