
Moderator: Good afternoon, BSides DC. Please welcome our next presenter, Garris much.

Presenter: Thank you, thank you. Good afternoon, thanks for coming to my talk. We're going to talk about "I am what I am, and that's what I am," as Popeye used to say. I hope people remember Popeye; some of my students at the university don't even know who Van Halen is, so talking about Popeye is like, oh, that's old stuff.

Here's a little "who am I" that I just pulled from my password file. I am from Guatemala, I worked for 25 years in Honduras, and I've been living and working here in DC since late 2017. I started working in security first as a sysadmin, then I read Cliff Stoll's book, The Cuckoo's Egg, and then compiled SATAN, maybe somebody remembers that package. I compiled it and then just fell down the rabbit hole into security. I've done some forensics, some pen testing, got some Mexican RATs which I reverse-engineered back in the day, done business continuity and disaster recovery, and I've also taught at universities in Central America: the operating systems and compilers courses and the compiler engineering course. My superpowers: I know how to exit vi and I know how to write regular expressions.

Just a standard disclaimer: this presentation is my views, mine only, and they do not represent any past, future or present employer. These are things that I learned doing the current job that I have, but it also reflects my past experiences.

So what is this talk about? This is not about Amazon IAM. I'm sorry if I baited you, if you thought it was about Amazon IAM; this is about the identity and access management process. I've got two definitions here. One from ISO 27001: to ensure that only authorized users get access to applications, systems and services. Or from ITIL: the process to work on provisioning, changing and revoking access rights to authorized users only. Those are the book definitions, so that's what we're going to talk about.

I felt compelled to give this talk because I saw a tweet, somebody asking how people in their organizations do access provisioning, how do you create new users. And I thought, well, actually identity and access management is a pretty cool defensive capability. If you focus on this, and I work for an enterprise, giving access to users is a process that somehow gets neglected; people leave all the identities on the network, on the Active Directory, whatever, and I think that managing that gives you a whole foot in the door on defensive capabilities. I won't be discussing any commercial products, and of course this is not a live coding or exploit hacking talk; we're just going to discuss this process.

As I mentioned, this is a supporting process for defense or protection of the enterprise, or your products and services. Here are a couple of headlines that I got from the internet: a guy who was kicked out of a company and deleted all the servers in Amazon; a rogue system administrator who shut down servers; and also some leftover identities that have been used to compromise networks because they used passwords that were found in password dumps. So killing off all the leftover identities from the network, from the Active Directory or the directory, is a very useful process.

For example, here's a case I saw at a university. The university allowed self-service registration of email accounts, so there was some cool student who created registrar@university.edu. When I saw that, because I took the roll call for giving the grades, I saw: why is this guy's address "registrar"? He's just a regular guy. So I asked him, and people could just register whatever email address, and that tied into the other systems of the university. That was a big vulnerability, which got fixed. This also brings up the issue of separation: you're providing services for your customers, or your students, somebody external to the organization, but then you have the same domain or the same credentials that go into the payroll system, for example. So you have to segregate and create a barrier, some way to differentiate what services are being provided for the external users and which ones for the internal users.

We've heard that information security is a process, it is not a tool. This is what this talk is actually about: why provisioning identities and users, giving access to applications, is a process that you have to build on top of some tools, and we're going to see what kind of tools. That way you can begin to create a secure environment, but also to measure and improve, and also create more visibility into the risks that you may have in your security process. It will also create a way, as an upper-level tool, to give you segregation of duties: should this developer have access to production, to the cash management system, for example? Should this user who processes payments also have access to change the payroll? This is a segregation of duties issue which is also made visible when you implement an identity and access management process.

