Identity & Access Management by K. K. Mookhey

  1. Identity & Access Management. K. K. Mookhey, CISA, CISSP, CISM, Principal Consultant, www.niiconsulting.com
  2. Agenda
     • Introduction
     • Ground Reality
     • Cases
     • Real-world impacts
     • Vulnerabilities
     • Building the Business Case
     • What is IAM?
     • Demystifying IAM
     • Implementation Challenges
  3. Speaker Introduction
     • Founder & Principal Consultant, Network Intelligence
     • Certified as CISA, CISSP and CISM
     • Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008, 2009
     • Co-author of a book on the Metasploit Framework (Syngress) and of Linux Security & Controls (ISACA)
     • Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA)
     • Conducted numerous pen-tests, application security assessments, forensics, etc.
  4. Ground Reality
  5. Strong passwords
     • Written down
  6. Shoulder surfing
  7. Phishing
  8. (image-only slide)
  9. Password reset mechanism
     • Vote for Cyber Security!
  10. (image-only slide)
  11. (image-only slide)
  12. Problem Description
  13. User Provisioning / De-provisioning
     • Unique user IDs
     • Providing access to applications
     • Removing access across all applications & systems
     • Ghost IDs
     • Vendor/System IDs
     • Logging & Auditing
     • Reviewing User Access Rights
     • Default Credentials
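The de-provisioning gaps this slide lists (ghost IDs, access that outlives a termination, vendor/system IDs that nobody owns) are exactly what a periodic access review is meant to surface. The Python below is an added example, not code from the presentation or from Network Intelligence: it reconciles a constructed HR roster against constructed per-system account exports and reports the findings a reviewer would act on. All people, systems and dates in it are invented.

```python
"""Access-review reconciliation: an added, constructed example (not from the slides).

Compares an HR roster with the account exports of each application and flags
the de-provisioning gaps named on the slide: ghost IDs (accounts with no HR
record), access that survived a termination, and vendor/system IDs nobody owns.
All names, systems and dates below are invented.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Person:
    user_id: str                        # the unique user ID the slide asks for
    status: str                         # "active" or "terminated"
    terminated_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    system: str
    user_id: str
    enabled: bool
    kind: str = "user"                  # "user" or "service" (vendor/system ID)
    owner: Optional[str] = None         # responsible person for a service ID


# Constructed HR roster: one record per person, keyed by unique user ID.
HR: Dict[str, Person] = {
    "jdoe": Person("jdoe", "active"),
    "asmith": Person("asmith", "terminated", date(2024, 1, 31)),
    "rkhan": Person("rkhan", "active"),
}

# Constructed account exports from three systems.
ACCOUNTS: List[Account] = [
    Account("sap", "jdoe", True),
    Account("sap", "asmith", True),                 # left in January, still enabled
    Account("corebanking", "asmith", False),        # correctly disabled
    Account("corebanking", "temp01", True),         # no HR record: ghost ID
    Account("ad", "svc_backup", True, "service", owner="rkhan"),
    Account("ad", "svc_legacy", True, "service"),   # nobody owns this
]

DEMO_AS_OF = date(2024, 3, 1)   # review date used with the constructed data


def reconcile(hr, accounts, as_of):
    """Return the findings an access reviewer would act on.

    Each terminated_still_enabled entry carries the number of days the account
    has outlived the person's termination; that lag is the metric to report.
    """
    findings = {"ghost_ids": [], "terminated_still_enabled": [], "unowned_service_ids": []}
    for acct in accounts:
        if not acct.enabled:
            continue                                # disabled accounts grant no access
        if acct.kind == "service":
            owner = hr.get(acct.owner) if acct.owner else None
            if owner is None or owner.status != "active":
                findings["unowned_service_ids"].append((acct.system, acct.user_id))
            continue
        person = hr.get(acct.user_id)
        if person is None:
            findings["ghost_ids"].append((acct.system, acct.user_id))
        elif person.status == "terminated":
            days = (as_of - person.terminated_on).days
            findings["terminated_still_enabled"].append((acct.system, acct.user_id, days))
    return findings


if __name__ == "__main__":
    for category, items in reconcile(HR, ACCOUNTS, DEMO_AS_OF).items():
        print(f"{category}: {items}")
```

In practice the roster and exports would be pulled from the HR system and from each application's admin interface on a schedule; the comparison logic stays the same, and the "days past termination" figure is what turns the review from a list of accounts into a control metric.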
  14. Password Management
     • Password policies
        ◦ Complexity
        ◦ Aging
        ◦ Length
        ◦ History
        ◦ Account lockout
     • Resetting passwords – 70% helpdesk calls
     • Universal implementation
        ◦ System & Network Administrator Passwords
        ◦ User Passwords
        ◦ Application / Functional ID Passwords
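The five policy elements on this slide (complexity, aging, length, history, account lockout) are easy to name and easy to get subtly wrong, for example by storing password history in the clear or by never expiring the history window. The Python below is an added example, not code from the presentation or from Network Intelligence; it implements each rule as a small function over a per-user record, keeps history only as salted PBKDF2 digests, and walks one invented user through the rules in `demo()`. The policy thresholds and sample passwords are assumptions chosen for illustration.

```python
"""Password policy enforcement: an added, constructed example (not from the slides).

Implements the policy elements the slide names (complexity, aging, length,
history, account lockout) as small functions over a per-user record.
Previous passwords are kept only as salted PBKDF2 digests.
"""
import hashlib
import os
import re
from datetime import date, timedelta
from typing import List, Optional


class PasswordPolicy:
    """Policy parameters; the defaults are illustrative assumptions."""

    def __init__(self, min_length=12, min_classes=3, max_age_days=90,
                 history_size=5, lockout_threshold=5):
        self.min_length = min_length                # length rule
        self.min_classes = min_classes              # complexity rule: character classes required
        self.max_age_days = max_age_days            # aging rule
        self.history_size = history_size            # history rule: previous passwords remembered
        self.lockout_threshold = lockout_threshold  # consecutive failures before lockout

    @staticmethod
    def digest(password: str, salt: bytes) -> bytes:
        # Slow salted hash so the history store never holds a reversible form.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def complexity_violations(self, password: str) -> List[str]:
        violations = []
        if len(password) < self.min_length:
            violations.append("length")
        classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
        if sum(bool(re.search(c, password)) for c in classes) < self.min_classes:
            violations.append("complexity")
        return violations


class UserRecord:
    """Per-user state: salt, digest history (oldest first), change date, lockout counter."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.history: List[bytes] = []
        self.changed_on: Optional[date] = None
        self.failed_attempts = 0
        self.locked = False


def set_password(policy, user, password, today):
    """Apply length, complexity and history rules; return violations (empty on success)."""
    violations = policy.complexity_violations(password)
    digest = policy.digest(password, user.salt)
    if digest in user.history:
        violations.append("history")
    if violations:
        return violations
    user.history.append(digest)
    user.history = user.history[-policy.history_size:]   # keep only the last N
    user.changed_on = today
    return []


def is_expired(policy, user, today):
    """Aging rule: a never-set password, or one older than max_age_days, must be changed."""
    if user.changed_on is None:
        return True
    return today - user.changed_on > timedelta(days=policy.max_age_days)


def record_login_attempt(policy, user, succeeded):
    """Lockout rule: count consecutive failures; a success resets the counter."""
    if user.locked:
        return False                    # locked accounts fail even with the right password
    if succeeded:
        user.failed_attempts = 0
        return True
    user.failed_attempts += 1
    if user.failed_attempts >= policy.lockout_threshold:
        user.locked = True
    return False


def demo() -> dict:
    """Walk one invented user through every rule and return the outcomes."""
    policy = PasswordPolicy(history_size=2)
    user = UserRecord()
    out = {}
    out["weak"] = set_password(policy, user, "short", date(2024, 1, 1))
    out["first"] = set_password(policy, user, "Correct-Horse-9", date(2024, 1, 1))
    out["reuse"] = set_password(policy, user, "Correct-Horse-9", date(2024, 1, 2))
    set_password(policy, user, "Another-Pass-42", date(2024, 2, 1))
    set_password(policy, user, "Third-Choice-77", date(2024, 3, 1))
    out["reuse_after_window"] = set_password(policy, user, "Correct-Horse-9", date(2024, 4, 1))
    out["expired_same_day"] = is_expired(policy, user, date(2024, 4, 1))
    out["expired_after_122_days"] = is_expired(policy, user, date(2024, 8, 1))
    for _ in range(policy.lockout_threshold):
        record_login_attempt(policy, user, succeeded=False)
    out["locked_after_failures"] = user.locked
    out["login_while_locked"] = record_login_attempt(policy, user, succeeded=True)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points worth noting: the history check compares digests computed with the user's own salt, so the store is useless to anyone who copies it, and the lockout counter is per user and reset only by a successful login, which is what makes the "70% of helpdesk calls" figure on the slide a real operational cost rather than a footnote.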
  15. Access Management
     • Cumbersome for users to remember multiple IDs
     • Multiple access control matrices increase complexity
     • Heterogeneous environments
     • Deperimeterization
  16. Demystifying IAM Solutions
  17. What does it stand for?
     • Identity & Access Management: “Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” (The Burton Group)
     • But then what are solutions for:
        ◦ User Provisioning
        ◦ Single Sign On
        ◦ Web Access Management
        ◦ Multi-Factor Authentication
        ◦ Identity Lifecycle Management
  18. Basic Layout
  19. (image-only slide)
  20. IAM Solutions
     • User Provisioning
     • Enterprise Single Sign On
     • Web Access Management
  21. Features to look out for: Critical Decision Criteria
  22. Top 5 Critical Success Factors
     1. Identify Business Unit Champions
        ◦ Foundation of the IAM project
        ◦ Enterprise applications or BUs most likely to improve through IAM (SAP, Core Banking, etc.)
        ◦ Business owner who has fully bought into the project
     2. Perform Vendor Analysis
        ◦ Vendor’s financial stability
        ◦ Usability without vendor presence
        ◦ Revenue growth
        ◦ Customer base – similar size/industry
        ◦ Strategic partners
        ◦ Product vision & roadmap
  23. Top 5 Critical Success Factors
     3. Define project requirements
        ◦ Functional Requirements
           ▪ User administration
           ▪ Delegation of user administration
           ▪ Role-based access control
           ▪ User self-service
           ▪ Customization of user interface
           ▪ Workflow
           ▪ Auditing & reporting
           ▪ Applications interface with
        ◦ Non-Functional Requirements
           ▪ Scalability & Performance (# of users per server)
           ▪ Fault Tolerance
           ▪ Disaster Recovery – Geographically Diversified
           ▪ Solution configuration
           ▪ Training – Administrator & End-User
           ▪ Extensibility
           ▪ Security of the product itself
  24. Top 5 Critical Success Factors
     4. Thorough Knowledge of Technical Features
        ◦ Architecture
           ▪ Does it fit with your architecture
           ▪ Is it cohesive or put together
        ◦ Ability to adapt and improve your business processes
        ◦ Integration with your technology – AS400, SAP, Core Banking Solution, Windows, Unix, etc.
        ◦ Password Management capabilities
        ◦ Policy Management – canned policies, policy wizards
        ◦ TCO – money, FTEs to administer the product
        ◦ Tiered, delegated, self-serviced administration
        ◦ Deployability
        ◦ Reporting & Auditing – regulatory/privacy
        ◦ New Features – Virtual Directory Support, Web Access Management
  25. Top 5 Critical Success Factors
     5. Bring business into the picture centrally
        ◦ Did it meet the business requirements
        ◦ Can you quantify the benefits from the solution
        ◦ Constantly communicate project expectations and benefits to business units
        ◦ Not just another vendor/solution
  26. Multi-factor authentication
  27. User Provisioning
  28. Integration with Physical Security
  29. Extensive Reporting Capability
  30. Key Benefits
  31. 5 Key Benefits
     • Improved user experience
        ◦ Helps users control their online identities
        ◦ Enables simplified sign-on
        ◦ Creates a "circle of trust" in which participating organizations can verify the authenticity of users in a federated model
     • Enhanced integration
        ◦ Enables organizations to manage digital identities across their diverse and expanding infrastructure
        ◦ A standards-based approach ensures investment protection and dramatically reduces the risk of custom integration
     • Multipurpose platform
        ◦ Manage multiple authentication options from a single platform, providing choice in any environment
        ◦ Varying levels of authorization functionality
  32. 5 Key Benefits
     • Centralized administration
        ◦ Simplifies the management of digital identities and security policies with one administrative model
        ◦ Delegated administration of users and user self-service across different identity and access management applications (i.e., authentication and authorization)
        ◦ Lower administrative costs and a reduced resource burden
     • Enhanced security
        ◦ Ensures greater levels of security to match the growing risk of exposure and the high stakes involved in e-business
        ◦ Shifts fluidly with an organization's perimeter, protecting the business at the application level
        ◦ Is the cornerstone of security enforcement, providing a basis for consistent enforcement, audit and reporting of policies across the e-business environment
        ◦ Ensures regulatory and legal compliance
  33. Conclusion
     • Benefits
        ◦ Improved user experience
        ◦ Enhanced integration
        ◦ Multipurpose platform
        ◦ Centralized administration
        ◦ Enhanced security
     • Critical Success Factors
        ◦ Identify Business Unit Champions
        ◦ Thorough Vendor Analysis
        ◦ Well-defined Project Requirements
        ◦ Thorough Product Feature Understanding
        ◦ Taking Business On the Journey
  34. Questions? Thank you! kkmookhey@niiconsulting.com. Information Security Consulting Services, Information Security Training Services, www.niiconsulting.com
