CA's Dave Hansen On Convergence and Identity Management (Part 2)

Senior producer Sharon J. Watson continues her talk with Dave Hansen, corporate senior vice president and general manager, CA Security Management, about his perspectives on logical and physical provisioning. In yesterday's post, Hansen talked about the convergence of badge provisioning and deprovisioning with overall IT systems access. Today, Hansen talks about why an IP address may not always tie to a physical location and why the HR database could be the most important building block of a converged identity and access management system.

Sharon J. Watson: IP address and physical location: How are they the same and how are they different? I've heard logical vendors talk about using IP address to tell where a person is in physical space, and some of the physical guys have said no, that's not adequate.

Dave Hansen: It depends what "adequate" means, right? What level of granularity are you trying to get down to? Right now, there's enough information in CA to probably tell I'm in my office. Could we pull it all together? I don't know. That's kind of tricky. People would know exactly what switch port I'm logged into on a switch that's sitting on the sixth floor of the building. They would know that and could probably get into the Cisco switch, and it's marked, they'd know it's my office. But that's all logical stuff. The physical stuff has no idea where I am. They should know I'm in the building unless I snuck out without using my badge, tailgated on somebody going out the door. I'm in CA Islandia, but the only people who have a clue of telling where I am, because of the activity on the switch port, are the network guys.

SJW: And they're pretty comfortable it's you performing the activity....

DH: No, no. That's the thing. Someone could be in my office hammering away at the port. Now, I'm logged in, but that is the closest you could get, but that would mean having very good access to the switch data, from Cisco in this case. I think that's where some people are trying to get.

These are two very prominent threads in those two different [physical security and IT security] conferences. I see some of the literature from [physical security conferences] and they're absolutely saying how physical should be in charge of any type of access, physical or logical, for a person coming into the environment and should be responsible for that. The total converse is true on the logical side. So I think part of this discussion driving this is that people are trying to take both sides of their house to a new level and be much more aware.

....I had a physical security guy in my office last week discussing the potential, could someone steal code from us? Because he's engaged--if there's criminal activity, they engage the physical security guys who have all the relationships with the police, the FBI, our guys are former Secret Service agents, so they're all connected. So if someone ever stole something, whether it was a computer under their arm or data, the physical guys get involved. So they are all looking for ways to get more information to manage this more effectively.

SJW: Companies like AlertEnterprise, Imprivata, Quantum Secure, tout their ability to take all of those disparate physical access control systems a company might have and make those transparent to the identity management system. They take care of the integration so they can connect physical access rules and roles with logical roles created up in the identity manager. Is there a place for that?

DH: Absolutely. Yes. We've dabbled in this, done some custom work in this over the years, and that is the problem. So there's definitely a play for companies that do that abstraction layer, have all the badge systems feed into that, they will control the interface points there. For us, we have a hard enough time managing all the potential types of things we have to provision and deprovision to. If we had to go to every very unique, rudimentary badging system, it doesn't scale. We don't want to be experts in HID cards and smart cards and all that. There are a lot of people who do that.

SJW: What kinds of customers and vertical industries are interested in that level of convergence?

DH: The finance people get very involved. The financial services organization tends to drive a lot of this from regulatory requirements. You can have a stockbroker not licensed to trade in different places, like New Jersey and New York. They can trade in New Jersey and not New York. So knowing where that person is when they authenticate is key to them doing their job.

In highly secure environments, especially when it's intellectual property related, knowing where people physically are when they authenticate becomes a key factor. Then obviously the government [is] very interested in this type of technology. As they continue to roll out these smart cards, the infrastructure is going to be there where you're going to know physically more and more where somebody is.

I don't see people screaming they want to do this tomorrow. It's not something where someone wants to see where every employee is at every given time and all that, it's more for specific use cases. Tying this back to creating certain access levels via role and via physical side is key....

Within this role-based concept of provisioning, physical access by role is something that will start kicking in more and more as certain companies have the requirements to make definitely sure [specific] people are in certain areas. That's all the physical guys deciding, right? The logical guys don't give a damn where anybody is. The physical guys are like, why is that person on this floor? I think that's why these discussions are happening now.

SJW: The logical people might see the value in knowing where a person is physically, especially if they are in an area it might not make sense for them to be in, and what they are doing there, and might it have something to do with their data?

DH: People are just starting to think that might be a problem. The logical guys are moving to a model where they want to be flexible and agile, and they want people to be able to access stuff anywhere any time. That's the mantra right now. Work from home, commuting, telecommuting in a big way. We closed a ton of offices so people can work from home, and we have to provide now much better access through VPN and wireless connectivity and all that. So their goal from an IT perspective is to be very responsive to the changed demands of the business.

So generally speaking, the "where" becomes less of an important question to them. I think there are going to be some bigger issues people run into so that "where?" is going to start hurting them. It's just a matter of time. As we make the environment so much more flexible and conducive to a modern and younger workforce coming out that demands being able to work in the park and everything that us older folks aren't used to, it's going to push that.

One of the things people wrestle with now is that people in remote offices [come in] through another wireless access point that's unsecured, and other people are getting into the network. They're starting to worry about that, but that's a relatively new thing because the pressure to provide access anywhere anytime is probably bigger than their concern about the security and the data. So security officials are all concerned about this, but they're getting railroaded by pressure to put more and more access points out there.

SJW: That's an interesting tension given that compliance rules have just exploded over the last ten years or so.

DH: It's a very difficult balance today. If we can mitigate the risk and still allow the flexibility, it becomes a very powerful organization. You don't want employees to feel like they have all this overhead and constraint on how they work and the flexibility of their work arrangement, and you have to balance that with a level of control and compliance that regulatory agencies put on everyone today. That's why you need different levels of authentication.

I've always looked at the physical system that might be the thing that helps because leveraging that as the second factor of authentication generally keeps the compliance officers relatively satisfied.

SJW: Dave, we're about out of time. What had you come prepared to talk about?

DH: When you look at [identity management convergence], it has two pieces: one is supporting the provisioning and deprovisioning of the physical system from the logical. So the logical guys don't have that. Some guys probably think they do; they don't. It all sits in the authoritative HR data store; in most companies, that's probably an ERP application. They need to work toward relying on that to provide access and take it away from the physical side. That's one big piece.

People either do it with integrated systems or email or a workflow model. But that's the key fundamental building block on this--and then being able to certify that if people left, their physical access was removed. That's a key audit objective. That's an important take-away.

It's one of the key, key areas: you don't want to terminate someone and find out their badge still works. You can end up with some very, very bad situations.

That problem can be solved a lot of ways. The tighter you get the integration, the more audit will be satisfied on your compliance level. The whole multifactor authentication piece will be pushing hard. It'll be interesting to see those card systems fight out to be that. Today, my badge is not conducive to that. I have the standard HID proximity badge but it's not a smart card so it doesn't have any credentials stored on it.

I think the government, especially in the U.S., the initiative around smart cards, will drive that to be the standard, and then using that as the multifactor authentication with either biometrics or facial recognition technology is the other big piece that will be coming, and government will probably lead that in the U.S.

SJW: So, the HR database is the authoritative store for data.

DH: It has to be. I don't sell those, so--I've been in arguments with customers who think Active Directory is, but if Active Directory is, that means your IT department owns the on-boarding process of an employee, and when I say that, they say, oh s---t. I say, you don't want to own that, that's not IT's role. It's interesting to have that discussion: 99 percent see it, but some people will argue that point.

It's absolutely critical that HR owns the on-boarding process, and in any of these things, that HR be heavily involved in these types of projects.

The other piece is the driver to provision more and more users that are external. Look at CA: 13,500 is a manageable number to provision. You think about how many are coming in--how many changes you're doing every day, it's not a crazy amount. You don't provision 13,500 a day. But--we have hundreds of thousands of customers hitting our website for support. If you want to come in and download a patch, you have to have an authenticated account. So creating those accounts has to be automated and integrated and if it's not, it's hugely expensive. So the pressure from provisioning from the web for customers, partners and others out there is also driving a lot.
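The audit objective Hansen describes, certifying that people who have left no longer hold a working badge, with the HR store treated as authoritative, can be checked with a simple reconciliation. This is an added example, not code from the interview or from CA; the HR feed and badge export below are constructed sample data with hypothetical employee and badge IDs, and the grace period is an assumed tunable.

```python
"""Reconcile an HR extract (the authoritative store) against a badge system export.

Two findings matter for the audit described in the text:
  - terminated_but_enabled: HR says the person left, the badge still works
  - orphan_badge: an enabled badge whose holder HR has never heard of
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class HrRecord:
    employee_id: str
    status: str                        # "active" or "terminated"
    termination_date: Optional[date]   # None while active


@dataclass
class BadgeRecord:
    employee_id: str
    badge_id: str
    enabled: bool


# Constructed sample data; IDs are hypothetical.
HR_FEED = [
    HrRecord("E1001", "active", None),
    HrRecord("E1002", "terminated", date(2024, 3, 1)),
    HrRecord("E1003", "terminated", date(2024, 4, 15)),
    HrRecord("E1004", "active", None),
]
BADGE_EXPORT = [
    BadgeRecord("E1001", "B-77", True),
    BadgeRecord("E1002", "B-78", True),   # terminated, badge still enabled
    BadgeRecord("E1003", "B-79", False),  # terminated, correctly disabled
    BadgeRecord("E9999", "B-80", True),   # no HR record at all: orphan badge
]


def reconcile(hr: List[HrRecord], badges: List[BadgeRecord],
              as_of: date, grace_days: int = 0) -> Dict[str, List[str]]:
    """Return findings keyed by category; each value is a list of badge IDs.

    grace_days (assumed tunable) allows a deprovisioning SLA: a badge is only
    flagged once the termination is older than the grace period as of `as_of`.
    """
    hr_by_id = {r.employee_id: r for r in hr}
    findings: Dict[str, List[str]] = {"terminated_but_enabled": [], "orphan_badge": []}
    for b in badges:
        if not b.enabled:
            continue                      # disabled badges are not a risk here
        rec = hr_by_id.get(b.employee_id)
        if rec is None:
            findings["orphan_badge"].append(b.badge_id)
        elif (rec.status == "terminated" and rec.termination_date is not None
              and (as_of - rec.termination_date).days > grace_days):
            findings["terminated_but_enabled"].append(b.badge_id)
    return findings


def certify(findings: Dict[str, List[str]]) -> bool:
    """True only when no category has findings: the state an auditor wants to see."""
    return not any(findings.values())


if __name__ == "__main__":
    result = reconcile(HR_FEED, BADGE_EXPORT, as_of=date(2024, 5, 1))
    print(result)                      # {'terminated_but_enabled': ['B-78'], 'orphan_badge': ['B-80']}
    print("certified:", certify(result))
```

In practice the two inputs are the ERP/HR export and the physical access control system's cardholder export, and the run is scheduled so the finding list is empty on every audit date.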