Attacks targeting these supply chains have opened a new perimeter of risk in information systems. Breaches can lead to intellectual property theft, tampering with source code, service disruption, and privilege escalation into more critical parts of the IT landscape. 

What are the new attack vectors in CI/CD pipelines, and how can they be contained? This article reviews real-world compromise scenarios and provides recommendations to defend against them. 

What risks for CI/CD pipelines? 

The 2020 SolarWinds breach is very often cited as CI/CD compromise, as it revealed the true scale of that such an attack can cause. After supposedly stealing FTP credentials left in plaintext in an old GitHub repository, attackers poisoned SolarWinds’ supply chain by inserting a C2 beacon into Orion, its network management software, before the signing process. 

This backdoor gave adversaries months of undetected access to the internal networks of U.S. government agencies and private companies. 

Incidents like this, along with more recent ones such as Log4Shell, Codecov, and XZ Utils, highlight not only the need for stronger CI/CD security but also for a more adaptive incident response. OWASP published a dedicated overview for CI/CD Security in their Top 10, mapping out the most common areas of risk. 

Figure 1 – Top 10 OWASP CICD-Sec 

Field insights @ Wavestone

Audits and penetration tests help identify vulnerabilities proactively before attackers can exploit them. By simulating real-world attacks, these assessments provide concrete visibility into how systems can be compromised. 

Our recent client engagements have led to clear findings: 

• In nearly all Cloud and CI/CD audits, vulnerabilities are always discovered in pipelines, often enabling full control of the pipeline, its artifacts, or even underlying infrastructure. 
• In CERT and Red Team interventions, CI/CD pipelines frequently act as accelerators in attack paths. 

Here are two examples observed in the field. 

Example 1: Full AWS compromise through CI/CD abuse 

In this first grey-box example, we compromised an entire AWS Cloud environment (600+ accounts) starting from standard DevOps accounts. 

Figure 2: Full AWS compromise through CI/CD abuse 

Attack path: 

• An attacker pushed malicious code into a GitLab repository, triggering a GitLab CI pipeline that deployed the code into a generic Kubernetes pod. 
• The code opened a reverse shell, giving the attacker remote access to the Kubernetes environment. 
• From there, the attacker exploited excessive privileges granted to the node’s service account (ability to patch tokens in the cluster) and replaced the admin node’s token. 
• On redeployment, the malicious pod lands on the former admin node, still holding admin rights. 
• The attacker escalated privileges and pivoted into AWS, compromising the entire Elastic Kubernetes Service (EKS) cluster and its resources. 

Example 2: Chained attacks across pipeline components 

Figure 3 -Summary of real chained attacks across pipeline components 

In another case (presented at DefCon & BSides 2022), we demonstrated how multiple components of a CI/CD pipeline can be chained together in compromise scenarios. [Video]. 

Recommendations to secure a CI/CD 

CI/CD pipelines have now become systemic components of information systems and can be leveraged to compromise an organization’s most critical resources. 

Our recommendations for securing the CI/CD chain can be grouped into three main themes: identity and access management (IAM), better pipeline design, and continuous monitoring. These align with the ANSSI DevSecOps guidance. 

Figure 4 – Three main recommendations to secure a CI/CD 

Identity and Access Management (IAM) 

Figure 5 – IAM recommendations 

Identity management 

Beyond the traditional rules for managing identity lifecycles, it is strongly recommended to systematically use Single Sign-On (SSO) combined with Multi-Factor Authentication (MFA). This significantly reduces the risk of intrusion into the CI/CD chain, by ensuring that any user accessing code repositories, signing commits, or performing other privileged actions is properly authenticated. 

Access control 

User and service account permissions must be strictly limited to what is necessary for their role within the CI/CD chain, always applying the principle of least privilege. This should be enforced through Role-Based Access Control (RBAC). For example, a developer working on a specific project generally should not have write access to the overall pipeline configuration. 

It is also advisable to segment projects using separate code repositories, and to ensure that the orchestrator account of one project does not hold excessive rights over the deployments of projects it is not associated with. 

Secrets management 

In CI/CD, “secrets” refer to sensitive data such as passwords, API keys, certificates, or access tokens. Since these secrets often enable privileged actions within pipelines, they must be retrieved in an automated and controlled manner. 

Vendors such as HashiCorp provide dedicated secret management solutions that make it possible to store sensitive data centrally, while ensuring encryption in transit and at rest. 

CI/CD pipeline design 

Figure 6 – Design recommendations 

Environment segmentation 

Segregation between users, applications, and infrastructure is essential to minimize the impact of a compromise. In line with ANSSI’s guidance, actions performed by the production CI/CD chain should be treated as administrative actions, and the number of users authorized to access it should be kept to an absolute minimum. Furthermore, communication between environments must be protected with end-to-end encryption. 

Integration of third-party tools 

As the SolarWinds attack demonstrated, many supply-chain compromises originate from a third-party component integrated into a CI/CD pipeline. These tools are indispensable for supply-chain operation: they may be as small as a development add-on, or as central as a version control system or orchestrator. 

Because these tools are often granted high privileges—access to sensitive resources or the ability to perform critical actions within the pipeline—a vulnerability that is left unpatched can be catastrophic. In many cases, the ability to remediate will depend on the vendor, limiting the organization’s own control. A strict governance framework and a Third-Party Cyber Risk Management (TCPCRM) process for third-party tools is therefore necessary. 

Artifact management 

To avoid the risk of distributing malicious artifacts, it is recommended to sign artifacts as early as possible in the pipeline, and to verify those signatures at deployment time to guarantee their integrity. Similarly, regular Software Composition Analysis (SCA) should be performed to prevent the introduction of malicious libraries. 

Monitoring and supervision 

Figure 7 – Monitoring recommendations 

Logging and detection 

Maintaining a high level of visibility and control over all pipeline components is critical for easier maintenance and faster response to attacks. 

A tailored logging strategy should be implemented: logs must contain only the data needed to ensure traceability and accountability in the event of an incident, should be stored securely, and must not contain secrets in plaintext. Logs should be shared effectively with the organization’s Security Information and Event Management (SIEM) system. 

Regular audits and penetration tests are also required to reassess the security posture and identify potential new compromise paths within the CI/CD pipeline. 

Incident response 

Finally, CI/CD pipelines must be included in incident response plans just like any other perimeter of the information system. This means ensuring that source code and configurations are backed up, and that business continuity plans exist in case of a tool failure. 

In conclusion 

CI/CD pipelines have become a genuine cornerstone of modern information systems. They are now systemic components, indispensable for developing and deploying applications. Yet their critical role within IT also makes it necessary to implement appropriate security measures so that they do not themselves become attack vectors. 

Figure 8 – Some systemic CI/CD components 

Beyond the recommendations detailed in this article, further preventive measures can be implemented in the form of hardening guides tailored to specific tools within the pipeline. In addition, adopting a robust training strategy for users, together with structured change management, is essential to ensure the success of these transformations. 

Thanks to Jeanne GRENIER for her valuable contribution to the writing of this article.

Cet article CI/CD: the new cornerstone of the Information system?  est apparu en premier sur RiskInsight.

To this end, there are many existing rights models: MAC, DAC, GBAC, ABAC, etc.

How do you understand these many different rights models in practical terms and apply them to your business?

The models differ in their degree of complexity and in the response they provide to the specific needs and constraints of an organisation or system. The most recent models incorporate issues of security, scalability and compliance in an increasingly complex technological environment.

In this article, we will follow a chronological logic, identifying how authorisation has evolved over the decades to meet the challenges faced by organisations. We will see that, like information systems, rights model approaches have become increasingly complex and now include more and more parameters for deciding whether to grant or deny access.

Models can be grouped into 3 approaches reflecting their progressive sophistication:

– Classic approach: admin-time

– Modern approach: run-time

– Forward-looking approaches: event-time

We will illustrate each of these approaches with emblematic models, highlighting:

1) The response to an initial need

2) The limitations of the model

We conclude with a chronological summary of the approaches and their models.

Classic authorisation approaches: Admin-time

In the 60s and 70s the development of computer systems, marked by the development of the first multi-user systems (Multics, HP-3000), gave rise to the need to rethink user rights.

Innovative security principles, which are still used today, were defined for these systems such as rings of protection, which aim to protect the integrity of the operating system against deliberate and accidental modifications and initiate a rethink of user access policies to resources.

In the first access rights models to emerge, the management of rights remained summary, defined in hard terms by ‘administrators’: this was admin-time, of which the DAC and MAC (60s-70s) and RBAC (90s) models are particularly noteworthy.

Discretionary Access Control (DAC) and Access Control Lists (ACLs)

As its name suggests, the DAC model – for ‘discretionary access control’ – leaves it up to each resource owner to assign permissions to users. This is the basic rights model found on Unix systems, which can be supplemented by the ACL mechanism, or ‘access control lists’. Often associated with DAC, ACLs specify, for a given resource, the users and their rights over the resource, as illustrated below using the Unix example.

Beyond Unix, file-sharing systems such as OneDrive and social networks, where the user can choose who can view or comment on each publication, are other examples of the use of DACs and ACLs.

In fact, the flexibility and granularity of this model are an advantage for local implementations centred on individuals. On the other hand, they become problematic for ensuring a correct level of resource protection on a large scale in more complex systems.

Mandatory Access Control (MAC)

The MAC model, which stands for Mandatory Access Control, is the opposite of DAC. Rather than leaving the assignment of rights to the ‘discretion’ of individual users, resource by resource, limiting system-wide visibility and encouraging errors and vulnerabilities, rules are predefined by administrators according to different security classifications and strictly enforced by a central authority, generally represented by the operating system itself.

It is particularly prevalent in government, military and industrial environments, because it allows tight control over access to sensitive data. It uses labels that characterise the sensitivity of objects and users, according to the rules of the organisation concerned:

– A resource classification level, for example: ‘Unclassified’, ‘Restricted’, ‘Confidential’, etc.

– A level of user authorisation, linked to the existing resource classification levels.

Below we describe Multics and SELinux, two fundamental examples of MAC implementation.

MAC example 1: Multics and protection rings

Already mentioned above as a precursor of multi-user systems (also known as ‘time-sharing’ systems), the Multics project, released in 1969, was the source of many innovative features, particularly in its memory management and security. It prefigured MAC even before the formulation of models such as Bell-LaPadula (1973) and its first formal definition set out in the Department of Defense’s Orange Book (1983), which established US computer security standards.

It is based on the concept of rings of protection, which Multics created, as shown by its logo (image above), and which form the basis of MLS – Multi-Level Security – systems, widely used in highly confidential contexts. It consists of a set of concentric rings representing levels of sensitivity that increase the closer you get to the centre (ring 0) – and therefore the privileges required for access. Mechanisms known as guards or gatekeepers, located at the interface between two rings, closely control the legitimacy of access in both directions, which they grant or deny.

