Looking back at the Heise IT Security Day in Mainz
If you don’t know your assets, you can’t protect them
Supply chain security does not end with software. Why Identity and Access Management belongs at the Heise IT Security Day in Mainz.
On 6 May, around one hundred IT security managers met on the campus of Mainz University of Applied Sciences to discuss a question that sounds simple, but in practice still overwhelms most organizations. How do you secure a value chain that you only control half of?
The theme of this year’s Heise IT Security Day was “Supply Chain Security”. One day, nine presentations, speakers from banks, research, pentesting, product security and identity management. Anyone expecting an event full of tool demos and product pitches was disappointed, in the best sense of the word. The common thread of the day was not a technical one, but an organizational one. Anyone who touches a tool must first know what they actually want to protect.
Nine lectures, one common thread
The range of topics made the day special. In the morning, the focus was on cybersecurity in the financial sector, viewed from the perspective of both attacker and defender, on auditable system hardening in the supply chain and on the question of what cyber resilience can learn from the error culture of aviation. This was followed in the afternoon by research findings on external collaborations during cyber crises, an in-depth look at FIDO authentication as protection against software supply chain attacks and the role of CERT@VDE in the Cyber Resilience Act. The final highlight was an incident responder with perhaps the most honest presentation title of the day: “hope is not a strategy”. Relentless, entertaining, with a clear appeal: Clean up. Now.
As different as the perspectives were, the pattern repeated itself. If you don’t know your infrastructure, you can’t protect it. If you haven’t defined processes, even the best tool won’t help you.
Why IAM at a supply chain event?
Between these contributions was a presentation that at first glance did not fit into the scheme. Our colleague Sarah Ringelspacher, Information Security Officer at IAM Factory AG, spoke about Identity and Access Management, from the person to the authorization.
A university's IT infrastructure, to take the example used in the talk, is often very complex: students, teachers, administrative staff and external partners need access to a variety of systems – from campus management and learning platforms to email and cloud services. Managing these accesses and authorizations is a logistical and security challenge that can hardly be mastered without professional identity and access management. This is especially true given the conditions under which German universities are trying to recruit and retain experienced staff.
Digital sovereignty at the IAM Factory
IAM does not only belong in large corporations
Sarah showed where Identity and Access Management is actually used today and where it is not. Banks and corporations have been using IAM for years, driven by regulatory requirements and sheer complexity. Universities, administrations and non-profit organizations, on the other hand, fall through the cracks, even though the challenges there are no smaller. Three things come together: lean personnel structures with few dedicated IT staff, tight budgets with long approval processes and, for a long time, no regulatory pressure that would have forced them to act.
This is changing faster than many of these organizations can react.
From recruitment to exmatriculation
Sarah used the university example to illustrate just how complex an identity lifecycle really is. The basic principle sounds simple: joiners, movers, leavers. Someone joins the organization, gets access. Someone changes roles, the authorizations have to grow with them. Someone leaves, access is blocked. Three situations that sound manageable as three separate processes.
But a university doesn’t just have employees. Students go through enrolment, semester changes, course changes and, at some point, exmatriculation, with each of these steps changing access rights. There are also external service providers with their own onboarding and offboarding, special representatives such as senate members with temporary special roles, and research partners from other institutions who are connected via federation. If you manage this manually, you lose the overview. If you lose the overview, you end up with forgotten accesses, which are among the most common attack vectors.
Sarah described the standard IAM process in three building blocks: source systems such as personnel administration or campus management provide the data. A process engine controls approvals, rules and authorizations. The final step is automated provisioning to the target systems, i.e. directory services, specialist applications and cloud services. What runs through the entire process: clearly defined statuses, traceable transitions, auditable logs.
Or, as one slide put it: IAM is the “logistics backbone”, it regulates who gets what access and when.
When things get serious: IAM in a security incident
Perhaps the most exciting part of the presentation was the security incident use case. Sarah is currently supporting the reconstruction of a university IT after a security incident, and you can see that in the slides. What happens when the directory service is corrupted and thousands of accounts have to be recreated? When external incident responders need short-term access, but this needs to be controlled and time-limited? When compromised applications are replaced by new ones and the existing authorization concepts still need to remain transferable?
Without IAM, this means Excel lists, unclear responsibilities and the constant question of whether all legacy issues have really been resolved. With IAM, re-provisioning can be largely automated. Role models can be adapted to new target systems instead of having to be rebuilt from scratch. There are regulated workflows with a clear expiry date for external helpers.
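The three building blocks described above (source data, a process engine with defined statuses and transitions, automated provisioning with an auditable log) and the incident scenario (time-limited external accounts, detection of forgotten accesses, re-provisioning after a directory is lost) can be made concrete in a small simulation. The following Python is an added example written for this article; it is not IAM Factory's software and not code from the presentation. The role model, the target system names, the user ids and the incident timeline are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed role model (hypothetical): which target systems an affiliation
# is entitled to. In a real project this comes from the authorization
# concept, not from code.
ROLE_MODEL = {
    "student":     {"campus", "lms", "mail"},
    "lecturer":    {"campus", "lms", "mail", "research_share"},
    "admin_staff": {"campus", "mail", "hr_portal"},
    "external_ir": {"admin_console"},  # incident responders: always time-limited
}
TARGET_SYSTEMS = {s for systems in ROLE_MODEL.values() for s in systems}

# Clearly defined statuses and the only transitions the engine accepts.
VALID_TRANSITIONS = {
    ("new", "active"), ("active", "active"), ("active", "suspended"),
    ("suspended", "active"), ("active", "deprovisioned"),
    ("suspended", "deprovisioned"),
}


@dataclass
class Identity:
    uid: str
    affiliation: str
    status: str = "new"
    expires: Optional[datetime] = None  # set only for time-limited accounts


class IAMEngine:
    """Process engine: status transitions, entitlement calculation,
    provisioning to (simulated) target systems, auditable log."""

    def __init__(self):
        self.identities = {}
        self.targets = {s: set() for s in TARGET_SYSTEMS}  # system -> uids
        self.audit = []  # (time, uid, action, detail)

    def _log(self, now, uid, action, detail):
        self.audit.append((now, uid, action, detail))

    def _transition(self, ident, new_status, now, reason):
        if (ident.status, new_status) not in VALID_TRANSITIONS:
            raise ValueError(f"{ident.uid}: {ident.status} -> {new_status} not allowed")
        self._log(now, ident.uid, "status", f"{ident.status}->{new_status} ({reason})")
        ident.status = new_status

    def _entitlements(self, ident):
        # Only active identities are entitled to anything.
        return ROLE_MODEL[ident.affiliation] if ident.status == "active" else set()

    def _provision(self, ident, now):
        """Bring every target system in line with the calculated entitlements."""
        wanted = self._entitlements(ident)
        for system, members in self.targets.items():
            if ident.uid in members and system not in wanted:
                members.discard(ident.uid)
                self._log(now, ident.uid, "deprovision", system)
            elif ident.uid not in members and system in wanted:
                members.add(ident.uid)
                self._log(now, ident.uid, "provision", system)

    def joiner(self, uid, affiliation, now, valid_days=None):
        if affiliation == "external_ir" and valid_days is None:
            raise ValueError("external accounts require an expiry date")
        ident = Identity(uid, affiliation)
        if valid_days is not None:
            ident.expires = now + timedelta(days=valid_days)
        self.identities[uid] = ident
        self._transition(ident, "active", now, "joiner")
        self._provision(ident, now)

    def mover(self, uid, new_affiliation, now):
        ident = self.identities[uid]
        self._log(now, uid, "affiliation", f"{ident.affiliation}->{new_affiliation}")
        ident.affiliation = new_affiliation
        self._transition(ident, "active", now, "mover")
        self._provision(ident, now)  # grows and shrinks access with the role

    def leaver(self, uid, now):
        ident = self.identities[uid]
        self._transition(ident, "deprovisioned", now, "leaver")
        self._provision(ident, now)

    def expire_due(self, now):
        """Deprovision every time-limited account whose expiry has passed."""
        expired = [i for i in self.identities.values()
                   if i.status == "active" and i.expires is not None and i.expires <= now]
        for ident in expired:
            self._transition(ident, "deprovisioned", now, "expired")
            self._provision(ident, now)
        return [i.uid for i in expired]

    def reconcile(self, system, observed, now):
        """Compare what a target system really contains with what it should
        contain. Unknown members are forgotten accesses; missing members are
        re-provisioned from the source of truth (e.g. after a directory loss)."""
        expected = {uid for uid, i in self.identities.items() if system in self._entitlements(i)}
        orphans, missing = set(observed) - expected, expected - set(observed)
        for uid in orphans:
            self._log(now, uid, "orphan", system)
        for uid in missing:
            self._log(now, uid, "reprovision", system)
        self.targets[system] = set(expected)
        return sorted(orphans), sorted(missing)

    def access(self, uid):
        return sorted(s for s, m in self.targets.items() if uid in m)


def external_without_expiry_is_rejected():
    try:
        IAMEngine().joiner("x", "external_ir", datetime(2025, 1, 1))
    except ValueError:
        return True
    return False


def run_scenario():
    """Constructed timeline: a student becomes a lecturer, an external incident
    responder gets 14 days, a target system still holds forgotten accounts,
    and the campus system is rebuilt after being wiped."""
    t0, eng, r = datetime(2025, 5, 6), IAMEngine(), {}
    eng.joiner("s1", "student", t0)
    r["student"] = eng.access("s1")
    eng.mover("s1", "lecturer", t0 + timedelta(days=30))
    r["lecturer"] = eng.access("s1")
    eng.joiner("a1", "admin_staff", t0)
    eng.joiner("ir1", "external_ir", t0, valid_days=14)
    r["ir_before"] = eng.access("ir1")
    r["expired_early"] = eng.expire_due(t0 + timedelta(days=13))
    r["expired"] = eng.expire_due(t0 + timedelta(days=14))
    r["ir_after"] = eng.access("ir1")
    eng.leaver("s1", t0 + timedelta(days=60))
    r["left"] = eng.access("s1")
    r["mail_reconcile"] = eng.reconcile("mail", {"s1", "ghost", "a1"}, t0 + timedelta(days=61))
    r["campus_rebuild"] = eng.reconcile("campus", set(), t0 + timedelta(days=62))
    r["audit_entries"] = len(eng.audit)
    return r
```

The point of the simulation is not the role table but the discipline around it: every change of status goes through a whitelist of transitions, access is always recalculated from the identity store rather than edited in the target system, and `reconcile` is the step that replaces the "Excel list" check for leftovers. The same function rebuilds a wiped target system from the source of truth, which is the re-provisioning case from the incident scenario.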
Anyone who only thinks about the software supply chain when it comes to supply chain security is overlooking this point. In an emergency, it is the identity infrastructure that determines how quickly an organization can get back to work.
Digital sovereignty starts with identity
Finally, Sarah tackled the topic of digital sovereignty. Her thesis: sovereignty means remaining capable of acting independently. If processes are clearly defined and documented, the organization is no longer dependent on the implicit know-how of individuals. Open interfaces and standardization make it easier to change providers because the organization does not have to lock itself into a proprietary system. The operating location remains freely selectable, whether on-premises, in the cloud or hybrid. And there are now mature European open source alternatives that can be used productively.
The last point in particular strikes a nerve with public sector organizations. We regularly experience in projects that the question “What dependencies can we afford?” is only asked when the change would already be painfully expensive.
The real conclusion of the day
If nine presentations from completely different perspectives allow one common conclusion, then it is this: Only those who know their infrastructure, their supply chains and their assets can protect them. This applies to the software supply chain as well as to identities and authorizations, for banks as well as for universities and KRITIS operators.
The technology exists and the regulatory requirements have been formulated. What is missing in many organizations is the step beforehand. Take a look, tidy up, define processes. Only then automate.
If you have any questions after the presentation or would like to know what an IAM project could look like in your own organization, please contact us via the contact form or call us directly on +49 6131 4811 100.