A process is usually written like this; this is one I found on the internet, where you make a flow chart and you describe what actions and decisions you take when you create a user. That's what we're going to talk about, and also incorporate these patterns. Some of the patterns that we encounter when implementing identity and access management are these. The joiner: when people come into the organization. The mover: when somebody transfers from one duty station to another; they change jobs, but within the organization, so they need different permissions. Somebody goes from accounting to HR to services to IT, so there needs to be some way to notify and understand what happens when people change jobs within the organization; that's a mover process. The leaver: when somebody leaves the organization you need to do something: delete identities, cancel passwords, move the email address to another place. Also understand what the birthright access is: what do you need to give your users when they just come into the organization? And also the term recertification: that's a periodic process that you do to ensure that users have the access they require. If I gave you access to the accounting system two years ago, do you still need it today? That's something that you have to be recertifying constantly, to understand, like a secondary control, what these accesses mean for the organization.

Those patterns are implemented in these lifecycle events. This lifecycle: you create a user, you onboard them, then you request access to their applications, beyond what's the birthright, then you manage them when you transfer them, and you offboard them when they leave the organization. And a frequent issue: people who get rehired into the organization; they leave and they come back, so you need to be reviewing that, and recertifying the access periodically. So that's a constant cycle of events that you are going to be doing when managing identities and accesses.

At this level it is also a large project. It's something that you've got to plan for, you've got to design: what is the scope, how are you going to do the governance on this, who's going to be responsible for even deciding how you are going to write user identities? Is it going to be first initial plus last name, is it going to be first name dot last name? That kind of thing has to be designed and governed. Then you design an architecture: how are you going to implement those processes? And then you go and create permission catalogs for each of the applications, and implement a tool for doing that. But you can still be doing processes that do not require specific tools for that.

To understand what this identity and access management landscape can be, I created an alignment table for this, so I give you like a bingo card. The center one is free: roll your own, you create your own identity and access management fully adapted to your organization. But then we can see, for example, for lawful good you can implement a research-firm-vetted solution, something that's on a quadrant or a wave, you know, that's lawful good. You can implement an open source solution, which is neutral good, or you can implement a new product from a startup that nobody knows, and that's chaotic good. You can be neutral by implementing IAM, identity and access management, through a ticketing app: you do Jira or ServiceNow, any ticketing app. Chaotic neutral may be outsourcing it to social login, like Facebook, Google or Yahoo. And lawful evil, of course, paper-based forms; that's like way back. Neutral evil: you write your own LDAP directory editing scripts, and that's like the BOFH comic strip, a guy doing scripts and creating users with scripts. And chaotic evil, for me, is doing it all through email, which is hard to follow, hard to understand what's happening, and you do not get a complete picture. This is something that I created for you to understand what identity and access management can mean over a large panorama, a landscape of options.

With that, you will implement an architecture. You will need some way of creating the system of record: who's going to be your master source of data that's going to be giving you identities? Is it going to be the payroll system, is it going to be the HR system, is it going to be the email directory, is it going to be Active Directory? Maybe no, Active Directory is a bad idea. It's got to be something official, something that the company or the organization says: these are the official users that we have here. Then, in the middle, you have the IAM service, the tool or application that you have, which is also connected to external identity systems of record. This is federation, like when connecting to cloud-based services, some authentication provider. If you want to go that way you have many issues with the federated services, but, as I said, the IAM services usually implement connectors or interfaces or APIs into some applications, and then those connectors actually manage the database and network provisioning. The database, whatever, those are managed or controlled by the IAM application or service completely.

More complementary issues around identity and access management. This is something that's coming, for example MFA provisioning: are you giving your users something like MFA, Azure AD MFA or Google Authenticator, whatever? You need to provision those also. You also have to think about privileged user access management: how are you going to differentiate normal users from users who have privileges, database administrators, system administrators, server administrators, networking? How are you going to provide a separated or segregated view of those who have more privilege, so that you may do something like risk scoring, saying, okay, this system administrator has admin permissions over a server that contains the payroll; does that increase the risk? He's going to be, of course, a better target for phishing or hijacking of his account. You can also tie identity and access management into physical access, badges for example. You can provision badges: what badge are you going to get? That requires an integration into the physical security system of the building, for example, to provide physical access.

