Access Management: A Benign Name for a Critical Business Process

Good security is like good health: you don’t truly appreciate it till it’s gone.

In our day-to-day lives, passwords, account access and authentication aren’t remotely fun, glamorous or profitable; they’re a nuisance that we endure because it’s been drummed into us that the alternative is far worse.

The horror stories aren’t apocryphal either — sadly they’re all too real. The cost of a major systems breach can be astronomical, not only from a financial perspective, but also from a moral one. No one wants to be remembered as “that company that got hacked” or “that gobby corporation whose spools were picked apart in the gossip mags”. Don’t be like Equifax or Sony or any one of the countless other companies that are breached every year.

The trouble is, even if you do everything by the book — even if you use strong passwords and restrict access and follow all the other best practices that have been inculcated in us over the years — it still might not be enough. All it takes is for one hapless employee to open an email attachment they shouldn’t, or one infected thumb drive to be plugged into the network and — boom — years of diligent behaviour are erased in a trice.

Taking aim at IAM

But enough with the scare stories. We’re not here to paint doomsday scenarios (not today anyway). We actually want to discuss access management. It’s a benign name for a critical business process, incorporating username and password control for your entire organization. Every company, regardless of size, has some degree of hierarchy when it comes to system access. After all, you don’t give your intern the same level of access as your CEO. Access management isn’t just about decreeing who can see what — it’s also about implementing a robust framework that will deter unauthorized entities. Your access management system is only as strong as its weakest link, however.

While some businesses view access management as little more than a distraction or an annoyance, here at REMME we have a different approach. That’s because developing access management solutions is what we do. Or to put it differently, securing your business is our business. Although we’re big fans of access management, it’s no secret that we’re not fond of the current paradigm. That’s why we went to the trouble of building a radically different solution using the security provided by the blockchain.

Certification without the centralization

Classical certificate management structures operate on a hierarchical basis, all overseen by a centralized certificate authority. This is how it’s always been done, and it’s probably how it would have continued to be done were it not for the rise of blockchain technology. We’re not the first company to stumble upon blockchain’s potential for enhancing security and granting systems access; other companies have already trialled identity-based solutions, with Civic and uPort notable examples.

These systems are great for resolving issues of identity, but they’re not designed to control issues of access. In other words, even if you are who you say you are, should you be accessing these files? Determining this calls for a new system of certificate management. We could achieve this by storing certificate data on the blockchain, but in our opinion this approach is less than ideal. Instead, we’ve created a means of saving and revoking certificates that utilizes a secret message that’s signed by a private key associated with that particular blockchain address.

This results in an elegant system that is blockchain agnostic. Pick a blockchain — Bitcoin, Emercoin, Ethereum — or even a sidechain such as Rootstock or Exonum and we’ll set up a certificate solution to suit. We allow for self-signed certificates, ones signed by our own certifying center or ones signed by an official third party. X.509 certificates have long been the defining standard for public key certificates. REMME takes that framework and builds a distributed Public Key Infrastructure on top of it, essentially repurposing SSL/TLS and protecting the entire channel from attack.

X.509 certificates are another topic for another time: we’ll spare you the minutiae for now. For the purposes of this article, we just want to finish by touching upon how the certificate revocation process works. This is achieved by publishing a secret revocation message that is signed using a private key. There’s no need to wait for blockchain confirmation as the certificate is valid immediately. To further bolster security, our clients can also activate two-factor authentication. That way, even if a private SSL certificate is somehow compromised, there’s an added layer of security to contend with.

‘Decentralization’ (like ‘blockchain’) is one of those words that gets touted about a lot, including in cases where it’s not really needed. When it comes to access management, however, we firmly believe that the distributed system we’ve created is stronger, more transparent and more secure, because a distributed model has no single point of failure. The name REMME is a truncation of “remember me”. If you value the security of your organization, it’s a name you’ll want to recall. As the second phase of our pilot program rolls out later this year, expect to be hearing a lot more about REMME and our innovative new IAM framework.

Access management doesn’t have to be exciting — it just has to be secure. Here at REMME, we’re pretty confident we’ve got that latter requisite locked down.