The Identity And Access Management System Information Technology Essay

Published: November 30, 2015 Words: 4785

Reconsidering IT security problems from a holistic view provides a broad perspective on the problem and the relevant areas leading to it. Here, treating identity and access management as a typical system led us to evaluate it from a different point of view, called the "systemic holistic approach". Through this approach we introduce the relevant concepts and methods in terms of security issues.

Basically, identity and access management is a system that provides the process and infrastructure, by means of key components, for the administration and effective enforcement of well-managed access to digital resources and systems across an enterprise. Generally, what makes these systems operate differently is the policy on which the process of registering the identity information of interest and providing it to appropriate services, such as authentication and authorization, is based. [5] Ideally, an IDMS is supposed to provide an environment in which separation of duties is implemented and enforced. Also, individual identities, as the entities of the system, are associated with corresponding access rights to specific objects within the environment, system or network. [9] Hence, in order to access a given resource, users or entities must establish, with the system they are attempting to access, identities that are affiliated with predefined rights or permissions to that resource.

As mentioned earlier, IAM initiates a process called life cycle activity that involves the establishment, management and retention or deletion of digital identities. Moreover, IAM is an integrated system of business processes, policies and security-based technologies that facilitates control activities related to physical and logical access, manages digital identities centrally, and specifies how they are used to provide access to information. [9]

Also, given the importance and sensitivity of information, a business needs to control more effectively how it manages access to the information and applications distributed across internal and external application systems. Hence, besides enforcing proper data storage protection, the need for identity management is strongly felt. In fact, identity plays a crucial role in any computerized security system, so computer systems are expected to identify entities in the best way they can. This can be fulfilled through credentials supplied by authorized parties, which provide various methods for identifying authorized subjects. This process of authentication is effective when it is followed by an authorization process, which is a control over the user's ability to read, write, modify or delete information, applications and processes, or objects in general. [9]

The relationships between the elements of IAM and how they might affect each other can be represented as the triangle illustrated in Figure 1. The lengths of the edges represent the proportions of the elements relative to one another in a given IAM system. [3] The elements have a mutual effect on each other, so varying the proportion of one element could change the interaction of the other elements in order to maintain the balance of the triangle. So, the whole system must provide a process of access for a growing number of identities by defining new policies both inside and outside an organization, so that technology transforms the way the industry categorizes security without compromising security or exposing sensitive information. Hence, the triangle analogy is illustrative enough to describe the relationships and interactions of policies, processes and technologies in an ideal IAM system as well. [3] "…Every organization is different and the right mix of technologies, policies and processes for one company may not necessarily be the right balance for a different company so that each one needs to find its own balance represented by the uniqueness of its triangle." [3]

Figure 1: Essential elements of an identity and access management system [3]

1.2 IAM model

The Internet2 Middleware initiative group has represented the IAM system in a model (Figure 2) that makes some things clearer. As shown, if we consider the system resources and data objects on the left, the systems and services on the right, and the IAM infrastructure in the middle, then all the policies and procedures can be applied there to maintain the whole system in constructive balance. [4]

Figure 2: Identity and Access Management (IAM) Model [4]

Obviously, the same identity information service is used to ensure that the right subjects access the right objects, even in a distributed environment. First, as shown in the light green box on the left of the diagram, the data across the enterprise needs to be reviewed to decide what is relevant from the source systems to the people in the organization, and that information is then joined and reflected into one identity entry assigned to each person in the community. So, for instance, in a typical organization like a campus, if Bob has entries in financial aid, student union, and library, the relevant identity data would be recalled as needed and joined and reflected in one digital identity entry in the IAM system. [4]

After the identity information about a person has been collected and approved, it is possible to use tools to establish roles, grant access, and add group membership, as represented in the blue Enrich Identity and red Apply Policy boxes at the bottom of the diagram. The resource owners can define some privileges for that resource. [4] "Consolidating the groups and privileges allows groups to change once in the IAM system and be pushed out to or accessed by the services in the collaboration package." [4] Also, the identity data can be enriched with authority data, as shown in the boxes at the bottom of the diagram.

Basically, the diversity of identity stores, protocols, encryption mechanisms and policies makes identity and access management initiatives more complex than most other IT systems. So, more significant and comprehensive strategies are needed to enhance the management of digital identities in a large network. Implementing standards, reducing the number of stores, delegating administration and improving the user authentication process to strengthen security are some of the solutions suggested so far. [2]

Chapter 2

Systemic Holistic Approach

2.1 Churchman's 5 considerations

In this chapter we will try to describe the IAM as a system using the Systemic-Holistic Approach. [12] In order to do so, Churchman's 5 considerations [11] will come in handy. Churchman offers these considerations as a mind plan to use when trying to define a system. The considerations are:

System objectives

System environment

Resources of the system

Components of the system

Management of the system

2.1.1 System Objectives

IAM has two main objectives as a system. The first and foremost is to provide a secure way of establishing identities, usually for persons and users but in some cases for other systems. The second objective is, after identities have been established, to provide access to resources according to the specific identity. A typical way of implementing these main objectives is that an identity should correspond to a specific role (identity establishment) and that role should have explicit access to some of the system resources. This approach is a white-list approach, where each role has predefined access rights instead of predefined access restrictions (blacklist approach).
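The difference between the two approaches shows up when a resource appears that neither policy anticipated. The following is an added example, not part of the original essay; the identities, roles, resources and function names are all constructed for illustration.

```python
# Added example (not from the original essay). All identities, roles and
# resources below are constructed sample data.

IDENTITY_ROLES = {
    "alice": {"student"},
    "bob": {"student", "lab_assistant"},
    "carol": {"registrar"},
}

# White-list model: a role may do only what is listed here.
ROLE_GRANTS = {
    "student": {("course_material", "read")},
    "lab_assistant": {("lab_booking", "read"), ("lab_booking", "write")},
    "registrar": {("grades", "read"), ("grades", "write")},
}

# Blacklist model: a role may do anything that is NOT listed here.
ROLE_RESTRICTIONS = {
    "student": {("grades", "read"), ("grades", "write")},
    "lab_assistant": {("grades", "write")},
    "registrar": set(),
}


def roles_of(identity):
    """Identity establishment step: map an identity to its roles."""
    return IDENTITY_ROLES.get(identity, set())


def whitelist_allows(identity, resource, action):
    """Default deny: access needs an explicit grant on one of the roles."""
    return any((resource, action) in ROLE_GRANTS.get(role, set())
               for role in roles_of(identity))


def blacklist_allows(identity, resource, action):
    """Default allow: access is refused only if some role restricts it."""
    roles = roles_of(identity)
    if not roles:
        return False  # an unestablished identity gets nothing in either model
    return not any((resource, action) in ROLE_RESTRICTIONS.get(role, set())
                   for role in roles)


def disagreements(requests):
    """Return the requests on which the two models give different answers."""
    return [req for req in requests
            if whitelist_allows(*req) != blacklist_allows(*req)]


# "payroll" is a resource added after both policies were written.
REQUESTS = [
    ("alice", "course_material", "read"),
    ("alice", "grades", "write"),
    ("bob", "lab_booking", "write"),
    ("alice", "payroll", "read"),
    ("dave", "payroll", "read"),   # identity that was never established
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req, "whitelist:", whitelist_allows(*req),
              "blacklist:", blacklist_allows(*req))
    print("models disagree on:", disagreements(REQUESTS))
```

The only request on which the models disagree is the student reading the new payroll resource: the blacklist permits it because nobody has yet written a restriction for it.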

Besides the main objectives, we can identify secondary - but still important - objectives of an IAM. The identity management would mean management of user/system accounts, roles, and privileges. Another important objective is the provision for coordination between different systems. Ways to import / export identities between IAM systems would facilitate the coordination.

2.1.2 Environment of the System

As described in [11], the environment of the system contains the factors that are not controlled by the system and yet interfere with its performance. The difficulty in describing the environment arises from the fact that the IAM is implementation-dependent. In order to describe the environment correctly we need to know which assets the IAM protects, who is using it and for what purposes. Another difficulty comes from the fact that it is rather tricky to define the limits between the IAM environment and the environment of an organization that uses an IAM.

Users can be considered part of the system but also part of the environment. They reside inside the system, but in large-scale implementations they could be outside the limits of the system, accessing it from the Internet or using tools and services that are not part of the system, thus being part of the environment. If the system is interconnected with other systems or connected to the Internet, then they are parts of the IAM environment as well. However, it is not easy to mark the limits, and we demonstrate that with an example. In the IAM used at DSV, the identity cards that are used by the students to access specific rooms or parts of the buildings in Kista constitute an isolated system which is not connected (or shouldn't be connected) to the Internet. What is interesting is that the same credentials (representation of identity) are used by students to access computer systems and connect to the Internet, or connect to DSV system resources through the Internet. In the first case the Internet is not considered part of the environment, whereas in the second case it clearly is, even though we are practically discussing the same IAM.

In the figure below we try to describe the environment of an IAM system. The figure is a modified version of the one provided in the compendium [8]. We based this approach on the IAM used by a social networking site. The IAM is part of the organization and is included in the main block of the figure. The Internet is the space in which the social networking site exists and is thus part of the environment. Ecology and government, among other things, represent the legal issues involved. The license agreement that all users must sign is part of this. Collaborators can be advertisers that use the system to advertise products, or application developers that use the site's framework to introduce their applications (plug-ins). Competitors are also a main part of the environment, as the competition influences business plans. Attackers are placed at the limits of the environment, as they can reside inside the system as well as in many diverse parts of the environment.

Figure 3: Consideration of IAMS: an open system in an environment [12]

2.1.3 System Resources

The resources of the system are the means it uses to achieve its objectives. In that sense we can argue that, at a low level, code is a resource of the system, especially for organizations where the development of the IAM happens in-house. Financial resources include the capital and the money needed for the system to be sustained in a working state. The technological knowledge that is necessary to implement, deploy and support IAM systems is another significant resource facilitating the realization of the objectives. Last but not least is the human factor: the people working for an organization, and the people implementing and administrating the systems.

2.1.4 System Components

For the system to fulfill its objectives, several tasks need to be performed. As proposed in [1] and shown in Figure 5, the main components of an IAM system are identity and access, and thus coincide with the system's objectives. In that way our system is fairly easy to describe and understand. We believe that the processes and activities described in the model [1] are important, but not so much as to fall into the category of components of our system. Identity establishment and Access Control are the main components of an IAM system, even though they can admittedly be broken down into subcomponents as shown in the following figure.

Figure 4: Relationships between IAM components and key concepts [2]

The key components of IAMS can be classified into four different categories by the following questions: [10]

Who are you? (Identification)

Verifying that individuals are who they claim to be is an essential operation of a healthy identity and access management system, and it should be done before identity attributes are entered into the IAMS. The question "who are you?" can be answered by simple unique identifiers, such as an ID or a username assigned to an individual entity. [10]

How do we know? (Authentication)

This is the verification of the individuals who were registered and identified in the identification process, against their corresponding unique identifiers. Often, this process can be done with various authentication strategies enhanced by the related technological infrastructure. The simplest form of authentication used so far is the password, and the least common one is said to be biometric identification.

What services and operations are available to you? (Authorization)

As mentioned before, one of the essential elements of an IAMS is policy, so based on a defined policy in an organization's hierarchy, the system determines which subjects can have the intended access to which objects. The authorization process, based on the policy store of the IAMS, can be enriched and enhanced by data, information or policies including all user roles, behavior, attributes, access channels and resources requested.

Is the information about you secure? (Privacy and User management)

Providing for the security of the identity or user is another key component, which consists of user life cycle management, password management and, more generally, defining administrative functions such as the maintenance of user identities and privileges.

Figure 5: IAM components (diagram labels: Identity and Access Management; Identity Management; Access Management; Identification; Authentication; Authorization; Privacy and User Management; "Providing the right object with right access at the right time")

2.1.5 System Management

The system's management depends on many factors, which may or may not be part of the system itself. Often managerial issues are handled externally, meaning on a level above the system. Such issues involve discussions about the kind and level of protection an organization needs, about how the financial resources should be distributed and which parts are available to the system, or even about how the organization deals with attacks through its security policy. We can divide the management of an IAM system into 4 discrete categories:

Identity Life Cycle Management: Deals with additions and removals of identities from the system, following an employee layoff for instance. Modification of rights and roles also falls into this category.

Password Management: Deals with the management of user passwords and credentials, as well as password management for special accounts (administrative, emergency).

Access Management: The key management aspect of the system, controlling the relations between roles and objects. Determines who is able to access what and when.

Compliance Management: Ensures primary process execution through controls such as employment verification, identity revalidation, and privilege authorization review.

Figure 6: Management components of the system [2]
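The three compliance controls named above can be run as a periodic review over the account directory. The following is an added example, not part of the original essay; the HR roster, role definitions, accounts and the 180-day revalidation interval are constructed assumptions.

```python
# Added example (not from the original essay): a periodic access review that
# applies employment verification, privilege authorization review and
# identity revalidation. All data and thresholds are constructed.
from datetime import date

HR_ROSTER = {                     # source for employment verification
    "e100": "employed",
    "e101": "employed",
    "e102": "laid_off",
}

ROLE_PRIVILEGES = {               # what each role is authorized to hold
    "clerk": {"crm:read"},
    "admin": {"crm:read", "crm:write", "iam:manage"},
}

ACCOUNTS = [
    {"login": "anna", "owner": "e100", "role": "clerk",
     "privileges": {"crm:read"}, "revalidated": date(2015, 10, 1)},
    {"login": "ben", "owner": "e101", "role": "clerk",
     "privileges": {"crm:read", "crm:write"}, "revalidated": date(2015, 9, 15)},
    {"login": "carl", "owner": "e102", "role": "admin",
     "privileges": {"crm:read", "iam:manage"}, "revalidated": date(2015, 11, 1)},
    # Special (service) account that nobody is accountable for.
    {"login": "svc-backup", "owner": None, "role": "admin",
     "privileges": {"crm:read"}, "revalidated": date(2014, 12, 1)},
]

REVALIDATE_EVERY_DAYS = 180       # assumed policy value


def review_account(account, today):
    """Return the list of findings for one account (empty if compliant)."""
    findings = []

    # Employment verification: the account must map to a current employee.
    if account["owner"] is None:
        findings.append("no_owner")
    elif HR_ROSTER.get(account["owner"]) != "employed":
        findings.append("owner_not_employed")

    # Privilege authorization review: nothing beyond what the role allows.
    allowed = ROLE_PRIVILEGES.get(account["role"], set())
    excess = account["privileges"] - allowed
    if excess:
        findings.append("excess_privileges:" + ",".join(sorted(excess)))

    # Identity revalidation: the last confirmation must be recent enough.
    if (today - account["revalidated"]).days > REVALIDATE_EVERY_DAYS:
        findings.append("revalidation_overdue")

    return findings


def access_review(accounts, today):
    """Map each non-compliant login to its findings."""
    report = {}
    for account in accounts:
        findings = review_account(account, today)
        if findings:
            report[account["login"]] = findings
    return report


if __name__ == "__main__":
    for login, findings in access_review(ACCOUNTS, date(2015, 11, 30)).items():
        print(login, findings)
```

Each finding maps back to a life cycle action: a laid-off owner calls for removal of the identity, excess privileges call for a modification of rights, and an ownerless special account needs an accountable owner assigned.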

2.2 IAMS Framework

Figure 7: Details of the framework and the methodology for Security Informatics - the Systemic-Holistic Model. [12]

With the help of Figure 7 we will try to evaluate the system according to system theory concepts. Viewing the system as an epistemological device and taking into consideration the framework for security informatics [8], we can organize it into three dimensions: Content/subject areas, Levels of abstraction, and Context orientation.

Content/subject areas include technical (collect - process - store - communicate - display) and non-technical (operational - managerial/administrative - legal - ethical/social/cultural) aspects,

Levels of abstraction include physical/construction - theory/model - design/architecture, and

Context includes geographical space and time reference. [8]

Technical aspects of the system consist of administrative issues and technological aspects such as access-control mechanisms, whereas non-technical aspects include managerial activities and legal or ethical issues, which will be discussed in the last part of the report. Figure 8 gives a good representation of the levels of abstraction, from the physical and constructional layer up to the design and architectural layer.

Figure 8: IAMS Architecture [13]

Chapter 3

Threats

3.1 Introduction

There are several issues you need to deal with before you can make a fair assessment of what threats there are to an IAM. The system will be useless if it is not able to protect the information that it is designed to protect. That means that not only does the system itself need to be unbreakable but its users need to understand why it is used. A very common security breach in Identity and Access Management Systems is that the users provide the attackers with a means of entrance or provide the information that is supposed to be protected. For instance, what is the point of building a wall of security around your confidential data if you keep copies of it on your laptop, which in turn you leave unprotected in your car whilst going into the supermarket? One of the main methods to combat security issues must therefore be to inform the users about the IAM and the possible threats to it.

In the following sections we will discuss several of the most common threats to the IAM, starting with the user threats. Those are the threats that are performed by attacking the system through the user in various ways. After the user threats we will focus on some of the threats that attackers use to try to breach the system itself. These include backdoors, worms and other kinds of malware. These threats are not exclusive to the system; users of the system can also be the subject of these threats, but they are more commonly used to compromise the security of the individual user. As you can see, it is difficult if not impossible to categorize threats in this way. Our attempt to do so nevertheless should be seen more as an attempt to explain the possible origins of attacks in order to be able to see the whole picture more clearly. We will tie this together with a discussion around the word safer, which seems to be a mantra for everyone who adds yet another feature to the IAM. The danger, we mean, is that the less the user understands about the technical problems/solutions, the easier it is to attack their ignorance. Before we reach that discussion, however, we will take a look at some of the threats that may originate in third party applications (or communication with the same) inside the system. If there are exploitable weaknesses in them, they may be a way into the system, similar perhaps to a backdoor.

3.2 Threats to the users

The United States Department of Justice says that "[i]dentity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain." [6] Some like to think of identity theft and identity fraud as two different things, identity theft being the act of stealing the identity and identity fraud being the wrongful use of it [7], but in our discussion we will treat the two as the same thing. One claim that USDOJ makes is that most identity thefts have financial motives and this seems to be backed up by statistics from other sources.

The chart in Figure 11 shows the different types of identity theft, and financial motives for stealing an identity make up a huge chunk of the chart. Utilities fraud can occur if someone uses their child's clean credit report to be approved for utilities such as electricity and water. [10] The USDOJ definition also says that it is enough to use personal data for it to be considered identity theft. In other words, using someone else's credit card information without explicit permission is seen as identity theft, and so is using a password that does not belong to you to log in to a resource.

Figure 11. Overview and description of each type of identity theft, based on Federal Trade Commission complaint data [10]

Identity theft does not necessarily have to be committed against a person. An example of a governmental institution's identity being borrowed or stolen could be seen in September this year, when reports from several news sources revealed that people inside the Swedish parliament were manipulating Wikipedia. Sensitive details were removed on numerous occasions and famous Swedes were slandered. The story originated from a television program on TV8 called Aschberg, and most big news outlets reported on the story, among others Aftonbladet on the 22nd of September. [11] Although the attacks could have been made by anyone, including someone who used a computer in the parliament's public library, it clearly shows that the parliament has an identity which needs to be protected. Representatives of a government manipulating public sources to try to hide compromising information could, if taken to the extreme, pose a threat to free speech and be a dent in democracy.

Phishing and pharming are two common techniques attackers use to try to get users to reveal their identities. A phisher is someone who will try to fish for a user's identity. Usually this is done by sending an e-mail, posing as someone else, to an unsuspecting user. For instance, the attacker might try to pose as a bank and send out an e-mail containing a short message about why the customer needs to log in to their account or send their login information to the bank. Often there is also a link to a dummy site where the user is requested to enter this information. Sometimes these mails are impersonal, using language like "Dear customer" rather than the recipient's name. These kinds of messages are sent simultaneously to millions of users. A more targeted attack of a similar nature is when the impersonal information is replaced by names retrieved from other sources. The phisher has gathered enough information to be able to address you in person and even knows which banks and sites you visit. This is a type of phishing referred to as spear-phishing. [12] There are several other methods of phishing, some more complex than others. The best methods for combating phishing are to inform users of what not to do and (this might be the most difficult to accomplish) to work together to create some standard by which companies communicate with their customers. Never respond to mails and never reveal personal information to anyone over e-mail, telephone or means other than the ones provided to you when you are logged in. Usually phishing sites created to lure users into logging in or revealing login credentials are easy to detect because their URL is different from the site they try to impersonate; often just by a letter or two, but the signs are there if you remember to look for them. This may also be the case for pharming, but this is more difficult to detect for other reasons.
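The "letter or two" difference can be checked mechanically on the defender's side, for example in a mail filter. The following is an added example, not part of the original essay; the trusted domains, the sample mail and the distance threshold are constructed, and the check covers only near-miss spellings of known sites.

```python
# Added example (not from the original essay): flag links whose host differs
# from a known site "by a letter or two". Domains and mail text are constructed.
import re
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ["bank.example", "login.university.example"]
MAX_DISTANCE = 2  # assumed threshold for "a letter or two"


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_link(url):
    """Return (verdict, matched_domain); only 'trusted' should be followed."""
    try:
        host = urlsplit(url).hostname
    except ValueError:            # malformed URL, e.g. a broken IPv6 literal
        host = None
    if not host:
        return ("invalid", None)
    host = host.rstrip(".")

    # Exact match or a genuine subdomain of a trusted site.
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return ("trusted", trusted)

    # Near miss: compare without a leading "www." label.
    bare = host[4:] if host.startswith("www.") else host
    nearest = min(TRUSTED_DOMAINS, key=lambda t: edit_distance(bare, t))
    if edit_distance(bare, nearest) <= MAX_DISTANCE:
        return ("lookalike", nearest)
    return ("unknown", None)


def suspicious_links(text):
    """List (url, verdict, matched_domain) for every link that is not trusted."""
    results = []
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        verdict, matched = classify_link(url)
        if verdict != "trusted":
            results.append((url, verdict, matched))
    return results


# Constructed sample message in the impersonal style described above.
SAMPLE_MAIL = (
    "Dear customer,\n"
    "Your account is locked. Log in at https://www.bamk.example/login\n"
    "Our privacy policy: https://bank.example/privacy\n"
)

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_MAIL):
        print(finding)
```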

Pharming is when the attackers get access to the DNS and are able to change where the address directs you. An attacker may, for instance, change the information that would lead you to your bank so that it instead takes you to their dummy site. This is more deceptive because it happens even though you type the correct URL in your address field, but it still cannot hide that the address is wrong. [13]

Installing malware could be another way to obtain sensitive information from someone. An attacker could for instance install software that reads the key-presses and reports on them to the attacker, so if you use the keyboard to log in to your favorite social network, he will be able to see what you typed and on which site.

3.3 Threats specific to the IAM system

Malware hidden in a computer could be a direct threat to the system. One incident worth mentioning is the attack carried out on Heartland Payment Systems. They process the cards for 250000 companies (restaurants, retailers etc.) in the U.S.A., and someone managed to install software that was able to extract names and credit card numbers, among other things. News of the breach reached Heartland through VISA and Mastercard reports. The latest updates indicate that up to 130 million records may have been stolen, which does not have to mean that it has affected 130 million people. [14]

Inside jobs are difficult to prevent in any way other than making the punishment, or the fear of punishment, greater than the possible reward. Limiting an employee's responsibilities is one way to possibly limit the rewards, and monitoring and logging activities could provide help after the fact.

3.4 Threats through third party systems

Poorly constructed software could pose a threat to entire systems. If the software has serious security holes, it may be possible for an attacker to use it to install malicious software. If there are serious security holes in the browser your company is using, this may be a way for the attacker to enter, and because it is very hard for most companies to work without being in some way connected to the world, these attacks are unlikely to cease.

Computer Sweden reported on September 29, 2009 that criminals use open source software to a higher degree than before. They get the help of unsuspecting contributors, who think that they are involved in the development of a legitimate project. This way they are able to get the help of skilled programmers who help make the code more sophisticated. When they deploy the malicious version, it has been altered to suit their needs. [15] An argument is made that if this method is used, it will also be easier to detect the malicious code, but so far it seems that the pros of this method outweigh the cons.

Does yet another applied technology make the IAMS safer?

There are many new technologies emerging in this field. There are biometric systems and smart cards. New functionality is coded into the software, sometimes adding yet another step that the user needs to pass in order to make safe transactions. The common mantra seems to be that it makes the system safer, but is that really the case? On one hand it could be argued that technology that is harder to crack is safer, but usually that also means that there is more technology which the average user knows little about. Users are frequently attacked because they often have little knowledge of the details of the technology used to protect them. If you add yet another thing, do you add a new layer of protection or do you add another point of attack for the criminal?

Then there is the problem that we actually may start to believe the propaganda. Setting things straight is not a trivial task even today, so what will be the case when nobody believes your identity can be stolen?

There is also new technology that is intended to make life easier for all multiple identities (people who have an extended collection of passwords and usernames for a multitude of resources.) OpenID is one of these resources intended to solve these problems. The intention is that you keep all identities locked up behind the identification process of your choice (fingerprints, password etc.) and instead of logging in to the resource you want to access, you identify yourself through OpenID. Basically you do what you have to do to confirm your identity and OpenID takes care of the rest. [16] There are some concerns, however, and these are also pointed out in the article. One problem is that if someone manages to break into the system, she has immediate access to all your passwords. So it would seem that no technology that provides an improvement is without its drawbacks.

Conclusion

We investigated a typical identity and access management system from a holistic point of view so that we could recognize and address the different parts of the system that interact with internal and external systems and environments. In essence, the systemic holistic approach to this system enabled us to identify how the components of the system could be affected by existing security issues, and how these could be defined and designed to provide a healthy identity and access management system.

Also, applying the Systemic-Holistic-Approach on an IAMS allowed us to deepen our analysis, and understanding of such systems. We used notions and ideas from the SHA model to overcome the complexity of IAMS and examine it through multiple abstraction layers.

Finally, we have specified different threat categories for the IAM model. We mentioned earlier that the chain is only as strong as its weakest link; that is why we tried to identify a wide range of different threats in the environment of IAM systems. The threats we categorized originate from the user, poor account management practices, third party software, and specific threats to the IAM system or software itself. Therefore, while using an IAM system, these threats should also be taken into account, and it should be noted that IAM systems are just a brick in your so-called "security wall".

Chapter 6