Group to shed light on secure identity management threats

By Robert Westervelt, News Editor 27 Oct 2009 | SearchSecurity.com

Security UK News Digg This!     StumbleUpon     Del.icio.us

The consequences of failing to adequately address identity management issues could have a profound impact on digital forensics as law enforcement try to find ways to couple digital and physical identities and ultimately bring cybercriminals to justice. But identity management innovation is not keeping pace with the constantly changing threat landscape making the need for further research more critical than ever.

That is the message being driven by the Center for Applied Identity Management Research (CAIMR), a non-profit organization based in Washington D.C. that is helping government agencies, including the Secret Service shape law enforcement investigations, develop defenses and adjust policies outlining secure identity management. The organization is made up of the Secret Service, the Department of Defense, a collaboration of universities as well as private sector companies, including IBM, Symantec Corp. and Visa Inc.

"When we moved into the digital realm I don't think we were prepared for dealing with identity management," said Gary R. Gordon, executive director of CAIMR."It's been a process where we've had to catch up."

With 2009 marking a year of economic uncertainty resulting in staff layoffs and company mergers many enterprises are focusing on tried and true identity management and access control processes to identify insider threats and maintain continuity. But while businesses begin to understand the nature of insider threats, security professionals remain under constant pressure to address the rapidly evolving threat landscape that targets account credentials and places a high value on identities.

Gordon said he sees identity management evolving rapidly to meet the current threat landscape. CAIMR is creating a database of the current threats to identity management, creating threat scenarios to understand the capabilities that exist and help mitigate those threats. The organization is hosting a panel discussion on the subject this week at the CSI 2009 Annual Conference in Washington D.C. The organization is expanding on the areas it has identified, including cybersecurity as it relates to digital forensics and linking physical and digital identities, information protection to identify attack vectors and eliminate vulnerabilities, information sharing to focus on shared data sets to improve authentication and policy and privacy to better shape legislation.

The CAIMR Identity Dynamic Risk Assessment Project is creating a database of attack scenarios and possible targets so organizations can use analytical software to link threat scenarios with the current defense capabilities, Gordon said. The analysis will help the organization understand where the current gaps are for further research as well as help member organizations develop identity management solutions based on need and identify future threats. Law enforcement can use the analysis to speed investigations while the Department of Defense can create attack scenarios that specifically target identity management technologies to develop appropriate defenses.

"While there are various concerns and challenges that each of the entities have, there is a considerable amount of overlap as well, so everyone could benefit," Gordon said

One of the major challenges has been to categorize the threats. For example, identity theft threats, which have led to thousands of data breaches, can be mapped to various scenarios, such as phishing, malware and other attack vectors that hackers are using. Other threats plague the financial service industry, such as keeping tabs on potential insiders and the healthcare industry, which is struggling to protect patient identification in digital format.

"There's a lot to this landscape," Gordon said. "We need to have a much richer picture of what exists and then we'll be able to focus on the specific needs."

The data can also be used to better balance privacy with policy decisions. Gordon called privacy a key component to identity management. Legislators could call on the research to better understand the consequences and unintended consequences of what their trying to do, he said.

Tags: User Identities and Provisioning,  Secure User Authentication and Authorization,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT User Identities and Provisioning Microsoft's Charney details new botnet protection, IdM technology at RSA How to perform an Active Directory health check Windows management tips: How to backup and restore Active Directory Will physical security integrators work with IT departments? Tokenless two-factor authentication helps council with CoCo compliance Risk-based multifactor authentication implementation best practices Poor privileged account management practices leave security gap Content-aware IAM: Uniting user access and data rights Microsoft Windows 7 DirectAccess pros and cons Schneier-Ranum Face-off: Is perfect access control possible? Secure User Authentication and Authorization Preventing password fatigue with single sign-on (SSO) authentication Gridsure finds global deal for its pattern-based authentication Physical security threats: Don't gift your data away Using unique device identification for bank website security Yahoo login credentials at risk to hijacking attack Single sign-on system removes password chaos at East Kent NHS Trust Tokenless two-factor authentication helps council with CoCo compliance Risk-based multifactor authentication implementation best practices Chip and PIN adoption serves lesson for U.S. payment industry Poor privileged account management practices leave security gap

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Chip and PIN  (SearchSecurityUK.com) UK Identity Cards Act  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary