David Dore at the EIC conference.
Hi, thank you very much for having me here. Do you hear me?
Yes, we hear you, David. So I just welcomed you together with our audience, offline and online. I'm very excited to hear about your rigorous concept and how we can improve IAM with it. So let's have a look at the next 20 minutes and find out how we can do that.
Great, thank you very much. So let's get rolling, because we only have 20 minutes. Good. I would like everyone in the audience to imagine that you get a new job: you will start in a new organization, and you will be the IAM manager.
And so the first thing that you will do in this new organization, where you have just started your IAM manager job, is of course to make an assessment, to try to understand where you are. And once you've completed this assessment, you will have a conversation with top management. As part of this conversation, you will co-develop a vision for IAM, and you will co-develop a strategy as well. This will be the organization's IAM strategy. And let's imagine that now you've just completed that meeting with top management.
You have this clear strategy, and what you know is that your performance will be measured as the degree to which you execute that strategy. You will deliver this vision of IAM for your organization. Good. So the question I ask is: what will be the building blocks of your success in executing your strategy?
And obviously one of the first building blocks will be technology. Why? Because IAM is full of technology.
We need systems all over the place to run IAM and to manage IAM, and we are lucky because we are working in an industry where we have plenty of vendors putting great products and services on the market, providing technology exactly to help you execute your IAM strategy, with a lot of innovation. So this will of course be a great lever for you to execute your strategy. But there is a more fundamental building block for you to successfully execute your IAM strategy, and this is process, or the complex processes of IAM.
And we know that for more than 20 years now, this has been extremely well documented: IAM is first of all a process, rather than a product or a technology. And these are complex, transversal processes that go through the overall organization.
So you need to get those processes right, because without the right processes, even all the technology in the world will get you nowhere. But there is an even more fundamental building block than process, and that is people, because of course, who will design, execute, manage and supervise your processes?
These are people. Your stakeholders, who will provide you sponsorship, your top management: these are people. So you need people to implement those processes, run these technologies and finally deliver your strategy. But there is an even more fundamental building block than people, and this is communication. Why is that? Because if you need support from these people, you need to communicate with them, to transmit your IAM strategy to them, to let them know what the vision is.
And if you don't have that strong communication plan, well, we know for a fact that people will all go in different directions and you will not execute your strategy.
So your communication plan will, of course, be one of the most fundamental building blocks of executing your strategy.
But then, and I will complete this list here, there is perhaps an even more fundamental building block, which is the bricks and pieces of communication itself. And these are concepts and words, because if your communication is not accurate, people will not understand you. There will be misunderstandings: you will think that you mean something, but they hear something else and they don't understand what you are saying. So it is extremely important for us as IAM managers to convey communication on IAM with accurate concepts and terms.
And this fundamental idea was the original idea that initiated the Open Measure dictionary. This is an online dictionary of IAM terms for IAM professionals.
So the underlying idea here, of course, is that if we have these accurate definitions for the terms that we use in our industry, then we will be in a better posture to have great communication plans with our stakeholders, get ourselves understood and transmit our vision of what we're aiming to accomplish within the organization. Okay.
So what I'm going to do now, in the second part of this short presentation, is just show you a few definitions of key IAM terms. I just picked a few samples from the dictionary, but please note that the dictionary is not complete. It is a crowd from the IAM community that develops the dictionary. And in fact, there are literally thousands of terms that need to be properly defined out of computer science references. So this is enormous work, and this is of course only a small sample that I will present to you here.
And because dictionaries are often perceived as boring,
I will use a tool here to make those definitions more vivid and entertaining. This tool is called a conceptual diagram, and it is just a way to visualize the key components of a concept visually, like on a map. Here we have an example with the concept of an account takeover. An account takeover, as an IAM manager, is of course something that you are fighting against.
These are the things that you don't want to happen in your organization. What is an account takeover? Well, it is part of a larger class that we call identity theft. There are multiple varieties or flavors of identity theft, and account takeover is one of those. In most countries, account takeovers are illegal. To have an account takeover, we need a perpetrator and a victim.
The victim owns the digital identity, and the perpetrator will simply take control of that identity without being authorized to do so.
His motivations may be financial, to cause reputational harm, or others. So this is a very simple concept that was depicted here, but now let's dig into a more complex IAM concept. Let's consider, for example, what an orphan account is. Well, this is linked of course to account takeover. An orphan account,
well, it is a digital identity. As we can see at the top here, in a normal situation, we should have an account and an entity, a subject, which would maybe be a person who has active and legitimate ownership of that identity. And as soon as this is no longer true, as soon as the entity no longer has active and legitimate ownership of that digital identity, then we have an orphan account, and this is an operational risk. More precisely, it is a security risk for organizations.
And we will see now why, in some organizations, this may also be a compliance risk. Orphan accounts are found in all domains of IAM. Don't think of orphan accounts for your workforce IAM only; this goes far beyond that. Of course it touches your customer IAM, but it will of course be present in technical access management or privileged access management as well.
There are many causes that will produce orphan accounts in your information system.
People often think of orphan accounts as those accounts that we forget to delete or deactivate when an employee leaves the company. That's right, this is one possible case, but there are many others. For example, you may have orphan accounts that pop up during onboarding, when people join the organization. For instance, when you have your joiner process, new employees come into the organization, and sometimes, and this will not happen very often, this is a rare case, but sometimes the process will go wrong, and the person that you newly hired will just not show up.
