
Group to shed light on secure identity management threats

By Robert Westervelt, News Editor, SearchSecurity.com
28 Oct 2009 | SearchSecurity.in


The consequences of failing to adequately address identity management issues could have a profound impact on digital forensics as law enforcement tries to find ways to couple digital and physical identities and ultimately bring cybercriminals to justice. But identity management innovation is not keeping pace with the constantly changing threat landscape, making the need for further research more critical than ever.

That is the message being driven by the Center for Applied Identity Management Research (CAIMR), a non-profit organization based in Washington, D.C., that is helping government agencies, including the Secret Service, shape law enforcement investigations, develop defenses and adjust policies outlining secure identity management. The organization is made up of the Secret Service, the Department of Defense, a collaboration of universities as well as private sector companies, including IBM, Symantec Corp. and Visa Inc.

"When we moved into the digital realm I don't think we were prepared for dealing with identity management," said Gary R. Gordon, executive director of CAIMR. "It's been a process where we've had to catch up."

With 2009 marking a year of economic uncertainty resulting in staff layoffs and company mergers, many enterprises are focusing on tried-and-true identity management and access control processes to identify insider threats and maintain continuity. But while businesses begin to understand the nature of insider threats, security professionals remain under constant pressure to address the rapidly evolving threat landscape that targets account credentials and places a high value on identities.

Gordon said he sees identity management evolving rapidly to meet the current threat landscape. CAIMR is creating a database of the current threats to identity management, creating threat scenarios to understand the capabilities that exist and help mitigate those threats. The organization is hosting a panel discussion on the subject this week at the CSI 2009 Annual Conference in Washington, D.C. The organization is expanding on the areas it has identified, including cybersecurity as it relates to digital forensics and linking physical and digital identities; information protection to identify attack vectors and eliminate vulnerabilities; information sharing to focus on shared data sets to improve authentication; and policy and privacy to better shape legislation.

The CAIMR Identity Dynamic Risk Assessment Project is creating a database of attack scenarios and possible targets so organizations can use analytical software to link threat scenarios with the current defense capabilities, Gordon said. The analysis will help the organization understand where the current gaps are for further research as well as help member organizations develop identity management solutions based on need and identify future threats. Law enforcement can use the analysis to speed investigations, while the Department of Defense can create attack scenarios that specifically target identity management technologies to develop appropriate defenses.

"While there are various concerns and challenges that each of the entities have, there is a considerable amount of overlap as well, so everyone could benefit," Gordon said.

One of the major challenges has been to categorize the threats. For example, identity theft threats, which have led to thousands of data breaches, can be mapped to various scenarios, such as phishing, malware and other attack vectors that hackers are using. Other threats plague the financial service industry, such as keeping tabs on potential insiders, and the healthcare industry, which is struggling to protect patient identification in digital format.

"There's a lot to this landscape," Gordon said. "We need to have a much richer picture of what exists and then we'll be able to focus on the specific needs."

The data can also be used to better balance privacy with policy decisions. Gordon called privacy a key component of identity management. Legislators could call on the research to better understand the consequences and unintended consequences of what they're trying to do, he said.
