Everything is famously code-integrated today—cars are computers with wheels, appliances have Internet access, smart doors and houses are controlled from mobile phone apps, etc. With all this code around, security is more of a challenge than ever. A central pillar of security is identity and access management (IAM): the technology that protects logins and controls access. IAM, too, is becoming code so that it can work with all the other code. Libraries for developers are essential, including identity controls in mobile and Web applications for initial sign-on, single sign-on, federated sign-on, biometric authentication systems, and sensitive-data access control. To maintain security across devices, IAM code must be wherever it is needed, when it is needed, and automated, just like any other code. The better we do this, the better safeguarded we all are with our ubiquitous computers.
3. Key business use cases for Identity and Access Management (IAM)
● Enable access management for employee identities (B2E).
● Onboard partners and 3rd parties, and securely give them access to company resources by introducing minimal changes to the current system (B2B).
● Improve the digital user experience of customers by streamlining operations with respect to identity and access management (B2C).
● Enable a 360-degree view of customer identity data to assist company leadership in making informed decisions.
● Secure API access for both internally facing and externally facing APIs, including cloud and IoT.
4. Key challenges related to IAM adoption
● Developers are under pressure to produce
⦿ Security considerations can conflict with time to market
⦿ Security reviews and approvals take time and consume effort
● IAM is not something you can add in at the last minute
⦿ Need to have a design, plan, policy & standards selection
⦿ It’s like UX - the login experience has to be identified before its construction
● And it can actually be worse with automation
⦿ Security automation can be hard to fix
⦿ Scanning tool selection & deployment requires specific ops skills
5. Meeting the challenges means getting the code right
● Provide security as code, keep developer focus in their IDEs
⦿ This helps developers bake security into their code & automation
⦿ Organizations can customize SDKs and libraries for standard processes & policies
● Policies expressed as code streamline the security review & approval process
⦿ Security reviewers can check the code version & fingerprint
⦿ Preferably through automated scan results
● Developer skills are in high demand
⦿ Offer low code abstractions to improve productivity
⦿ Embed IAM knowledge in the code
⦿ Config and customize with GUIs
● Link apps to cloud services to ensure IAM keeps pace with innovation
6. Considerations for cloud native infrastructure*
● Clouds were designed to maximize sharing (e.g. for online shopping) and for Web and mobile apps
⦿ Strong IAM is key to customer satisfaction and avoiding “over privilege” incidents
● Clouds have different “perimeter security” principles defined by:
⦿ Resource permissions and policies – by design allow internet access
⦿ IAM systems – by design allow internet access
⦿ Network constraints - can be bypassed by shared resources
● Misconfigured policies/permissions may allow direct external access to company resources (regardless of network and IAM)
● Security teams cannot prevent these misconfigurations (since they can be made at the app level)
* See “Banking on the Cloud”, Newcomer, Ivaturi, Schulman, HPTS 2019
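An added example, not from the deck, of turning the point above into a pre-deploy check: resource policies reach the internet by design, so the gate reports every Allow statement an anonymous principal can use without a source restriction, for the reviewer to approve or reject. It assumes an AWS-style policy document (JSON with Statement, Effect, Principal, Condition); the sample policy is constructed.

```javascript
// Added example, not from the deck. Assumed input: an AWS-style resource policy
// document (Statement / Effect / Principal / Condition). Flags Allow statements
// that anyone on the internet can exercise. The sample policy is constructed.

// Principal forms that mean "anyone": "*" or {"AWS": "*"} (possibly in a list).
function isAnonymousPrincipal(principal) {
  if (principal === "*") return true;
  if (principal && typeof principal === "object") {
    const aws = principal.AWS;
    return aws === "*" || (Array.isArray(aws) && aws.includes("*"));
  }
  return false;
}

// Condition keys that pin the request source; a wildcard principal behind one of
// these is reachable only from the named VPC, endpoint, IP range or organization.
const SOURCE_KEYS = ["aws:SourceVpc", "aws:SourceVpce", "aws:SourceIp", "aws:PrincipalOrgID"];

function hasSourceRestriction(condition) {
  if (!condition) return false;
  return Object.values(condition).some((keys) =>
    Object.keys(keys || {}).some((k) => SOURCE_KEYS.includes(k)));
}

// Report every Allow statement an anonymous principal can use without a source
// restriction. Intended-public statements are reported too: the reviewer approves
// them explicitly instead of discovering them during an incident.
function findPublicStatements(policy) {
  const statements = [].concat(policy.Statement || []); // one object or a list
  const findings = [];
  statements.forEach((s, i) => {
    if (s.Effect !== "Allow") return;
    if (!isAnonymousPrincipal(s.Principal)) return;
    if (hasSourceRestriction(s.Condition)) return;
    findings.push({ sid: s.Sid || `Statement[${i}]`, action: s.Action, resource: s.Resource });
  });
  return findings;
}

// Constructed sample: a public-read bucket (intended), a VPC-only statement
// (wildcard principal but source-restricted) and an accidental public write.
const SAMPLE_POLICY = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "PublicRead", Effect: "Allow", Principal: "*", Action: "s3:GetObject", Resource: "arn:aws:s3:::example-site/*" },
    { Sid: "VpcOnly", Effect: "Allow", Principal: { AWS: "*" }, Action: "s3:*", Resource: "arn:aws:s3:::internal-data/*",
      Condition: { StringEquals: { "aws:SourceVpc": "vpc-EXAMPLE" } } },
    { Sid: "OopsWrite", Effect: "Allow", Principal: { AWS: "*" }, Action: "s3:PutObject", Resource: "arn:aws:s3:::example-site/*" },
  ],
};
```

Run as a pipeline step, a non-empty result should fail the build until a reviewer has signed off on each reported Sid.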
7. How “Security as code” or “shift left” help
● Implement strong authentication policies (e.g. FIDO MFA) in code
⦿ Use config GUIs to configure desired authenticators and generate SDK
⦿ Pipeline builds include the IAM policies and auto test
⦿ Self registration to reduce admin overhead
● Auto detect and replace open source vulnerabilities
⦿ E.g. replace http-proxy versions prior to 1.18.1 to prevent a possible DoS attack
⦿ Pipeline scan open source libraries for known issues and apply updates
● Detect and remediate crypto vulnerabilities in code
⦿ E.g. an issue in the AWS Crypto SDK for GoLang prior to V2 allows changing AES-GCM to AES-CTR and revealing authentication keys
● Configure CI/CD pipelines to include Docker scanning, etc
⦿ Containers are immutable and cannot be patched
⦿ Put in the time to ensure the containers are secure
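An added example, not from the deck, of the "pipeline scan open source libraries" step above: a gate that reads an npm package-lock.json and blocks the build when a dependency is below the minimum version held in a policy-as-code map. The http-proxy threshold is the one the slide cites; the lock-file content is constructed.

```javascript
// Added example, not from the deck: a CI gate over npm package-lock.json driven by
// a policy-as-code version map. The lock-file below is constructed sample data.

// Minimum safe versions, kept in source so reviewers can diff and fingerprint it.
const MIN_VERSIONS = {
  "http-proxy": "1.18.1", // earlier releases: possible DoS (slide 7)
};

// Compare dotted numeric versions; returns -1, 0 or 1. A pre-release suffix such
// as "-beta" is dropped, so "1.18.1-beta" is treated as 1.18.1 (a full semver
// library would rank it lower; this keeps the gate self-contained).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile v2/v3 "packages" map. Keys look like "node_modules/http-proxy"
// or, for nested copies, "node_modules/gateway/node_modules/http-proxy", so the
// package name is the text after the last "node_modules/". One finding per hit.
function checkLockfile(lock, policy = MIN_VERSIONS) {
  const violations = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!name || !Object.prototype.hasOwnProperty.call(policy, name) || !meta.version) continue;
    if (compareVersions(meta.version, policy[name]) < 0) {
      violations.push({ path, name, found: meta.version, required: policy[name] });
    }
  }
  return violations;
}

// Exit status for the CI step: non-zero stops the pipeline before deploy.
function gateExitCode(lock) {
  const v = checkLockfile(lock);
  v.forEach((x) => console.error(`BLOCK ${x.path}: ${x.found} < ${x.required}`));
  return v.length ? 1 : 0;
}

// Constructed sample: one vulnerable direct copy, one nested copy already at the
// required version, and an unrelated package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "shop-web", version: "1.0.0" },
    "node_modules/http-proxy": { version: "1.17.0" },
    "node_modules/gateway/node_modules/http-proxy": { version: "1.18.1" },
    "node_modules/express": { version: "4.18.2" },
  },
};
```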
8. Developer-focused Identity and Access Management (IAM)
Every service, API, device and person has a managed identity
● Digital identity is a critical part of digital business
● “Everything is code” - cars, phones, appliances, homes...
The digital identity developer is becoming more prominent than the administrator
● Customer IAM needs to integrate with multiple systems (CRM, CDM, CMS, Marketing Automation, etc.)
● Application developers lack IAM specialization
Organizations need an agile, event-driven customer IAM platform that can flex to meet both new business opportunities and new challenges.
● Across multiple environments, multi-cloud, on prem, hybrid
9. CIAM developer requirements
● Accelerating digital transformation initiatives requires an identity-centric approach
⦿ Leverage cloud based technologies for rapid deployment of critical apps
⦿ Rapidly pivot to new business paradigms as market conditions change
● Global privacy requirements can damage the brand or lead to fines
⦿ Customers/users want a degree of control over how their data is collected, stored and managed
● Scarcity of IAM-specialized developers
⦿ Connecting disparate IAM systems to get a unified view of customers/users can be challenging, time consuming and costly
⦿ Business requirements change frequently and it becomes costly and time consuming to continuously implement changes
10. How CIAM as code helps
Take the complexity out of managing user access and enable building secure and frictionless customer experiences in minutes
● Provide libraries and SDKs for developers to include in their application projects early on
● Include code in CI/CD pipeline auto builds and testing stages
● Ensure security team reviews are more likely to be ‘check the box’ activities than finding issues
● Reduce time to market by providing needed code - developers don’t have to search for it