In reality, these rings are of two types:

– Kernel protection rings are physical rings built into processors and used by the operating system to guarantee its integrity against faults (which cause the machine to crash) or modifications, whether intentional or not.

– User space rings are logical rings implemented by the operating system. This is where MAC comes in. By means of labels, each user and each resource is attached to a ring level. From there, rules define the actions that can or cannot be taken, following the example of the Bell-LaPadula model, which emphasises data confidentiality: ‘No read up’ (a user cannot read access to layers higher than his own), ‘No write down’ (he cannot write to layers lower than his own, to avoid leaks).

The image below summarises the principle of protection rings.

 MAC example 2: SELinux, the Linux kernel security module

Initially developed by the NSA in 2001, SELinux was proposed and added to the Linux kernel security modules (LSM, Linux Security Modules) in 2003, and is natively integrated into RedHat distributions such as Fedora.

This is another well-known example of MAC implementation: it allows administrators to assign a security context label to each resource in order to classify them and define the security policies to be applied by the operating system. Even with privileged rights, an application will see its rights restricted to the domain it needs to function (for example, the folders specified), with SELinux detecting and preventing any non-compliant action.

SELinux therefore provides an additional layer of protection in the event that a user or process manages to bypass traditional access controls.

In practice, MAC policies are rarely sufficient on their own, but are superimposed on existing DAC rules, whose flexibility they compensate for.

Two models based above all on the identity of the user or process, on the basis of which they authorise or deny access: this is known as Identity-Based Access Control (IBAC). These models are still limited to local contexts and have little resistance to scaling up.

Role-based Access Control (RBAC)

Formulated in 1992 by David FERRAIOLO and Richard KUHN, two engineers from the American NIST, the RBAC model – role-based access model – was designed to simplify the management of permissions throughout an organisation while reflecting its structure as closely as possible (hierarchy, responsibilities, departments, etc.).

Instead of granting rights directly to an identity, as with IBAC, a method that can quickly become difficult to maintain, we design business roles and the associated privileges. Users then inherit the rights associated with their role within the company, enabling them to access the various applications and enterprise sharing systems considered necessary for their internal activities.

This initial conceptual framework was completed and standardised in 2004 with the ANSI INCITS 359-2004 standard, which takes into account practical business cases and scenarios. For example, it addresses the need to separate responsibilities (SoD, Segregation of Duty), which is fundamental in financial and banking institutions, as well as the principle of least privilege and the inheritance of permissions.

Progressive and increasingly centralised adoption of RBAC

From the 80s and 90s onwards, databases, which were widely adopted by large companies and likely to contain sensitive information to which access was naturally controlled, were pioneers in the implementation of the RBAC model. They illustrate its implementation at the level of isolated applications, with no repercussions for external applications or systems.

The 2000s saw the launch of Microsoft’s Active Directory, starting with Windows 2000 Server. This centralised directory is designed to manage all the organisation’s resources (people, physical resources, applications). Although it is not strictly speaking an RBAC tool, a comparison can be made. The allocation of access rights is based on security groups – which can be perceived as roles – with permission inheritance mechanisms and the concepts of domains, trees and forests designed to represent the logical structures of the company.

Modern IAM solutions, such as Okta, SailPoint IIQ and Microsoft AzureAD, now support RBAC for heterogeneous environments, including cloud services. They illustrate the gradual centralisation of access rights management, which was initially managed locally within applications, and is now increasingly delegated to IAM solutions covering the widest possible spectrum.

RBAC assigns rights based on a business role, whereas IBAC is linked to an identity. The layer of abstraction created between the subject’s identity and an individual’s role means that it can be extracted from restricted contexts (file systems for DAC, operating systems for MAC) and adapted (at last!) to the access control needs of organisations. However, they all share the characteristic of a rigid definition of rights, based on an identity or a role.

In entities where exchanges are increasingly dynamic and fluctuating, this abstraction through roles alone may prove insufficient. New models have emerged to represent more complex organisations, taking into account additional, evolving attributes to assess access rights to a higher accuracy at a given time: we are moving from admin-time to run-time.

New approaches to authorisation: Run-time

The increasing complexity of information systems, and therefore of access, has led to the run-time approach. This approach meets organisations’ needs for dynamic flexibility and security. Unlike the ‘admin-time’ era, characterised by static permissions, the ‘run-time’ era offers real-time management at the time of the access request, based on various contextual elements. This transition to more flexible and precise authorisation models enables organisations for adapting to change and better protect their resources against today’s threats.

Graph-Based Access Control (GBAC)

The GBAC (Graph-Based Access Control) or GraphBAC model is based on the use of graphs to represent the relationships between users, roles and resources within an organisation. These 3 types of entities (users, roles, resources) and the relationships between them form the core of this model: entities can be represented by the nodes of the graph, and the relationships between them by the edges.

Access authorisations to a resource are determined in real time by queries to this graph database, enabling access decisions to be made based on the connections between entities at the time of the request. Users can thus obtain access to a resource according to their role and their relationships with other users or resources in the organisation.

The GBAC model is suited to the dynamic environments of large organisations, where relationships between entities are constantly evolving. On the other hand, it can be complex to implement, and the projects involved are relatively long, with significant costs. In addition, the gradual addition of new relationships can make the graph increasingly difficult to manage, complicating internal audit or recertification activities, for example.

Attribute-Based Access Control (ABAC)

In the ABAC (Attribute-Based Access Control) access model, the management of access to a resource is based on the dynamic combination of attributes. These attributes relate to the user requesting access (role, group), the resource requested (type of resource) and the context in which the request is made (time of day, type of network). This approach makes it possible to authorise or deny access flexibly and in real time.

The model was formalised in 2014 in the publication by NIST (SP 800-162) which provides detailed information for its implementation.

4 components are essential to the operation of this model: Policy Enforcement Points (PEPs), Policy Decision Points (PDPs), Policy Administration Points (PAPs) and Policy Information Points (PIPs).

After interception by the PEP, the access request is transmitted to the PDP, which is responsible for making decisions by analysing the access policies managed by the PAP and often accessible from an access policy database. The PIP provides the PDP with additional information on the user or resource from different sources, enabling it to make decisions in line with access rules. For contextual information, the information system can be connected to other tools or sources (IDS, logs, sensors) that enable this information to be collected at the time of an access request.

ABAC is a particularly interesting model in environments where access needs are varied and evolving, as it enables fine, granular management of authorisations, particularly in the context of PAM (Privileged Access Management), concerning access and critical resources.

However, this level of detail and flexibility comes with challenges such as the ongoing review of attributes and the maintenance of policies, which require constant attention to ensure they meet the needs of the business. Over time, the increasing number of attributes and conditions can make it difficult to maintain a clear and functional ABAC architecture, especially in environments undergoing constant transformation.

In current ABAC architectures, PEPs are generally designed to work only with PDPs from the same vendor, using proprietary protocols, with no support for compatibility between different vendors.

Standardizing the way these different PEPs and PDPs interact, in order to improve system interoperability and reduce dependence on a single supplier, is the aim of the OpenID AuthZEN working group.

OpenID AuthZEN: towards improved interoperability

AuthZen is a working group initiative launched in 2023 by the OpenID Foundation to standardize the interactions between PEPs and PDPs, in order to improve interoperability between systems from different suppliers.

This initiative responds to current problems where authorization services (PEPs and PDPs) are often designed to work only with solutions from the same vendor, limiting their interoperability.

AuthZen was launched to develop a standardised protocol that would facilitate integration and communication between PEPs and PDPs, reducing dependency on single vendor solutions and improving overall authorisation security.

To make these interactions more flexible and universal, AuthZen relies on existing architectures and technologies (OPA/Rego, XACML, etc.) to improve deployment, scalability and interoperability. The first two stages of this standardisation with Open ID AuthZen are the implementation of a simple ‘Request/Response’ and ‘Permit/Deny’ type protocols and a multiple decision approach in order to group several authorisation requests into a single request and receive several decisions in return.

The AuthZen think tank includes security players such as 3Edges, Axiomatic and others. It is also open to players who want to develop authorisation systems and make architectures more secure and interoperable.

Prospects for the evolution of authorisation: Event-time

A new approach to the evolution of access systems is event-time. It is defined as an implementation of dynamic authorisation where access rights are adjusted in real time in response to immediate events or changes that occur. Unlike static or attribute-based approaches, event-time is characterised by a continuous evaluation of access rights, to ensure that all access remains compliant with the policies in place within the organisation.

For example, when a user’s status changes (promotion, departure, mobility, etc.), the system automatically adjusts or revokes their access rights. This proactive, event-based adjustment approach is common in information systems monitoring and security incident management.

Event-time is based on the following key concepts:

– Listeners: system components that monitor events in time and analyse important changes (mobility, promotions, departures, etc.) from various sources, in particular HR systems.

– Triggers: actions in response to an event identified by a listener, such as the revocation of access rights on the actual day a user leaves.

– Shared Signals: enabling different systems to share information about events in real time.

– Continuous evaluation: constant checking of access rights to ensure that each action or access remains in compliance with policies.

Frameworks and standards play a key role in implementing event-time by providing a structure for implementing the concepts in systems:

The Shared Signals Framework (SSF) is directly linked to the concept of shared signals, which enables systems via an API to share information about events in real time to ensure consistent access management. The continuous evaluation of this information is supported by CAEP (Continuous Access Evaluation Protocol), a protocol for standardising the writing of status changes. RISC (Risk and Incident Sharing and Coordination) is a generic protocol for standardising the transmission and reception of security incidents between these different systems, thereby enhancing the overall responsiveness of an information system.

Event-time is not based on a specific model such as RBAC or ABAC, but can function as a complementary access management layer to these traditional access systems, making them more dynamic and aligned with real-time situations.

The evolution of authorisation models, from traditional approaches to modern, dynamic methods, reflects the ongoing adaptation of IAM and access systems to the growing and changing needs of organisations.

Admin-time approaches laid the foundations for resource security with models such as DAC and MAC. RBAC introduced structured rights management, which is widely adopted in organisations today due to its relatively simple application.

With the advent of the runtime, access decisions became more refined, based on attributes specific to users, resources and context, as with the ABAC and GBAC models. However, these increasingly sophisticated models have led to the emergence of numerous proprietary solutions, limiting the interoperability of authorisation components and creating a dependency on specific technologies. This has led to the emergence of initiatives such as the AuthZen working group, which is working to develop standards.

The event-time approach provides real-time responsiveness, enabling systems to automatically adjust access in response to specific events. CAEP and the Shared Signals Framework facilitate this dynamic by standardising the exchange of information between systems, thereby strengthening security and compliance.

An overview of these different approaches and their associated models is presented in the timeline below, together with a summary table of the different models discussed.

