Archive for March, 2013

MDM in the context of IAM

While BYOD is not the newest phenomenon in the IT and security space, I just had my first project that went beyond merely touching a Mobile Device Management platform. As part of the identity lifecycle it’s necessary to get control over the mobile devices used by an end user. While this is pretty easy regarding mail integration (as soon as the user gets deprovisioned, mailbox access is no longer possible), it’s not that easy to handle regarding profiles and own apps.

In my customer’s case, they have MobileIron deployed in their infrastructure. As part of the deprovisioning process they came up with the requirement to retire the devices used by a terminated employee within their MobileIron instance, which takes away all certificate-based access from those devices to the customer’s wifi and network resources.

As the MobileIron API supports HTTP requests to retire devices, we needed the device ID of a device in order to retire it. Luckily there is also an HTTP request to get a decent set of device attributes from MobileIron. We chose the most convenient and quickest approach: extending our IAM database model with a table that stores the data of mobile devices, with a foreign key to the employees table. Calling a dedicated HTTP request against MobileIron, we get a CSV back carrying that set of attributes. This CSV is then imported into the IAM system. This process runs every hour.

When an employee now gets terminated, we also kick off a process that retires all devices known for this employee in MobileIron. So far, this satisfies the customer’s requirements.

For a later phase, this also satisfies additional requirements that will come up (or already came up while defining upcoming phases of the IAM strategy): being able to use the data from a governance and access management perspective answers questions such as “Who is accessing the enterprise network with what kind of devices?” or “Are there devices with a software release that is not safe to let touch the enterprise network and enterprise resources?”.
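The hourly CSV import, the termination hook and the governance question above, as an added Python sketch that is not code from this post or from MobileIron: it uses an in-memory SQLite stand-in for the IAM tables, the CSV columns, device ids and employee ids are constructed assumptions (not MobileIron’s real export schema), and the retire callable is a placeholder for the real MobileIron retire request.

```python
import csv
import io
import sqlite3
# Constructed sample export. Column names are assumptions, not MobileIron's real schema.
SAMPLE_CSV = """device_id,user_id,platform,os_version,last_checkin
dev-1001,jdoe,iOS,6.1.2,2013-03-10
dev-1002,jdoe,Android,4.0.4,2013-03-09
dev-2001,asmith,iOS,5.1.1,2013-03-11
dev-3001,ghost,iOS,6.1.2,2013-03-11
"""

def open_db():
    """In-memory stand-in for the IAM database: employees plus a devices table with a foreign key."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.execute("CREATE TABLE employees (user_id TEXT PRIMARY KEY, active INTEGER NOT NULL)")
    con.execute("CREATE TABLE devices (device_id TEXT PRIMARY KEY, "
                "user_id TEXT NOT NULL REFERENCES employees(user_id), "
                "platform TEXT, os_version TEXT, last_checkin TEXT)")
    con.executemany("INSERT INTO employees VALUES (?, 1)", [("jdoe",), ("asmith",)])
    return con

def import_devices(con, csv_text):
    """Hourly import: upsert exported rows. Rows whose user is unknown to IAM are
    skipped and reported, so a mismatch between MDM and IAM does not go unnoticed."""
    known = {r[0] for r in con.execute("SELECT user_id FROM employees")}
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    good = [r for r in rows if r["user_id"] in known]
    con.executemany("INSERT OR REPLACE INTO devices VALUES "
                    "(:device_id, :user_id, :platform, :os_version, :last_checkin)", good)
    con.commit()
    return len(good), [r["device_id"] for r in rows if r["user_id"] not in known]

def retire_on_termination(con, user_id, retire):
    """Deprovisioning: flag the employee inactive and call retire(device_id) for every
    device IAM knows for them. retire() is where the real MDM HTTP request would go."""
    con.execute("UPDATE employees SET active = 0 WHERE user_id = ?", (user_id,))
    ids = [r[0] for r in con.execute(
        "SELECT device_id FROM devices WHERE user_id = ? ORDER BY device_id", (user_id,))]
    for device_id in ids:
        retire(device_id)
    con.commit()
    return ids

def devices_below(con, platform, minimum):
    """Governance query: devices on a platform running an OS release older than minimum."""
    ver = lambda s: tuple(int(p) for p in s.split("."))
    return [d for d, v in con.execute(
        "SELECT device_id, os_version FROM devices WHERE platform = ? ORDER BY device_id",
        (platform,)) if ver(v) < ver(minimum)]
```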

To cite a good IAM guy I did a project with: “Building an IAM implementation is like building a house: it’s all based on a strong foundation.”

I expect to see more projects coming up with even deeper integration between IAM and MDM as the BYOD wave is still rising…


Ian Glazer – Killing IAM in Order to Save it

There’s just nothing more to say, it’s Ian Glazer: Killing IAM in Order to Save it

Categories: IAM, Identity, Strategy

Passwords must die – but how?

It’s been a while since I had a chance to find some time for my blog. I still have several topics in my pipeline, but as today is going to be a lazy Sunday staying in my hotel in Louisville, KY, I decided to take a shot at a burning hot topic that’s been on top for a while: #PasswordsMustDie

As you might have seen in the news, on Twitter or in various blogs, Evernote got hacked these days and it’s reported that usernames and passwords (no matter if they were encrypted or not) were taken. I wonder how many of those passwords are used with other services as well, in the worst case together with the same email address. I think at least 60% of the taken password / email combinations are being used for other services as well, as this is the most common mistake we all make: we reuse passwords. We shouldn’t reuse them, but as a matter of fact, we do. By doing so, we’re exposing ourselves to an enormous risk. But we do accept it.

What could be ways out of this misery?

  • Biometric authentication
  • Token-based authentication
  • Multi-factor authentication

Let’s take a look at all of those.

Biometric Authentication

Some laptops today have a fingerprint reader that can be used to authenticate a user. The HP laptop issued by my employer has one, and I use it at least for Windows authentication. The same laptop also offers face recognition via the built-in webcam. I’ve never tried that feature since the webcam is not working properly. On the other hand, I do remember a presentation on a laptop (I won’t name the vendor) where the face recognition could be bypassed with a good photo print. Looking at the brand new MacBook I’m currently using to type this article, there is no fingerprint reader, but it does have a webcam. Looking at other devices and computers in my family, there are also devices that have neither. So on these devices there is no way to do biometric authentication without additional hardware, and as long as not all devices come with a fingerprint reader by default, there is no way to roll out biometric authentication to all the mainstream services.

Token-based Authentication

Token-based authentication requires a service to issue a token to the user. But how is the user identified by the service? The user has to present something to prove their identity. So this potentially requires a username and a password or other attributes to be exchanged between user and service. Sure, there are SSO applications doing that in an enterprise infrastructure. But what about home users? What do they use to initiate a token-based authentication? They could, for example, use an account from another service that integrates with the service they want to use, like Google or Facebook. And how are the Google account or the Facebook account secured? Typically by a username and a password. Only a small number of the people I know use two-factor authentication with their phone to authenticate with Google.

Multi-Factor Authentication

Using multi-factor authentication requires not only a password or a PIN, it also requires at least one more factor to authenticate with. This could be a certificate, a security token calculated by a device or an application, or a biometric component such as a fingerprint or a face recognition scan. As discussed earlier, fingerprints and face recognition are pretty much out of the game as not all devices support those features. Most of you know the RSA tokens issued by our security departments or customers for logging into the network or remotely into the customer’s network. As these are bound to a network-specific infrastructure component, this would result in a bunch of tokens to carry with me all the time. And certificates? More than one major certificate authority has been hacked in the past.

So what’s the conclusion out of this?

As much as I agree that passwords must die, I don’t see any chance of that happening soon. It would at least require a standard for a mixture of token-based authentication and multi-factor authentication. But no hardware tokens please. How about a multi-platform token application for smartphones? Oh, right… what about non-smartphone users? You see, it’s a long way to go and we’ve just started it, with the first services offering alternative ways to authenticate like SSO with Google.

What could be done to make passwords more secure in the meantime?

  1. Use strong passwords (a combination of lower case and upper case letters, numbers and special characters)
  2. Don’t reuse passwords (I know, it’s not very convenient)
  3. Services need to enforce password policies and password change intervals
  4. If you’re using SSO with Google or Facebook, make sure your passwords are ultra-strong and force yourself to change them from time to time

All of this is nothing new, but as the Evernote case reminds us to reset our account data and authentication information, we also need to remind ourselves how to deal with passwords in a safe way until they die.

Categories: Cloud, IAG, IAM, Identity, Security, Strategy