Monday, November 15, 2010

Gartner: Delivering IAM to Enterprise Customers and Partners

by Avivah Litan, Gartner – Live blogging from Gartner’s IAM conference in San Diego

What are some of the challenges and threats with managing external user identities? Well, the biggest problem is that there is no high-assurance identity information about external users in many countries. In the developed world we have passports and third-party data – like credit reports and history – but what about the less developed world? The fact of the matter is that there are more and more effective threats against user security, with new Web 2.0 attacks. As Avivah says, “just about everything can be broken”.

With respect to knowledge-based authentication (what school did you attend, what’s your mother’s name, who is your bank, etc.), Avivah presented a case study of 100 of these sessions at a bank in which only 49 passed. Of those 49, only 44 were legitimate – 5 were fraudsters! So despite all the efforts around knowledge-based authentication there was a 5% failure rate that let the fraudsters in. Scary stuff! “More fraudsters are more successfully answering those ‘secret’ questions!” Avivah also talked about the recent malware attacks on OTP credentials using a man-in-the-browser attack. I blogged about this back in July here.

Medical fraudsters have bilked Medicare for hundreds of millions of dollars over the last year, all by faking doctors’ registrations, creating fake clinics and buying stolen healthcare ID numbers. With all of that they were able to pull off this fraud. Again, a great example of tying identity and access management into business intelligence.

The best identification method is “browser mining” according to Avivah. This is a new technology that requires a log-in and catalogs dozens of variables about the user’s browser and device. However, a lot of tools that work with “fixed” machines like PCs don’t work in the mobile world – and we’re moving faster and faster to a mobile world, aren’t we? Part of the way to solve this is to use location information, but that means giving up some of our own privacy. As long as my bank is willing to refund any fraudulent activity I don’t really care enough to give up any privacy. It’ll be interesting to see how this all plays out.
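To make the “browser mining” idea concrete, here is an added illustration (not code from Gartner’s session, from Avivah, or from this blog) of how a login system might catalog browser and device attributes, compare them against the profile recorded at enrolment, and ask for a second factor when the session deviates too far. The attribute names, weights, threshold and sample profiles are all invented for the example; a real product would catalog far more variables. It also shows one way to cope with the mobile problem the talk raises: attributes that churn constantly on a handset are simply excluded from the score.

```python
"""
Constructed example of a "browser mining" risk check for login sessions.
Attribute names, weights and the step-up threshold are assumptions chosen
for illustration, not values from any vendor or from the Gartner talk.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Weight added to the risk score when an attribute differs from the
# enrolled profile (assumed values).
WEIGHTS: Dict[str, float] = {
    "user_agent": 0.35,
    "screen": 0.20,
    "timezone": 0.15,
    "language": 0.10,
    "plugins": 0.20,
    "geo_country": 0.30,
}

# On handheld devices screen geometry and IP-derived country change so
# often that they are noise rather than signal, so they are skipped.
MOBILE_IGNORED = {"screen", "geo_country"}

STEP_UP_THRESHOLD = 0.45  # above this the session must present a second factor


@dataclass
class Profile:
    """Attributes the client reported, plus whether it is a mobile device."""
    attrs: Dict[str, object]
    mobile: bool = False


def compare(enrolled: Profile, observed: Profile) -> Tuple[float, List[str]]:
    """Return (risk score clamped to [0, 1], attributes that differ)."""
    ignored = MOBILE_IGNORED if (enrolled.mobile or observed.mobile) else set()
    score = 0.0
    differing: List[str] = []
    for key, weight in WEIGHTS.items():
        if key in ignored:
            continue
        if enrolled.attrs.get(key) != observed.attrs.get(key):
            score += weight
            differing.append(key)
    return min(score, 1.0), differing


def decide(enrolled: Profile, observed: Profile) -> str:
    """'allow' when the session looks like the enrolled device, else 'step_up'."""
    score, _ = compare(enrolled, observed)
    return "step_up" if score > STEP_UP_THRESHOLD else "allow"


# Constructed sample profiles (not real users or devices).
ENROLLED_DESKTOP = Profile({
    "user_agent": "DesktopBrowser/1.0",
    "screen": "1920x1080",
    "timezone": "America/Los_Angeles",
    "language": "en-US",
    "plugins": ("pdf", "flash"),
    "geo_country": "US",
})

# Same person, same machine: identical attributes.
SAME_DESKTOP = Profile(dict(ENROLLED_DESKTOP.attrs))

# Different browser build and a login from another country.
SUSPICIOUS_DESKTOP = Profile(dict(ENROLLED_DESKTOP.attrs,
                                  user_agent="OtherBrowser/9.9",
                                  geo_country="RO"))

# A phone: screen and country differ, but those are ignored for mobile.
ENROLLED_PHONE = Profile(dict(ENROLLED_DESKTOP.attrs,
                              user_agent="PhoneBrowser/2.0",
                              screen="412x915"), mobile=True)
ROAMING_PHONE = Profile(dict(ENROLLED_PHONE.attrs,
                             screen="915x412", geo_country="CA"), mobile=True)


def demo() -> Dict[str, str]:
    """Run the three sample sessions and return the decision for each."""
    return {
        "same_desktop": decide(ENROLLED_DESKTOP, SAME_DESKTOP),
        "suspicious_desktop": decide(ENROLLED_DESKTOP, SUSPICIOUS_DESKTOP),
        "roaming_phone": decide(ENROLLED_PHONE, ROAMING_PHONE),
    }


if __name__ == "__main__":
    for session, outcome in demo().items():
        print(f"{session}: {outcome}")
```

The design choice worth noting is that the score is additive and capped, so a single changed attribute (a browser upgrade, say) never triggers step-up on its own, while two or three simultaneous changes do. Which attributes to ignore on mobile, and how to weight the rest, is exactly the tuning problem the talk alludes to.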

Trust, but verify!
