Knowing where the safe zone is ovum october 22 2013


2nd Annual Identity and Access Management Conference - Ovum Forum 22 October 2013, London. Discussing concepts and examples of identity management perimeterization.

Published in: Technology


  1. 1. Mark Skilton, Professor of Practice in Information Systems Management, Warwick Business School, UK Warwick Business School
  2. 2. Knowing where the safe zone is - Defining perimeter access strategies for an enterprise The modern enterprise today has many connections, relationships and services. Information technology has enabled communication, social communities and transactions to create opportunities for new types of value. But this has also changed the types of risks and security issues as bring your own device (BYOD) and the many types of cloud services have shifted responsibilities. Do you know where the access perimeter of your company security is? How do you define risk and value of new technology? What are the opportunities and challenges of new technologies and on legacy operations? This presentation will look at ways to define the new business – technology boundaries and the risk and challenges of managing new technology across these boundaries. Warwick Business School
  3. 3. Overview Knowing the safe zone – perimeter strategies What is your business ecosystem? Describing your security risk and opportunity Managing opportunities – API management Managing access - connectivity The future ? Overview
  4. 4. Overview Knowing the safe zone – perimeter strategies What is your business ecosystem ? Describing your security risk and opportunity Managing opportunities – API management Managing access - connectivity The future ? Overview
  5. 5. Business Ecosystem the challenges we face Old model Business and IT use of software and hardware assets Project based development lifecycle Platforms and networks Transformational advisory and governance Security controls and audit service monitoring Why business ecosystems ? New model: Data plethora of data types and sources Multi-channel Service marketplaces Devices and “things” Focus on intelligent processes and monetization Compliance and pervasive automated monitoring of security
  6. 6. Objects in the Internet of Things There are potentially billions of objects that could connect through IP addresses and network protocols to identify, exchange and collaborate services. Devices Tags, Sensors and platforms Products Content Services Money Places and Machines
  7. 7. Era of Internetworking - Where is the perimeter ? Internet Switches Tier 1 Networks NSPs Network Peering and Interconnections Tier 2 ISP Tier 2 Network IP Backbone IXP Examples of ISP services include email, FTP, webhosting ISPs Internetworking Satellite Public Switched Telephone Networks PSTN Tier 3 networks (ISP) Cable Operators DSL, T1, T3 Leased Lines Wide Area Network WAN 4G (3G LTE/SAE) Gateways Gateways 3G / 3.5G Femtocell Wifi Gateways InfraRed Local Area Network LAN GPS Bluetooth Mobile Devices RFID Sensors Proximity, Smart Card
  8. 8. + 2.5 Billion Internet Users 2013 Representing 35% World Population Why business ecosystems ?
  9. 9. 1.7 billion mobile devices sold in 2012, and 6.8 billion subscriptions equivalent to 96 percent of the world population Why business ecosystems ?
  10. 10. Internet video accounting for 61 % of total internet data (cisco) Social Media Is driving massive online Video growth Why business ecosystems ?
  11. 11. 1 in 4 people around the world use at least one form of social networking = 1.7 Billion in 2013 1 in 3 people = 2.55 billion global audience by 2017 All the geo-tagged locations of uploaded Flickr photos by concentration. Why business ecosystems ?
  12. 12. Where is the perimeter ? No. People in Organization Ave No. of social network connections No. Hours Online Formal Yourself No. of Devices per person Why business ecosystems ? Near to you Your Network No. of networks informal/formal Your Extended Network No. applications and web sites Visited, used
  13. 13. What is your Organization estimated perimeter node score ? Average No. People in Organization (500) X Average No. of Devices per person (3) X No. of system networks, informal/formal (3) X Ave No. of social network connections (300) X No. applications / Web sites visited, used (10) = 13,500,000 X Average No. Hours Online (5) = 67,500,000 Illustrative only Why business ecosystems ?
  14. 14. What is your personal estimated perimeter node score ? Formal Average No. of Devices per person 5 X No. of system networks Why business ecosystems ? Ave No. of social network connections X No. applications / Web sites Visited, used X 5 X 2000 X 10 Assume International Travel x5 per year Assume travel 3 times per week Assume WIFI, 3G/4G networks Illustrative only X informal/formal 300,000 X Average No. Hours Online X 10 3,000,000
  15. 15. What is a secure perimeter ? Controlled access No. People in Organization Compliant Why business ecosystems ? Secure Controlled system No. of Devices networks per person Controlled social network connections Configured/standards Continuous access and use state monitoring ? Managed
  16. 16. Overview Knowing the safe zone – perimeter strategies What is your business ecosystem ? Describing your security risk and opportunity Managing opportunities – API management Managing access - connectivity The future ? Overview
  17. 17. Data is getting more complex Structured data Semi-structured data Unstructured data Data | Increasingly Externalized And metadata Your edge profile data Your message payload data Your behavioral metadata - co-presence Your transient data – travel in physical and virtual space Embedded Data shelf life value (“productization of data”)
  18. 18. Connectivity is changing Example: ProgrammableWeb has collected a database of Open APIs. Many companies use APIs to establish connectivity services with their web sites Open APIs And Closed (Proprietary) APIs Managed APIs can be problematic if the API specification is changed by the Provider, impacting the users of that API. APIs are a common method for many Cloud system service connections.
  19. 19. Enterprise Technology is externalized “as a service” points Protection Points System Access ports Web access Corporate / Private Network Internet Network services Backend services External Firewall Devices Network Network Mobile applications Mobile Data Internal Firewall GATEWAY APIs Applications Data Active Directory API Management gateway Identity ? Access provisioning Authentication and Data Privacy ? VPN Tunnel Usage Policy Governance, compliance, and controls “AS A SERVICE”