By combining these different approaches, you can implement more secure, flexible and proactive access management, capable of responding to current and future identity-related challenges. These developments also highlight the importance of adopting adaptive and interoperable authorisation solutions to ensure effective protection of resources while meeting the operational requirements of teams.

These developments raise an essential question about the ability of organisations to anticipate these changes and integrate these new access management dynamics.

Whether you are still using admin-time models, exploring runtime options, or considering moving to event-time management, it is crucial to choose a model that meets your specific needs. It is also very important to anticipate the consequences for the management of this model over time (review of rights, measurement of data quality, review of policies, definition of expected reactions, etc.).  

What type of model do you use? 

Don’t hesitate to contact us to find out more and understand how to apply these authorisation models to your organisation’s context!

Cet article Access management: how is authorisation evolving to meet the challenges and needs of organisations? est apparu en premier sur RiskInsight.

In order to manage this evolution, the European Union has adopted the Payment Services Directive. In its second version (PSD2), published in 2015, this directive was set to create and regulate the Open Banking sector. The goal was to enable users to provide an access to their banking and accounts data to innovative new actors such as aggregators and payment initiation providers, while ensuring security and competition at a sufficient level in the payment services ecosystem.

Unfortunately, PSD2 limits have started to show, including:

• Unharmonized legislations leading to « Forum shopping » which is a legally grey practice consisting, for a payment services provider, to choose their incorporation country based on the local legislation that would be most favourable to them.
• A gap that was not sufficiently closed between banks, which are in a privileged position to provide payment services to consumers, and third-party providers that depend on them.
• Fraud, with methods changing along with the payment markets, and for which PSD2 provision are now considered as insufficient.

Therefore, the European Union has introduced a draft for a 3rd version of the directive, the so-called PSD3, on June 28th, 2023. A final version is expected for late 2024 or early 2025. The text will be enforceable 18 months after publication, which would be somewhere around Q3 2026.

How will PSD3 be introduced?

Upon reading the draft, it is clear that where PSD2 has introduced completely new and structuring concepts like the notion of Open Banking or Strong Customer Authentication, PSD3 is aiming at updating existing concepts. As indicated on the European commission website, it is

« an evolution, not a revolution ».

The format changes: PSD3 is introduced with a regulation called PSR (Payment Services Regulation). Its content is using a lot of elements already present in either PSD2 or its RTS (Regulatory Technical Standards). The novelty here is in the type of legislation: it is a regulation, which is directly applicable in member states, contrary to directives, which need to be translated into local law. This is one of the solutions the EU has adopted to tackle the previously mentioned harmonization issue.

The regulatory framework for e-money also finds itself simplified. The practical issues caused by the existing differentiation between online payments, regulated by PSD2, and the use of e-money, regulated by the 2009 Electronic Money Directive (EMD) will disappear since PSD3 now covers both types of services.

Additionally, PSD3 brings a few clarifications in its definitions. Though these are not technically new changes, here are some of them:

• Deposit accounts, such as savings accounts, are now explicitly excluded from the definition of payment accounts.
• Aggregators are now defined by their capacity to collect and consolidate banking information on payment accounts and the like, regardless of whom the aggregated information is destined to.
• Multifactor authentication relies on multiple factors in classically defined categories (knowledge, inherence, possession), but it is now clarified that to count as an MFA, authentication factors need not belong to different categories, they only need to be independent (defined as: compromission of one does not affect security of the other).

What will the various payment service providers have to do to comply to PSD3?

Key PSD3 evolutions are technical changes with the aim to protect consumers against fraud.

Therefore, payment services providers will have to develop and provide new services for their users. A first example is an access permissions dashboard enabling them to monitor in real time who is allowed to access their banking and payment account information. Another example is the payee’s name verification service, wherein the name of a payment recipient is compared to the receiving account holder name, and the result of that comparison is made available to the payer to try and prevent identity theft.

Likewise, PSD3 has some provisions planned for strong customer authentication accessibility. All banks will have to be able to provide an adequate strong authentication means for all their users, including people with disabilities, the elderly, people with poor technological skills or without smartphone etc.

The addition of a new actor will shift the repartition of compliance responsibilities: this actor is the Technical Services Provider. They will inherit part of the compliance and audit responsibilities, especially in the case where strong customer authentication is delegated by the bank to their third-party solution.

What will be the impact of those changes?

Through the aforementioned PSD3 changes, banks and other payment services providers are incited to share and exchange information to fight against fraud: some dispositions are already taken to be able to do so while complying with GDPR.

Especially for the payee’s name verification service, Open Banking APIs will have to be updated to allow this verification by the payer’s bank. Since this operation is quite complex, and even more so when the transfer is supposed to be instant, the associated article will enter in force 2 years after the rest of the regulation (not before Q3 2028).

Users will also see new features appear, meaning some time will be needed for them to adapt and get familiar with those features. Some level of support will have to be set up for all involved parties, including users but also customer support teams, to foster a correct understanding and adoption of these features by users.

If the final text is published before early 2025, companies from the payment sector will have until Q3 2026 to achieve compliance with PSD3 and PSR.

It is essential to start considering these changes starting today and ensure a certain level of regulatory watch to stay informed of the various texts (including RTS, guidelines) that will be published by both the European Commission and the European Banking Authority.

[1] 2023 annual report, French Observatory for the security of payment means

Cet article Shift towards the 3rd Payment Services Directive: what will the impacts be? est apparu en premier sur RiskInsight.

This trend can be explained by a desire to digitalize factories and develop connected industry that has rarely been accompanied by the modernization of the associated industrial systems: attacks are made simpler, their consequences stronger. And in the case of ransomware, a lack of authentication is often the starting point of the kill-chain: too weak or based on shared authentication factors between operators, accounts become susceptible to phishing attacks.

This observation can also be found by analyzing the “Industrial Cyber IS incident files”^[2] shared by Clusif. These include the takeover of the production system of a German steel mill, which could have been avoided if a second authentication factor had been required when carrying out critical actions on the industrial site.

The need to secure and modernize authentication methods for blue-collar workers is therefore crucial, in order to limit the risk of theft of these often poorly protected accounts, without adversely affecting the overall productivity of on-site operators.

The aim of this article is therefore, after going into more detail on the current context and the constraints linked to these populations, to compare the different solutions available today for these uses, to analyze the obstacles to the democratization of the methods deemed the most promising, and to share our vision and recommendations for catching up as best we can.

What is authentication?

Authentication means certifying your identity to a computer system before you can access secure resources. Throughout this article, we’ll be talking about multi-factor authentication when at least two of the four authentication factors below are combined:

• What I know (password, PIN, scheme, etc.)
• What I have (personal device, USB key, smart card, badge, etc.)
• What I am (facial recognition, fingerprint, vein network, etc.)
• What I do (eye movement, signature, typing dynamics, etc.)

Note: the level of security depends on the robustness of the factors and their independence when combined^[3].

Blue-collar workers: a diverse range of uses…

When we talk about the blue-collar population, we mean all manual workers who don’t have their own professional workstation (e.g. mechanical, industrial and personal care professions). These populations have different authentication requirements to the so-called white-collar populations, as they mostly use an office information system with multiple devices shared between different employees:

• Mobile workstations and tablets (access to production management software (MES), etc.)
• Fixed control workstations (machine tool control, management, etc.)
• Shared office workstations (time and attendance, training, etc.)

Operators must therefore be able to authenticate themselves on control stations, for example directly connected to the machine tools using a network card, but also independently of their location within the site on mobile stations.

… with multiple constraints

In order to make the best possible assessment of the various authentication solutions available to blue-collar workers, it is important to bear in mind their specific professional constraints.

These can be broken down into three main areas:

• Pace constraints: working under automatic cadence and complying with production standards precludes the use of long or untimely processes.
• Constraints linked to the wearing of PPE (personal protective equipment) such as gloves or masks: these can prevent the use of certain biometric factors (facial recognition, fingerprint, etc.) or make the use of passwords less ergonomic (use of gloves on touch screens or keyboards).
• Constraints linked to regular changes of workstation: regularly changing workstation means having to authenticate several times a day on different workstations. What’s more, if this authentication is local, prior enrolment will have to be carried out for each of them.

Beyond blue-collar constraints, there are other factors to consider from an employer’s point of view.

There are also three main themes:

• An important issue of uniformity: all employees should be able to authenticate in the same way on all machines and software, in order to have a common user experience, a single process, support and documentation.
• Significant investment: an authentication solution is costly to acquire (e.g. badges, wristbands, sensors) but also to maintain (e.g. support & servers). These costs may be difficult to justify if employees don’t need to access sensitive resources.
• Physical security already in place: adding a second factor or hardening the first may seem pointless to companies that already physically secure their sites, and therefore assume that an individual with physical access to the device will be trustworthy.

What authentication methods are available on the market?

Two main categories stand out:

– “Mature” players, offering multi-factor authentication with a badge coupled with a password or a locally stored PIN code. This choice enables physical and logical access to be merged, for example, by authorizing access to devices controlling production lines via access badges integrating the FIDO2 standard.

– Less mature players, who maintain weak authentication using passwords only. They remain in the majority, and the accounts they use are often generic, to maximize authentication speed and thus productivity.

What authentication methods are needed to meet these challenges?

Several criteria to consider…

In order to compare the various possible methods, six criteria were considered, with particular emphasis on two main issues: user experience and security.

… to identify the most relevant authentication methods

Based on these criteria, the authentication methods considered relevant and viable for blue-collar workers can be distributed as follows:

In addition to biometric solutions, which are heavily regulated in France by the CNIL, RFID/NFC cards (badges) are emerging as offering the best ergonomics for a satisfactory level of security. This is in line with what has been observed among “mature” players in this field.

Coupled with a PIN code or password, it enables multi-factor authentication and, for most industrial players, represents an easy-to-use solution for increasing operator access security.

However, it may not be sufficient in particularly sensitive industries, where some innovative solutions may stand out:

The FIDO2 biometric key:

• Many machines have a USB port, and the FIDO2 standard ensures compatibility with a wide range of applications.
• The fingerprint replaces the PIN code, ensuring security even if the key is lost or stolen.
• No biometric images are saved, and no templates are stored anywhere other than in the key.

The biometric wristband is also based on the FIDO2 protocol (example of the “Nymi” wristband, not affiliated with Wavestone):

• Each employee receives a wristband and enrolls using his or her fingerprint.
• At the start of the day, each employee puts on their wristband and unlocks it with their fingerprint.
• As long as employees do not remove their wristbands, they simply pass them by equipment equipped with NFC sensors to authenticate themselves with the FIDO2 standard.
• The wristband is able to detect “life” and locks as soon as it is removed.
• No biometric image is saved, and no template is stored anywhere other than in the employee’s wristband.

