Beyond the Password: Business Enablement Through Identity ...

  • CA offers a unique advantage to IT professionals through its Enterprise IT Management vision built on 30 years of systems management expertise and a comprehensive portfolio of modular integrated solutions. CA unifies and simplifies complex IT environments and enables IT managers to manage risk, reduce cost and improve service.
  • CA’s Point of View on an IT process best practice; CA’s IP for customers, partners and the market; a customer’s strategic IT plan; a direction to take customers; a way to begin the solution dialogue; a collaboration point for Partner solutions.
  • This model is based on the MOD model. Organizational Characteristics describe the business process and capabilities of a client’s IT environment. Active implies manual intervention for most activities; Efficient means collection of data for analysis (no remediation); Responsive means remediation is manual but includes LOB impact as part of making policies; Business-Driven implies full automation.
  • Notes: If an attack is happening and your systems are working appropriately, you will get a lot of alerts. But how do those alerts impact your business? In your environment? With your assets? How do you prioritize based on your business goals? And initiate remediation to rectify the situation?
  • Notes: Security needs to help you understand what is happening in your environment, what it means to your business… and what to do about it. And if security is managed well, it can help you fix the situation. That is complete security information management. It is no different than what you all probably do today on the network side of the business with products like Unicenter. Now imagine if the two systems could work together (next slide: NOC and SOC).
  • 9.1 Business Requirement for Access Control
    • 9.1.1 Access control policy
  • 9.2 User Access Management
    • 9.2.1 User registration
    • 9.2.2 Privilege management
    • 9.2.3 User password management
    • 9.2.4 Review of user access rights
  • 9.3 User Responsibilities
    • 9.3.1 Password use
    • 9.3.2 Unattended user equipment
  • 9.4 Network Access Control
    • 9.4.1 Policy on use of network resources
    • 9.4.2 Enforced path
    • 9.4.3 User authentication for external connections
    • 9.4.4 Node authentication
    • 9.4.5 Remote diagnostic port protection
    • 9.4.6 Segregation in networks
    • 9.4.7 Network connection control
    • 9.4.8 Network routing control
    • 9.4.9 Security of network services
  • 9.5 Operating System Access Control
    • 9.5.1 Automatic terminal identification
    • 9.5.2 Terminal log-on procedures
    • 9.5.3 User identification and authentication
    • 9.5.4 Password management system
    • 9.5.5 Use of system utilities
    • 9.5.6 Duress alarm to safeguard users
    • 9.5.7 Terminal time-out
    • 9.5.8 Limitation of connection time
  • 9.6 Application Access Control
    • 9.6.1 Information access restriction
    • 9.6.2 Sensitive system isolation
  • 9.7 Monitoring System Access and Use
    • 9.7.1 Event logging
    • 9.7.2 Monitoring system use
    • 9.7.3 Clock synchronization
  • 9.8 Mobile Computing and Teleworking
    • 9.8.1 Dial Up
    • 9.8.2 DSL, CableModem
  • CA’s Integrated IT Flows (IIFs) are best practices-based IT processes that outline the activities and technology that organizations need in order to achieve their desired business outcome. An IIF combines EIM software, services and processes that together provide a specific IT solution and advance the customer’s IT maturity. It addresses real business issues and transcends the capabilities of traditional point-solution technologies.

Transcript

  • 1. Beyond the Password: Business Enablement Through IAM Ken Williams, CISSP, CFE Vice President, Technology Services CA, Inc.
  • 2. About Ken Williams
    • 25 years in risk management domain:
      • Ken is Vice President for CA, Inc. in Canada with over 25 years of experience in enterprise risk services, specializing in enterprise security architectures, information security operations, and regulatory compliance solutions globally within the banking, healthcare, government and telecommunications sectors.
      • Ken manages CA’s Technology Services within the following sectors:
        • Healthcare
        • Banking & Finance
        • Gas & Oil
        • Electricity & Power
        • Transportation
        • Telecommunications
        • Local, State, Federal
        • Emergency Services
      • Ken has authored technical security standards for State and Federal Government Agencies, Regional Banks and Regional Telecommunications carriers, and has authored technology white papers in the area of information security and regulatory compliance.
      • Prior to CA, Ken was a manager in the KPMG LLP Information Risk Management practice, Chief Security Officer of an international telecommunications provider, and founder of META Security Group.
    • Extensive past / present credentials:
      • Certified Fraud Examiner (CFE)
      • Certified Homeland Security Consultant (CHS)
      • Certified Information Systems Security Professional (CISSP)
      • Certified Protection Professional (CPP)
      • Certified IT Infrastructure Library (ITIL)
      • Defense Security Services – Active T/S Clearance
  • 3. Abstract
    • Enterprise security is a quality that must be embedded into all corporate functions.
    • We are experiencing a convergence of the need for reliability, privacy and accountability.
    • Commerce and IT are interconnected in ways that could not have been envisioned a generation ago.
    • Data security and privacy concerns are pervasive, while threats include situations that are simultaneously intentional and difficult to quantify and anticipate.
    • The only logical response to the requirement to maintain financial integrity, investor confidence and sustainable operations, is a program with a comprehensive approach to corporate governance as it relates to information management, security and availability.
  • 4. What CSOs and CIOs are Telling Us
    • Costly to manage user accounts
    • Vulnerabilities are expensive
    • Security data overload is real
    • Must reduce corporate liability
    • Need to demonstrate regulatory compliance
      • (PIPEDA, HIPAA, Sarbanes-Oxley)
  • 5. On-Demand Security Challenges…
    • Provision users automatically
    • Assess and fix vulnerabilities
    • Deliver instant security for regulatory compliance
    • Securely manage events and take action
  • 6. Today’s Business Challenges
    • Governance: lack of transparency into business processes, business data and IT operations leads to lack of required corporate oversight
    • Compliance: fines and/or sanctions for non-compliance
    • Operating Costs: inefficient and labor-intensive operations; insufficient information for budgeting and planning
    • Capital Costs: uninformed procurement; unnecessary hardware and software
    • Losses/Risk: security breaches; loss of critical business data; inconsistent processes
    • Downtime: unavailable business-critical applications and processes
    • Agility and Time to Market: slow and costly change, inflexible business processes
    These issues have been top-of-mind for the last several years, and remain so today
  • 7. Today’s IT Challenges
    • IT organizations are still grappling with solving:
      • Increasing complexity
      • Labor-intensive operations
      • Underutilized assets
      • Security incidents
      • Lack of transparency
      • Extended enterprise
      • Compliance and IT governance
    The result is a lack of alignment between IT and business needs
  • 8. To Meet These Challenges, IT Must Evolve
    “95% of IT organizations still create IT strategic plans without fully understanding the business benefits … It is these plans that fall by the wayside … CIOs must create more focused, business-friendly, and actionable plans.” --Meta (March 2005)
    • To date, CIOs have not had the tools available to:
      • Create a business-driven IT organization
      • Solve business challenges, and
      • Manage IT operations like a business
    This is the mandate for the next phase of IT evolution
  • 9. Business Benefits of IAM Functionality
    • Reducing calls to help desk
    • Enabling easy access with one account and one password
    • Reducing account management time
    • Improving help-desk services
    • Delivering a better client web experience
    • Increasing user satisfaction
    • Reducing account management time
    • Streamlining business processes
    • Delivering better web services
    • Increasing productivity of help-desk and IT services
    • Increasing satisfaction of both internal and external users
    • Securing the company’s reputation
    • Attracting prospective customers to do business online
    • Securing important corporate data such as branding info
    • Complying with regulations such as HIPAA, the Gramm-Leach-Bliley Act, 21 CFR Part 11 and the Sarbanes-Oxley Act
    • Scaling organizational security
    • Enabling a comprehensive picture of the entire organizational data
    • Facilitating an easy implementation of future applications
    • Managing resources more effectively
    • Scaling security
    • Increasing control
    • Eliminating redundancy in data management
    Functional areas covered: Single Sign-On; Registration & Enrollment; Authentication & Authorization; Information Consolidation
  • 10. Business Benefits of IAM Functionality
    • Maintaining security through de-provisioning on termination, user clean-up and robust auditing capabilities
    • Managing access rights through centralized user management and delegated administration
    • Providing automated workflow
    • Addressing e-business initiatives promptly and efficiently to gain and maintain market share
    • Leveraging the system across the value chain and strengthening commitment
    • Complying with regulations
    • Increasing control and management of information flow
    • Increasing user satisfaction
    • Reducing account management time
    • Increasing IT & help desk productivity
    • Decentralizing organizational control
    • Increasing organizational security
    • Eliminating calls to help-desk regarding password reset
    • Closing security gaps
    • Reducing account management time
    Functional areas covered: Provisioning & Federated Identity; Audit; Delegated Administration & Self-Service; Password Management
  • 11. Business Impact of IAM Functionality
    • Functionality: Provisioning & Federated Identity, Audit, Delegated Administration & Self-Service, Password Management, Single Sign-On, Registration & Enrollment, Authentication and Authorization, Information Consolidation
    • Business impact: User Satisfaction, Regulatory Compliance, Risk Management, Operational Efficiency, Cost Containment, Business Facilitation
  • 12. Where Do Savings Come From?
    • Increasing revenue
      • IAM facilitates repeat business by improving online business.
      • IAM attracts new business by improving the organizational image.
      • IAM facilitates new business by enabling federated identity and convenient web access.
    • Cutting costs
      • IAM streamlines business processes.
      • IAM reduces future costs by spending less on new capabilities.
      • IAM scales organizational security.
      • IAM lets the organization do more with less.
      • IAM increases organizational productivity.
  • 13. Where Do Savings Come From?
    • Complying with regulation
      • IAM helps avoid fines related to non-compliance with regulation.
      • IAM supports business opportunities by enabling the organization to work with existing or prospective customers and suppliers who have already achieved a certain security level.
      • IAM makes the organization competitive by matching your competitor’s existing regulation compliance.
  • 14. Where Do Savings Come From? (p2)
    • Reducing risk
      • IAM prevents loss resulting from damage to the supply chain.
      • IAM prevents monetary loss resulting from an accounting system breach.
      • IAM keeps intellectual property and competitive information safe.
      • IAM provides legal protection for the organization.
  • 15. Key Questions Every Organization Must Consider
    • What is the maximum capacity of your current system?
    • What is the average growth in application development?
    • What is the average impact of a reorganization?
    • How often does a reorganization occur?
    • What is the average turnover?
    • What menial tasks would you like to eliminate?
    • How long does it take to set up a new user in the current system?
  • 16. Key Questions Every Organization Must Consider (p2)
    • What is the cost associated with this process?
    • How many users (customers, partners) will be given access?
    • What is your annual application management cost?
    • What is the cost of new user management?
    • What is the annual cost of existing user management?
    • What is the cost by security feature, per application?
    • What is the financial impact of faster access to applications?
  • 17. Aligning To Needs
  • 18. Enterprise IT Management Vision: To Manage & Secure It All
    • What is managed: Application Environments, Assets, Users, Business Processes, IT Services
    • Foundation: IT Processes & Best Practices
    • Disciplines: Security Management, Enterprise Systems Management, Business Service Optimization, Storage Management
  • 19. Enterprise IT Management
    • Enterprise IT Management (EITM) is CA’s vision and strategy for integrated IT management across traditionally distinct IT disciplines
      • Optimizes and automates the performance, reliability, high-availability and efficiency of enterprise IT environments.
      • Enables our customers to deliver IT seamlessly as a service and reduces TCO
      • Leverages common services and a central management database that provides a unified view of all aspects of the enterprise
    • EITM is supported by CA and partners and is based on industry best practices
  • 20. Step 1: Define Your Business Operations and Needs
    • Business Objectives:
      • Increase sales and expand to new markets
      • Extend the enterprise
      • Technology-enable the organization
      • Reduce cost
      • Increase customer satisfaction
      • Enhance business processes
    • Impact on Security Objectives:
      • Business enablement and protection
      • Protect the entity’s IT assets in an open global network environment
      • Secure current infrastructure
      • Include security in ongoing development
      • Include security in ongoing implementation
      • Effective deployment of security technology to increase effectiveness and efficiency of security processes
      • Enable privacy
      • Protect intellectual property
    The strategic business objectives should be mapped to the strategic vision, mission and service objectives for the security organization.
  • 21. Step 2: Determine Overall Maturity Level
    Information Delivery Maturity (value, and cost, increase with each level):
    • Level 1 (DATA): centralized access to data, content & applications (Security Monitoring)
    • Level 2 (INFORMATION): refine, analyze & sort data, delivering security information (Security Monitoring)
    • Level 3 (KNOWLEDGE): apply business relevance to information to determine business priorities (Security Management)
    • Level 4 (ACTION): act on real business knowledge in a single place according to business need (Security Management; Security Command Center providing situational awareness)
  • 22. Step 3: Align Business and IT Strategy
    • Focus on producing a baseline blueprint, developing a high level target state, and IS strategy alignment.
    • Where are we today? (Existing Baseline): Organization and Core Competencies; Technology Environment; Information and Process Support; Applications; Communications Networks
    • What should we look like? (Target State): Organization State; Process State; Information State; IT Technology State
    • How should we get there? (Migration Plan): Architecture Documentation; Resource Plan; Project Planning and Management
    • Alignment inputs (IS and BU): Business Operations & Needs; Security Vision & Mission; IS Strategy; Information Technology Architecture & Processes
  • 23. Step 4: Define IT Processes
    • An IIF consists of a set of IT processes
    • An IIF represents people, technology, and processes required to achieve a desired outcome
    • The desired outcome should be measurable and auditable
  • 24. Step 5: Align Process & Roles
    Internal/External Identity Mgt Processes: Request → Approval → Enterprise Identity Management (Develop/Acquire, Review, Manage)
    • Develop/Acquire (New Application Request; Implement Change Request; IAM SDK - Directory):
      • Develop/acquire new application
      • Validate with security standards
      • Integrate with common security
    • Review (Verify):
      • Security review
      • Check compliance to security standards
      • Acceptance tests
    • Manage (Deliver and Support: Workflow, Provisioning System, Incident/Service Metrics, Central Logging):
      • Manage users via Provisioning system
      • Reduce application identity management costs
      • Reduce application cycle times
      • Enhance application security
    • Compliance Management and Reporting (Audit Resources, Generate Reports, Support Audit) via the Central Audit Collector and Report Generator:
      • How many incidents have occurred?
      • How many requests were self service?
      • Who approved access?
      • Monitor usage against security policies
      • Application usage
      • Identify invalid accounts
      • Recertify users
      • Who has access to what resources?
      • Review evidence of controls
      • Document exceptions
      • Outcomes: Sustained Compliance; Improved Automation; Reduced Costs
    • Get Request (Identity and Access Managed: LAN, Email, Corporate Directory, Authentication Technology, Security Web Services, Security Infrastructure, Federated Services):
      • Create / Modify / Delete
      • Policy Verification
      • Add Access Rights / Change Access Rights / Remove Access Rights
      • Provisioning Business Rules Engine – Roles Engine
    • Standards and policies (Identity Management; Internal Identity Mgt Processes):
      • Define self-registration policy
      • Define delegated managers
      • Define federated trust
      • Define authoritative sources
      • Map attributes
      • Role Management
    • Delegated Service (Open Service Request Workflow):
      • Delegated request
      • Password reset
    • Approval (Multiple Approvers: 0 or many for service requests, 1 or many for function/project requests):
      • Service request approved (if required)
      • Function/Project approved
      • Workflow Process Followed
      • Separation of Duties Checked
    • Request sources: HR Feed, Delegated mgt, Self management, SPML Request (New Hire, Transfer, Termination)
      • Attributes received from Authoritative Source
      • Unique Identifier established or checked
    • Roles legend: Applications Developer, End User, Internal Audit Manager, Security Manager, Application Manager, HR, IT Operations Manager, Business Manager
    • Close Request; Log Events
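    The request → policy verification (separation of duties, approvers) → add/change/remove access rights → log events flow on this slide, as an added Python example that is not part of the presentation or any CA product; the role-to-entitlement mapping, the conflicting role pair and the approval policy are constructed sample values.

```python
"""Identity lifecycle workflow modelled on the slide's request -> approval ->
provisioning -> log-events flow. All policy data below is constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Roles Engine: role -> entitlements (constructed; resource names taken from the slide)
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "employee": {"LAN", "Email", "Corporate Directory"},
    "ap_clerk": {"AP:create_invoice"},
    "ap_approver": {"AP:approve_invoice"},
    "developer": {"IAM SDK - Directory"},
}
# Separation-of-duties policy: role pairs one identity may not hold together (constructed)
SOD_CONFLICTS = {frozenset({"ap_clerk", "ap_approver"})}
# Entitlements on the "1 or many approvers" path; everything else is "0 or many" (constructed)
REQUIRES_APPROVAL = {"AP:approve_invoice", "IAM SDK - Directory"}


@dataclass
class Identity:
    uid: str                       # unique identifier from the authoritative source
    roles: Set[str] = field(default_factory=set)
    entitlements: Set[str] = field(default_factory=set)
    active: bool = True


class ProvisioningSystem:
    """Provisioning system that keeps a central audit log of every request."""

    def __init__(self) -> None:
        self.identities: Dict[str, Identity] = {}
        self.audit_log: List[dict] = []

    def _log(self, event: str, **details) -> None:
        self.audit_log.append({"event": event, **details})

    def handle_hr_event(self, event: dict, approvers: Iterable[str] = ()) -> List[str]:
        """Process one HR-feed event (new_hire, transfer, termination).

        Returns the provisioning actions taken, e.g. ["add:LAN", "remove:Email"].
        Raises PermissionError when policy verification (SoD or approval) fails."""
        uid, kind = event["uid"], event["type"]
        approvers = list(approvers)
        self._log("request_received", uid=uid, type=kind, source="HR Feed")
        if kind == "termination":
            return self._deprovision(uid)
        if kind == "new_hire":
            if uid in self.identities:
                raise ValueError(f"unique identifier {uid} already exists")
            self.identities[uid] = Identity(uid)
        elif kind != "transfer":
            raise ValueError(f"unknown event type {kind}")
        ident = self.identities[uid]          # KeyError: transfer for an unknown uid
        target_roles = set(event.get("roles", []))

        # Policy verification 1: separation of duties on the resulting role set
        for pair in SOD_CONFLICTS:
            if pair <= target_roles:
                self._log("request_rejected", uid=uid, reason="separation_of_duties",
                          roles=sorted(pair))
                raise PermissionError(f"SoD conflict: {sorted(pair)}")

        desired: Set[str] = set()
        for role in target_roles:
            desired |= ROLE_ENTITLEMENTS[role]
        to_add = desired - ident.entitlements
        to_remove = ident.entitlements - desired

        # Policy verification 2: sensitive additions need at least one approver
        needs_approval = to_add & REQUIRES_APPROVAL
        if needs_approval and not approvers:
            self._log("request_pending", uid=uid, awaiting=sorted(needs_approval))
            raise PermissionError(f"approval required for {sorted(needs_approval)}")

        actions = [f"add:{e}" for e in sorted(to_add)]
        actions += [f"remove:{e}" for e in sorted(to_remove)]
        ident.entitlements = desired
        ident.roles = target_roles
        self._log("request_closed", uid=uid, actions=actions, approvers=approvers)
        return actions

    def _deprovision(self, uid: str) -> List[str]:
        """Termination: remove every access right and disable the identity."""
        ident = self.identities[uid]
        actions = [f"remove:{e}" for e in sorted(ident.entitlements)]
        ident.entitlements.clear()
        ident.roles.clear()
        ident.active = False
        self._log("request_closed", uid=uid, actions=actions, approvers=[])
        return actions
```

    A request that fails either policy check leaves the identity untouched and still produces an audit record, which is what the "Who approved access?" and "Document exceptions" audit questions on the slide rely on.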
  • 25. Step 6: Develop a Blueprint
    Blueprint dimensions: IT Organizational Characteristics; Technical Capabilities; Component Level (including a Virtual Identity Directory); ROI
    • Active
      • Organizational characteristics: Focused on Traditional Services; Slow to Handle Change; Silo-ed Administration; Informal and Reactive Processes
      • Technical capabilities and components: Enterprise Identity Inventory; Password Policy Enforcement; Centralized Password Management; Self-serve Password Reset; Password Management System; System/App Level Mgt of Users; Consistent Cross-platform Web Interface; Manual User Export from HR System
      • ROI: Reduced helpdesk costs with automated password management
    • Efficient
      • Organizational characteristics: Change in Business Priorities; IT Change Driven by Cost / Regulatory Pressure; Commitment to Centralization and Automation; Adopts ITIL Svc Mgt to Formalize Processes
      • Technical capabilities and components: Automated Identity Provisioning; Workflow Process Automation; Correlation with Authoritative Source (i.e. HR); Entitlement & Change Report Generation; Web/Desktop Password Reset; Identity Management System; Workflow Engine; Web forms, Rules; Identity Reporting System; Delegated User Administration; Feeds from HR Authoritative Source; Integration With Key Identity Systems
      • ROI: Administrative cost savings due to automation of processes for identity management
    • Responsive
      • Organizational characteristics: IT Now Involved in Business Change Planning; Manages to SLA and Controls; Integrated Enterprise-wide IT Management; Tracks Performance of Processes
      • Technical capabilities and components: Automated Identity & Role Processing; Entitlements Exception Reporting; Syncs Multiple Authoritative Srcs (e.g. Contractors); Self-serve Registration Process; Role Management System; Feeds from All Authoritative Sources; Business Application Provisioning; Workflow for Application Security Review; Role-based Entitlements Management; Application Directory Integration; Integration With Business Apps & Infrastructure; Entitlement Synchronization System
      • ROI: Reduced cost in business application and compliance due to automation of role and entitlement management
    • Business-Driven
      • Organizational characteristics: Ready for Business-Driven Change; Rapidly Support New Services and Customers; Enables Support for Growing Partner Ecosystem; Automated Process Improvement
      • Technical capabilities and components: Web Services Security; Interoperability w/SPML & Enabling SAML; Automated Resource Provisioning; Federated Trust Management; Provisioning Authentication Technologies; Web Services Business Integration; Integration With Building Access Systems; Partner Identity Management; Integrated Business Processes; CMDB Integration
      • ROI: Reduced cost in partner access and change management
  • 26. Step 7: Initiate Transition To Next Level Of Maturity
  • 27. Step 8: Integrate Within The Enterprise
  • 28. Building Sustainability
  • 29. Sustaining the Program…
    • Once you have built the security program you must maintain it at an appropriate level while continuing to evolve it for the next business generation.
    • A security communication process and regular plan
    • “Ease of Use” and practical solutions and approaches
    • Process based capabilities focus versus technology/project/initiative focus
    • Architectural models with reusable, scalable components
    • Foundation built on principles
    • Business Units actively involved in self assessment, risk assessment and awareness
    • Funding and resource levels appropriate with business risk profile, with differentiation between maintaining current capabilities (IS budget) and new capabilities for new changes in BU operations (BU or IT budget)
    • Connection to the business units and alignment of strategies and priorities
    • Monitoring and feedback loop with enforcement
    • Measurement system focused on performance management not statistics
    • Executive focus, sponsorship and reinforcement
    • BU ownership of security and requirements with IT delivering the services
    • BU leadership evaluated on security performance through individual and BU results (charge units for failure to comply)
    • Interfaces and formalized communications among the related parties (audit, legal, compliance, technology)
  • 30. With Best Practices Across The Enterprise
  • 31. Focusing Across Key Areas of IT Security: Privacy; Identity and Access Management; Threat Management; Intelligent Security Management
  • 32. Provides Sustainable Security Management
    • Alerts: IDS Sensors, AV Alerts, FW Messages, Host Logs (attack / new attack, e.g. Netsky, Bagel, Mydoom; data discovery)
    • Correlate: Check Assets & Vulnerabilities
    • Align to Business: Prioritize to Business Level
    • Initiate Remediation Actions
    • Resolution: Remediate
  • 33. Provides Sustainable Security Management (same flow as slide 32)
    Security needs to help organizations understand what is happening and how it relates to the business
  • 34. Case Study
  • 35. Need: Identity and Access Management Analysis
    • Organization requires an analysis of external audit results.
    • Provide a gap analysis utilizing EDM - Maturity Model tools.
    • Develop a solution blueprint for Identity and Access Management based upon Integrated Information Technology Flows (IIF).
    • Develop Solution Architecture Overview (SAO).
    Risk assessment grid: rows are Regulatory Non-Compliance, Loss of Reputation and Downtime; columns are Probability of Occurrence, Impact Factor, Current Maturity With Respect to Leading Practices, and Overall Current Risk (aggregate of impact and probability). Ratings as extracted from the slide: L H M M L H H.
    Maturity scale:
    • 0: Control is not in place with no current plans to implement.
    • 1: Control is not in place with approved plans to implement.
    • 2: Control is partially in place with no current plans to implement.
    • 3: Control is partially in place with approved plans to implement.
    • 4: Control is in place with exceptions.
    • 5: Control is in place without exceptions.
  • 36. Solution Blueprint… Enterprise Repository
    Organizational Characteristics by maturity stage (Active, Efficient, Responsive, Business-Driven):
    • Technology Orientated; Point Solution Focused; Centralized Security Reporting; Security View
    • Transaction Orientated; Enterprise Solution Focused; Centralized Process Controls; Operations View
    • Regulatory Orientated; Controls Solution Focused; Integrated Process Management; Risk Management View
    • Business Orientated; Value Solution Focused; Integrated Corporate Management (Operations, Risk Management & Security); Dynamic Entitlement Management View
    Phases: Operational Auditing & Compliance Phase; Identity Management; Access Entitlements Management; Business Enhancement Phase
    Component Level Technical Capabilities: Audit Aggregation Tools; Platform Access Control; Perimeter Access Control; Application Access Control; Centralized Audit Management; Data & Storage Access Control; Centralized Monitoring; Component Provisioning; Enterprise-wide Provisioning; Transactional Access Control; Integrated Compliance Management; Self-Service Entitlements; User Multi Factor Authentication; Centralized Authoritative Sources; Transactional Value Approval Control; Integration with Asset Mgt; Anti-Money Laundering Capabilities; Interactive Privilege Management; Platform & App Security Controls; Provisioning Solutions; Enterprise Reporting Systems; Secure Common Services; Correlation & Analysis Tools; Self-Service Tools; Workflow Engine; Transactional Engine; Integrated Provisioning Platforms; Biometric, Token and/or PKI Solutions; Privilege Management Tools; Compliance Management Tools; SAML Solution Platform; Forensics Tools; Process Monitoring Tools; Secure Transactional Repository; Reporting Systems; Enterprise User IDs; Operational Processing Engine; Knowledge Based Engine; Risk Management Engine; Business Reporting Engine; Personalization; Integrated Workflow Management; Federated Identity Management; Automated Forensics Capabilities; Behavioral Pattern Analysis; Process Management; On-Demand Resource Management; Integrated Regulatory Management; Productivity Management; Knowledge Based Authentication; Business Process Cost Value Reporting; Integrated Business Risk Management; Integrated Operations Center; External User & 3rd Party Value Reporting; Resource Optimization Tools
  • 37. To Summarize, Integrated IT Flows (IIFs) are Key
    • Process-centric approach to IT management
    • Both the means and a framework for advancing an organization’s IT maturity level
    • Implemented through:
      • Industry best-practices instantiated in automated workflows that invoke management and security functions
      • Comprehensive management and security solutions
      • Solutions integrated at the data, UI and process levels
      • Blueprints and assessment services to identify an organization’s starting points and next steps in the IT maturity model
  • 38. Questions & Discussion