Making Sense of the Noise at RSA Conference 2017
RSA Conference 2017 was bigger than ever, with a record crowd of over 43,000 attendees. It definitely felt bigger and more energetic than last year, with the crowds often making it difficult to walk around, and a challenge to visit booths and learn about new technologies. As a vendor though, it was terrific from a lead-generation perspective.
My observations include a definite trend toward identity-centric security, which has the potential to confuse buyers. It seems like many vendors are using similar words to describe technically (very) different approaches to security. I can understand why this would be confusing for buyers looking to get educated. This is not the place to analyze or critique specific vendors’ messaging or offerings, but instead I’d like to offer a few guidelines for enterprise security folks trying to make sense of the many vendors talking about overlapping areas. Rather than try to define these oft-nebulous categories, I think I’ll offer a few relevant (and hopefully thought-provoking) questions for potential buyers of these categories. These are intended to provide you with a better understanding of how these products might work in your environment.
Identity and Access Management (IAM)
IAM systems are well known for serving as an identity store and for providing authentication services for users and applications (single- and multi-factor). They should also be responsible for the business processes around the identity lifecycle (Joiner-Mover-Leaver) and for managing provisioning in the underlying applications. Some questions to ask:
- How does the IAM system interface with IT and security elements other than applications?
- How does it extend to cloud and network environments?
- Does the IAM system have a policy model that is consistently enforced across all these environments? (This last question is key to truly providing identity-centric security).
Privileged Access Management (PAM)
PAM solutions control access to key systems by brokering privileged user authentication and connections. They provide a number of benefits and functions, and from an identity perspective there are several questions to ask.
- How adaptive is the policy model for access?
- How can user access adjust based on context?
- Is the PAM solution appropriately broad to cover the scenarios you’d like to cover?
- Is a PAM solution even the correct answer? Many PAM solutions protect applications by obfuscating credentials, rather than via network access control. This is an interesting (read: complex) area where IAM, PAM, and network access controls often overlap.
Authentication
Most organizations have a combination of authentication mechanisms, including traditional on-premises directory systems, RADIUS servers for multi-factor authentication, and cloud-based identity systems with SAML. There are a few questions relevant to identity-driven security:
- How adaptive is the authentication system, relative to user context?
- Can it support a model where users authenticate in different ways depending on attributes such as location, time of day, or the resource being accessed?
- How can the authentication system adapt to changes in the server infrastructure, such as new cloud server instances being launched?
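As an added illustration of the consistent policy model asked about under IAM and the context-adaptive authentication questions above, here is a small rule evaluator that applies one policy to application, cloud and network requests alike. This is example code written for this article, not a Cryptzone product or any vendor's API; the resource names, groups, rules and sample requests are constructed.

```python
"""One context-aware access policy evaluated identically for app, cloud and network requests."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Tuple

@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    location: str      # "office" | "vpn" | "internet"
    hour: int          # local hour of day, 0-23
    mfa_done: bool     # has the session already completed a second factor?
    resource: str      # constructed names: "app:payroll", "cloud:prod-db", "net:10.0.5.0/24"
    sensitivity: str   # "low" | "high"

@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Request], bool]
    decision: str      # "deny" | "step_up" | "allow"

# Constructed entitlements: which groups may reach which resource, regardless of environment.
ENTITLEMENTS = {
    "app:payroll": {"finance"},
    "cloud:prod-db": {"dba"},
    "net:10.0.5.0/24": {"dba", "ops"},
}

def entitled(r: Request) -> bool:
    return bool(r.groups & ENTITLEMENTS.get(r.resource, set()))

def business_hours(r: Request) -> bool:
    return 8 <= r.hour < 18

# Rules are evaluated top to bottom; the first match wins, and nothing matching means deny.
POLICY = [
    Rule("deny_not_entitled", lambda r: not entitled(r), "deny"),
    Rule("deny_internet_high", lambda r: r.location == "internet" and r.sensitivity == "high", "deny"),
    Rule("stepup_off_hours", lambda r: not business_hours(r) and not r.mfa_done, "step_up"),
    Rule("stepup_high_no_mfa", lambda r: r.sensitivity == "high" and not r.mfa_done, "step_up"),
    Rule("allow_entitled", lambda r: True, "allow"),
]

def evaluate(r: Request) -> Tuple[str, str]:
    """Return (decision, matched_rule) so every decision can be logged with its reason."""
    for rule in POLICY:
        if rule.matches(r):
            return rule.decision, rule.name
    return "deny", "default_deny"
```

Because the same `evaluate` runs for an application login, a cloud console session and a network segment request, a change to one rule changes behaviour everywhere, which is the property the IAM question above is probing for.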
Remote Access
Organizations are facing an increased and more complex need for secure remote user access to services. Not only are there more types of users needing to access on-premises services, but more and more services are also migrating away from the traditional data center to cloud or co-located sites. All enterprise users are remote from these sites, which imposes new requirements. Some questions to ask:
- How fine-grained is the control the remote access system provides?
- If all users obtain the same, broad network access, what are the implications for security and compliance?
- How are remote access policies expressed? Are they meaningful to the business, so that they can be developed collaboratively?
Network Access Control (NAC)
NAC solutions are used to control machine access to the network, typically by performing some sort of device or user validation before assigning a valid IP address. These systems often use the IEEE 802.1X standard. While reasonably mature, they can suffer from being inflexible and difficult to deploy. Some questions to ask:
- What kind of user and device attributes can be used to determine network access?
- How fine-grained are the access policies? How can I model which users can access specific services (and not just access to entire subnets or VLANs)?
- How does the solution adapt to changes in user or system profiles?
- NACs don’t solve the remote access problem at all – do I want another siloed system?
Security is a complex topic with an inherent tension: it must constantly balance allowing access against disallowing it. We believe that taking an identity-centric approach is the right way to accomplish this, and I hope that these questions will help steer you in the right direction.
Learn more about Cryptzone’s approach to identity-centric access control by reading this white paper: Securing the Shifting Network Perimeter with Cryptzone AppGate