Ishan Kumar on 2/11/16 8:52 AM
Paul Hill is a Senior Consultant with SystemExperts. Previously, he worked in the IT Department of the Massachusetts Institute of Technology where he played a leadership role in the evolution of identity services. He is recognized as one of the industry’s foremost experts in Microsoft technology, was involved in the creation of the Kerberos Consortium and played a leading role in the development of Internet2 specifications.
UnboundID: Why was Kerberos created and what has been its impact on the IT security industry in the last few years?
Hill: The primary motivation was that it was an academic environment, and you can’t always control who is on the network, so MIT needed a security protocol that could protect the network from hostile eavesdroppers. Today, Kerberos is widely adopted across the country as a standard authentication system; it’s even used in cable TV modems. Most large companies have deployed Kerberos as an authentication method. Kerberos is also highly interoperable. MIT has established the Kerberos Consortium, which pulls together developers from Microsoft, MIT, Apple and others to do interoperability testing every year. There is one feature that has not been widely adopted by organizations, however, which is the ability to create trusted relationships between companies. You can use settings within the protocol allowing companies to exchange information securely, but most organizations use other standards such as SAML or OAuth for these purposes.
UnboundID: How do you see industry responding to today’s security threats and issues?
Hill: One trend is that finally, we are seeing wider scale adoption of multifactor authentication (MFA). It used to be that you would only see MFA being used at large well-funded regulated companies, but now even startups are starting to incorporate it. If you look at the massive breaches of the last few years, most could have been avoided if everyone was using MFA.
Another evolving area is sandboxing of incoming email, using products such as FireEye. This method involves looking at the behavior of data as it is coming into the network, such as an attachment. If there is suspicious information about it, the attachment will be deleted before it gets to the recipient.
Finally, companies are applying big data analytics to log and event monitoring. Splunk is one product that facilitates this. By looking at anonymized data from customers all over the world, products using this technique can see trends in traffic which may suggest new and evolving threats. The vendor can then deliver new rules to create alerts for customers about the new threat. Analyzing data in real time is now more viable and essential to being proactive about security.
UnboundID: Can you describe some challenges with identity management technology and privacy and security?
Hill: Passwords are still a big area of concern. When a user loses a password and needs help resetting it, that creates problems if the process isn’t designed well or followed correctly. Some attackers are very devious and can do a great job of convincing the support person to reset a password when they shouldn’t.
There was a case recently with an Amazon customer who had an account that was flagged as having some suspicious activity, and still, the attackers were able to get someone to reset the password and gain access. Technology is actually not the hard thing – it’s getting simpler, but when there are humans involved to verify the identity, it gets more difficult. Humans are still the weak link.
UnboundID: How do you advise large clients today on creating the ideal ID management architecture for their business?
Hill: A lot of this goes back to the fundamentals, things we’ve been talking about for about 30 years. When creating accounts, make sure all steps have been followed and be sure you know who the person is. Review accounts frequently and get rid of obsolete accounts.
Too often, employees have more access than they need for their job title. A company that’s growing quickly and where people are changing roles frequently encounters this, because when an employee changes jobs, they still have authorizations from the old role. For instance, a systems administrator is promoted to a senior management role and he still has privileged access to all the machines.
Processes for resetting passwords are critical, and that gets harder as a company grows and the administrators don’t know all the employees any longer. That’s when you need to institute a more formal way of authenticating an individual over the phone. There should be different questions than a consumer service like a bank. An employer has more detailed personal information such as the Social Security number and start date for employees, and they should use that data for identification. Whereas, on a consumer site, the questions are much more general and a hacker can use social media profiles to take a good guess at the answers. Companies need to be very careful with the questions that they ask for identity authentication.