Observations from the Gartner Identity and Access Management Summit
John Zurawski
Gartner held their annual Identity and Access Management Summit in San Diego the week of November 14th. Having attended all four previous "IAM Summits", I was on the lookout for trends and new items in the area of "identity" and multi-factor authentication. From my perspective, if there was a trend, it may be summarized by stating that IAM may have "arrived" at a level of corporate consciousness and is expanding beyond being a subset of the security practitioner space. Several things contribute to my opinion.
I believe "the cloud", as in cloud computing, is causing more people to focus on the question "how do we make sure who is accessing our properties and data when it's in the cloud?" I believe that was a large driver, boosting attendance to more than 500 attendees at this year's Summit.
The value of identity and authentication practices to the business, and justifying their cost, also seems to be a growing concern. The attendees were greeted with thought leadership from Gartner's Business Intelligence practice and urged to start thinking of IAM as an element of corporate competence with real ROI.
Perhaps more convincing evidence that authentication is "arriving": some of the focus session topics that drew sparse attendance at previous Summits were heavily attended this year. For instance, at 8 a.m. on the third morning of the conference (when you might expect the attendees to be wearing down a bit), Ant Allan's presentation "IAM Foundations: Best Practices for Authentication" was a standing-room-only affair. I counted almost 200 attendees in the room.
I'm confident that growing concerns over audit, compliance and advanced malware threats like ZeuS, ZBOT and SpyEye contributed to the interest in authentication at all levels.
On a glamorous note, Chris Hansen of NBC's Dateline was the "headliner" for one of the main keynotes. Chris has done a number of shows on cyberscams and the danger of chat room predators preying on online teens. For those of you who have seen his "To Catch a Predator" series: did you notice he used a form of out-of-band authentication to eliminate plausible deniability when a 'predator' arrived at the Dateline "sting" operation? He did indeed! While engaging suspects online and making arrangements to meet teenage girls or boys, the suspects were asked to bring some very specific items with them to the rendezvous point. The items were particular to the online conversation and very unlikely for someone not involved in the conversation to have with them. (In some cases they had also provided their mobile phone numbers to the person they were to meet.) The items represented a brick-and-mortar confirmation that the person involved in the digital conversation was the person walking through the door. Voila, out-of-band authentication. Strong enough to get predators locked up.
Gartner Identity and Access Management Summit 2010
Beyond Education, Arming and Activating Your Users in the Battle Against Malware Driven Cybercrime
Robert Soden
Zeus, or Zbot, the malware Trojan unleashed by organized cybercriminals, is a game changer. Its logging technology harvests the correct logon and account information for online accounts and delivers it to the cybercriminals. Its presence has been detected in 190 countries. Its many code variations make it difficult to detect routinely. Educating end users about the danger is a start, but education alone is not enough. In a highly publicized incident last October, the Director of the United States Federal Bureau of Investigation, Robert Mueller, admitted he is more vigilant now about banking online after almost falling for a sophisticated phishing scheme. If someone with Mueller's level of expertise and awareness can nearly be victimized, the average end user is clearly at risk despite efforts to alert and educate them...
Risk analysis engines and assessment processes for logons and account activities are becoming common at financial services firms. Their effectiveness can be improved by adding end-user participation. When analytical tools flag an "at risk" event, the proverbial "someone" must review the flagged activity. Such manual processes take time and are error prone. Automated telephone contact directed to the legitimate account owner, offering both the context of the event and approve/deny capability, defeats cybercriminals armed with correct account credentials.
For example, if correct banking credentials have been harvested by Zeus, a criminal can access the account, but to obtain funds must still transfer them to an account from which they can be withdrawn. The bank's risk engine, by rule, flags the addition of a new payee or routing number to the account. The legitimate owner receives a call vocalizing the context of the transaction: "If you are transferring £11,000 to an account ending in 7723…" The legitimate user, who is not banking at the time, is permitted to cancel the transaction and raise a fraud alert. Unlike studying log files, this real-time alert offers a big advantage to financial institutions. The certainty of knowing exactly when a fraudulent attempt occurred is very valuable. There is no concern that this was fat-fingering or an abandoned session. Immediate action, such as blocking the IP address and the routing number, can be taken.
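The flow just described (a new payee trips the risk rule, the owner hears the transaction context over the phone and approves or cancels, and a cancellation raises a fraud alert) as an added Python simulation. This is illustrative code written for this page, not Authentify's product; the rule, the message wording, the use of the phone number on file and the fail-closed handling of an unanswered call are assumptions of the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    APPROVED = "approved"      # owner pressed approve on the call
    DENIED = "denied"          # owner cancelled: treat as confirmed fraud
    NO_ANSWER = "no_answer"    # call not answered: fail closed, hold funds


@dataclass
class Account:
    owner_phone: str                      # number on file, never taken from the session
    known_payees: set = field(default_factory=set)
    fraud_alerts: list = field(default_factory=list)
    blocked_ips: set = field(default_factory=set)


@dataclass
class Transfer:
    amount: int
    currency: str
    payee_acct: str                       # full destination account number
    source_ip: str                        # client IP of the online session


def needs_oob_review(account: Account, t: Transfer) -> bool:
    """Risk rule from the article: a payee not previously used triggers review."""
    return t.payee_acct not in account.known_payees


def context_message(t: Transfer) -> str:
    """Spoken context: amount plus only the last four digits of the payee account."""
    return (f"If you are transferring {t.currency}{t.amount:,} to an account "
            f"ending in {t.payee_acct[-4:]}, press 1 to approve or 2 to cancel.")


def process_transfer(account: Account, t: Transfer, place_call) -> str:
    """place_call(phone, message) -> Decision stands in for the telephony channel."""
    if not needs_oob_review(account, t):
        return "executed"                  # low risk: no call needed
    decision = place_call(account.owner_phone, context_message(t))
    if decision is Decision.APPROVED:
        account.known_payees.add(t.payee_acct)   # payee now trusted for next time
        return "executed"
    if decision is Decision.DENIED:
        # Owner says this is not them: exact time of attempt is known, act now.
        account.fraud_alerts.append({"payee": t.payee_acct, "ip": t.source_ip})
        account.blocked_ips.add(t.source_ip)
        return "cancelled_fraud_alert"
    return "held"                          # no answer: do not release funds
```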
End users who have encountered phone-based authentication processes have reacted favorably, indicating that it is easier than answering questions to which they have forgotten the answers, and reminiscent of the "pre-Internet" days when it was not unusual to receive a telephone call about an oddity on an account.
For more information on Phone-based out-of-band authentication or OOBA, visit: www.authentify.com