
Identity and Access Management: The Past, Present and Future

The Historical Past

When we meet our friends, family or colleagues, we recognize them by how they look, talk or move. We immediately know who they are and need no further authentication. But suppose that individual goes outside the circle of those who recognize the person. How would others learn who he or she is?

Personal identification documents can be traced all the way back to biblical times, when rulers protecting their lands required a safe-passage document of individuals travelling through them. What is described as the earliest reference to a government-issued document of safe passage is in the Book of Nehemiah: “I also said to him, 'If it pleases the king, may I have letters to the governors of Trans-Euphrates, so that they will provide me safe-conduct until I arrive in Judah?'” (2:7). Historians depict this as the earliest form of a passport, a document formally identifying an individual and authorizing passage.

Another early form of personal identification, formally enacted by law, appeared in England during the reign of Henry V, in an Act of Parliament dated 1414. This too was an early form of passport, and at that time such documents could be issued by the king to anyone, English nationals or not. Foreign nationals even got theirs free of charge, while English subjects had to pay.

1906 Washington DC Operators (Drivers) License

1959 Illinois Operators (Drivers) License

As time progressed, personal identity documents evolved: the invention of photography brought the photograph, an early form of biometrics, to identity documents, alongside fingerprints. Both are used in today’s tamper-proof federal documents, together with embedded microchips. However, before the First World War the majority of individuals did not have or need identity documents. I can recall that my parents, immigrants from Greece, did not have birth certificates or other forms of identification in the remote mountainous regions and villages where they grew up and lived. The only way to obtain formal documents such as passports and other transit papers was for someone to vouch for them, usually a village official, physician or priest.

With other technological advancements, such as the advent of the automobile, the need to test and license the operators of these vehicles became apparent. It was the severe injuries and deaths that precipitated the need to license car operators on a periodic basis. In the United States, each state was tasked with testing and licensing those of its constituents who operated motorized vehicles. They were also required to register their cars by displaying license plates that tied the car to its owner. The operator’s license (now the modern-day driver’s license) evolved into the personal identification document widely used when drivers crossed state boundaries. Today it serves as one of the primary identification documents but is deficient in establishing national identity, unlike the passport; the passport, in turn, is insufficient for authorizing the operation of a motor vehicle.

We have many types of identification documents today: a state driver’s license to operate motor vehicles; a state ID that identifies a person as a resident of the state but confers no authorization to operate a motorized vehicle; a passport issued by the federal government that authenticates an individual and authorizes crossing national boundaries, in some cases together with an additional document such as a visa that approves the individual to travel to and stay in the foreign country for a period of time. Other identity documents include the federal pilot’s license, which also authenticates and authorizes individuals to operate aircraft; the list of such identity documents is staggering.

As I look into my wallet, I find my Illinois Driver’s License and the federal passport card, which provides national identity authorizing travel to Canada or Mexico by ground transportation or by ship. I need the regular passport to travel by air to those and other foreign destinations around the world. Credit cards and a library card are also present, so, as the infamous Capital One commercial asks, “What’s In Your Wallet?” Or the American Express expression, “Never Leave Home Without It!” Lose that wallet or purse and there goes your identity right with it, and more; it makes everyone nervous.

Consider the modern-day digital world, with all those user IDs and passwords to remember. It is no wonder we have such rampant identity theft when the average person or company can never manage all of these identity objects. Wouldn’t it be nice if it were possible to have a secure universal credential that consolidates all of these documents to access what we need in our everyday life? A far-fetched, pie-in-the-sky idea, many would imagine, but it is not, and I will touch upon the visionary concepts that lie in our future. With the advances in technology and biometrics, identification and access management are rapidly becoming more a science than an art.

The Present: The Modern-Day Identity and Access Management (IAM) System

Welcome to the cyber world, our present state of identity and access management best practices. In this section I will touch upon the critical information, access controls and auditing that are essential even for the most privileged users. For example, consider Edward Snowden, or any system administrator who is apparently abusing privileges to access material they shouldn’t. We need to discover what the heck is going on and immediately terminate all access privileges in addition to employment. It is also critical to ensure that all of that person’s access accounts and rights are quickly removed as well.

Before going too deeply into how a modern-day IAM solution is designed and implemented: most follow a similar approach and offer similar features. What is more important is an understanding of how identification techniques evolved through time to where we are today. The following diagram I put together is a fundamental view of identification, from the very basic to the technologically advanced methods now in use and being perfected, such as tokens and biometrics.

An IAM system helps ensure that people have the right access to the right resources, and only those resources, at the right time, with the granularity needed to control it. Delivering this access is essential for enabling employees to work productively, and a centralized IAM is vital for controlling individual user identities, governing user access rights and maintaining visibility into privileged-user actions.

So what are the best practices of IAM? The following are commonly used in the security industry:
  1. Define the stakeholders who need access – to company resources, including employees, contractors, consultants, and others.
  2. Implement a single, integrated system – one that provides end-to-end management of identities throughout their lifecycle, with delegated rights, membership in groups such as those in Microsoft Active Directory, and other LDAP attributes used to authorize users.
  3. Proactively monitor activities – this helps discover vulnerabilities, address security policy violations and prevent unauthorized access to systems and data.
  4. Provide knowledge and control – the identity system gives business data owners and custodians the permissions they need. They must have the visibility and control to understand what is in the organization’s environment and who has access to it.
  5. Enforce a request-and-approval workflow – this manages and documents change and establishes a continuous process that helps ensure individual employees have the right access to do their job, but nothing more: the least-privilege model. It also involves constant monitoring of permissions to avoid security risks.
  6. Automate user account provisioning – this reduces overhead, avoids errors and improves consistency. Automation can reduce the complexity of everyday administrative tasks, such as password management, and simplify the management of policies across complicated Windows and UNIX-based operating system environments. It can also be extended to mainframe environments.
  7. Create compliance rules – modern IAM systems have compliance integration to help meet any industry or governmental regulations. This also minimizes the burden compliance demands impose on IT, improving compliance through automation and consolidated reporting.
  8. Manage roles instead of individuals – for elevated positions such as administrators, modern IAM systems are capable of managing access in several ways, such as performing keystroke logging, conducting session audits and delegating granular privileges for the execution of specific commands.

A properly designed IAM system must fit the organization’s business as well as its IT infrastructure and processes. Any organization’s business and IT processes follow a provisioning life cycle, from procuring resources such as the hiring and firing of employees to the commissioning and decommissioning of applications.
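As an added example (not code from the article), the following small Python model ties together points 5, 6 and 8 above: access is granted only through roles, a grant requires a request approved by someone other than the requester, a leaver is deprovisioned in one step, and every change lands in an audit trail. The role names and entitlement strings are constructed for illustration.

```python
"""Toy identity lifecycle: roles instead of individuals, request-and-approval
before any grant, one-step deprovisioning, and an audit trail of every change.
Roles and entitlements below are constructed sample data, not a real schema."""
from dataclasses import dataclass, field

# A role bundles the minimum entitlements a job function needs (least privilege).
ROLES = {
    "payroll_clerk": {"hr_db:read", "payroll_app:submit"},
    "sysadmin":      {"servers:ssh", "ad:reset_password", "logs:read"},
}


@dataclass
class Directory:
    roles_of: dict = field(default_factory=dict)   # user -> set of approved roles
    pending: list = field(default_factory=list)    # (user, role, requester) awaiting approval
    audit: list = field(default_factory=list)      # (action, user, detail) in order

    def request(self, user, role, requester):
        """Step 1 of the workflow: a request is recorded; nothing is granted yet."""
        if role not in ROLES:
            raise KeyError(f"unknown role {role!r}")
        self.pending.append((user, role, requester))
        self.audit.append(("requested", user, f"{role} by {requester}"))

    def approve(self, user, role, approver):
        """Step 2: a data owner grants the role. Self-approval is rejected."""
        match = next((p for p in self.pending if p[:2] == (user, role)), None)
        if match is None:
            raise KeyError(f"no pending request for {user!r}/{role!r}")
        self.pending.remove(match)
        if match[2] == approver:
            self.audit.append(("rejected", user, f"{role}: self-approval by {approver}"))
            return False
        self.roles_of.setdefault(user, set()).add(role)
        self.audit.append(("granted", user, f"{role} approved by {approver}"))
        return True

    def entitlements(self, user):
        """Effective access is the union of approved roles and nothing else."""
        return set().union(*(ROLES[r] for r in self.roles_of.get(user, set())))

    def deprovision(self, user):
        """Leaver: revoke every role and drop open requests in one step."""
        removed = self.roles_of.pop(user, set())
        self.pending = [p for p in self.pending if p[0] != user]
        self.audit.append(("deprovisioned", user, ",".join(sorted(removed))))
        return removed
```

After `deprovision`, `entitlements` for that user is empty, and the audit list shows the full history including the rejected self-approval.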

Identity management is one of the most essential components and one of the cornerstones of an organization's security infrastructure. In a subsequent article I will discuss what the parts and functions of a security infrastructure are and what it looks like from a network and application architecture stack perspective; I’ve designed several. With the advent of compliance mandates such as Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the EU's Directive on Data Protection and numerous other federal, state and industry regulations, it’s imperative to protect information assets. Securing this information is directly related to an organization's reputation, legal responsibility and financial well-being.

The Future of Identity and Access Management

Identifying the uniqueness of an individual is at the heart of it all; authentication is where it all begins, letting us know without any reservation that a particular person is who he or she says they are.

Biometrics mark a fundamental shift in the way we are identified to computerized systems. Unlike traditional identification, which you must either remember or carry with you, biometrics are you: fingerprints, voice analysis, iris patterns, vein matching, gait analysis, and so on. Such traits are unique to an individual and often, though not always, incredibly difficult to fake. The technology is becoming even more precise and accurate, making identification nearly if not entirely impossible to compromise, by using human DNA. But is human DNA unique? What about identical twins born with the same genetic footprint; how would biometrics differentiate between the twins? These are among the many challenges facing advanced biometric technology.

The future of biometrics holds incredible promise: one unique credential, doing away with passwords as we know them. It would serve as a national ID that cannot be lost or stolen and opens the door to new provisioning possibilities, a universal system into which companies may be able to tap to procure access privileges from a massive government database. An interesting concept, but nothing new: for example, organizations once used the Social Security number to identify their employees (many still do today), and healthcare insurance firms used it before HIPAA was enacted into law. Since Edward Snowden disclosed what the NSA was doing covertly, privacy looms as a big legal argument. Like it or not, these advances are coming, and perceptions along with the legalities must evolve with them.

Comparisons of Biometric Methods

Facial Recognition:

Where used: PCs, law enforcement, casinos with problem gamblers, hotels, dating services, attendance at colleges and universities.
Advantages:
  1. Nonintrusive
  2. Cheap technology
Disadvantages:
  1. 2D recognition is affected by changes in lighting, the person’s hair, age, and whether the person wears glasses.
  2. Requires camera equipment for user identification; thus, it is not likely to become popular until most PCs include cameras as standard equipment.

Voice Recognition:

Where used: PCs; widely used in other environments, second only to the fingerprint.
Advantages:
  1. Nonintrusive; high social acceptability
  2. Verification time is about five seconds
  3. Cheap technology
Disadvantages:
  1. A person’s voice can be quickly recorded and used for unauthorized PC or network access.
  2. Low accuracy
  3. An illness such as a cold can change a person’s voice, making absolute identification difficult or impossible.

Signature Recognition:

Where used: Industrial systems and some credit card POS terminals.
Advantages:
  1. Nonintrusive
  2. Short verification time (about five seconds)
  3. Cheap technology
Disadvantages:
  1. Signature verification is designed to verify subjects based on the traits of their unique signature. As a result, individuals who do not consistently sign their names may have difficulty enrolling and verifying in signature verification.
  2. Error rate: 1 in 50

DNA:

Where used: Under development
Advantages:
  1. Very high accuracy
  2. System errors are impossible
  3. It is standardized
Disadvantages:
  1. Extremely intrusive
  2. Very expensive

Retinal Scanning:

Where used: Nuclear and military installations, penitentiaries, hardened data centers, sensitive medical, biological and chemical laboratories.
Advantages:
  1. Very high accuracy
  2. There is no known way to replicate a retina
  3. An eye from a cadaver would deteriorate too fast to be useful, so no extra precautions would be necessary to ensure the scan is from a living person.
Disadvantages:
  1. Very intrusive
  2. It has the stigma of consumers thinking it is potentially harmful to the eye.
  3. Comparisons of template records can take upwards of 10 seconds, depending on the size of the database.
  4. Very expensive

Iris Recognition:

Where used: Nuclear and military installations, penitentiaries, hardened data centers, sensitive medical, biological and chemical laboratories.
Advantages:
  1. Very high accuracy
  2. Verification time is generally less than 5 seconds.
  3. An eye from a cadaver would deteriorate too fast to be useful, so no extra precautions would be necessary to ensure the scan is from a living person.
Disadvantages:
  1. Intrusive
  2. High memory utilization is required for the data to be stored.
  3. Very expensive

Fingerprint:

Where used: PCs, law enforcement; the most widely used biometric.
Advantages:
  1. Very high accuracy
  2. The most economical biometric PC user authentication technique.
  3. One of the most developed biometrics
  4. Easy to use
  5. Small storage space required for the biometric template, reducing the database memory needed
  6. It is standardized
Disadvantages:
  1. For some people it is intrusive and still associated with criminal identification.
  2. It can make mistakes with dry or dirty skin on the finger, as well as with age (it is not appropriate for children, because the size of their fingerprint changes quickly).
  3. The image is captured at 500 dots per inch (dpi) with a resolution of 8 bits per pixel. A 500 dpi fingerprint image at 8 bits per pixel demands high memory utilization, approximately 240 Kbytes, so data compression (by a factor of 10) is required.

Hand Geometry:

Where used: Military, law enforcement, and hardened data center facilities.
Advantages:
  1. Though it requires specialized hardware, it can be easily integrated into other devices or systems.
  2. It has no public attitude problems, as it is most commonly associated with authorized access.
  3. The amount of data required to uniquely identify a user in a system is by far the smallest, allowing it to be used easily with smart cards.
Disadvantages:
  1. Very expensive
  2. Considerable size
  3. It is not suitable for an arthritic person, who cannot place the hand on the scanner correctly.

Identity and access management has a long history, dating back to the biblical era. We touched upon some historical examples of how the identification document evolved to its present state, how a typical IAM system is designed and deployed in an organization's environment, and the current best practices. We also touched upon what the future has in store with biometrics, the methods currently in use and those under development.

Biometrics are said to be hacker-proof, or nearly so, but the technology is nothing more than a digitized biological aspect of ourselves stored in a database. Consider adversaries breaching this data and what they could do with it. Therefore we must assume nothing is secure. Why is it that mankind has individuals who want to take away something from another? What we are doing with IAM and other layered security components is telling them they can't have it. So the dangerous cat-and-mouse game with our adversaries continues unabated.