Transvasive Security

the human factor

CyberSecureGov 2016: Practical Identity and Access Management

Earlier this year, I spoke at CyberSecureGov 2016, after my proposed talk based on the two years I spent working on large government projects was accepted. Identity & Access Management has always been an interest of mine, ever since my days supporting a security administration team, and I learned quite a bit by working on projects setting up single sign-on for the public.

From the Abstract:

Building Identity & Access Management solutions can be difficult. This presentation reviews lessons learned from designing and building IAM solutions in multiple states, focusing on the unique challenges of IAM in government, which must serve the needs of three separate groups: the public, government agencies, and NGOs. Lessons drawn from real-world experiences will demonstrate what works, what doesn’t, and how to fix things when they go wrong.

Following the flow of a typical user’s experience, the presentation will cover the successes and failures of designing an IAM solution: getting a user ID, logging in to the system, matching “me” as a public user to “my data,” and getting access to the system. Along the way, we will explore lessons about how design choices for each step can impact that experience.

Also covered are designs that were not implemented, sharing the vision of how automated user-driven access requests, changes, and reviews can both improve user experience and lower costs.

The key lesson for me was to understand that there are three key aspects of enrolling users in a public website that should be handled separately: provisioning a user ID, identity matching, and identity proofing. Making these separate processes solves many potential problems and provides a better user experience.
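To make the separation concrete, here is a small model of that enrollment flow. It is an added example written for this page, not code from the talk or the slides: the record layout, the matching rule (last name and date of birth, with the last four digits of an identifier used only to break ties), the proofing levels and the access check are all constructed assumptions. The point it shows is that a login can be issued and used before any record is linked, that an ambiguous or failed match leaves the account usable rather than failing enrollment, and that access to “my data” is decided separately from both.

```python
"""Toy model of enrollment split into three independent steps:
provisioning a user ID, identity matching, and identity proofing.
Added example for illustration; the records, matching rule and
proofing levels are constructed assumptions, not a real agency design."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Proofing(Enum):
    NONE = 0            # nothing asserted yet
    SELF_ASSERTED = 1   # user typed in claims, nothing checked
    VERIFIED = 2        # claims checked against an authoritative source


@dataclass
class Enrollment:
    user_id: str                          # step 1: the credential used to log in
    matched_record: Optional[str] = None  # step 2: which agency record this login maps to
    proofing: Proofing = Proofing.NONE    # step 3: how strongly the claim of identity is trusted


# Constructed sample agency records: record id -> (last name, date of birth, last-4 of an identifier)
AGENCY_RECORDS = {
    "rec-1001": ("smith", "1980-04-12", "1234"),
    "rec-1002": ("smith", "1980-04-12", "9876"),   # same name and DOB as rec-1001 on purpose
    "rec-1003": ("jones", "1975-11-30", "5555"),
}


def provision_user_id(email: str) -> Enrollment:
    """Step 1: anyone can obtain a login. No identity decision is made here."""
    return Enrollment(user_id=email.strip().lower())


def match_identity(enr: Enrollment, last_name: str, dob: str,
                   last4: Optional[str] = None) -> str:
    """Step 2: try to link the login to exactly one record.

    Returns "matched", "ambiguous" or "no_match". Anything other than a
    unique hit leaves the login unlinked but still usable, so the user is
    not locked out of enrollment because the data did not line up."""
    candidates = [rid for rid, (ln, d, l4) in AGENCY_RECORDS.items()
                  if ln == last_name.strip().lower() and d == dob]
    if last4 is not None:
        candidates = [rid for rid in candidates if AGENCY_RECORDS[rid][2] == last4]
    if len(candidates) == 1:
        enr.matched_record = candidates[0]
        return "matched"
    return "ambiguous" if candidates else "no_match"


def record_proofing(enr: Enrollment, level: Proofing) -> None:
    """Step 3: record the outcome of identity proofing, independent of matching."""
    enr.proofing = level


def can_view_own_data(enr: Enrollment) -> bool:
    """Access decision: a unique record link AND verified proofing are both required.
    A self-asserted claim that happens to match a record is not enough."""
    return enr.matched_record is not None and enr.proofing is Proofing.VERIFIED


if __name__ == "__main__":
    e = provision_user_id("Alice@Example.gov")
    print("login only:", can_view_own_data(e))                                  # False
    print("name+dob:", match_identity(e, "Smith", "1980-04-12"))                # ambiguous
    print("with last4:", match_identity(e, "Smith", "1980-04-12", "1234"))      # matched
    record_proofing(e, Proofing.SELF_ASSERTED)
    print("matched, self-asserted:", can_view_own_data(e))                      # False
    record_proofing(e, Proofing.VERIFIED)
    print("matched, verified:", can_view_own_data(e))                           # True
```

Because each step records its own state, support staff can see exactly which of the three a stuck user is missing, and a failed match can be retried or escalated without re-issuing the login or repeating proofing.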

One interesting thing I noticed in both talks is that there was a small core of very interested attendees – most security professionals don’t have to deal with Identity & Access Management, but those who do tend to be very passionate about the topic, and could easily relate to the problems we faced while building out large SSO solutions.

You can download a copy of the slides from the presentation here. A video of my talk at OWASP MSP is available on Vimeo and YouTube.

Site Updates

Today I completed some long overdue maintenance for transvasive.com – a number of links were broken due to a prior migration and the general churn of the internet. All links have been fixed, except for links that are permanently broken, which were left as-is for posterity. All assets stored locally on the site are working; please contact me if you find issues.

AppSec USA 2012: Functional Security Requirements using Behavioral Security Modeling

I spoke today at OWASP AppSec USA on “Building Predictable Systems using Behavioral Security Modeling: Functional Security Requirements”. Although Karl Brophey was not able to join me, he was there in spirit. The talk was an updated version of our presentation at Secure360 earlier this year.

Here is a copy of the slides from the talk. OWASP will be posting a free video as well (thanks!) and I’ll add a link when that becomes available. Below is the abstract and a link to the white paper we wrote, which explains the ideas presented in the talk in greater detail.

Update: a video of the talk is available on YouTube.

Abstract:

Defining functional security requirements is a key component of Behavioral Security Modeling, a method to improve security through accurately modeling human/information interactions in social terms. The paper proposes a practical, SDLC agnostic method for gathering functional security requirements by establishing limits on interactions through a series of questions to identify, clarify, and uncover hidden constraints. Five categories of constraints are presented, along with advice and “requirement patterns” to facilitate discussions with stakeholders and translate business needs into unambiguous security requirements. General advice on improving constraints, implementation considerations, security actions, quality assurance, and documenting post conditions are also discussed.

Paper:

Behavioral Security Modeling: Functional Security Requirements