These solutions are costly, but offer state-of-the-art security and ergonomics.

Democratization held back by several factors

Although solutions are available, blue-collar authentication is still lagging behind, due to a number of factors:

• Logical access sensitivity: this is not always sufficient to justify the cost of modernizing and strengthening authentication.
• Attackers’ priorities: management and office information systems are still the main targets of attackers, prompting companies to concentrate their security efforts on these areas.
• Software and infrastructure obsolescence: the machines and programs used on production lines may be obsolete. Companies are therefore reluctant to replace these functional resources, at the risk of running into compatibility problems.
• Imposed regulations: the CNIL does not encourage the development of biometric authentication systems in France^[4].

However, modernization is set to accelerate thanks to new security requirements linked to the development of the IoT. The FIDO2 standard is also becoming increasingly popular, and innovative solutions are beginning to gain market momentum. Finally, it’s worth noting that some online operators use the same resources as the office population, so passwordless solutions such as Windows Hello for Business are both feasible and easy to implement, thanks to the sensors integrated into devices.

Is the convergence of logical and physical access the solution to trigger large-scale democratization?

Physical access for blue-collar workers is often already secure, since they work on sensitive sites. In most cases, a badge system is already in place for access to buildings and restricted areas, with biometric readers or other surveillance tools (video surveillance, etc.) installed on the most critical sites. This raises the question of capitalizing on and centralizing access control, and offering the same means of authentication for logical access as those already in place for physical access would offer clear advantages, while also raising new challenges:

• Improved user experience, with the same process for all accesses.
• Simplified and reinforced authorization management.
• Physical security teams need to be coordinated with the IT department, and strong governance issues need to be anticipated.
• A common infrastructure is required, with all networks controlling the accesses to be connected.

[1] Authentication Security Best Practices in the Manufacturing Industry, published by Chris Collier on the blog HYPR

[2] Industrial Cyber IS incident files, published by the Clusif

[3] Recommendations for multi-factor authentication and passwords, published by the ANSSI

[4] Biometric access control in the workplace , published by the CNIL

Cet article Authenticating blue-collar workers: a challenge too often neglected? est apparu en premier sur RiskInsight.

So, despite some success stories and the cardinal role of identity in business transformation, IAM remains a disparaged theme in organizations, synonymous with a “necessary evil” rather than a “key issue” for the company.  

How can we restore IAM’s reputation? How can we explain it better, and give it its rightful place in the enterprise? 

The paradox of identity 

An essential driver of transformation programs… 

This situation is paradoxical as identity plays a fundamental role in current transformation programs, presenting three major assets. 

• It is first of all a pillar of cybersecurity by allowing: 
  • Have a homogeneous knowledge of all users, centralizing essential information such as name, manager, title and many other characteristics specific to each; 
  • Guarantee the uniqueness of individuals through the publication of a single repository; 
  • Control and adapt user access throughout their lifecycle; 
  • Be part of a Zero Trust approach by ensuring that only the right people, with the right level of rights and the right level of authentication access to the appropriate resources. 
• It is also an essential business facilitator, particularly for: 
  • Accelerate cloud service adoption and deployment of new applications through automatic account creation and simplified entitlement (often through an IGA – Identity Governance & Administration tool); 
  • Facilitate the controlled opening of the IS to and towards third parties: partners, suppliers or in case of creation of Joint Ventures; 
  • Improve, thanks to CIAM (Customer Identity and Access Management), the customer relationship and regulatory compliance by simplifying the progressive creation of accounts and compliance with privacy regulations such as the GDPR in France. 
• Finally, efficient identity management is a prerequisite for a state-of-the-art user experience, combining comfort and security requirements: 
  • Seamless and seamless access to all its applications and data, regardless of its access context; 
  • Access rights granted automatically and available on the day of arrival; 
  • A single portal to make and follow up your ad-hoc requests. 
  • Pertinent dashboards and targeted review campaigns to meet regulatory requirements without over-soliciting managers and process owners. 

… but a theme unfairly considered 

Despite the significant advantages it represents, the theme of identity is rarely at the centre of companies’ concerns. It is rather perceived as a necessary evil, or even occupies a place of «ugly duckling». Thus, it is common to note the pitfalls when Identity is insufficiently well managed, and even more common to consider as normal and acquired the benefits it produces. 

Beyond the simple constant, it is necessary to understand the reasons that led to this situation of lack of investment, sponsorship, even recognition. 

First explanation of the paradox: the dispersion of expected gains towards different beneficiaries. Indeed, the IAM is, by nature, very transversal in the company. To succeed, it must embrace a wide range of topics and therefore mobilize many stakeholders. If each of them will see gains; none will stand out enough to bear primary responsibility. For example: 

• The identity makes it possible to simplify the customer relationship, subject of major interest for a marketing/ digital manager, but not the compliance manager. 
• The latter will see identity as a significant advantage in meeting the CAC’s access review requirements. 
• The IT department will expect consistent and automatic management of the allocation of accounts and rights, synonymous with financial gains, particularly in terms of licenses, support, etc.  
• As for the CISO, its priority will be to remove access in the event of departure and the application of the principle of “less rights granted or the early detection of “suspicious” behaviour. 

Second explanation: like any transformation, which is transversal, the launch and success of an identity project is conditioned by essential prerequisites. 

The difficulty and effort required to achieve these prerequisites depend on the context of each company; but the prerequisites themselves are relatively constant and can be articulated around 4 axes: 

• Data quality: both for data consumed by IAM (organizations, structures, identity data from HR…) and for data that IAM must make available (application account identifiers, attributes in applications…).
• In-depth knowledge of end-to-end processes: this is essential to anticipate the impact of future changes on users, but above all to be able to change and harmonize ways of doing things, and not to continue with what already exists “because that’s the way it’s always been done”.
• Mastery of the applications to be connected: it is necessary to mobilize both technical knowledge (technologies used, APIs available…) and functional knowledge (user populations, data model, authorization model…).
• Last but not least, the ability to impose a “normative” IAM framework, to find a compromise and to arbitrate both on the target (operational model, functional framework, attributes and management rules, arrival/mobility/departure processes, standardized connection framework for applications…) and on the trajectory and success indicators (priorities, subdivision…). To put it in a nutshell: “It’s not IAM’s job to heal what has been poorly thought out or what has become inadequate over time“. 

Third and last explanation: a complete identity management is based on several complementary technological bricks. With varied origins and somewhat ambiguous names, it is not always easy for a non-expert in the field to understand precisely the contribution of each of these bricks: 

• IGA – Identity Governance & Administration: Identity Governance 
• IAI – Identity Analytics & Intelligence: Data analysis and control 
• PAM – Privileged Access Management: Privileged Account Management 
• AM – Access Management: Authentication and Access Control 
• CIAM – Customer Identity & Access Management: Client identity management 

What’s more, these names have evolved over time, sometimes legitimately to reflect major developments, sometimes more as a result of publishers wishing to differentiate their value proposition. The emergence of new functionalities (real-time detection, consent management, etc.) and the innovations proposed by software publishers are also changing the lexical field of IAM. 

How to give identity its rightful place in the company? 

To overcome this paradox, the usual avenues (high-level sponsors, more resources, evangelization, etc.) are necessary but often insufficient. More structural transformations are needed. 

Unify the strengths of identity under one banner 

IAM topics have emerged in scattered order in companies, and have matured at very different rates. The result is that, all too often, teams remain isolated. 

It is therefore imperative to bring together all identity-related teams and budgets under a single umbrella. And if, as the saying goes, there’s strength in numbers, the aim is not just to be visible, legitimate and have a say in the organization. 

Synergies abound: 

• Make identity a perennial and recurring topic, at the very least at the level of the CIO CoDIR, and in all company evolutions.
• Define a global value proposition, proposing a unified offering that is more legible for business lines and application managers, who will be able to rely on a single point of contact.
• Be part of a long-term strategy to take advantage of software publishers’ roadmaps, create a continuous improvement approach and prepare for future corporate changes: reorganizations, mergers & acquisitions, new ERP…
• Improve the consistency of IAM services and manage with end-to-end service indicators.
• Guarantee a high level of expertise by enhancing team know-how, building loyalty and offering richer development perceptives. 

This far-reaching transformation can appear delicate and a source of risk for companies with less mature IAM systems. This is why it is possible to initiate it gradually, starting from one of the following axes: 

• Bringing together under a single organization the teams working on the various IAM themes: IGA, IAI, AM, PAM and even CIAM.
• Unify the teams in charge of projects and those in charge of “RUN” in order to offer a “product” approach to each identity service, and to be part of a continuous improvement logic.
• Extend IAM teams’ responsibility for data control, so that they can commit to indicators and, ultimately, to the quality of service provided and perceived. 

On this last point, however, IAM teams cannot assume responsibility for the quality of the company’s data and repositories. They must, however, guarantee the quality of the service rendered, by ensuring both the proper operation of IAM services (the “container”) and the quality of the data manipulated (the “content”). IAM teams must therefore be equipped and organized to supervise, control and alert the quality of data received, as well as the use made of it. 

An advantageous unification but which obligates 

This ambition for unification, which puts IAM in the spotlight, de facto obliges the Identity manager to be exemplary in his role and responsibilities: 

• With regard to customers: have a clear service offering, take into account feedback and realities in the field, define and respect a roadmap of evolutions, provide “meaningful” service quality indicators, i.e. those that make sense in the day-to-day life of the business, promote gains and benefits…
• Regarding other stakeholders in the company (HR, Purchasing, Cybersecurity, Regulatory Compliance, Audit and Control…): communicate, materialize and help to appropriate the Identity value proposition on a day-to-day basis and during structural transformations (reorganizations, acquisitions…), find ways to compromise, show the “win-win” character of process and operational model evolutions, share everyone’s roles and responsibilities, illustrate the impacts in the event of breaches… 
• For its teams: have a robust operating model, balance responsibilities between internal employees and external service providers, build a genuine HR ambition for the medium and long term (validation of expertise, talent management, building career paths, enhancing the value of the IAM channel…). 

Conclusion 

The unification of IAM services is a fundamental trend, and within 3 years a large majority of large companies will have converged towards this model, at least partially. 

This movement is not always the result of a desire to reposition identity within the organization on a long-term basis. It is sometimes imposed by teams to compensate for a lack of resources or expertise, or in the hope of keeping costs down; in such cases, it reinforces the feeling of lack of consideration. 

And yet, there are many opportunities to demonstrate the need for an in-depth rethink of IAM ambition, and to give it its rightful place: technical obsolescence of IAM tools, corporate strategy to switch to Cloud solutions, difficulties in accompanying structuring transformations in the organization, new regulatory requirements, or the results of a simple satisfaction survey among users or application managers…  

Do you dare to seize them? 

