Evolution of ID, Access ManagementRSA CTO Offers Advice on Overcoming IAM Complexity
The big change to ID and access management over the last few years has been its growing complexity, owing to the evolution of the cloud and mobility. RSA's Sam Curry offers advice on overcoming the challenges.
Curry, chief technology officer for RSA, the security division of EMC, sees security control being because of organizations embracing cloud computing and mobile devices.
"You went from owning both where your apps and data were stored and how people accessed it to owning nothing and having to at a distance apply IT policies and by default security policies as well," he says in an interview with Information Security Media Group's Tom Field [transcript below].
And with the increase in end-points and data leaving an organization's immediate control comes the desire from criminals to get to the data, Curry explains.
In facing this IAM hurdle, security professionals need to stay current. Their new role has split into two - one part focusing on risk management and the business, and the other continuing to hone the technical skills needed. "You sort of [need] to have two broad skill sets in order for you to be able to do all of it," Curry says.
In an exclusive interview about IAM, Curry discusses:
- The role of IAM in today's extended enterprise;
- Why some security pros are ill-prepared for IAM challenges;
- Emerging technologies and solutions being deployed now.
Curry is Chief Technology Officer, Identity and Data Protection business unit and Chief Technologist for RSA, The Security Division of EMC. He has more than 18 years of experience in security product management and development, marketing, engineering, quality assurance, customer support and sales. Curry has also been a cryptographer and researcher and is a regular contributor to a number or journals and periodicals. Prior to his current role, he was CTO, Marketing and Vice President of Product Management where he led the strategic direction for all RSA solutions. Prior to joining RSA, Curry was Vice President of Product Management and Marketing for a broad information security management portfolio at CA.
TOM FIELD: You and I have had the opportunity to sit down a number of times over the past few years. But for those who don't know you, tell us a little bit about yourself and your role at RSA, please.
SAM CURRY: I'm chief technology officer, or CTO. My role is specifically around the identity and data protection products within RSA. We have a wide portfolio of products, but you can think of it as anything that helps to bring a great degree of trust or certainty to identities or to data, and to the connection between them.
Changes to ID, Access Management
FIELD: To start off, let's baseline a little bit and talk about the concept of identity and access management. How different is it today than it was even five years ago?
CURRY: That's a very good question. I think if you were to go back and look at this in the early days, it's all about connecting people with data. It's all about making sure the right people can do the right transactions at the right time. That availability is there as part of the mandate and it was a difficult task at the best of times. The number of systems that have to be connected, the types of infrastructure and the gradual anonymization of traffic made this a real challenge, but I think right around seven or eight years ago you saw a consolidation of the industry.
I think the biggest change in the last five years has been three-fold. First [is] an increase in complexity. There are more things to connect, more people to connect with more data than ever before. It's an end-to-end situation. The second is that the role of the CIO and therefore the technology folks under security has changed. They've gone from being the custodians of IT to being brokers of IT almost. On the one hand, you've got the all-things cloud. You've got the infrastructure moving out of the control.
Then the final thing is now the devices are moving out of their control as well. You went from owning both where your apps and data were stored and how people accessed it to owning nothing and having to at a distance apply IT policies and by default security policies as well. So three things - complexity, cloud, mobile.
Desirability of Data
FIELD: One of the things that strikes me is the desirability. It's not just the accessibility of data that's key today, but the desirability because we find so many organizations losing data that's of a competitive advantage.
CURRY: There are a few dimensions of that and it's an absolutely fascinating point. The first is that it's desirable for us to have data connected in as direct and quick a manner as possible. If you think of children learning to write, you see their little faces scrunched up and their hands going white as they grasp with pens and hopefully we can write without thinking about the pen at this point. You see people hunting and pecking for keys on keyboards. It's really hard at five words a minute to write a report, but if you are an adult and you've been typing your whole life you don't even think about the keyboard. You have to make the infrastructure and the tools at our disposable invisible so that you can satisfy that desire for the data.
We live in a richer world because our personal and corporate data can be connected in many, many more ways. Data is fluid many more ways than it ever could before. But it's also attractive in a desirability way to the bad guys. But there's an attractiveness and frankly there's far less risk and far greater ease to reach more victims in more ways then ever before by going and taking your criminal behavior online. It's easier to hack. You can get more victims. There's less risk and frankly you can make more money. It's incredibly attractive to them. Data in so many ways is the goal on the good side and the bad side. It's the sort of golden reward if you will. That desirability is what this is all about.
Role of IAM
FIELD: Given the stakes, what do you see as the role of IAM in today's extended enterprise as you've described it?
CURRY: I think the role of IAM is the same. The tools with which we do it are radically different. The skills that we bring to bear as practitioners are very different and the functionality of the tools that let us determine the policy around who can connect to what how and when is very different than it has ever been before. So it's sort of like the mission has stayed the same, I would imagine much like in the military. The mission used to be "defend the kingdom." The mission is still that way now in the 21st century, "Defend the country," for the military but the tools with which we do it and the places we do it are radically different. It's perhaps a poor analogy but it's the same thing online.
Frankly, the sorts of generations for technology are so much faster online. It's interesting, you said, "How has it changed in the last five years?" In the physical world we were talking about changes taking place over ten times that number of years, and frankly the generations are getting even shorter. So I would define the IAM practice for companies not by what tools they use today, but how that mission is kept current given the changing landscape as it goes forward.
Challenges for IAM Professionals
FIELD: In terms of careers, what do you see as the biggest identity and access management challenges for security professionals, whether they're in the field today or coming into the field?
