Identity Management: Threats and Core Truths Symposium

2. “Identity Management” The Threat AFCEA TechNet Europe 2009 Symposium and Exposition 5 June 2009 Colin Rose - Quarter Past Five Limited

3. Let me introduce myself • Colin Rose • Presenter • Guest / Customer / Foreigner / Visitor • Director / Shareholder / Employee • Son / Brother / Friend • Trainer / Trainee • Mechanic / Gardner / Decorator / Plumber…… • Was / Is– ME!

4. “Identity Management” The Threat AFCEA TechNet Europe 2009 Symposium and Exposition 5 June 2009

5. Some Themes • More questions than answers • Core truths • Identity crisisIs “identity” the right word? • Where “identity” fits.

6. What is “The Threat”? • The same as ever • In any system involving people • Look to ourselves • Presumptions / assumptions • Complacency

7. What am I? • CVN-76 • USS Ronald Reagan • Home • Weapons Platform

8. If You Drive One of These

9. What am I? • CVN-76 • USS Ronald Reagan • Home • Weapons Platform • Target

10. Core Truth • What am I trying to achieve? • What value do I have? • What do you want me to do? • Availability • Accuracy • Exclusivity

11. Is Identity The Right Concept?

12. The Key or The Lock? • Identity is one half of the equation • Remember “USS Ronald Reagan”Your identity is honestly not important • The matching of your identity is important • Why Match? To Demonstrate Authority.

13. Traditional “Identity Management”

14. Identity Management? • Passwords • User Names • RSA Key Generators • Fingers • Faces • Eyes

15. Where Does My Identity Fit In?

16. It Was Easier in Days Gone By • Make a big complicated lock • Put the lock on a strong box • Put the crown jewels in the box • Lock the box • Keep your keys safe • Watch the box

17. It Not That Different Today • Make a big complicated lock Encrypted biometric verification • Put the lock on a strong box Secure databases – controlled access • Put the crown jewels in the box Understand what you wish to Secure Place them within the secure area • Lock the box Implement all your security measure • Keep your keys safe Manage your passwords / tokens / biometrics • Watch the box Audit/monitor/test/assess/update - iteratively

18. The “Identity Landscape” • It’s just numbers • Replicate your finger • Replicate your data input • Replicate your data for comparison • Duplicate your identity • Change the authorised access • By-pass the identity check • Invent an identity.

19. First Principle Targets • Identity management is the Key • The Asset being protected is the Goal • Take your eye off the Goal and…. The Other Team will Score Keep your eye on the ball • Asymmetry - The means are just as good as an end

20. The Identity TargetsAttacking the Identity Management System • How is the identity created? • How is the identity stored? • How is the identity checked? • How is the identity-access control managed?

21. Potential Future Issues & Identity Management

22. HackingTheCloud

23. Potential Future Issues & Identity Management • The Cloud & Social Networking – Information Systems Used by Digital Natives • New User Interfaces

24. My Precious

25. The TargetsBack to First Principles • Exploit trust in the system • Erode trust in the system • Where is the value? REMEMBER Availability Accuracy Exclusivity

26. Nothing New Under the Sun“It’s only the scenery that changes” • Understand your requirements • Understand what you are trying to secure • People – Process – Technology • The enemy without – the enemy within • Complexity creates confusion • Strength breeds complacency.

27. A Little “Heretical” Question Do you want easy access to important things? The easier the access for you The easier the access for them

28. Thank You

30. Was

31. Is

32. Some Landscape?

33. Some Landscape? Verify Identity

34. Some Landscape? Check Access Rights Verify Identity