“identity management” the threat afcea technet europe 2009 symposium and exposition 5 june 2009...


Upload: ferdinand-price

Post on 03-Jan-2016


TRANSCRIPT

Page 1: “Identity Management” The Threat AFCEA TechNet Europe 2009 Symposium and Exposition 5 June 2009 Colin Rose - Quarter Past Five Limited
Page 2:

“Identity Management”
The Threat

AFCEA TechNet Europe 2009

Symposium and Exposition

5 June 2009

Colin Rose - Quarter Past Five Limited

Page 3:

Let me introduce myself

• Colin Rose
• Presenter
• Guest / Customer / Foreigner / Visitor
• Director / Shareholder / Employee
• Son / Brother / Friend
• Trainer / Trainee
• Mechanic / Gardener / Decorator / Plumber……
• Was / Is – ME!

Page 4:

“Identity Management”
The Threat

AFCEA TechNet Europe 2009

Symposium and Exposition

5 June 2009

Page 5:

Some Themes

• More questions than answers
• Core truths
• Identity crisis
    Is “identity” the right word?
• Where “identity” fits.

Page 6:

What is “The Threat”?

• The same as ever
• In any system involving people
• Look to ourselves
• Presumptions / assumptions
• Complacency

Page 7:

What am I?

• CVN-76
• USS Ronald Reagan
• Home
• Weapons Platform

Page 8:

If You Drive One of These

Page 9:

What am I?

• CVN-76
• USS Ronald Reagan
• Home
• Weapons Platform
• Target

Page 10:

Core Truth

• What am I trying to achieve?
• What value do I have?
• What do you want me to do?

• Availability
• Accuracy
• Exclusivity

Page 11:

Is Identity The Right Concept?

Page 12:

The Key or The Lock?

• Identity is one half of the equation
• Remember “USS Ronald Reagan”
    Your identity is honestly not important
• The matching of your identity is important
• Why Match?
    To Demonstrate Authority.

Page 13:

Traditional “Identity Management”

Page 14:

Identity Management?

• Passwords
• User Names
• RSA Key Generators
• Fingers
• Faces
• Eyes

Page 15:

Where Does My Identity Fit In?

Page 16:

It Was Easier in Days Gone By

• Make a big complicated lock
• Put the lock on a strong box
• Put the crown jewels in the box
• Lock the box
• Keep your keys safe
• Watch the box

Page 17:

It's Not That Different Today

• Make a big complicated lock
    Encrypted biometric verification
• Put the lock on a strong box
    Secure databases – controlled access
• Put the crown jewels in the box
    Understand what you wish to Secure
    Place them within the secure area
• Lock the box
    Implement all your security measures
• Keep your keys safe
    Manage your passwords / tokens / biometrics
• Watch the box
    Audit/monitor/test/assess/update - iteratively

Page 18:

The “Identity Landscape”

• It’s just numbers
• Replicate your finger
• Replicate your data input
• Replicate your data for comparison
• Duplicate your identity
• Change the authorised access
• By-pass the identity check
• Invent an identity.

Page 19:

First Principle Targets

• Identity management is the Key
• The Asset being protected is the Goal
• Take your eye off the Goal and….
    The Other Team will Score
• Asymmetry - The means are just as good as an end

Keep your eye on the ball

Page 20:

The Identity Targets
Attacking the Identity Management System

• How is the identity created?
• How is the identity stored?
• How is the identity checked?
• How is the identity-access control managed?

Page 21:

Potential Future Issues & Identity Management

Page 22:

Hacking The Cloud

Page 23:

Potential Future Issues & Identity Management

• The Cloud & Social Networking – Information Systems Used by Digital Natives

• New User Interfaces

Page 24:

My Precious

Page 25:

The Targets
Back to First Principles

• Exploit trust in the system
• Erode trust in the system
• Where is the value?

REMEMBER

Exclusivity

Availability

Accuracy

Page 26:

Nothing New Under the Sun
“It’s only the scenery that changes”

• Understand your requirements
• Understand what you are trying to secure
• People – Process – Technology
• The enemy without – the enemy within
• Complexity creates confusion
• Strength breeds complacency.

Page 27:

A Little “Heretical” Question

Do you want easy access to important things?

The easier the access for you

The easier the access for them

Page 28:

Thank You

Page 29:
Page 30:

Was

Page 31:

Is

Page 32:

Some Landscape?

Page 33:

Some Landscape?

Verify Identity

Page 34:

Some Landscape?

Verify Identity

Check Access Rights