CURRY: I think the biggest challenge is to figure out how you're going to do this to a heterogeneous number of computing stacks. It's quite simple to come in the old days; and I shouldn't trivialize it - it was never simple. It was always a complex problem, but it's fairly straight-forward to say I will come and we'll create a directory. We'll do some form of provisioning. We'll do some password management and then think about enforcement and access management. We might do some entitlement stuff. We'll think about how to federate other environments and when we finally wrap our arms around that, you'll be in a good state.
Well now you have to come in and say it's not just for your infrastructure. It's for your virtualized infrastructure and then it might be your partner's external virtualized infrastructure you have to somehow be able to extend to with adverse capacity. And by the way, some of your stuff is running up in the cloud with the likes of Amazon, Azure or Google Apps and you've got to find a way to bridge all of these with a consistent set of tools for doing governance, how you get your policy out there on how it all behaves, and then you've got to read it in and you better do it in a way that you can report on and do metrics on and show improvements. That's a big task and then you throw in the complexity of anybody from anywhere on any device coming in. That's really tough.
I think the challenges are staying current. And the further challenge for security folks in general is that the career is splitting in some ways. It's bifurcating. Part of it is going up the stack and becoming more about risk management and more business. The other half has to become much more technical in more fields. There's a convergence of what we call admin functions - network admins, security admins, virtual admins, storage admins. You sort of [need] to have two broad skills set in order for you to be able to do all of it. Really picking your path among that, where you want your career to go and how you add value doesn't mean just going up in the organization or aiming for the C-suite. There may be a really good and rewarding career, but pick your path carefully.
Unprepared to Face Today's Challenges
FIELD: What you just described to me, it sounds like what we need is a technologist, someone with good business skills and maybe some consulting skills as well, just to work with this diverse workplace. It strikes me that today's professionals might be ill-prepared to tackle some of these challenges. What's your take on that?
CURRY: Very much so. I think a lot of them can do some of this and a lot of them feel pressure to learn skill sets that they're not all that comfortable with. You don't have to be the best at all of it. You do however have to know how to identify who else is good and potentially complimentary not just from a skill perspective but also personality perspective to work with. I think it's much more about effective teams and how you move together and how you build an "A" team and how you plug into a team to be an "A" team that's critical. You can get the best people in the world for each function and still not work well as a team.
[It's] that ability to have both the career path through all these different options and to find others who will go with you and you can work with. It's strange. You tend to see the same people in your careers as you go around, either because we're limited in geography or in our verticals, but nevertheless it's important to know how to work very well with others. Your lateral relationships - if I can be so bold as to offer advice - will probably be the most important. Figure out what you're good at and ... identify somebody who's complimentary in a bigger picture if you're an individual contributor and if you have aspirations to management. Figure out how to hire better than yourself and how to build an "A" team rather than just a bunch of "A" players.
FIELD: Let's talk about some technologies. What do you see as some of the emerging technologies and solutions that really can enhance an enterprise's identity and access management?
CURRY: I'm seeing an awful lot around virtual directories as one, so the ability to federate a lot of different identity stores. I'm seeing an awful lot come up in standards that are very important for us to drive, and I think all things cloud. We have yet to see the emergence of the next generation of IAM technology. I'm certainly pushing for it within RSA, but as an industry we have yet to see the emergence of a new, truly ubiquitous identity and identity platform, and to be able to make those things work together regardless and work with the old as well as in this brave new world we're seeing. I call them the brave new stacks. I think a lot of that has to bridge the old and the new.
You'll often hear people talk about the cloud, and by the way the term itself doesn't mean much without an adjective, but I think the critical thing here is we're all going to live in hybrid environments. We're all going to live with legacy and these brave new stacks at the same time. We have to find a way to embrace it and we have to find a way to take in stride new changes in technology because I know Moore's Law and Metcalfe's Law and even Gilder's who was disproved, all these things are going to increase in complexity, increase in speed, and increase in capacity, and people will find new ways of connecting data. We have to make sure that data follows the right pathways regardless of where it heads.
FIELD: Let's talk about some of RSA's customers. What are they doing to improve their approach to identity and access management?
CURRY: A lot of them are questing for that next big leap, and [in] my function as CTO I'm often asked to sit down and say, "How do I get to the next generation of technology?" And where we are pushing is thinking about it in terms of intelligence-driven, and by intelligence I mean several different types of intelligence, both the literal context that you bring in features. Don't think of it as features, but think of it as feeds around how someone's trying to connect. What's around them? Where are they physically? What have they done before? What devices have they been on before? And to not think in terms of binary, "Do I trust you or not?" It's to what degree do I trust you to do the thing that you're doing. So moving away from things like episodic or periodic authentication to continual authentication, this notion of situational awareness, that's where we're driving a lot of our products.
But frankly, it's going to depend on us being able to work with a lot of third parties, everything from the handset providers to telcos to new platform providers, new applications, being able to instrument the right things in the right way with respect for privacy to give you the right how much do you trust someone in this instance to access a certain type of information, very contextual, and to be able to then revoke that when it needs to be revoked and secured for that person.
Responding to Today's Challenges
FIELD: We've talked about a lot today. If you were to boil it down, what advice would you give to organizations and how they can better understand and respond to today's identity and access management challenges?
CURRY: I think the best advice I can give is that you'll hear an awful lot about a lot of hype. There will be a lot of fashions that come and go. There's probably hype cycles galore out there. Really sit down and have a dialogue with the business. Improve the way that you talk to the business. Make sure that the C-suite understands what you're trying to do and how it can serve the business, and then evaluate all of those fashionable things and ask yourself, "Do we really need this?" If so, push for it. Make sure it's strategic and go for it. If not, it probably should be on the backburner. Focus on a few big things that are going to enable you to get the identity management out of the way, the access management out of the way. In fact, think about it as trying to create a platform that's completely transparent to the business, and yet its value is perceived by the business. [The] number one thing is get that dialogue going and focus on what matters. Ignore the noise.