Cet article ​​How to give identity its rightful place in the company​  est apparu en premier sur RiskInsight.

Depuis l’arrivée de Facebook en 2004, Internet a été témoin d’une explosion du nombre de réseaux sociaux, des plus généralistes aux plus spécialisés. Leur adoption et utilisation massive les positionnent comme des véritables mines d’or pour les entreprises, en leur offrant une porte d’accès à des données jusqu’alors inaccessibles (préférences de leurs clients, envies, intérêts…).

À l’heure où l’expérience utilisateur et la connaissance des clients deviennent des problématiques incontournables pour les entreprises, le social login semble être la solution rêvée… mais est-ce vraiment le cas ?

Chapitre 1 : la promesse

En 2018, nous comptons plus de 70 réseaux sociaux, dont les plus connus et utilisés restent Facebook, Google+, Twitter ou encore LinkedIn. Certains réseaux peuvent être même rattachés à des plaques géographiques ou pays particuliers, comme l’Asie avec WeChat, Weibo, Mixi ou et la Russie avec Vkontakte.

À titre indicatif, l’utilisation de réseaux sociaux est passée de 153 millions d’utilisateurs en 2011 à 837 millions en 2013, pour passer largement au-delà du milliard en 2017.

Les réseaux sociaux sont donc devenus de véritables référentiels d’identités, dont certains promettent de détenir l’Identité de référence sur Internet, les motivant à se positionner naturellement comme fournisseur d’identités pour les entreprises. C’est dans ce cadre et sur la base de cette promesse que le social login est né.

L’objectif premier du social login est de permettre à un utilisateur d’accéder aux services d’une marque ou boutique virtuelle le plus simplement possible, à l’aide d’un compte d’un réseau social.

Il s’affiche comme une réponse aux attentes des clients en simplifiant les processus d’enregistrement et d’accès aux services, mais également à celles des entreprises en donnant des moyens d’authentification rapides à déployer afin d’améliorer le taux de conversion des prospects.

Une solution pratique et simple à utiliser

Lorsque nous parlons de social login, nous distinguons deux cas d’usage :

• Social registration: utilisation d’un compte d’un réseau social (ex : Facebook, Google, Twitter, LinkedIn…) pour créer un compte sur une application
• Social login: utilisation d’un compte d’un réseau social pour s’authentifier sur une application pour laquelle le compte applicatif a été déjà créé via social registration

La cinématique décrite ci-après présente les étapes du social registration. La cinématique du social login est similaire et repose uniquement sur les étapes 1, 2 et 3.

Étape 1 – Accès initial au service

L’utilisateur accède à l’application (mobile ou web) d’une entreprise qui lui fournit des services et choisit de créer un compte depuis le réseau social de son choix.

Étape 2 – Authentification

L’utilisateur est alors redirigé vers le réseau social sélectionné pour s’authentifier selon le mécanisme en vigueur (ex : identifiant / mot de passe, code (OTP) envoyé par SMS…).

Dans l’éventualité où l’utilisateur a déjà une session active sur ce réseau social, il sera automatiquement authentifié (SSO – Single Sign On) et passera directement à l’étape suivante.

Étape 3a – Recueil du consentement

Le réseau social informe l’utilisateur que l’application souhaite accéder à des informations de son compte (ex : nom, prénom, date de naissance, liste des amis, préférences…) afin de lui créer un compte applicatif. L’utilisateur doit alors donner son consentement explicite pour que la cinématique se poursuive.

À noter que certains réseaux sociaux comme Facebook offrent la possibilité à l’utilisateur de visualiser en détail les informations que l’application souhaite recueillir afin de pouvoir gérer plus finement son consentement (étape 3b).

Étape 3b – Gestion fine du consentement

L’utilisateur visualise l’ensemble des informations que l’application souhaite recueillir. Il peut alors décocher celles qu’il ne souhaite pas partager. Toutefois, des informations peuvent être obligatoires pour que l’application puisse lui créer un compte applicatif et ne pourront être décochées par l’utilisateur (généralement l’adresse e-mail car souvent utilisée comme identifiant).

Étape 3 / Étape 3c – Redirection vers le service souhaité

L’utilisateur est alors redirigé vers le service souhaité. Éventuellement, l’affichage pourra être personnalisé pour montrer l’intérêt de partager les informations de son compte social (affichage de la photo de profil, contenus personnalisés sur la base des préférences de l’utilisateur…).

Un avantage concurrentiel pour les entreprises

Simplifier le processus de création

La conversion des prospects en clients est l’objectif principal des entreprises. L’un des premiers freins à cette conversion est le processus de création de compte. Selon une étude de WebHostingBuzz, plus de 86% de prospects abandonnent dès cette étape, souvent jugée trop longue et complexe.

Le social registration est une alternative de plus en plus adoptée par les entreprises : abandonner le formulaire de création de compte traditionnel pour mettre en avant l’utilisation d’un compte d’un réseau social. En d’autres termes, passer de plusieurs minutes à quelques clics.

Faciliter l’accès aux services

Simplifier le processus de création de compte n’est pas une fin en soi. Il faut également donner envie aux clients de revenir et consommer les services de l’entreprise, notamment en :

• Offrant une expérience utilisateur omnicanale: ne pas perdre le client en lui imposant des parcours différents en fonction du moyen d’accès utilisé
• Réduisant le nombre de mots de passe à retenir: favoriser l’usage d’un compte (i.e. : couple identifiant / mot de passe) déjà connu de l’utilisateur pour éviter de récréer un nouveau mot de passe

Le social login se positionne comme une solution permettant de répondre à ces problématiques : que ce soit depuis un ordinateur, un smartphone, une tablette, le client bénéficiera de la même expérience utilisateur (même cinématique d’accès), basée sur l’usage d’un compte social pour accéder aux services de l’entreprise, et ses partenaires.

Personnaliser l’expérience utilisateur

L’utilisation du social login permet d’accéder à un nombre important de données qualitatives sur les clients : données d’identité (nom, prénom, date de naissance), données de contact (adresse e-mail, numéro de téléphone…), données de préférences (intérêts, partages, likes) …

Des données jusqu’alors inaccessibles dans une gestion des identités clients classique le deviennent, qui offrent la possibilité aux entreprises de personnaliser davantage leur relation avec leurs clients :

• Affichage et communication personnalisés
• Proposition de contenu personnalisé
• Anticipation ou adaptation de services en ligne avec les intérêts des clients

La personnalisation de l’expérience utilisateur permettra aux entreprises d’instaurer un climat de confiance, proposer des services sur-mesure et fidéliser ses clients dans la durée.

Ils l’ont adopté… ou pas encore

L’adoption du social login est très disparate en fonction du secteur d’activité de l’entreprise et de la nature de ses relations avec ses clients. Nous distinguons deux typologies de clients :

• Les consommateurs: bénéficient des services d’une entreprise sans pour autant avoir de relation directe et/ou de contrat les liant (ex : j’achète une bouteille de soda dans mon magasin préféré, mais l’entreprise qui conçoit ce soda ne me connait pas forcément)
• Les clients directs: bénéficient des services d’une entreprise sur la base d’un lien direct (contrat, comptes bancaires…), nécessitant une relation de proximité entre l’entreprise et le client

Selon une étude Wavestone réalisée en mars 2018 sur un échantillon de 172 marques majeures réparties dans tous les secteurs d’activité, 32% d’entre elles ont adopté le social login.

Ce constat met en lumière une adoption forte par les entreprises ayant des clients de type « consommateurs », dont l’objectif est de vendre rapidement des services de consommation (VOD, matériels, presse…).

À contrario, peu, voire pas du tout, d’entreprises ayant des clients directs adoptent le social login, leur relation débutant par l’établissement d’un contrat (et donc la création d’un compte avec des données vérifiées par l’entreprise (carte d’identité, justificatif de domicile…)). Toutefois, certaines de ces entreprises ont déjà commencé à instruire le social login dans leur feuille de route de services numériques, et il commence à s’imposer comme une norme au regard de l’arrivée d’un nouveau type de clients : la génération Z.

Parmi les entreprises ayant adopté le social login, Facebook et Google+ sortent du lot avec un taux d’adoption respectivement de 100% et 55,4%. Suivent LinkedIn (15,4%), Twitter (12,3%) et Yahoo (9,2%).

Du rêve à la réalité

La transformation numérique et l’évolution de la relation client repositionne l’expérience utilisateur au cœur des réflexions stratégiques des entreprises.

Simplicité, efficacité, fidélité sont les maîtres-mots de la nouvelle relation client, trois enjeux pour lesquels le social login semble être un accélérateur à considérer.

Toutefois, son déploiement n’est pas une évidence, ni même opportun pour toutes les entreprises (en fonction du secteur d’activité, des populations cibles, de la typologie de clients…) et requiert le respect de certaines bonnes pratiques de sécurité et de protection des données personnelles.

Pour plus de détails, rendez-vous au prochain article : « Chapitre 2 : La réalité ».

Cet article Social Login : faire d’un rêve une réalité (1/2) est apparu en premier sur RiskInsight.

In recent years, companies have faced an expansion in the scope of Identity and Access Management (IAM) activities. They no longer concentrate solely on user provisioning and authentication; focus has shifted toward both account review and certification and the use of identity federation mechanisms (for example, SAML). The changes affect both SaaS and those that remain in-house. These two developments mean that ISs have an ever-broader scope—and it’s vital that they are implemented properly to minimize security vulnerabilities.

These developments in IAM are running in parallel with more widespread use of cloud services, which are continually being used in new ways to increase the scope and flexibility of IS access and use. Internal users accessing an IS are increasingly doing so from outside the corporate network—and from an increasingly diverse range of devices.

In addition, new Agile and DevOps technologies are forcing ISs to evolve in a different direction: integrating new technologies (IoT, etc.) and new uses, much more rapidly.

Today, all these developments make an IS one “bubble” among others, interacting with its environment and remotely controlling interactions between decentralized components.

…MAKING APIs ESSENTIAL

This new, decentralized IS model raises the problem of the interconnection of services and applications: How can you ensure a controlled access to data at all times—and in all places?

Today, APIs are already a predominant and essential communication mechanism for any company embracing digital transformation. They are used to process not only public data (branch addresses, transport timetables, etc.) but also personal data (for example, fitness tracker, health insurance, and government benefits apps) and sensitive data (online payments, e-commerce, mobile industrial information, etc.).

And, given their importance to ISs, the challenge of securing APIs becomes more important than ever.

WHAT’S THE RIGHT RECIPE TO SECURE YOUR APIs?

Securing APIs requires a recipe based on four ingredients, all of which must be carefully measured out.

THE SECURITY AS USUAL BASELINE

In a Wavestone benchmarking exercise on web application security, of the 128 applications we audited, serious flaws were observed in 60%. In this respect, and since APIs are just a kind of web applications, the standard web-security recommendations – for example those for OWASP – Open Web Application Security Project, must be taken into account in just the same way.