  20. 20. Perimeter definitions – heat mapping Market segments and entities Social Network Channels APIs Own data and IP Your Enterprise Networks 3rd party data and IP 3rd party Networks Staff, products, Services, assets, facilities SPAN Of CONTROL
  21. 21. Risk - Impact * USB Investment research Federated Devices Authorization Management Certification Processes and services “ ID Theft every 79 Seconds (*) DR and BC Management
  22. 22. Risk Scorecard [Chart comparing Today and Cloud on a 0 to 5 scale across: Corporate Risk, Risk Management, Corporate Reward, Risk Awareness, Risk Impact Severity, Risk Impact Probability, Degree of Collaboration, Information Security Level Requirement] Describing risk Warwick Business School
  23. 23. Overview Knowing the safe zone – perimeter strategies What is your business ecosystem ? Describing your security risk and opportunity Managing opportunities – API management Managing access - connectivity The future ? Overview
  24. 24. API Management Examples Mashery, an Intel company, provides a secure appliance and software system for managing API connectivity to multiple devices and services Web GUI to manage the API policies and use Appliance is used to manage access to APIs
  25. 25. Cloud Aggregator Broker – Orchestrator Example : Mulesoft Cloud Hub – enabled integration of multi-cloud integration Apps Stores Where is the Perimeter? Contract Perimeter versus Technical Perimeter
  26. 26. Example Network Traffic Monitoring for Virtualized compute environments Example Net Optics Phantom Virtualization Tap Monitoring of Inter-VM traffic across all best-of-breed hypervisors in virtual computing environments. The Phantom Monitor component installs in the hypervisor for total traffic visibility. Use with virtual or physical Intrusion Detection Systems (IDSs), protocol analyzers, Layer-2 and Layer-3 probes, and other devices. Network Traffic Monitoring Appliance
  27. 27. Example Intrusion Prevention System (IPS) Example McAfee Network Security Platform User Identification Key Features Threat Prevention Botnet detection Behavior-based analysis Malware protection Forensic analysis integrated Scalable web-based management Application Identification Device identification IP de-fragmentation and TCP stream reassembly Anomaly detection Inspection of virtual environments DoS and DDoS prevention File reputation, IP reputation, Geolocation Protocol tunnelling support, IPv6, V4, MPLS
  28. 28. Example Cloud Environment Application Performance management Example Compuware APM. Monitors applications across physical and virtual networks and environments. Can be deployed easily into private, public or hybrid cloud applications via either BYOL (bring your own license) or elastic, consumption based models. Application response times User Experience Real time and synthetic load testing
  29. 29. Overview Knowing the safe zone – perimeter strategies What is your business ecosystem ? Describing your security risk and opportunity Managing opportunities – API management Managing access - connectivity The future ? Overview
  30. 30. Martini model: Any IP, any device, any time anywhere Jericho Forum, The Open Group
  31. 31. Cloud “as a services” Security Solutions Device Security Proxy Controls / Appliances Device Authentication Security Endpoint Device Management Strong Password Control Subscriber account security API Usage Port Network connect Device Connect Filters Intrusion Prevention System (IPS) Chargebacks / Billing Controls Service Metering Controls Web Store Front Cloud Service security Status Anti virus Anti Spam Security Information Cloud Service Reporting management (SIM) Data Loss Prevention (DLP) Mobile Device Management (MDM) Single Sign-on Wipe data when Lost Remote Application Control Token PKI, SSH Keys Controls User Group, Directory Management Application Virtualization (Secure VDI) Network Monitoring Network Transport Encryption (VPN) Hypervisor / VM Monitoring Database Monitoring Cryptographic controls Data Encryption External Example http://wwwclouage.com Cloud Monitoring Identity and Access Management Virtualization Isolation services Cloud Storage Virtualization Internal Authentication / Authorization Application Usage Monitoring Service Level Outage Monitoring PaaS Development and XaaS Deployment Service Configuration management Code Version Encryption Code/VM Deployment Encryption
  32. 32. Overview What is your business ecosystem ? Describing your security risk and opportunity Managing opportunities – API management Managing access - connectivity The future ? Overview
  33. 33. Identity is going to get much broader and more personal The future?
  34. 34. Mental Health Physiology Dreaming Genetics Activity Drugs Drink Sleep Diet The future?
  35. 35. The future?
  36. 36. The future?
  37. 37. The surface underneath The security layer pervades everywhere Enterprise operating models will need underpinning by legal and security strategies to support and validate an increasingly externalized business model API Management Network management Intrusion Management Application Management Identity and access Management Encryption Management Compliance and IP Management
  38. 38. Holistic Governance, Risk & Compliance for ecosystems Security is critical in moving IT services that are potentially no longer under the enterprise control or on premise. The following diagram looks at On-premise and Off-premise security controls. Risk Management Compliance Monitoring Management Audit Security Governance Personnel Security Management Security Policy Management Access Management Identity Management Firewall Management Validate Log, Analyze, Event management Test Regime Business Continuity Management Availability Management Backup Management Disaster Recovery Management Identify Translate Incident Management Security Operations Asset Digital Rights Management Management Administration Privilege, Deploy, Decommission, Dispose Encryption Management Security Controls Private Network Management Portability Management Secure Development/Operations Coding Standards Code review Unit Test Publish/ Versions
  39. 39. Conclusions Knowing where the safe zone is - Defining perimeter access strategies for an enterprise Scaling of business technology will drive changes in cultural and legal issues as data and usage shifts toward social network based economy Cloud enabled commoditization and “on stop contract/less” but may alter risk profile complexity There will be a variant of technologies to manage externalized Identity and usage access – API Management – Social network usage in processes – Data analytics for usage behaviors – A combination of both Technologies will enable wider Identity profiles challenging legal boundaries of access and usage The future?
