The consequences of failing to adequately address identity management issues could have a profound impact on digital forensics as law enforcement try to find ways to couple digital and physical identities and ultimately bring cybercriminals to justice. But identity management innovation is not keeping pace with the constantly changing threat landscape making the need for further research more critical than ever.
That is the message being driven by the Center for Applied Identity Management Research (CAIMR), a non-profit organization based in Washington D.C. that is helping government agencies, including the Secret Service shape law enforcement investigations, develop defenses and adjust policies outlining secure identity management. The organization is made up of the Secret Service, the Department of Defense, a collaboration of universities as well as private sector companies, including IBM, Symantec Corp. and Visa Inc.
"When we moved into the digital realm I don't think we were prepared for dealing with identity management," said Gary R. Gordon, executive director of CAIMR."It's been a process where we've had to catch up."
With 2009 marking a year of economic uncertainty resulting in staff layoffs and company mergers many enterprises are focusing on tried and true identity management and access control processes to identify insider threats and maintain continuity. But while businesses begin to understand the nature of insider threats, security professionals remain under constant pressure to address the rapidly evolving threat landscape that targets account credentials and places a high value on identities.
Identity management challenges:
Is Identity Management as a Service (IDaaS) a good idea? Identity Management as a Service (IDaaS) is new on the managed security service provider scene.
Comparing access control mechanisms and identity management techniques: In the IAM world, what's the difference between access control and identity management. This IAM expert response explains how the two relate and offers up some best practices for both.
Identity and access management 2009: Staff cuts, insider threats: Identity and access management in 2009 will be drastically different from 2008, most notably because staff reductions may result in a new crop of malicious attackers.
Gordon said he sees identity management evolving rapidly to meet the current threat landscape. CAIMR is creating a database of the current threats to identity management, creating threat scenarios to understand the capabilities that exist and help mitigate those threats. The organization is hosting a panel discussion on the subject this week at the CSI 2009 Annual Conference in Washington D.C. The organization is expanding on the areas it has identified, including cybersecurity as it relates to digital forensics and linking physical and digital identities, information protection to identify attack vectors and eliminate vulnerabilities, information sharing to focus on shared data sets to improve authentication and policy and privacy to better shape legislation.
The CAIMR Identity Dynamic Risk Assessment Project is creating a database of attack scenarios and possible targets so organizations can use analytical software to link threat scenarios with the current defense capabilities, Gordon said. The analysis will help the organization understand where the current gaps are for further research as well as help member organizations develop identity management solutions based on need and identify future threats. Law enforcement can use the analysis to speed investigations while the Department of Defense can create attack scenarios that specifically target identity management technologies to develop appropriate defenses.
"While there are various concerns and challenges that each of the entities have, there is a considerable amount of overlap as well, so everyone could benefit," Gordon said
One of the major challenges has been to categorize the threats. For example, identity theft threats, which have led to thousands of data breaches, can be mapped to various scenarios, such as phishing, malware and other attack vectors that hackers are using. Other threats plague the financial service industry, such as keeping tabs on potential insiders and the healthcare industry, which is struggling to protect patient identification in digital format.
"There's a lot to this landscape," Gordon said. "We need to have a much richer picture of what exists and then we'll be able to focus on the specific needs."
The data can also be used to better balance privacy with policy decisions. Gordon called privacy a key component to identity management. Legislators could call on the research to better understand the consequences and unintended consequences of what their trying to do, he said.