Trust, but Verify: The Missing Link in IAM

Identity and Access Management (IAM) is well-entrenched in enterprise and government infrastructures.

However, in our API-driven world, merely establishing a “trusted user” – e.g., a device or a person – and granting them access to information provides an incomplete security profile. Lacking the ability to inspect the bidirectional flow of data traversing our modern computing architectures, IAM technologies cannot answer the two most critical questions about trusted users:

What information are they bringing into the network?

What information are they removing from the network?

Data & Behavior Validation – Where Are You?

Imagine you’re a TSA officer. You’re not solely going to scan a passenger’s passport and look at their boarding pass. You’re also going to require them to walk through the metal detector and examine their luggage because you’re looking to create an entire picture of who this individual is and what their intentions are.

The same policy should apply when looking to keep your network secure.

While the identity tier identifies and authorizes who is able to access your network, it fails to incorporate multi-context authentication for insight into the user’s behavior – i.e., the information being requested or retrieved. Identity technologies were just never designed to achieve this task.

Conversely, the cyber tier looks at data heuristics and behavior patterns but is not tied to identity. Underscoring the chasm between the two disciplines, identity capabilities live deeper within the infrastructure while cyber remains at the perimeter, and the two are managed by different teams.

Many IT professionals attempt to marry identity and security functions through the manual deployment of agents. Unfortunately, they quickly learn that the complexity, time and overhead of this integration make it unachievable in practice.

Bridging the Gaps

So how do you go about unifying policies around identity?

Utilize tools and technologies that promote data security alongside data identification and access control – a unified approach for IAM with data inspection and security. With APIs becoming increasingly interconnected, there’s now a greater necessity for an all-encompassing approach to identity. Fortunately, the capabilities associated with brokering and parsing information between the two distinct technology disciplines are inherent in API Security Gateway technology.

Forum Sentry’s multi-context authentication represents the next generation of multi-factor authentication. By combining authentication information in correlation with information within the request and/or response, Forum Sentry provides the essential context critical to validating user behavior with exchanged information. Completing the trust model with multi-context analysis of the user and the data, Forum Sentry offers a more principled approach to identity and the key ingredients for establishing SSO and federation.
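As an added illustration (not Forum Sentry’s code or configuration), the following Python sketch shows the shape of a gateway policy that fuses the identity decision with inspection of both the inbound request and the outbound response, so the two questions posed above are answered per message rather than once at login. The Identity model, role and clearance names, the single inbound content rule and the sample payloads are all assumptions.

```python
# Added illustration of identity-plus-content policy enforcement at an API gateway.
# The Identity model, role/clearance names and the checks themselves are hypothetical.
import json
import re
from dataclasses import dataclass

CLEARANCE_RANK = {"public": 0, "internal": 1, "restricted": 2}  # assumed labels
ACTIVE_CONTENT = re.compile(r"<script\b", re.IGNORECASE)  # one sample inbound rule

@dataclass(frozen=True)
class Identity:
    subject: str
    roles: frozenset
    clearance: str  # highest classification this identity may receive

def validate_request(ident, method, path, body):
    """Inbound context: what is the trusted user bringing in? Returns violations."""
    violations = []
    if method in ("POST", "PUT") and "writer" not in ident.roles:
        violations.append(f"{ident.subject} lacks writer role for {method} {path}")
    try:
        payload = json.loads(body) if body else {}
    except ValueError:
        return violations + ["request body is not well-formed JSON"]
    for key, value in payload.items():
        if isinstance(value, str) and ACTIVE_CONTENT.search(value):
            violations.append(f"active content in request field {key!r}")
    return violations

def validate_response(ident, body):
    """Outbound context: what is the trusted user taking out? Returns violations."""
    violations = []
    for rec in json.loads(body).get("records", []):
        label = rec.get("classification", "restricted")  # unlabelled = most sensitive
        if CLEARANCE_RANK.get(label, 2) > CLEARANCE_RANK[ident.clearance]:
            violations.append(f"record {rec.get('id')} is {label}, caller is {ident.clearance}")
    return violations

def decide(ident, method, path, request_body, response_body):
    """Fail closed: a valid identity alone never yields 'allow'; content must pass too."""
    violations = validate_request(ident, method, path, request_body)
    if violations:
        return "deny", violations  # never forward a rejected request to the backend
    violations = validate_response(ident, response_body)
    return ("deny", violations) if violations else ("allow", [])
```

The same authenticated subject is allowed or denied per exchange, and the reasons are returned alongside the verdict so the gateway can log why a trusted user’s traffic was stopped.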

To learn more, we invite you to download our whitepaper, Secure Federated Identity.