Q&A: The Movement Toward Identity-Centric Security

June 2, 2016 by Lewis Barr

In the first of a series of Janrain Data Security and Privacy talks, General Counsel and VP, Privacy Lewis Barr talks with miaa Guard co-founder Carlo Schupp. Based out of Belgium, miaa Guard provides managed services that solve online user identity and access management problems in order to improve security. With a background in managed infrastructure security, Schupp left his job as a lead partner for Security and Privacy Services at Deloitte six years ago to start miaa Guard with a co-worker.

Lewis Barr: Let’s talk for a little bit about identity and access management. What is it and why is it important, especially in the context of software as a service?

Carlo Schupp: In the past, and still, many people believe that security is implemented by infrastructure. They are still thinking about firewalls and about VPNs and all similar technologies. But nowadays, people are bringing in their own devices, logging in from all over the world, and are using cloud applications as well as on-premises applications. So, it becomes very difficult to manage security through the infrastructure, because the infrastructure is everywhere and of all types.

LB: Similarly, that makes me think of the Internet of Things where we have so many devices as well as individuals coming online and data being transferred from those devices to databases around the world. How does the customer identity and access management framework apply to IoT?

CS: We are now treating devices the same way we treat individuals. Devices will have their identity and their identity probably will be associated with a human being, because there’s probably somewhere a client-device relationship. But the devices themselves will still have their own identity. Consequently, we will concentrate security around those devices, so that the devices protect themselves, as well as the data that they are collecting and processing. For example, if you have a thermostat in your house and you want to have it on the Internet, then you want to have the device control itself, rather than relying on some third party and hoping that they do a good job.

LB: Let’s talk a little bit about policies. I’m a lawyer and, of course, policies are dear to lawyers’ hearts, but sometimes they raise the ire of business folks who may not realize the necessary role they play. What role do they play in customer identity and access management?

CS: It is indeed the policies that will drive the access rules. For example, does a doctor have access to a particular patient record or not, and do we need to put some constraints on it? Maybe he has access to a patient record while he has a patient-doctor relationship. But outside of that relationship, and, for example, during the weekend, maybe he doesn’t need that access, and maybe we remove that access during that period. These considerations need to be captured in a policy. That would be a good policy!

LB: Could you describe some common access control mechanisms that organizations you’ve been working with are using to help secure their information?

CS: Access control relative to applications is often embedded in the application, and also if the application is web-enabled, then it is maybe part of the web server. But we see more and more trends to externalize the control of access to the applications, so that you can have a harmonized way of controlling access to different types of websites and applications, etc. That trend is now apparent, and then it also becomes easier to apply a certain policy and to apply it rigorously and consistently across all your applications, and across all your sites, and all your data sources, and everything that you have.

LB: In organizations large and not so large there can be lots of employee changes. Besides new hires, terminations and relocations, there are promotions and other movements within an organization. For example, Bob the engineer gets transferred from one division to another and now Bob is no longer writing code; he is consulting on the marketing side. So, how flexible are systems for access management?

CS: Yes, exactly! That’s a good example. In the past, people were given permission to access certain things and then when the people changed throughout the organization, nobody dared to take away the permissions, and they only added permissions to access even more data or more applications. And the longer a person was with a company, the more permission he or she had. Now, by reviewing security as an identity-centric function, you give that person certain roles, business roles. And, of course, as a person changes functions in the organization you take away the old rules or permissions and you give the person new rules and that automatically will result in that person having a different type of access. In short, the access that a person has can follow that person throughout the organization or change as their role changes.

LB: Related to this topic, what are some basic steps that you would recommend to organizations signing up for SaaS?

CS: Well, there are two fundamental things to do. First is, think about the identity and make sure that you have a single identity for an individual, so that you won’t have 4,000 accounts of that person and a gazillion access rights and permissions spread all over the company. You have got to think identity-centric, so you begin to think, “Maybe I need to group all those identities together, and have them all at one place.” Second, be sure that access permissions are policy-driven. So, think about the policy that is attached to people, not a policy that is attached to some infrastructure or something abstract. Instead, think of a policy that speaks to which cases and under what conditions this person can access or not access certain pieces of data or an application. And then, if you have that policy, translate the policy into rules that can be applied in real time by the applications or your infrastructure using the identities you have collected.

You can read more about the conversation on SecureID News and if you’d like to learn about our approach to security, visit our Trust site at http://trust.janrain.com/.
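The two ideas Schupp describes, business roles that follow a person and policy conditions (the patient-doctor relationship, the weekend rule) evaluated in real time against a single identity, can be sketched as a small externalized policy check. This is an added illustration, not code from Janrain or miaa Guard; the role names, permission strings and `ROLE_PERMISSIONS` table are assumptions chosen to match the interview's examples.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Identity:
    """One identity per person, carrying business roles rather than per-app accounts."""
    name: str
    roles: set = field(default_factory=set)
    # Assumed attribute: identifiers of records this person has an active care relationship with.
    relationships: set = field(default_factory=set)


# Assumed role-to-permission mapping: changing a person's roles changes their access automatically.
ROLE_PERMISSIONS = {
    "engineer": {"source:write"},
    "marketing": {"campaigns:write"},
    "doctor": {"patient_record:read"},
}


def policy_allows(identity: Identity, action: str, resource: str, when: datetime) -> bool:
    """Policy-driven check: roles grant permissions, conditions constrain when they apply."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in identity.roles))
    if action not in granted:
        return False  # no business role grants this permission at all
    if action == "patient_record:read":
        # Condition 1: access only while a patient-doctor relationship exists for this record.
        if resource not in identity.relationships:
            return False
        # Condition 2: no access during the weekend (weekday() is 5 for Saturday, 6 for Sunday).
        if when.weekday() >= 5:
            return False
    return True


def change_role(identity: Identity, old_role: str, new_role: str) -> Identity:
    """Move a person to a new function: the old role is removed, not merely added to."""
    identity.roles.discard(old_role)
    identity.roles.add(new_role)
    return identity


if __name__ == "__main__":
    bob = Identity("bob", roles={"engineer"})
    print(policy_allows(bob, "source:write", "repo", datetime(2016, 6, 1)))   # True
    change_role(bob, "engineer", "marketing")
    print(policy_allows(bob, "source:write", "repo", datetime(2016, 6, 1)))   # False
```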