Optiv's Ian Cumming spoke at the company's Toronto event. (Photo by Howard Solomon)

Published: September 20th, 2017

As strategic solutions director for identity and access management at security vendor Optiv, Ian Cumming knows a lot about IAM issues from the infosec team’s side.

He also knows it from the victim’s side: Cumming has been stung three times by data breaches at companies that held his personal data. Among other problems, someone fraudulently filed a U.S. tax return in his name trying to get a refund.

So when he spoke Tuesday at an Optiv customer conference in Toronto about the impact of poor identity and access control on corporate networks, he had personal insight.

The “wall-type defence is not working,” he said. “It’s a matter of when, not if” there will be a data breach.

“The investments we’ve made so far in security have been useless because we’ve chosen not to focus on identity, but the things we traditionally focus on,” including endpoint security, data loss protection and application security.

Yet compromised credentials and loss of access control are behind most breaches, he said.

There are interim solutions such as two-factor and multi-factor authentication, with single sign-on to make the user experience better.

Ideally, though, CISOs should assemble solutions that make a “solid, portable representation of user identity through a formal IAM program which extends to all security-related applications.” The goal is to put identity at the centre of security.

“If we understand who the user is, if we can tie back to a single user entity, we can understand and assign risk,” Cumming said. Then mitigating controls can be put in place to freeze access to a privileged account or accounts.

It is vital that security teams identify when credentials have been breached so the horizontal and vertical movement of an attacker through the network can be discovered.

But, he complained, there are two obstacles. One is managers who insist on having an administrator account or their work will be slowed. “They think about convenience,” Cumming said. “You think you’d like to be in business tomorrow and for many days afterwards.”

The other obstacle, he argued, is the inability of thousands of security products to share the data they capture with each other.

While a number of industry associations have sprung up to create interoperability standards – including the FIDO Alliance, Digital Risk Alliance, Identity Pus Alliance, C3 Alliance, Cyber Threat Alliance – he urged enterprises to join the two-year-old Identity Defined Security (IDS) Alliance, which aims to integrate IAM infrastructure with enterprise cyber security technologies.

The IDS Alliance started as a vendor group – backers include Optiv, Ping Identity and VMware – but Cumming said it now has an enterprise focus, including a customer advisory council.

In an interview, Cumming expanded on this.

There are some interoperability data standards, he said, such as SAML (Security Assertion Markup Language) for authentication. While it’s “fairly easy” to implement, he also described it as “big, heavy … from a business perspective it’s pretty slow.”

“There’s such a proliferation of vendors out there doing niche aspects of security that if you look at their little microcosm they do it extremely well. But if you look at how businesses need to run today, you have to have that intercommunication, you have to have a framework for sending at least user context (information) back and forth. And it’s not just an authentication credential. It’s how they (users) authenticate, it’s the assurance you have that the user is who they say they are and being able to tie that completely back to an individual.”

The IDS Alliance hopes to be driven by security customers, who have the real business need, Cumming said. Ultimately, solutions can be created that let the security team understand who is using what access and for what purpose.

This isn’t the first call for vendors to work together. In 2015 Cisco Systems said vendors have to collaborate on offering integrated threat defence architectures that provide visibility, control, intelligence, and context across many solutions.

In the end, Cumming said, identity is not just a way to stop data breaches but also a business differentiator that helps the enterprise do better business with employees, customers and partners.

“Traditionally identity has been seen as a cost of doing business, but with convenience factors like being able to self-register, self-password reset, being able to sign up for enhanced authentication services for consumer or employee to enable themselves and be productive quickly is the differentiator.”