Essentially, this ensures that a web application’s main areas of risk are covered, and the appropriate security measures determined.

A pinch of OAuth

OAuth is an authorization delegation framework that allows an application to obtain permission to access a resource on behalf of a user.

OAuth2 is designed to cover a wide range of use cases (web applications, mobile, access [or not] via a browser, server-to-server access, etc.), and, to this end, it offers four main process flows to obtain a token (RFC 6749). Together combined with a specification detailing the use of this token (RFC 6750), a document detailing the threat model (RFC 6819), and a dedicated authentication overlay (OpenID Connect), results in a body of documents that runs to some 250 pages, leaving room for a broad range of implementation options and choices.

What’s more, it’s this abundance of options—and lack of constraints—that lead to the security flaws regularly observed in the implementation of OAuth2.0: the misuse of an application, access to personal data of a third-party user, the theft of Facebook/Google cookies when logging in using social media, or the compromise of a user’s account.

The following six recommendations are essential in ensuring the framework is securely implemented:

• Local storage of secret information: The client application is provided with identifiers enabling it to authenticate itself with the OAuth server; so, don’t put this secret information (the service identifier) in the mobile application; and, if you do, consider it compromised
• Redirected URLs: Validate redirected URLs strictly with the application, without the use of wildcards
• Implicit: Avoid implicit grant as far as possible (and strictly reserve it to client-side javascript applications)
• Authorization codes: Validate authorization codes strictly, as well as the associated clients
• State and PKCE: Use these to ensure the integrity of the entire series of process steps
• Authorization ≠ Authentication: Use OpenID Connect to authenticate, but OAuth to delegate access

LIMIT THE ADDITIVES

As soon as this first pinch of OAuth has been swallowed, you need to start thinking about the security measures to meet the most frequent needs.

The Single Sign-On mobile… or, how to enable mobile employees or clients to easily access multiple applications without reauthenticating?

It might be a field agent in a customer-facing role, or making a series of interventions at different sites, all while using a good dozen of applications every day; or it might be a client who’s installed several applications on the public app store and needs to access them all, without having to reauthenticate on each… Today, these are all very common scenarios. Although, since 2008, the techniques that make it possible have varied depending on the possibilities offered by the mobile OS (iOS’s KeyChain, URL parameters, Mobile Device Management, etc.), Apple and Google converged toward a common solution in 2015: the use of the browser system as an anchor point for an SSO session. This is now officially good practice, formalized in “Best Current Practice – OAuth2 for native applications.”

Contextual authentication… or, how to match the access level to the data, according to its criticality

One of the many issues concerning authentication is to simplify, as much as possible, user access to data, while still guaranteeing satisfactory levels of security. Contextual authentication provides an answer to this issue, adapting the level of access to the nature of the transaction: its characteristics, user habits, context, and so on. This is termed LOA (Level of Assurance). A mobile banking application, for example, allows the user to access their bank account, and see account balances, without having to reauthenticate each time these are accessed. However, the application will require authentication when performing a sensitive operation (transferring money between their own accounts, for example), and strong authentication when performing a very sensitive operation (adding an external recipient for a transfer, for example).

The market now offers solutions designed according to a logic where the application client is responsible for initiating the LOA request that corresponds to the data or service it requires. But the real need is to define and apply these data access policies at a single point within the authorization server. This is essential when there’s a need to apply an authentication proportionate to the level of risk (geolocation, is it a known terminal or not, transaction habits, etc.).

Identity propagation… or, how to pass an access token between two (or more) applications.

It is increasingly common that a call to an API triggers a cascade of calls to other APIs, in particular within a micro-service-type architecture setting. The transmission of the identity of the user must then be assured while still maintaining security. And the first three solutions that come to mind have limitations:

• The transmission of the initial token is obviously to be avoided, in view of the very high risk of internal fraud involved.
• Caller authentication alone is not enough either, because a compromised link in the chain can result in the theft of any user’s identity, thus compromising the rest of the chain.
• The generation of a caller token, transmitted along with the initial user’s token, does not assure the integrity of the user/API combination, and does not validate the chain.

However, an advanced initial solution does currently exist, in the form of a new grant type: Token Exchange. This mechanism allows the caller to request an intermediate token, which includes the identity of the user, the caller, and the call chain already made. This new series of process steps makes it possible to centralize the calls policy between micro-services, as well as its application, thereby ensuring the traceability of calls.

Protecting against token theft… or, how to guard against the theft of a token base?

As a rule, the token contains a good deal of information about its holder, entailing significant risks if stolen. More striking still is the fact that, in some contexts (for example, new standards on electronic payments such as those in the modified European Payment Services Directive [PSD2]), a third party (aggregator) may be in possession of many tokens, and the owner of the API is then effectively at the mercy of this third party and its level of security. Because theft is very difficult to detect, there was a need to find other solutions such as Token Binding: a negotiation mechanism using two or three components to link a token to a pair of cryptographic keys, and where the client must prove that it owns the private key that makes up part of this pair by establishing a mutual TLS connection with the API.

WRITING THE RECIPE DOWN

What’s the last ingredient of the recipe? The need to set out a reference architecture for OAuth in order to adapt it to the context of the company’s IS. To do this, the API framework must be defined, by:

• Defining and sharing the security rules: The authorized process steps and the application framework, the security checklists, and the reference architecture must all be formalized.
• Training and equipping developers: There will be a need to organize training sessions, and presentations on the principles to adopt. Project teams can be made autonomous in terms of their integration with the rest of the IS.
• Integrating security resources into Agile sprints: The resources that act as a “security coach” must be identified in order to support the application design, provide ready-to-use solutions, and serve as an accelerator.

IN SUMMARY

In summary, rather like the recipe for a good soup, securing APIs requires a list of ingredients, ranging from the most basic to the most sophisticated, while keeping the needs and context firmly in mind.

Cet article What’s the right recipe to secure your APIs? est apparu en premier sur RiskInsight.

In the context of IAM, organisations have traditionally focused on managing identities and controlling who accesses what (and how).

In terms of identity management, organisations first focused on automation of provisioning tasks and other low value tasks. The focus then gradually turned to access rights request and approval processes. More recently, organisations have turned their attention to accounts and access rights review and recertification.

In terms of access control, organisations have migrated from centralised authentication (e.g. in a shared directory) to delegated authentication (e.g. to a Web Single Sign-On (SSO) solution). We are now at a stage where authentication is standardised with identity federation protocols (e.g. SAML) equally applicable to SaaS applications as internally hosted applications.

In recent years, information systems have opened up to the Internet while at the same time their authentication has become more standardised: organisations must now contend with SaaS, IaaS, external Information Systems (IS) access by partners and clients, a mobile workforce and mobile applications. And IAM professionals have devised solutions for these new use cases without necessarily challenging the fundamental principles of the existing paradigm. In effect, the market has witnessed a gradual evolution. And whilst we are currently experiencing a relatively calm state of affairs, major change is brewing.

Figure 1: 2005-2015 – an opening of the Information System under control

The evolving ‘IS’ landscape influencing IAM

The IS landscape is undergoing a new wave of transformation;

Driven by Cloud adoption, we are heading towards further adoption of SaaS, majority use of IaaS relative to historic datacentres, real adoption of PaaS (in the form of containerised applications and server-less apps), and ever increasing remote access by employees. There is also a surge in the number of end-points accessing information systems (more customers whose interactions are digitalised, Internet of Things, OpenData, etc.).

And driven by new agile methodologies and DevOps, information systems no longer evolve in the same way. Development and deployment cycles have been considerably shortened and interactions between business lines and IT are less confrontational than they used to be. These new methods are increasingly the norm and it is difficult to resist them.

Although IAM’s primary goal has not changed much, namely controlling who accesses what in the IS, there will be many more variants of “who” and “what” in the future. Core IS will be merely one “bubble” among others (refer to diagram below) interacting with its wider environment and remotely controlling interactions between decentralised components.

Figure 2: A decentralised Information System

7 factors shaping the future of IAM

IAM must find its sweet spot in a new environment where the requirements of business lines drive technology innovation. The business lines might even impose technology solutions onto IAM teams.

In predominantly cloud-based architecture, IAM must demonstrate control over this dynamic and bring added-value to this new world.

There are seven key factors that will shape the future of IAM; three of which relate to the needs of the business lines and four of which are new IAM challenges.

Agility

Business lines now expect to offer new products and services in ever-shorter timeframes. This poses two parallel challenges for IS:

1. Maintaining quality of service for existing business line products, and
2. Adapting to meet the need of new business line products.

This is an opportunity for IS to move away from a monolithic IAM framework that is often complex to implement and very difficult to handle by embracing a lighter architecture to support the new business demands (e.g. micro-services).

Client Identity Management (Customer IAM or CIAM)

Digital transformation is driving the business lines to interact with their customers in many new ways and through ever more channels.

A flawless user experience and the simplification of the customer journey are required. Optimisation of customer acquisition and churn rates become key indicators for CIAM to address.

Internet of Things (IoT)

Whether an organisation is building connected objects or offering services on top of them, a number of questions will become unavoidable:

• How to ensure that the object I am communicating with is the one it purports to be? Is it important to be absolutely certain?
• How to scale the IS to manage the growing volume of deployed objects?
• How to ensure end-to-end security?
• What object lifecycle should we anticipate?

These are fascinating questions which force us back to the drawing board to consider different hypothesis beyond the usual IAM framework.

Identity as a Service (IDaaS)

As we predicted a few years ago, the criteria for exporting IAM to the cloud is no longer restricted to security considerations. Equally important questions are: do I really need to do it? how will I benefit?

Although the IDaaS market is still in its infancy, with current offerings only partially covering the IAM spectrum, all indicators suggest the IAM offering of the near future will plug the gaps in the form of on-premises provisioning, rights requests and approval, identities governance, and more. What remains to be seen is whether identity management and access control will be packaged together or offered by separate providers and which provider(s) will be the most reliable.

Application Programming Interface (APIs)

APIs already represent a vitally important communication medium for any company committed to the digital transformation journey: exchange with partners, mobile applications, client-side applications, OpenData, etc.

Despite perceived gaps compared to web-service standards from previous years (in particular in the eyes of WS-* suite nostalgics), it is necessary to embrace the REST/JSON wave, to dive into Oauth2 and to bring up the API first topic in all your projects.

Standards

The fight between standards is eternal. Any standard used today is destined to be challenged and replaced later by another. However, this does not prevent good standards from emerging which, if adopted, can enable a correct response to IAM issues.

On the topic of access control, several standards and protocols for authentication, as well as propagation of authentication, are mature and already adopted by a large share of the market.

