5 Reasons Your IAM Solution Will Fail

Recent security breaches by trusted insiders have propelled Identity and Access Management (IAM) to the top security priority of many organizations. After all, it’s clear security is only as strong as its weakest link – people – and the press is full of articles documenting the damage people can do. So it’s natural for security managers to want to shore up their IAM infrastructure to avoid similar embarrassment. But IAM needs to be approached with an eye towards the full extended environment and by taking associated risks into account. In other words, whether you are starting from scratch or taking on new IAM challenges such as cloud security, there are certain IAM tenets you should follow to build a successful, effective IAM solution.

Don’t join the Hall of Shame by having a security breach at your organization. Attend this webcast to learn five ways a typical IAM solution can fail, so you don’t make the same mistakes.

View the full on-demand webcast: https://www2.gotomeeting.com/register/410951466


Transcript

  • 1. 5 Reasons your IAM Solution Will Fail – Chris Poulin, IBM Security Systems, July 2014 (© 2013 IBM Corporation)
  • 2. In this era of Mobile, Cloud, & Social, security is a major concern
    - Mobile: 50% of employers will require BYOD for work by 2017; 90% of the top mobile apps have been hacked
    - Cloud: 55% of CIOs to source all their critical applications in Cloud by 2020; 72% of organizations saw unauthorized access to cloud in past 12 months
    - Social: 54% of CIOs cited Social Media as one of the most disruptive technologies; 75% of enterprises cited social media as the top information security risk
    Source: 1. Gartner – May 2013
  • 3. More than half a billion records of personally identifiable information (PII) were leaked in 2013
  • 4. Enterprise Security is only as strong as its weakest link – Identity
    - 55% of scam and phishing incidents are campaigns enticing users to click on malicious links
    - Criminals are selling stolen or fabricated accounts
    - Social media is fertile ground for pre-attack intelligence gathering
    Source: IBM X-Force® Research 2013 Trend and Risk Report
    - Mobile and Cloud are breaking down the traditional perimeter
    - IAM becomes the first line of defense with Threat and Context awareness
  • 5. Reason #1: Human Factors—User Behavior
    Users will try to get around strict policies:
    - Invest minimum effort in creating passwords
      • Lack of strength and variety
      • Across multiple authentication domains
    - Not enable out-of-band / multi-factor auth
    - Use 3rd party cloud services over enterprise provided ones
    - Store passwords in Evernote
    ….plus strong passwords can sometimes jeopardize safety
  • 6. Reason #2: Identity Sprawl
    Multiple internal authentication sources:
    - Microsoft Active Directory
    - Legacy systems and directories
    - Custom applications
    …and external directories:
    - Cloud services
    - Social media networks
    (Directories, Databases, Files, SAP, Web Services, Applications)
  • 7. Reason #3: Losing Control
    Device ownership model is changing:
    - Mobile devices (smart phones & tablets)
    - BYOD, including employee-owned laptops
    - Not all devices have the concept of identity: the holder is the owner
  • 8. Reason #4: Rogue Privileged Insiders
    Those with administrative privileges can abuse that trust for:
    - Profit
    - Revenge
    - Convenience
    “$348B a year in corporate losses can be tied directly to privileged user fraud.” – Raytheon, “Privileged Users” whitepaper, 2014
  • 9. Reason #5: Lack of Visibility—If You Can’t See It... ...is it really a threat?
    - What are your users up to?
    - How do you know?
    - How do you prove it?
    When you turn on the lights the cockroaches skitter under the fridge => Visibility, monitoring, auditing
  • 10. Avoiding the 5 pitfalls of identity and access management
    - User Behavior: Single Sign-on; Context-based authentication; Risk-based transaction context
    - Identity Sprawl: Directory integration; Federated identity (inc SCIM)
    - Control/BYOD: One-time registration; Device fingerprinting
    - Privileged ID: Eliminate shared passwords; Audit super users; Record sessions
    - Visibility: Security intelligence; Follow user activity; Detect & report anomalous behavior
  • 11. How to enable security through IAM
    - User behavior: simplify their experience through context-based authentication
    - Identity sprawl: connect your directory stores, in-house, in the cloud, on the web
    - Mobile & BYOD: trust the device, trust the application, trust the transaction
    - Privileged Users: inventory, control, and track administrative users & credentials
    - Lack of visibility: Security Intelligence
  • 12. Single Sign-On to web based applications on mobile devices
    - Single sign-on & elimination of password entry using ESSO
    - Results: Users don’t need to remember multiple passwords, improving access security
  • 13. Context-based authentication & access, based on risk – IBM Security Access Manager
    Flow (SSO to Enterprise Applications/Data, with an Audit Log and Strong Authentication):
    1. User accesses data from inside the corporate network
    2. User is only asked for User Id and Password to authenticate
    3. User accesses confidential data from outside the corporate network
    4. User is asked for User Id/Password and OTP based on risk score
    - Security gateway for user access based on risk-level (e.g. permit, deny, step-up authenticate)
    - Risk scoring using user attributes and real-time context (e.g. device registration, geolocation, IP reputation, etc)
    - Supports built-in One-Time Password (OTP) and ability to integrate with 3rd party strong authentication vendors
    - Software Development Kit (SDK) for 3rd party integration and extensibility
  • 14. Secure access and protect content against targeted attacks – IBM Security Access Manager
    (Portal, Web Applications (e.g. Java, .NET, more); B2B Partners, Citizens, Mobile users; Supply Chain)
    Access Operations → Grant/Deny:
    - An authorized user requests access to the portal and SSO → Grant
    - Password is stolen, session is hijacked and HTTP content is compromised → Deny
    - HTTP content contains common vulnerabilities such as SQL Injection, Cross site scripting, Cross-site request forgery → Deny
    - IP Address has a low IP Reputation score and Geo Location allowed → Deny
    - Enforce step-up authentication or context-based access to restore authorized user access → Grant
  • 15. Identity-aware application access on mobile devices
    Before: Name/Password for every app launch. After: One-time registration code, then identity-aware application launch (Application Server, IBM Security Access Manager)
    - Eliminate user id and password based login on mobile apps
    - Assurance through one time registration code to link device with application and user identity
    - Identity and Device “Fingerprinting” - silent and consent based device registration
    - Self-service user interface for device registration and access revocation
  • 16. Risk-based access and stronger authentication for transactions
    Flow: User attempts high-value transaction → Strong authentication challenge → Transaction completes
    - Reduce risk associated with mobile user and service transactions
    - Example: transactions less than $100 are allowed with no additional authentication; a user attempting a transfer of an amount greater than $100 requires an OTP for strong authentication
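The permit / deny / step-up logic that slides 13, 14 and 16 describe, written out as a small policy engine. This is an added illustration, not IBM Security Access Manager code; the factor weights, the reputation scale and the score threshold are constructed assumptions, while the $100 transaction limit and the "low IP reputation is denied" rule come from the slides.

```python
"""Risk-based access decision in the style of slides 13, 14 and 16: permit,
deny, or step-up authenticate from real-time context and transaction value.
Added illustration, not IBM code; weights, thresholds and scale are constructed."""
from dataclasses import dataclass
from typing import List, Tuple

PERMIT, STEP_UP, DENY = "permit", "step-up", "deny"
HIGH_VALUE_LIMIT = 100.0   # slide 16: transfers above $100 need an OTP
IP_REPUTATION_FLOOR = 20   # constructed: below this the source is denied outright
STEP_UP_SCORE = 50         # constructed: risk at or above this needs strong auth

@dataclass
class Context:
    user: str
    inside_corporate_network: bool
    device_registered: bool
    geo_allowed: bool
    ip_reputation: int          # constructed scale: 0 (hostile) .. 100 (clean)
    transaction_amount: float = 0.0
    otp_verified: bool = False

def risk_score(ctx: Context) -> Tuple[int, List[str]]:
    """Sum weighted context factors; keep the reasons for the audit log."""
    score, reasons = 0, []
    if not ctx.inside_corporate_network:
        score += 30
        reasons.append("outside corporate network")
    if not ctx.device_registered:
        score += 25
        reasons.append("device not registered")
    if not ctx.geo_allowed:
        score += 25
        reasons.append("geolocation outside policy")
    if ctx.transaction_amount > HIGH_VALUE_LIMIT:
        score += STEP_UP_SCORE          # alone enough to force step-up
        reasons.append("high-value transaction")
    return score, reasons

def decide(ctx: Context) -> Tuple[str, int, List[str]]:
    """Return (decision, risk score, reasons) for one request."""
    # Slide 14: a low IP reputation score is denied whatever else looks fine.
    if ctx.ip_reputation < IP_REPUTATION_FLOOR:
        return DENY, 0, ["low IP reputation score"]
    score, reasons = risk_score(ctx)
    if score < STEP_UP_SCORE:
        return PERMIT, score, reasons                     # password alone (slide 13, step 2)
    if ctx.otp_verified:
        return PERMIT, score, reasons + ["OTP verified"]  # step-up restores access (slide 14)
    return STEP_UP, score, reasons                        # ask for the OTP (slide 13, step 4)

def audit_line(ctx: Context, decision: Tuple[str, int, List[str]]) -> str:
    """One audit-log record per decision, as the flow on slide 13 requires."""
    outcome, score, reasons = decision
    return f"user={ctx.user} decision={outcome} risk={score} reasons={'; '.join(reasons) or 'none'}"
```

Note that the high-value factor contributes the full threshold on its own, so a transfer above the limit always reaches the OTP challenge even from a registered device inside the network.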
  • 17. “Untangle” identity silos with directory integration and federation
    - Migrate or co-exist
    - Join multiple directories
    - Enrich with data from other sources
    - Federate authentication back to original source
    - Selective “writes” of changes to the original source
    - Create a single source of truth for identity information using Federated Directory Services
    - SCIM REST interface for LDAP server
  • 18. Find, control, and track privileged & shared identity activity
    - Privileged User Activity Monitoring:
      • Recording and logging of user activity in sessions accessed through a shared ID
      • Discourage users with privilege from abusing their rights
  • 19. Full visibility and accountability with closed-loop IAM analytics
    Diagram: IAM Analytics & Security Intelligence linking Identity Management, Risk Based Access, Access Certification, Access Policy, Identity Change, Accounts Updated and Detect and Correct Local Privilege Settings across HR Systems/Identity Stores, Data, Applications, On/Off-premise Resources, Cloud and Mobile
    - Real-time insider fraud detection with integrated IAM Analytics and Security Intelligence
  • 20. Detect threats, monitor user activity and detect anomalies
    - Identity and Access Manager event logs offer rich insights into actual users and their roles
    - IAM integration with QRadar SIEM provides detection of break-ins tied to actual users & roles
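Slides 18 and 20 make the point that a shared administrative ID only becomes accountable once its sessions are tied back to the named person who checked the credential out, and that gaps in that mapping are what a SIEM should surface. The following is an added example of that correlation, not IBM Privileged Identity Manager or QRadar code; the log layout and every event in it are constructed.

```python
"""Attribute shared-ID session activity to named users and flag gaps, following
slides 18 and 20 (session recording for shared IDs, detection tied to actual
users). Added example, not IBM or QRadar code; log layout and events are constructed."""
import shlex
from typing import Dict, List, Tuple

# Constructed log: the vault records who checked a shared ID out and back in;
# the target host only ever sees the shared ID itself.
CONSTRUCTED_EVENTS = """\
2014-07-01T08:00:00 vault checkout shared_id=dbadmin user=alice host=db01
2014-07-01T08:02:10 db01 session shared_id=dbadmin cmd="SELECT count(*) FROM orders"
2014-07-01T08:30:00 vault checkin shared_id=dbadmin user=alice host=db01
2014-07-01T09:15:00 db01 session shared_id=dbadmin cmd="DROP TABLE audit_trail"
2014-07-01T10:00:00 vault checkout shared_id=dbadmin user=bob host=db01
2014-07-01T10:05:00 vault checkout shared_id=dbadmin user=carol host=db01
"""

def parse(line: str) -> Dict[str, str]:
    """Split 'ts source kind k=v ...' into a dict; shlex keeps quoted values whole."""
    ts, source, kind, *pairs = shlex.split(line)
    event = {"ts": ts, "source": source, "kind": kind}
    event.update(p.split("=", 1) for p in pairs)
    return event

def holder_at(checkouts: List[Dict], sid: str, host: str, ts: str) -> str:
    """Named user holding `sid` on `host` at `ts`, or "" (ISO timestamps sort as text)."""
    for c in checkouts:
        if c["shared_id"] == sid and c["host"] == host and c["start"] <= ts \
                and (c["end"] is None or ts <= c["end"]):
            return c["user"]
    return ""

def analyse(log_text: str) -> Tuple[List[Tuple[str, str, str, str]], List[str]]:
    """Return (attributed sessions, alerts) for one chronologically ordered log."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    checkouts: List[Dict] = []
    for e in events:                                   # build checkout windows first
        if e["kind"] == "checkout":
            checkouts.append({**e, "start": e["ts"], "end": None})
        elif e["kind"] == "checkin":
            for c in checkouts:
                if c["user"] == e["user"] and c["shared_id"] == e["shared_id"] and c["end"] is None:
                    c["end"] = e["ts"]
    attributed, alerts = [], []
    for e in events:                                   # attribute every session to a person
        if e["kind"] != "session":
            continue
        who = holder_at(checkouts, e["shared_id"], e["source"], e["ts"])
        attributed.append((e["ts"], e["shared_id"], who, e["cmd"]))
        if not who:
            alerts.append(f"{e['ts']} {e['shared_id']}@{e['source']} used with no active checkout: {e['cmd']}")
    for i, a in enumerate(checkouts):                  # two holders at once defeats accountability
        for b in checkouts[i + 1:]:
            if (a["shared_id"], a["host"]) == (b["shared_id"], b["host"]) and (a["end"] is None or b["start"] <= a["end"]):
                alerts.append(f"concurrent checkout of {a['shared_id']} on {a['host']} by {a['user']} and {b['user']}")
    return attributed, alerts
```

On the constructed log the first session is attributed to alice, the second session has no checkout behind it and is alerted, and the overlapping bob/carol checkouts raise a second alert.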
  • 21. Complete Threat-aware Identity and Access Management: Manage Enterprise Identity Context Across All Security Domains
  • 22. Identity is a key security control for a multi-perimeter world
    Today: Administration – IAM is centralized and internal (Enterprise IAM)
    - Operational management
    - Compliance driven
    - Static, Trust-based
    Tomorrow: Assurance – IAM is decentralized and external (Enterprise IAM, Cloud IAM, BYO-IDs, SaaS, Device-IDs, App IDs, IaaS, PaaS)
    - Security risk management
    - Business driven
    - Dynamic, context-based
  • 23. Organizations use a maturity model for IAM to support security
    Domains: Compliance; Mobile Security; Cloud Security; IAM Governance; Privileged IdM
    - Optimized: Security Intelligence (User activity monitoring, Anomaly detection, Identity Analytics & Reporting); IAM Integration with GRC; Fine-grained entitlements; Integrated Web & Mobile Access Gateway; Risk / Context based Access; Governance of SaaS applications; IAM as a SaaS; IAM integration with GRC; Risk/Context-based IAM Governance; Risk/Context-based Privileged Identity Mgmt
    - Proficient: Closed-loop Identity & Access Mgmt; Strong Authentication; Strong Authentication (e.g. device based); Web Application Protection; Bring your own ID; Integrated IAM for IaaS, PaaS & SaaS; (Enterprise) Closed-loop Identity and Access Mgmt; Access Certification & fulfillment; (Enterprise) Closed-loop Privileged Identity Mgmt
    - Basic: Request based Identity Mgmt; Web Access Management; Federated SSO; Mobile User Access Management; Federated access to SaaS; (LoB) User Provisioning for Cloud/SaaS; Access Certification; (LoB) Request based Identity Mgmt.; Shared Access and Password Management
  • 24. Landscape of Identity & Access Management market is evolving
    - By 2020, 70% of enterprises will use attribute-based access control as the dominant mechanism to protect critical assets ... and 80% of user access will be shaped by new mobile and non-PC architectures that service all identity types regardless of origin. [1]
    - With the growing adoption of mobile, adaptive authentication & fine-grained authorization, traditional Web Access Management is being replaced by a broader “access management.” [1]
    - A clear need exists in the market for a converged solution [2] that is able to provide or integrate with MDM, authentication, federation, and fraud detection solutions. [3]
    [1] Gartner, Predicts 2014: Identity and Access Management, November 26, 2013
    [2] Gartner, MarketScope for Web Access Management, November 15, 2013
    [3] Forrester, Predictions 2014: Identity and Access Management, January 7, 2014
  • 25. Threat-aware Identity and Access Management becomes the first line of defense for securing a multi-perimeter world
    Deliver actionable identity intelligence; Safeguard mobile, cloud and social access; Simplify cloud integrations and identity silos; Prevent advanced insider threats
    - Validate “who is who” especially when users connect from outside the enterprise
    - Proactively enforce access policies on web, social and mobile collaboration channels
    - Manage and audit privileged access across the enterprise
    - Defend applications and data against unauthorized access
    - Provide federated access to enable secure online business collaboration
    - Unify “Universe of Identities” for efficient directory management
    - Streamline identity management across all security domains
    - Manage and monitor user entitlements and activities with security intelligence
  • 26. Connect with IBM Security
    - IBM Security Insights blog at www.SecurityIntelligence.com
    - www.ibm.com/Identity-Access-Management
    - Follow us at @ibmsecurity
  • 27. IBM Security Systems – www.ibm.com/security
    © Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
    Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.