We’re all familiar with the headlines about data breaches
Deloitte survey results highlight the need to manage access rights across the enterprise Enforce policy Track user activity Ensure controls are in place
What is Access Risk Management? By ensuring that the right people have the right access to the right resources and are doing the right things based on policy, organizations can manage access risk By managing access risk, companies can increase security, demonstrate compliance, improve efficiency and minimize risk to the business Access risk management encompasses traditional IAM (password mgmt, user provisioning) and access governance (role management, compliance mgmt, access certification.)
The challenge organizations face is the volume of identities and access requirements that need to be managed An organization with thousands of employees is going to have tens of thousands of identities (aka multiple identities for each individual) These identities are going to have access to hundreds or thousands of apps in the enterprise (and in the cloud) Organizations will have tens of thousands of file shares that present access challenges All of these identity and access requirements equate to millions of relationships that need to be managed – none of which are static and will change constantly.
And when the door is open the bad guys are much faster in exploiting it than we tend to be recognizing it.2012 Data Breach Investigations ReportIt’s a busy slide but it shows the direct and inverse correlation betweenThe rapid speed in which the bad guys can compromise our layered defenses and exfiltrate valuable information or compromise key processes ANDThis is measured in minutes and hrsThe glacial speed in which we realize what’s happening and do something about it.This is measure in weeks and months to never.
There are other ways to get access to information. Case of the stolen information based on breaching the physical building with a tie.But the cloud opens up more assets being managed and accessed by more people in multiple locations. Which opens up more opportunities for information to be compromised either on purpose or accidently.
How much performance?Deloitte’s Kelly Bissell said nothing will support their custom applications with 47M relationships.We are managing 800M in real time.
Rethink cloud security to get ahead of the risk curve by kurt johnson, vice president of strategy and corporate development courion corporation
Rethink Managing Access Security Risk in the Cloud Dave Fowler Chief Operating Officer Courion Corporation CONFIDENTIAL
Top Internal/External Audit FindingsSource: 2010 Deloitte Global Security Survey, Financial Services CONFIDENTIAL
Identity and Access Management Model Have the Right Ensure the To the Right AccessRight People Resources Data Policy-Driven Access Information Systems Resources Assets and are doing the Right Things. CONFIDENTIAL
IAM Technologies Provisioning (Granting Access) Federation (Consolidating 174 million breaches* Identities) Single Sign On (SSO) Authentication/Authorization Privilege Access Management (PAM) Governance (Compliance with policy/regulations) 2009 2010 2011 CONFIDENTIAL
The Complexity of Securing Information 10s of Thousands of Identities 1000’s of people 1000’s of applications 100’s of millions+ of relationships & resources 100’s of policies & Millions of regulations actions CONFIDENTIAL
Bad Guys -> Fast… Good Guys -> Slow.Source: Verizon 2012 Data Breach Investigations Report CONFIDENTIAL
Is the Cloud the Issue? We are often asked whether “the Cloud” factors into many of the breaches we investigate. The easy answer is “No—not really.” It’s more about giving up control of our assets and data (and not controlling the associated risk) than any technology specific to the Cloud.Source: Verizon 2012 Data Breach Investigations Report CONFIDENTIAL
Risk Driven Model Risk = Impact X Likelihood What are the most important assets? • Key Applications? • File Shares? • Identity/Security Information? Who has access to them? What kind of access do they have? How do I know if it is at risk? • Real Time Analysis • Policy • Behavior CONFIDENTIAL