Veriphyr bright talk 20120523

Transcript

  • 1. Chase Away Cloud Challenges: User Access Governance & Compliance
      Alan Norquist, CEO & Founder, Veriphyr, Inc.
      VERIPHYR PROPRIETARY
  • 2. Goals of User Access Governance & Compliance
      • User System Access = User’s Responsibilities
          • Bank – “Access to everything and nobody knows it”
      • User Activity Access = User’s Responsibilities
          • Finance – “Can’t both approve PO and approve payment”
      • User Data Access = User’s Responsibilities
          • Healthcare – Only view patients under one’s care
      May 27, 2012 VERIPHYR PROPRIETARY
  • 3. Requirement Across Industries
      • Healthcare (HIPAA): “access … must be restricted to those who have been granted access rights”
      • Banking (FFIEC): “employee’s levels of online access .. match current job responsibilities”
      • Brokerage (FINRA): “employee’s access … limited strictly to … employee’s function”
      • Utilities (NERC): “access permissions are consistent with … work functions performed”
      • Retail (PCI): “Limit access to … only individuals whose job requires such access”
      • Public Companies (SOX - COBIT): “user access rights … in line with … business needs”
  • 4. What is the Effect of the Cloud?
      • Reduced Cost from Resource Pooling
      • Rapid Implementation and Elasticity
      • Ubiquitous Broad Network Access
          • Accessible from outside your organization perimeter
          • Accessible from variety of devices
      • Shift in Ownership and Control
          • Resource layers controlled by multiple independent providers
      • Multi-Tenancy (Resource Pooling)
          • Resources shared across multiple independent consumers
      • Split in User Access Management
          • Data center vs. cloud
  • 5. Cloud Models – Build vs. Contract
      • “The lower down the stack the Cloud provider stops, the more security the consumer is tactically responsible for implementing and managing” – CSA Guidance v3.0
      • Diagram labels: RFP or Contract It In; Software as a Service (SaaS); Platform as a Service (PaaS); Infrastructure as a Service (IaaS); Build it in
      Source: Cloud Security Alliance 2011
  • 6. User Access Governance and Compliance: Build or Contract What?
      1. Identity Stores
      2. Logging (Both Access and Activity)
      3. Key Data Entities (customers, patients, partners, etc.)
      Critical Issues
      • Interfaces
          • Insufficient – User interface
          • Required – Standards-based APIs
      • Capabilities
          • Detailed logs showing access to sensitive transactions and data (patient, customer, etc.)
      • Ability to Extract Data
          • Insufficient – Reports showing single identity’s activity over 2 weeks
          • Required – Formatted file of all identities and all activity for all time
  • 7. Cloud Providers’ Native Identity Mgmt?
      • Manage Each Cloud Separately?
      • Diagram labels: Cloud Consumer; Cloud Provider (×4)
  • 8. IAM as a Service
      • Centralized federated identity across cloud vendors
      • Build in or contract requirements for support of standards like SAML, OpenID and OAuth
      • Diagram labels: Cloud Consumer; IAM as a Service; Cloud Provider (×4)
  • 9. Cloud Provider Compliance Reports?
      • Cloud facilitates departments’ use of “best of breed”
      • Need to integrate compliance reporting across many separate cloud vendors
      • Diagram labels: Cloud Consumer; Cloud Provider (×4)
  • 10. Identity and Access Intelligence (IAI)
      • "Joining together data in identity and access management (IAM) systems and security logs with other data could be massively valuable to both IT and the business." - James Richardson, Gartner
      • Build or contract in the ability for bulk export of identity store info, logs (both access and activity), and key data (customers, patients, partners, etc.).
      • Diagram labels: Cloud Consumer; Identity and Access Intelligence; Cloud Provider (×4)
  • 11. Identity and Access Intelligence (IAI)
      • “Access reports of users and applications are requirements in information security and IT governance, risk and compliance management programs, and Identity and Access Intelligence is needed to address those requirements.” – Gartner
      • Identifies policy violations - identity, rights, activity & data
          • Determines if policy violations have been exploited
      • Different from SIEM
          • SIEM focused on packets and IP addresses
          • IAI focused on people and data
      • Works across Cloud Providers
          • Audit (access and activity) logs from all cloud applications
          • Identity stores from all IAM as a Service vendors
          • Patient, customer, partner data from applications such as HR
  • 12. Revealing - User Access ≠ User’s Responsibilities
      • User Access Activity Across Resources
      • Diagram labels: Resources; Identity
  • 13. Revealing - User Access ≠ User’s Responsibilities
      • IAI Analytics Reveal Inappropriate Access
      • Diagram labels: Resources; Identity
  • 14. Summary
      • Goal of Access Governance and Compliance
          • User Access = User’s Responsibility
      • Cloud Changes Underlying Architecture
      • Need to “Build or Contract In”
          • Standards for IAM as a Service
          • Data Sources for Identity and Access Intelligence (IAI)
      • For more information contact me
          • anorquist@veriphyr.com
          • # 650.384.0560
  • 15. For more information
      • Whitepaper on IAM as a Service: https://cloudsecurityalliance.org/research/
      • Whitepaper on Identity and Access Intelligence: http://bit.ly/IAI-whitepaper
      • Alan Norquist, CEO, Veriphyr
      • anorquist@veriphyr.com
      • www.Veriphyr.com
      • # 650.384.0560
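
The join that slides 10 and 11 describe (identity stores, access and activity logs, and key data from several cloud providers) can be sketched as follows. This is an added example, not Veriphyr's code or anything from the talk; the field names, provider names and records are constructed for illustration, and the two rules are the finance and healthcare cases from slide 2.

```python
from collections import defaultdict

# Constructed bulk exports (hypothetical field names), one per data source.
IDENTITIES = [  # identity store: cloud account -> person
    {"provider": "erp-cloud", "account": "jdoe", "person": "E100"},
    {"provider": "pay-cloud", "account": "john.doe@corp.example", "person": "E100"},
    {"provider": "erp-cloud", "account": "asmith", "person": "E200"},
    {"provider": "ehr-cloud", "account": "nurse7", "person": "E300"},
]
ACTIVITY = [  # access and activity logs from every cloud application
    {"provider": "erp-cloud", "account": "jdoe", "action": "approve_po", "object": "PO-17"},
    {"provider": "pay-cloud", "account": "john.doe@corp.example", "action": "approve_payment", "object": "PO-17"},
    {"provider": "erp-cloud", "account": "asmith", "action": "approve_po", "object": "PO-18"},
    {"provider": "ehr-cloud", "account": "nurse7", "action": "view_patient", "object": "P-1"},
    {"provider": "ehr-cloud", "account": "nurse7", "action": "view_patient", "object": "P-9"},
    {"provider": "ehr-cloud", "account": "ghost", "action": "view_patient", "object": "P-1"},
]
CARE = {("E300", "P-1")}  # key data: (person, patient) pairs under that person's care


def find_violations(identities, activity, care):
    """Join the three exports and return a sorted list of (rule, person, object)."""
    person_of = {(i["provider"], i["account"]): i["person"] for i in identities}
    actions = defaultdict(set)  # (person, object) -> actions across all providers
    findings = set()
    for ev in activity:
        person = person_of.get((ev["provider"], ev["account"]))
        if person is None:
            # Account absent from every identity store: cannot be tied to a person.
            findings.add(("unmapped_account", ev["account"], ev["object"]))
            continue
        actions[(person, ev["object"])].add(ev["action"])
        if ev["action"] == "view_patient" and (person, ev["object"]) not in care:
            findings.add(("patient_not_under_care", person, ev["object"]))
    for (person, obj), acts in actions.items():
        if {"approve_po", "approve_payment"} <= acts:
            findings.add(("po_and_payment_same_person", person, obj))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_violations(IDENTITIES, ACTIVITY, CARE):
        print(finding)
```

The PO-17 finding only appears because the two accounts at different providers resolve to the same person, which is why the slides ask for bulk export of all identities and all activity rather than per-identity reports.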