FIDO (Fast ID Online), U2F (Universal 2^nd Factor) and OpenID Connect are amongst the most promising standards in terms of their adoption rate, the maturity of the underlying technologies and the players who have collectively created them.

Identity & Access Intelligence

This is probably the most exciting and fast moving IAM area. Machine learning algorithms, detection of weak signals, neural networks and other emerging technologies can lead to new use cases linked to user (or object) identity and behaviour. Examples include pre-emptive fraud detection and risk anticipation, even “closing the door” before someone attempts to enter. Whilst there is an element of science-fiction to some of the scenarios presented by vendors, this is nonetheless a vibrant and highly promising market.

Figure 3: 7 factors shaping the future of IAM

Conclusion

Identity and Access Management (IAM) is developing at a fast pace as a result of new technology developments, digital transformation and the evolving cyber threats. Large organisations need to review their IAM strategy to take into account the current and future requirements of a digitally enabled business. Instead of focusing on “point” solutions to address these challenges one at a time, organisations need to take a more considered and holistic view of developments. An effective strategy can transform your IAM platform into an asset that enables mobility and productivity whilst also helping to overcome security challenges and integrate future IAM demands.

Cet article 7 drivers transforming Identity & Access Management (IAM) est apparu en premier sur RiskInsight.

Dans ce contexte, la grande majorité des entreprises a mené des projets d’IAM : les accès aux applications sensibles sont étroitement contrôlés et les niveaux d’accès sont restreints selon les profils des utilisateurs et les actions à réaliser.

Or, trop souvent, ces démarches IAM « oublient » les populations IT qui ont pourtant des accès privilégiés sur l’infrastructure de l’entreprise. Et pour ces derniers, plusieurs spécificités sont à prendre en compte.

Les utilisateurs IT ont des besoins d’accès différents

Les utilisateurs « non-IT » représentent les utilisateurs « standards » du SI : utilisateurs des directions métier ou des fonctions support comme RH, paie, ou comptabilité… Ils accèdent classiquement :

• Aux applications en environnement de production,
• Et via les IHM standard de celles-ci.

Les populations « IT » (service informatique interne, télémaintenance, support…) ont quant à elles des accès très différents :

• Elles opèrent les infrastructures (serveurs, bases de données), et le code applicatif, sur lesquels reposent les applications ;
• Elles accèdent à tous les environnements et en particulier production et hors-production (ces derniers contenant souvent des données de production ou à caractère sensible ou personnel) ;
• Très souvent, elles opèrent avec des niveaux de droits (des « privilèges ») très élevés, présentant donc un niveau de risque non négligeable.

Ainsi, la terminologie « accès à privilèges » désigne tout accès technique, sur une infrastructure ou une brique logicielle, dans des environnements de production ou hors-production.

Ces accès sont parfois créés pour des individus, ou pour les applications elles-mêmes (une application a besoin de plusieurs comptes techniques, comme pour écrire dans une base de données).

On distingue différents niveaux d’accès « à privilèges ». Les plus critiques, de niveau « administrateur », offrent un contrôle total d’un ou plusieurs serveurs, et donc potentiellement plusieurs applications. Les accès IT de niveau « standard » sont moins sensibles mais restent à surveiller. Ces derniers pourraient permettre, par exemple, de consulter des informations sensibles dans une base de données.

Accès IT, risques métier

Par définition, la maitrise des accès privilégiés des populations IT doit être au cœur des préoccupations des entreprises.

Parmi les risques les plus importants, nous retrouvons :

• Les risques opérationnels, sans impact sur la production

Exemple : des traces d’exploitation sont supprimées par erreur ou un serveur non critique est éteint.

• Les risques sur l’activité de l’entreprise

Exemple : indisponibilité de la plateforme de flux des paiements / transaction suite à un redémarrage des serveurs par erreur.

• Les risques de non-conformité aux régulations

Exemple : mise en évidence d’un accès non-justifié sur un périmètre régulé suite à un audit interne.

• Des actions frauduleuses

Exemple : délit d’initié commis grâce à une information sensible consultée directement depuis une base de données.

Sans compter les risques plus larges autour du système d’information : vol de données, ransomwares et autres actions malveillantes. Parce qu’ils sont puissants (et permettent notamment de désactiver les mesures de sécurité), les accès à privilèges sont des cibles de choix en cas de cyber-attaque.

Aujourd’hui, la plupart des responsables d’application sensibles sont en mesure de rendre des comptes quant à l’usage des accès métier dans leur application. De la même manière, les responsables d’application et les responsables d’infrastructure doivent pouvoir répondre à des questions simples telles que :

• Qui utilise réellement des accès à privilèges sur mon périmètre ?
• Combien de comptes à privilèges existent sur mon périmètre ?
• Les mots de passe de ces comptes sont-ils changés régulièrement ?
• Quels sont les niveaux d’accès nécessaires pour mon application ou mes services, et qui ne peuvent pas être retirés sans conséquence pour la production ?

Plusieurs particularités à prendre en compte

Avant de se lancer dans un projet de mise sous contrôle des accès à privilèges, il est bon d’avoir conscience de certaines spécificités qui ne s’appliquent pas pour les accès métier.

À commencer par le cycle de vie de certains accès à privilèges. Dans le monde des accès métier, le cycle de vie est lié au statut RH de leur unique propriétaire. Mais dans le monde IT, il existe des accès partagés entre plusieurs personnes (pour des besoins opérationnels spécifiques), ou bien qui sont utilisés par l’application elle-même pour fonctionner. La durée de vie de ces accès-là est plutôt liée à la durée de vie de l’application concernée, ou bien parfois à la durée d’un projet.

Certaines contraintes opérationnelles sont aussi à prendre en compte. Notamment en ce qui concerne :

• La gestion de la production, qui ne souffre aucun délai. Dans le monde des accès métier, les niveaux d’accès sont généralement liés à la fiche de poste des utilisateurs, et c’est aussi le cas pour les populations IT. Mais dans certaines circonstances, les utilisateurs IT doivent pouvoir obtenir de nouveaux accès sans délai. Par exemple, en cas de panne d’une application critique, les équipes IT doivent pouvoir intervenir au plus vite avec toute la latitude nécessaire. Ce qui peut nécessiter des élévations de privilèges. Dans ce contexte, des processus de validation seraient trop longs (avec validation du responsable hiérarchique, puis éventuellement un autre niveau de validation…). Une autre approche peut consister à autoriser ce type de demande sans validation préalable, mais tracer et contrôler à posteriori l’usage qui a été fait de cet accès.

• Le grand nombre de ressources cibles. Certaines applications reposent sur un grand nombre de serveurs de production, et au moins autant de serveurs hors-production. Des applications peuvent aujourd’hui créer ou supprimer des serveurs virtuels à la volée, en fonction de la charge. Dans ce cas, il serait vite ingérable d’imposer aux utilisateurs des demandes d’accès pour chaque ressource cible. Une solution peut consister à gérer des demandes d’accès à des groupes de ressources (par exemple un groupe Active Directory qui représente tous les serveurs de production d’une application, lequel groupe pourrait même être déployé automatiquement sur les nouveaux serveurs par un orchestrateur).

Surtout, l’hétérogénéité de l’environnement peut rendre le modèle d’accès complexe. En effet, articuler la gestion des accès à privilèges autour d’un modèle cohérent, implique de composer avec :

• Des serveurs qui hébergent parfois plusieurs applications. Dans ce cas, un besoin d’accès à une seule application se traduit, en pratique, par des accès indus à plusieurs applications. Dans le cas d’applications critiques, il vaut donc mieux investir dans des serveurs dédiés (virtuels ou non, face aux risques portés par les administrateurs des plateformes de virtualisation).

• Des ressources hétérogènes avec leurs propres particularités. Serveur Windows, Unix, base de données Oracle, middleware Tomcat, des équipements réseau, voire des conteneurs comme Docker… La liste des technologies à prendre en compte est longue.

• Pour une même ressource, différents comptes à créer. Un utilisateur peut souvent intervenir sur une même ressource via différents moyens. Pour un même serveur, on pourra offrir la possibilité de s’y connecter directement (protocoles SSH, RDP…), via l’intermédiaire d’un serveur de rebond (et dans ce cas, c’est sur ce serveur qu’il faut créer un accès utilisateur), ou encore via une interface logicielle d’administration (c’est d’ailleurs la voie du DevOps).

• Des populations hétérogènes et des besoins qui évoluent rapidement. Le modèle d’accès est difficile à uniformiser, notamment parce que différents types de population, comme des administrateurs d’infrastructures ou des développeurs, ont des besoins différents. Par exemple, un administrateur Windows opère tous les serveurs Windows, quelle que soit l’application, alors qu’un développeur intervient sur plusieurs technologies dans la limite d’une application. Mais il est aussi difficile d’uniformiser le modèle d’accès pour une même population, car les développeurs de 2 applications différentes peuvent avoir des besoins différents.

Les accès à privilèges : un challenge pour la sécurité ?

Accès standards métier et accès à privilèges sont les 2 faces de la même pièce. Et les accès à privilèges en sont la face sombre, car ils sont à la fois plus sensibles et techniquement plus complexes à gérer.

Face à cet état des lieux, la prise de conscience des entreprises est inégale. Les mieux informées sont les équipes techniques IT qui utilisent les comptes à privilèges, et qui sont souvent favorables au statuquo.

Au-delà de la Direction des systèmes d’information, ce sont les Directions en charge des processus internes, de la qualité ou encore le contrôle interne, qui ont un rôle clé de sponsoring à jouer.

Le législateur, lui, commence aussi à s’y intéresser. Ainsi la Loi de programmation militaire, qui concerne les opérateurs d’importance vitale, impose une mise sous contrôle des accès à privilèges les plus critiques.

Mais alors comment s’y prendre, pour mettre les accès à privilèges sous contrôle ? Nous y reviendrons dans un prochain article.

Cet article Accès à privilèges : la face sombre de l’IAM est apparu en premier sur RiskInsight.

Historiquement la discipline de la gestion des identités et des accès (IAM ou identity and access management en anglais) s’est constituée autour du besoin de maîtriser qui accède (comment et) à quoi dans le système d’information de l’entreprise.

Du côté de la gestion des identités, les projets se sont initialement attelés à l’automatisation du provisioning et des tâches à faible valeur ajoutée. La discipline s’est ensuite peu à peu tournée vers les processus de demande et d’approbation de droits d’accès et plus récemment vers les problématiques de revue et recertification des comptes et habilitations.

Sur le sujet du contrôle d’accès, nous sommes passés par une première ère où l’authentification fut centralisée (sur un annuaire partagé par exemple), puis déléguée (à une solution de WebSSO) et enfin standardisée avec l’utilisation des mécanismes de fédération d’identités (eg. SAML) autant pour les applications SaaS que pour les applications restées en interne.

