Identity and Access Management

My experience with this skill set covers design and implementation of identity and access management (IAM), as well as audit and security testing of IAM controls and implementations. I have also written IAM standards addressing methods and specifications for use in multiple network, system, and application architectures.

In designing and implementing IAM systems, my work goes back to consulting on and deploying Microsoft Active Directory (AD) environments for numerous clients, large and small. I've worked with systems engineers on solutions to establish trust relationships and integrate access capabilities using MS AD and OpenLDAP, as well as integration of multiple AD forests. Most often these scenarios have arisen where business architectures have changed, where there is a need to establish relationships with external business partners, and when acquiring new technology systems.

I've worked with OAuth and SAML authentication methods, primarily in the roles of penetration tester and controls tester. Performing security threat modeling in my practice of security architecture, I've also ensured business process owners and developers have insight into risks inherent in authentication flows across trust boundaries. I have also built small applications for study purposes that use OAuth and SAML, but not for production use.

In auditing identity and access management implementations and practices, I have uncovered failures in process and architecture, enabling me to recommend improvements addressing the root causes of gaps. It is very common that I find highly privileged accounts in many organizations that are no longer in use, have weak, easily guessed, or default passwords, or have excessive privileges, all of which have contributed to successful demonstrations of risk and real-world security impact in exploiting such flaws. In particular, I've identified flaws in AWS security group design and permissions assignments that contributed to risks of insider abuse of systems and successfully worked with engineers to ensure remediation, which has enabled the company to meet compliance mandates and validate attestations.

In performing penetration testing or other security testing of IAM implementations, I also often find systems not integrated into the prescribed security architecture, leaving them exposed to multiple types of attacks. Weaknesses in this category include network infrastructure devices, IoT systems, and specialized computing systems. I've also helped numerous clients craft compensating controls to reduce these exposures in cases where such systems have to be left in place for business or technical support reasons.

As a result of this work I've done with clients and employers, these organizations have been able to improve automation of IAM management processes, improve ease of use for end users by reducing the number of required logins, and satisfy compliance mandates. All of this contributes to savings in the cost of doing business and has helped open up new business opportunities.