But it's not all technology, because actually identity and access management is mostly business driven. You must align to your hiring process: how the company moves, what's the rotation. For example, there are some government entities which hire people for one week and then send them to another post and rehire them in another post; there's a lot of rotation. What about contracts? What happens when the contract expires but gets renewed? How fast, how soon are you hiring people? Do you hire people who only need some kind of specific access, on email but they don't need to access the network, or only network but no email, like security guards for example, or for time stamping; they sometimes keep network access only. And also temporary or seasonal access: how are you going to manage access, for example to the POS, for people who only come here to work for Halloween or for the holidays? That's something that your process has to take into account, and also move in line at the speed of what the business needs.

I also mention robots. This is something that's coming; the robots are coming. Many companies are implementing robotic process automation, and one of the issues with robotic process automation is that, since the current technology for robotic process automation is about impersonating a natural user and interacting with the applications that the company has, you need to provision identities for those robots too. Those are unattended identities, yet they are not service accounts; they are like normal user accounts, and they are dependent on the end application's security also. So you have to provision those robots not only in the network or Active Directory, but you also have to provision them into the actual applications that the robots are working on. The robots may be started ephemerally: some companies start 500 robots in the morning to do some transaction processing, whatever they need, and then they shut them down in the evening, and they want or need the password to get rotated and changed, because the identities are not attended, so nobody's going to know if somebody is using that password. So you need to design governance around robots, robot identities. Somebody in the company has to understand that you need to design how you are going to work with those identities, how you are going to give them access, and also who you are going to be assigning them to, who can request a robot identity, for example. There's a flip side to the robot: the IAM process can use the robots also to provision applications. Robots can also work for you for security purposes. That's a cool example: work with legacy or old applications, green screen applications; a robot can type and remove users from applications or servers that are not integrated into this new services-based architecture.

There's also a difference between business and consumer IAM. It's a different issue when you create a Gmail account. I don't know if Google employees, for example, use their Gmail account to log into the payroll system or the benefits system, but those are different. Consumer-based IAM is also about creating applicants in public sites; it's mostly API driven; it can be outsourced, like social login, but federation is needed and useful. A problem with consumer IAM is that many of the identities are created in a disposable fashion: they are created just for tweeting something, or just for buying a ticket, or just for enrolling in a mailing list, and then you get a lot of users or identities that are created and they have to follow a process there. Also, the privacy is different, and the regulations for public sites, the right to be forgotten, for example. Is your hi5 account still active, for example? Maybe you registered ten years ago and it's still active. Does it still have the password? Can somebody do something with that account? So social or consumer identity is a different issue.

What are some of the challenges that we have when working with an IAM process? Actually, sometimes the business process is not ready to be automated; it's fairly ad hoc. You have special types of contracts which need to be varied or moved or whatever. Also the scale: how many people are you hiring or offboarding or transferring each day, week, month? When you have different geographies, different locations, they have different resources you have to provision into. That's a problem, for example, with companies that have grown by acquisition; they may have a different email system in a different office, and you have to provision into that, or even a separate Active Directory tree. Integration with legacy applications is also an issue: how are you going to integrate with applications that are even running on old platforms, like old mainframes? And also the integration into IT service delivery, for ticketing, for provisioning users, for providing services to users, and for delivering even a computer to them.

Some of the benefits that you get when you implement an identity and access management process: for example, when you standardize on the joiner process, when you agree with the business and you implement that standard process, you actually make this flow more smoothly. Everybody knows how a user is created; nobody's going to call you in the middle of the night to ask for this urgent renewal of a contract, because the process is implemented and automated. The identity database can also provide service to other applications. Applications which, for example, require authorizations or workflows can benefit from using this to understand when a person transfers from a group to another group, to another department; workflow applications are impacted by transfers, for example, and an identity and access management process can provide visibility into that. It also provides a path to risk scoring, to understand what accesses to what applications are riskier than others. For example, your timesheet application is less risky than posting ledger transactions, so you can create a risk score for every person in the organization. You can also improve turnaround times, automation for provisioning requests, because since this is now a process that's streamlined and automated, you can create forms which automatically provision an accountant into the accounting system, for example, and it no longer needs somebody to work on that ticket and also go to the application and create the user; it can be automated. You can also provide identity intelligence, like user behavior analytics, because now you have a centralized identity database, a data store, and you can then say, okay, this person has not logged on for a week, yet he has a license for this application which we requested. So you can provide a lot of intelligence to the organization just by centralizing the identity database.

