Published: 24 September 2015
By Andy Harris
Mainland Europe is always an interesting place to visit, their views on Infosec issues are always well considered. These days we're finding more extensive projects in Europe, so its worth considering what they are up to.
One of the main messages from the conference was Identity is the new perimeter which we've heard before. It seems odd that the message needs to be re-iterated since we're now a few years into the so called Hybrid Cloud world. Perhaps its an indication of just how well ingrained the message of 'Buy a bigger firewall is'. I feel that it has something to do with marketing spend of firewall vendors.
One of the presentations raised issue of Shadow IT or in other words the IT infrastructure that is bought in by the operational departments. This is clearly a very difficult area for CISOs to police since most of the time they don't even know that it is happening! These days it's so cheap and easy to buy an app for a specific purpose, and perhaps worse, its easy to get a 'Freemium' app that both does the job but sells part of the data on! (A classic example are the 'Freemium' Anti-Malware tools that sell your browsing history.)
Nemi George, Senior Manager -- Compliance, Security & Risk, Vodafone Group Enterprise
Some of the private conversations about what has been put on 'Dropbox' are probably the most common cause of premature aging in CISOs!
Two of the keynotes were suggesting the need for a huge identity repository, so that every application everywhere could know who is using it and check the credentials against federated services. While I understand that they are 'preaching to the choir' I'd be very worried about the compromise of this service. For balance I heard about how the Nederlands Postal Service holds the identity of all its staff and about 4 million customers. Its pretty clear that if you're in that business it helps to know who delivered what to who, where and when.
In our opinion, there are many occasions when identity should be transitory. From what we've seen of all the breaches lately the key issues are the lost of data that identifies customers. Between sessions we started to discuss the idea that during a web order, the identity of the customer is important until the moment that the product is shipped. From that point onwards the identity could be changed to a hash. The hash would confirm that the identity was once valid, and could verify against the same identity at a later date (for example a returns issue). Should an attacker exfiltrate a database in this state they would have a great deal of difficulty extracting any customer personal data. We did have a few thoughts about personalisation, which is key to some Internet retailers, so the hash could be used as an indirection.
Cost was seen as a key issue in Identity, it costs to get all that infrastructure in place. This means you need to be sure about where the paybacks can be made.
Of course its not just the cost of Identity managers, it's also the cost of enabling all the systems, applications and devices. This is where Osirium is an obvious win. The Privileged Account Management part of Osirium is all about arriving with an identity and leaving with a role. A key benefit here is that the 'system/application/device' side of the connection does not have to be identity enabled, only the inbound connection to Osirium. Thus, Osirium acts as an Identity Federator for your entire infrastructure.
Tom Guyatt, Professional Services Manager, Osirium
Nemi George from Vodafone made the point in his well grounded presentation. He described how staff from many countries delivering a 24/7 service need to use a specific account on specific systems to make well controlled changes. He went on to describe how they used Privileged Task Management to wrap up the changes into a menu driven system. He told the conference how over the last 3 years this system has performed 2.5 million changes, and that means 2.5 millions times that staff did not need to access privileged credentials.