The person may just have quickly seized another opportunity, or may have had an accident, or whatever. And then you end up with an account here that was half configured. The process goes wrong.
The process actors don't know how to manage a process that goes wrong, and then they leave an account there that is just not finalized, perhaps half configured, but it is an orphan account. And what are the potential consequences of these orphan accounts?
Well, of course, they lead to account takeover. They are the low-hanging fruits of hackers and fraudsters. And so for this, they are like a minefield hidden under the surface if you don't manage them properly. This is where you have your operational risk, and there are of course multiple ways to mitigate orphan accounts in the information system.
One of the approaches, of course, to manage orphan accounts is to go for automation, because orphan accounts are extremely difficult to manage manually. So you want to automate the discovery of orphan accounts.
Let's now look at another concept: the password spraying attack. This is also the nightmare of the IAM manager. A password spraying attack, what is it? It is an attack technique of the subclass of brute force attacks. It is quite clever. The goal of a password spraying attack is to avoid those account lockout mechanisms that you have set up in your system to protect your identities. Typically you have these policies where, after three or five authentication attempts with a password, the account is locked, or locked for a lapse of time.
And there are many flavors of this account lockout mechanism. Here, the idea for the threat actor is to build a database of probable passwords.
They will use common passwords, 1, 2, 3, 4, 5, 6 and so on, but also build passwords from public information that will be captured that is related to the user population being targeted by the attack. And here the whole idea is to target a very large population of users, because among all these users there will be a few passwords here and there that will be weak.
With the password spraying attack, you don't care about failing the first hundred thousand authentication attempts. The only thing that you're looking for is a few weak passwords within the overall system, and then to be able to penetrate the system. So they use a clever rotation scheme with all these passwords, and they spray these passwords, trying to authenticate with them. Password spraying attacks may be used at various stages of the attack. They may be used for initial exploitation, to enter the organization, or also for lateral movement,
once you are in the organization and you want to get hold of other assets within the organization. And of course there are very well known countermeasures for password spraying attacks, one of which, obviously, is multifactor authentication. And passwordless authentication.
Let's now have a look at a completely different concept in IAM, which you often hear in the news when you read about the insider threat. To understand the insider threat, one of the first things to ask ourselves is just: what is an insider? And basically an insider is just a person or an entity.
And the particularity of the insider is that it poses a threat to the organization because it has the capability to damage the organization. Why is that? Because the insider has special knowledge of the organization, has the trust of the organization, and perhaps has some special capabilities that he may use within the organization.
But here we need to perceive the organization as the extended organization. We must envision the organization as this larger organization that comprises contractors in addition to employees, but also business partners, vendors, suppliers, board members, auditors, whatever. And this larger organization is what is at stake here. Insiders are usually categorized into two different subcategories: unprivileged insiders and privileged insiders.
And of course, one of the nightmares of any CIO or IAM manager is a bad privileged insider.
Now that we understand what an insider is, we may understand a related concept, which is the concept of privilege abuse. And this is something that is absolutely fundamental to identity and access management.
Of course, a privilege abuse is a kind of insider threat that is part of this larger class of cyber threats. It basically consists in an abusive usage of effective access permissions. So when we consider a privilege abuse, we are talking about someone who is using access permissions that were granted to him; they do not need to hack the system to gain these permissions, because they just have these permissions. And what is funny, well, it is more sad than funny, but interesting or curious about privilege abuse, is that very often
it is used for fun and curiosity by insiders, in a large number of events. But of course, another motivation for privilege abuse is financial gain.
And there may be other motivations as well. What characterizes a privilege abuse is that it is intentional. It is not an accident, and this distinguishes privilege abuse from other kinds of security incidents that we may have based on accidents. We have two subclasses of privilege abuse: excessive privilege abuse and legitimate privilege abuse. Legitimate privilege abuse is when the user only has those privileges that were required for his job, so the need-to-know or least privilege principle was followed. And excessive privilege
abuse is when too many access permissions were granted to the insider. This is a very important distinction, because when you have excessive privilege abuse, it means that you failed by not complying with the least privilege principle. So you have a responsibility: it is not only the insider who took these steps and crossed the red line, but it is also you, as an IAM manager or CISO, who failed to ensure that people have just the right privileges for their jobs.
And there are, of course, multiple countermeasures against privilege abuse.
Here we may consider another... oops, I see that time is going by very quickly, faster than I anticipated. So I think you got the point here.
My main point was to say that we need a clean way to accurately transmit information about those key concepts that we are working with within identity and access management, and having accurate definitions for the terms we use may help us understand and better analyze our environment, and develop great communication plans to transmit this information to our colleagues and stakeholders. Excuse me, am I past time now, or do we still have a few minutes to go through a few more concepts?
So David, how many slides do you have left?
Okay. So I can wrap up.
So yeah, that would be my question, too. If you could make a short wrap-up: what's the main takeaway from your presentation for the audience?
Very good. So basically the main takeaway is that we are looking for contributors to help us build this great dictionary that we deserve as IAM professionals. And I think that if we all put a little bit of effort into contributing to this work, then we may build a great dictionary that will help us sustain our communication plans within IAM, and it will benefit the overall community. Of course, I am available if there are any questions.