Some other side benefits, not the direct benefit but a side benefit: this makes users productive but also more secure, by using for example self-service password reset, self-service access provisioning workflows, so that they can request permissions to applications, they can reset their passwords. Instead of calling into the help desk to reset their password, they can do it themselves, not only for the network or Active Directory; they can also reset passwords for applications. You can also integrate with other provisioning processes such as physical access badges, telephones, equipment delivery, the phone, the laptop. Have you seen those people on Twitter: "I'm new in this company, they gave me a t-shirt" and whatever, the swag? You can deliver swag also, because now you have a notification when a new user comes into the organization. And you can also impact the bottom line, in the sense that now subscription-based licenses, for example, mean money, and when you deprovision a user at the right time, then you can delete and reclaim licenses that are no longer needed. Think of the cost of an E5 license or a Creative Cloud license: when you deprovision a user automatically when the contract ends, that means less money; you do not need to be buying incremental licenses for that, you can recycle them. And also some contract or temporary users, which the identity and access management program knows about: it can know not to provision those expensive licenses to those users that don't need them.

If you're going for a one-size-fits-all strategy for provisioning, there is an open source solution, it's called Keycloak. It gives you a centralized service for account provisioning and management; it also does federation into Active Directory or any LDAP directory, and allows you to give your applications an easy path into single sign-on from a centralized database. It's a project that's supported by Red Hat, so it's being developed constantly.

What is the future roadmap for identity and access management, for the process? It's actually to transition identity and access management from within the security organization to its own process, its own program. And from the technology side: bring your own identity, you bring the identity that you have; that's like validation and notarization of identities, where you bring your user from another company into this company. Machine learning also is being implemented for permission provisioning and recertification, something that's seeing anomalies, detecting anomalies: this user has a permission that not all of the persons in this role have, for example. That's something that's coming. Identity proofing or notarization, and, from the talk that was here before, IoT device identity: validating that devices also have identities and onboarding them into the network, giving them access.

So thank you. I hope that you've enjoyed the presentation, thank you for coming, and I don't know if we have time for some questions.

Moderator: Thank you, Doris. Do we have any questions?

Audience member: Hi, if you can tell us a bit more about Keycloak, this open source package that you mentioned?

Presenter: Okay, yeah, Keycloak. It's an open source package. It's very powerful in the sense that you can implement it [inaudible]; it's got a lot of connectors too, but mostly to open source applications and Active Directories. It's got an API, so you can build your own connector, for example to a specific database that you need to provision user accesses into. But it only gives you the component that allows you to create identities, centralize them and manage them, and of course delete them and change attributes, but it doesn't have a workflow per se, or a lifecycle within. I think it's going to be developed further; in new versions they're going to implement a workflow over that, but right now it only works as a repository for centralizing identities and giving you single sign-on features. You can make Keycloak act as a proxy for your application, so you don't need to develop any identity features; you can just hook onto the right libraries. So yeah, it's being developed.

Audience member: So I recently became aware of HashiCorp Sentinel, which is basically policy as code. With the HashiCorp products it allows you to encode user creation policies or access policies through code itself, for their underlying products like Terraform or Vault or so on. I don't know if Keycloak has anything like that, or do you know of any other products that basically allow you to encode your access management rules, some of your IAM rules, in code itself and manage them through code, make it software defined?

Presenter: The only prototype I've seen is, like you know, Terraform, that allows you to do that. So no, I don't know of any other ones. But they are building something; this is interesting: encoding identities or rules into a blockchain. That's being developed. I don't know the name of a product that's doing it. Thank you.

[Applause]
[Laughter]