People Centered Security: Themes from The Gartner IAM Summit
Growing up, we get a lot of conflicting advice. We are told "look before you leap" but also "nothing ventured, nothing gained". The book of clichés is littered with other examples. The world of Identity and Access Management is similarly conflicted. On the one hand, IAM should be transparent to the user and simple to administer. On the other hand, IAM must enforce the principle of least privilege. In practice these goals pull against each other. Why? It is just too complex to specify the fine-grained access each user needs in order to do their job, and then to keep that access current in a dynamic work environment. The result is too many job roles, too many exceptions and ultimately weaker, not stronger, security.
The final keynote address at the Gartner IAM summit offered some refreshing concepts that should help many organizations sort through the clutter that is getting in the way of better security. These concepts also align with how SSH Communications Security is helping organizations solve some nasty security issues that put their most valuable assets at risk. Gartner introduced the concept of “People Centric Security” (PCS). PCS is based on a few principles that are too often sacrificed in the pursuit of security:
- Simplicity. We know that complexity is the enemy of security. Complexity makes it easier for attackers to hide what they are doing, because their activity is obscured in the sea of false positives that overly complex rules generate.
- Trust. The vast majority of users are trustworthy. It can be counterproductive to treat them otherwise.
- Monitor. This is a foundational component of PCS. The better the monitoring capability, the greater the trust that can be given to users. This enables simpler rules resulting in better security.
Does this relate to how SSH Communications Security is working with customers? Absolutely.
Many of the organizations we work with have lost control of the privileged identities that have access to root accounts, service accounts, applications and databases. Typically this is an issue that has built up over time as Secure Shell keys were added to the server environment but rarely removed. In our experience, servers typically carry anywhere from 8 to 100 Secure Shell authorized keys across various accounts, including root. Multiply that by ten or twenty thousand servers and you get a staggering number of identities and authorizations that may or may not serve a valid purpose. How do we tackle this? First we simplify. Through discovery and monitoring we can identify which keys are not serving a valid purpose (generally because they are never used) and remove them. The good news is that 80 or 90 percent of the problem can be solved this way. We then centralize and monitor. This gives IAM personnel the visibility and control they need to grant the authorizations that are needed without putting burdensome roadblocks in the way of legitimate work.
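The discovery step above comes down to two inventories and a join: the keys present in each account's authorized_keys file, and the keys that actually authenticated a login according to sshd. The script below is an added example (not code from the original post or from SSH Communications Security) that does exactly that on constructed sample data: it parses authorized_keys-style text for several accounts (including root), computes the OpenSSH-style SHA256 fingerprint of each key, matches those fingerprints against sshd "Accepted publickey" log lines, and reports the keys that never appear. The key blobs and log lines are constructed for the example; the log line format is OpenSSH's, and the script assumes sshd logs the key fingerprint on the Accepted line, which current OpenSSH versions do at the default LogLevel.

```python
"""Discover SSH authorized keys that never authenticate a login.

Added example, not code from the original post or from SSH Communications
Security. Every key blob and log line below is constructed sample data.
"""
import base64
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthorizedKey:
    account: str       # local account whose authorized_keys held the line
    key_type: str
    fingerprint: str   # "SHA256:<unpadded base64>", the form sshd logs
    comment: str


# An authorized_keys line is: [options] key-type base64-blob [comment].
# Options may contain quoted commas and spaces, so the key type is located
# by name instead of splitting on whitespace. (A comment that itself contains
# a key-type word would confuse this; real files rarely do.)
_KEY_LINE = re.compile(
    r"^(?:(?P<opts>\S.*?)\s+)?"
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w@.-]+)"
    r"\s+(?P<key>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*?))?\s*$"
)
# OpenSSH: "Accepted publickey for USER from IP port N ssh2: TYPE SHA256:..."
_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from \S+ port \d+ "
    r"ssh2: \S+ (?P<fp>SHA256:\S+)"
)


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: base64(sha256(blob)) with '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(account: str, text: str) -> list[AuthorizedKey]:
    """Inventory one account's authorized_keys text; skips blanks and comments."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_LINE.match(line)
        if m is None:
            continue  # malformed line: leave it for a human rather than guess
        keys.append(AuthorizedKey(account, m["type"], fingerprint(m["key"]),
                                  m["comment"] or ""))
    return keys


def used_fingerprints(log_lines) -> set[tuple[str, str]]:
    """(account, fingerprint) pairs that completed a public-key login."""
    used = set()
    for line in log_lines:
        m = _ACCEPTED.search(line)
        if m:
            used.add((m["user"], m["fp"]))
    return used


def unused_keys(authorized: dict[str, str], log_lines) -> list[AuthorizedKey]:
    """Keys present in authorized_keys but absent from every accepted login."""
    used = used_fingerprints(log_lines)
    return [k for acct, text in authorized.items()
            for k in parse_authorized_keys(acct, text)
            if (k.account, k.fingerprint) not in used]


# --- constructed sample data (not real keys or real logs) -------------------
def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b


def _fake_blob(key_type: str, seed: str) -> str:
    """Base64 blob with SSH wire framing around a made-up 32-byte key body."""
    body = hashlib.sha256(seed.encode()).digest()
    return base64.b64encode(_ssh_string(key_type.encode()) + _ssh_string(body)).decode()


SAMPLE_AUTHORIZED = {
    "root": "\n".join([
        "# break-glass access from the bastion",
        f"ssh-ed25519 {_fake_blob('ssh-ed25519', 'ops-bastion')} ops@bastion",
        f'from="10.0.0.0/8",no-pty ssh-ed25519 {_fake_blob("ssh-ed25519", "backup-2012")} backup@oldhost',
    ]),
    "deploy": "\n".join([
        f"ssh-ed25519 {_fake_blob('ssh-ed25519', 'ci-new')} ci-runner",
        f"ssh-ed25519 {_fake_blob('ssh-ed25519', 'ci-old')} ci-runner-old",
    ]),
}


def _accepted(user: str, seed: str, pid: int) -> str:
    fp = fingerprint(_fake_blob("ssh-ed25519", seed))
    return (f"Mar  3 08:15:22 web01 sshd[{pid}]: Accepted publickey for {user} "
            f"from 10.1.2.3 port 50122 ssh2: ED25519 {fp}")


SAMPLE_LOG = [
    _accepted("root", "ops-bastion", 2211),
    _accepted("deploy", "ci-new", 2230),
    _accepted("deploy", "ci-new", 2231),
    "Mar  3 08:16:01 web01 sshd[2240]: Failed password for invalid user admin "
    "from 203.0.113.9 port 4010 ssh2",
]

if __name__ == "__main__":
    for k in unused_keys(SAMPLE_AUTHORIZED, SAMPLE_LOG):
        print(f"{k.account:8} {k.fingerprint}  {k.comment}  (never used; review)")
```

On the sample data this flags root's "backup@oldhost" key and deploy's "ci-runner-old" key. The join is on (account, fingerprint) rather than fingerprint alone, so a key that is legitimately used to log in as one account is still flagged where it also sits, unused, in another account's file. Treat the output as a candidate list, not a verdict: the log window has to be long enough to cover infrequent but legitimate use (quarterly jobs, disaster-recovery access), which is why the post pairs removal with ongoing monitoring rather than a one-off sweep.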
The final guiding principle of PCS is to use monitoring as a critical component of security, and to focus monitoring efforts on the most valuable assets. Our focus as a company is to provide transparent monitoring that detects unauthorized activity, such as attempts to exfiltrate sensitive data, the addition of "back door" authorizations (for example, a new authorized key quietly added to a privileged account), or attempts to hop from system to system.
So there you have it: Simplify, Enable, Monitor. Focus on the assets that are most important.