Dans le même temps, ces dernières années, le système d’information de nos entreprises s’est énormément ouvert à Internet : SaaS, IaaS, utilisateurs internes en mobilité, partenaires & clients accédant au SI, applications mobiles, etc. Et l’IAM a pu à chaque fois proposer des solutions à ces nouveaux usages et nouvelles orientations sans forcément nécessiter de remettre en cause l’existant et ses principes fondamentaux. Le marché s’est d’ailleurs petit à petit consolidé et nous sommes dans une situation de relatif calme… avant la tempête.

Les évolutions du SI

Nous estimons en effet que nous n’en sommes qu’au début de ces transformations.

Sous l’impulsion du Cloud d’une part, nous allons vers encore plus de SaaS, une utilisation du IaaS majoritaire par rapport aux datacenters historiques, une réelle adoption du PaaS (sous la forme d’applications conteneurisées, et server-less apps), des utilisateurs internes accédant majoritairement depuis l’extérieur et une explosion du nombre de terminaux accédant au SI (toujours plus de clients dont le parcours est digitalisé, explosion à venir du nombre d’objets connectés, OpenData, etc.)

Et sous l’impulsion de nouvelles méthodologies agiles et DevOps, le SI n’évolue plus de la même manière. Les cycles de développement et déploiement se sont considérablement raccourcis, les interactions entre le métier et la DSI se heurtent de moins en moins à l’opposition historique, et traditionnellement française, entre MOA et MOE. Ces nouvelles méthodes se sont d’ores et déjà répandues dans l’entreprise et il est difficile d’y résister.

Si la mission de l’IAM n’a guère changé : maîtriser qui accède à quoi dans le SI, il y aura beaucoup plus de « qui », de « quoi » et le SI ne sera plus qu’une bulle parmi d’autres interagissant avec son environnement et devant maîtriser, à distance, des interactions entre des composants décentralisés.

L’IAM de demain

Dans ce nouvel environnement où les métiers pilotent l’innovation technologique et imposent leurs exigences, où il est même parfois prescripteur de solutions technologiques, l’IAM doit se faire une nouvelle place. Dans ces architectures majoritairement Cloud, l’IAM doit démontrer qu’elle permet de maîtriser cette orientation et même d’apporter des plus-values par rapport à la situation précédentes.

Notre vision de l’IAM de demain s’articule autour de sept thèmes. Trois besoins exprimés par le métier et quatre nouvelles disciplines au sein de l’IAM.

L’agilité

Le métier attend de pouvoir proposer de nouveaux produits en un temps toujours plus court et ce qu’il a obtenu sur les applications métier est aujourd’hui attendu de tout le SI, y compris les services d’infrastructure et de sécurité et donc de l’IAM.

C’est l’occasion de passer d’un IAM monolithique, complexe à sortir de terre et très difficile à manœuvrer pour embrasser une architecture plus légère basée, par exemple, sur des micro-services.

La gestion des identités clients (Customer IAM ou CIAM)

La transformation numérique engagée par de nombreuses entreprises aujourd’hui a poussé le métier à interagir avec ses clients de plein de manières différentes et via toujours plus de canaux différents.

Une expérience utilisateur parfaite et la simplification du parcours client sont requis. L’optimisation des conversions clients et les taux de retours deviennent des indicateurs clés sur lesquels le métier insiste pour obtenir de l’IAM plus d’efforts.

Les objets connectés (Internet of Things ou IoT)

Que votre entreprise se lance dans la fabrication d’objets connectés ou qu’elle ne fasse que fournir des services consommés par ces objets, un certain nombre de questions vont devenir incontournables :

• Comment s’assurer que l’objet avec lequel je communique et celui qu’il prétend être ? Dans mon cas d’usage, est-ce finalement si important de le savoir ?
• Comment m’assurer de tenir la charge face au volume d’objets déployés ?
• Comment assurer la sécurité de bout en bout ?
• Quel cycle de vie doit-on anticiper ?

Ce sont des questions passionnantes qui imposent de savoir revenir à la planche à dessin et prendre en compte des hypothèses extrêmement différentes de celles de l’IAM classique.

IDentity as a Service

Comme nous l’avions prédit il y a quelques années, les entreprises n’hésitent plus à exporter leur IAM dans le cloud pour des questions de sécurité mais reviennent à la bonne question : en ai-je besoin ? Que vais-je gagner ?

Si le marché de l’IDaaS est encore jeune, les offres actuelles ne couvrant que très partiellement le spectre de l’IAM, tous les indicateurs montrent que cela ne va pas durer et que toute la gamme de fonctionnalités de gestion des identités aujourd’hui manquantes (provisioning on-premises, demande et approbation de droits, gouvernance des identités, etc.) sera bientôt couverte. Il reste à savoir si gestion des identités et contrôle d’accès seront packagés ou proposés par des acteurs différents et à choisir le(s) bon(s) acteur(s)…

APIs

Les APIs représentent déjà un format de communication prépondérant et incontournable pour toute entreprise lancée dans sa transformation numérique : échange avec les partenaires, applications mobiles, applications IHM client-side, OpenData, etc. Si vous ne vous êtes pas encore lancés, il va falloir sérieusement songer à plonger dans ce sujet !

Malgré des manques perçus par rapports aux standards des web-services des années précédentes (spécifiquement aux nostalgiques de la suite WS-*), il faut se résoudre à embrasser la vague REST/JSON, il faut se lancer dans Oauth2 et vous poser la question du API first pour tous vos projets.

Standards

La guerre des standards est éternelle. Et tout standard qui s’impose aujourd’hui a vocation à être challengé et remplacé plus tard par un autre. Cela n’empêche pas de bons standards de voir le jour, d’être adoptés et de permettre de correctement répondre aux problématiques de l’IAM.

Sur le sujet du contrôle d’accès en particulier, tant sur le volet de l’authentification proprement dite que de la propagation de cette authentification au travers du SI, plusieurs standards et protocoles sont matures et d’ores et déjà adoptés par une bonne part du marché. FIDO, U2F, OpenID Connect pour ne citer que ceux-là sont parmi les plus prometteurs de par leur ouverture, la maturité des technologies sous-jacentes ou encore les acteurs qui les ont conçus collectivement.

Identity & Access Intelligence

C’est sans doute le domaine de l’IAM qui offre les perspectives les plus excitantes. L’application des algorithmes du machine learning, la détection de signaux faibles, des réseaux neuronaux et bien d’autres encore pour faire émerger de nouveaux usages, de nouvelles possibilités en lien avec les identités de nos utilisateurs (ou objets) et leur comportement.

Détecter les scénarios de fraude avant même qu’ils ne se concrétisent, anticiper les risques et fermer la porte avant même que quelqu’un ne l’emprunte réellement. Il y a sans doute encore un peu de science-fiction dans les scénarios présentés par les éditeurs mais ce marché en pleine ébullition regorge de pépites et de bonnes surprises.

En synthèse

Ces sept thèmes, incontournables selon nous, requièrent d’ores et déjà une expertise à la fois pointue et très spécifique. Dans les prochaines semaines, nous éclairerons progressivement ces différents sujets pour donner les clés d’analyse et d’action sur l’IAM de demain, que ce soit en phase de cadrage, d’expérimentation ou de premières mises en œuvre.

Cet article Quel IAM pour demain ? est apparu en premier sur RiskInsight.

Mettre en œuvre la carte CPS au travers d’un projet de gestion des identités et des accès

Le SI, tout en connaissant de profondes transformations, devient un enjeu majeur dans les hôpitaux : informatisation continue des services de soins, ouverture du SIH, dématérialisation des échanges et interopérabilité, renforcement des exigences réglementaires, etc. Ces évolutions facilitent le partage de l’information médicale mais rendent sa protection plus difficile.

La mise en œuvre d’un espace de confiance numérique pour le partage des données de santé devient alors une nécessité. Cette nécessité devient un prérequis dans le cadre du programme Hôpital Numérique et de la certification HAS (Haute Autorité de Santé).

La mise en place d’une gestion des identités et des accès, qui associe l’utilisation d’un dispositif d’authentification forte comme la Carte de Professionnel de Santé, permet de créer un espace de confiance numérique qui répond aux problématiques suivantes :

• Respecter les nouvelles règlementations ;
• Simplifier et sécuriser l’accès au SIH ;
• Accélérer les processus de gestion des droits ;
• Diminuer la charge d’administration et réduire les coûts de support.

Mener un projet de gestion des identités et des accès adapté au monde hospitalier

La gestion des identités et des accès associe des processus, des technologies et une stratégie de gestion des identités numériques et de spécification de leur usage pour accéder aux ressources informatiques de l’entreprise.

Mener un tel projet s’avère généralement plus complexe que la plupart des autres projets informatiques en raison du nombre et de la diversité des référentiels d’identités numériques, des solutions techniques mises en œuvre et des besoins des entités gouvernantes amenées à collaborer.

Notamment, les acteurs concernés par un tel projet dans le monde hospitalier sont nombreux : la Direction Générale, la Commission Médicale d’Établissement (CME), le Département d’Information Médicale (DIM), les directions gérant le personnel salarié et non salarié de l’établissement (Direction des Affaires Médicales, Direction des Ressources Humaines), le corps médical et soignant, la Direction des systèmes d’information (ou le service informatique), etc.

Par ailleurs, certains thèmes à aborder sont spécifiques aux établissements de santé :

• Comment instruire ce projet dans le cadre d’une mise en réseau de l’établissement au sein d’une ou plusieurs communautés hospitalières ?
• Faut-il limiter l’utilisation de la carte à l’accès aux postes de travail ou bien ai-je intérêt à étendre son usage comme pour l’accès aux locaux ?
• À qui dois-je la fournir ?
• Comment m’assurer que la carte CPS facilitera l’accès aux postes de travail ?
• Quelles applications dois-je prendre en compte dans mon projet ?

Un projet d’établissement nécessitant un engagement de moyens ainsi qu’une implication de tous les acteurs pour le rendre maîtrisable

Mettre en œuvre la carte CPS au travers d’un projet de gestion des identités et des accès se révèle être un projet stratégique d’établissement, porteur d’enjeux à la fois techniques, organisationnels et de conduite du changement, et à ce titre requiert une phase préalable de cadrage qui permettra :

• De définir le périmètre et évaluer la dimension du projet : état des lieux, besoins et les attentes, axes d’amélioration, périmètre fonctionnel cible, macro-évaluation charges, coûts, délais ;
• D’inscrire le projet dans une démarche globale : acteurs à mobiliser, instances de pilotage, possibilités de mutualisation.

Et vous, où en êtes-vous de la mise en œuvre de la carte de Professionnel de Santé au sein de votre établissement ?

Cet article La carte CPS : un projet d’établissement ou un projet informatique ? est apparu en premier sur RiskInsight.