How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy The move towards cloud applications and remote working has shifted enterprise identities outside the traditional corporate infrastructure. Weak, stolen and re-used passwords are now the cause of two-thirds of all data breaches. My1Login CEO, Mike Newman, presents on how a robust IAM strategy can address key GDPR obligations, eliminate phishing for critical applications and eradicate shadow IT. Mike’s presentation includes a case study of the security challenges faced by a 2000-user, highly-regulated, enterprise organisation and how they “locked down” access management by putting the business back in control of passwords rather than the users, whilst ensuring a positive, seamless user experience.

1. How to Address GDPR, Phishing and
Shadow IT with a Robust IAM Strategy
Michael Newman
CEO, My1Login
Adrian Romano
Information Security Manager, Betsson Group
“Global Leader in
Identity Management”
IAM Award International Contribution
to Cyber Security
IAM Solution
of The Year
Best Identity
Management Solution
Best Cloud Computing
Security Solution
Identity & Access Management
for Web, Mobile & Thick-Client Apps

2. Eliminate GDPR fines, Phishing and Shadow IT – With One Move!
Agenda
1. Enterprise IAM Challenges
2. Case Study: Betsson Group - Key IAM Challenges
Adrian Romano, Info Security Manager, Betsson Group
3. Critical Considerations for your IAM
4. Case Study: Betsson Group - Business Benefits
Adrian Romano, Info Security Manager, Betsson Group
5. 6 Take-Away Actions

3. How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
© My1Login Ltd 2007 - 2018
Nobody Wants a Data Breach on Their Watch
65% of Corporate Data Breaches
are Due to Passwords*
*Source : Verizon Corporate Data Breach Report
Most Identity & Access Management Solutions Don’t Work with All Apps
If a User Needs More than one Business Password then they don’t have Single Sign-On
Hacking & Phishing Breaches are
Growing Rapidly
GDPR & Invalidation of ”Safe
Harbour” compliance issues
Source : Identity Theft Resource Centre

4. How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
© My1Login Ltd 2007 - 2018
Expenses
Active Directory Training
Appraisals
Unknown Apps
Unknown Apps
Thick Client Apps ie. RDP
ie. mainframe
Shadow IT
Unknown Apps
Unknown Apps
Identity Sprawl due to Disparate Application Types
Web Apps, Mobile Apps, Thick-client Apps, Flash Apps, Virtualised Apps, I-Frame, Bespoke In-House Apps

5. How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
© My1Login Ltd 2007 - 2018
The Causes of Data Breaches
65% 40%
Weak Passwords &
Weak Practices
25%
Phishing
of data breaches are
caused by employee
passwords

6. How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
© My1Login Ltd 2007 - 2018
Insecure User Password Practices
• Storing in spreadsheets
• On mobile phone
• Dropbox
• Using personal password managers
• Choosing weak passwords
• Using personal passwords for business apps
• Sharing passwords via email and live chat
Productivity Decrease
Security Risks:-
Insider Threat
Phishing Attacks
Shadow IT
Compliance Failure
PCI, ICO, FCA, ISO
GDPR – fines of up to 4% of T/O
Betsson Group’s Business Challenge
Business Impact
!
Adrian Romano,
Information Security Manager

7. How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
© My1Login Ltd 2007 - 2018
Key Areas to Consider in Your IAM Strategy
•Minimising Implementation Effort
•Simplifying Set-up & On-boarding
•Integrating Non-Standard Applications (e.g. thick-client executables)
•Simplifying User Experience to Maximise Adoption
•Understanding the Importance of Encryption Architecture (Client vs
Server)
•Addressing GDPR

8. How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
© My1Login Ltd 2007 - 2018
IAM Considerations
• Detects ”Shadow IT” and puts IT back in control of cloud apps
• Automatically links Identities for cloud apps to the corresponding AD User
• Make simple policy decisions to integrate or exclude these from the IAM i.e. for
included apps, User will benefit from SSO next time they access they app.
Use an IAM that can “Auto-Discover” the Apps Being Accessed by Users
and Automatically Integrate these with Single Sign-On

9. How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
© My1Login Ltd 2007 - 2018
IAM Considerations
• Ensure your IAM covers all applications – even Mainframes, Terminal &
RDP etc.
• Uniform, seamless login for all apps linked to users AD profile
• Puts the organisation in control of all corporate identities
Don’t Forget the Legacy and Thick-Client Desktop
Executables

10. How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
© My1Login Ltd 2007 - 2018
IAM Considerations
• Takes password management out of the hands of
users –places the business in control
• Pro-actively protects cloud apps with random, high-
entropy passwords
• Users no longer need to know their passwords –
they are linked to the IAM and their AD profile.
Ensure your IAM can ELIMINATE PHISHING risks – How?
By Enabling Policies to be set that Auto-update Passwords on Target Apps
(and hide these passwords from users)

11. How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
© My1Login Ltd 2007 - 2018
User Experience Options
• Choose between seamless UX, portal UX or hybrid UX for IAM based on preferences
• Roll out IAM company-wide using AD Group Policies
Seamless User Experience
No Portal, User Launches Apps As Usual – IAM
Authenticates
Portal User Experience
Offer Users An App Portal for Web and Thick Client Apps

12. How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
© My1Login Ltd 2007 - 2018
IAM Considerations
AES Encryption – The Maths
The Maths
THAT’S = 3.7 billion, billion, billion, billion, billion, billion YEARS
Data is impossible to access without the encryption key
Encryption Key is 32 Bytes Long
Each Byte could be one of 256 values
Try to Brute Force?
= 25632 = approximately 116 x 1075 tries to attempt all combinations
Use a Super-computer?
Super-computer (i.e. Tianhe-2 running at 33 petaflops) tries
approx 1015 guesses per second
= 116x1075 = 116 x 1060 seconds
1015

13. How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
© My1Login Ltd 2007 - 2018
IAM Considerations
Encryption Architecture is Paramount – AES 256 is great but it MUST be Client-Side
IAM/IDaaS Vendor (Cloud) Enterprise Environment/ Active Directory
IAM Using Server-Side Encryption
(Most Vendor’s Approach)
On-Premise IAM & Encryption
(Customer Hosted Approach)
IAM Using Client-Side Encryption
(My1Login’s Approach)

14. How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
© My1Login Ltd 2007 - 2018
Reference GDPR Requirement How My1Login Addresses
Chapter 2
Principles
Article 5
Clause 2
The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1
(‘accountability’).
My1Login provides an audit trail of who has access to what and when, and
enables organisations to identify which users accessed which systems, providing
accountability for actions.
Chapter 2
Principles
Article 5
Clause 1 (f)
Personal data shall be:
processed in a manner that ensures appropriate security of the personal data, including protection
against unauthorised or unlawful processing and against accidental loss, destruction or damage,
using appropriate technical or organisational measures (‘integrity and confidentiality’).
My1Login ensures access to data is protected by strong authentication. Only
permitted employees have access.
Chapter 4
Controller &
Processor
Article 25
Clause 2
The controller shall implement appropriate technical and organisational measures for ensuring
that, by default, only personal data which are necessary for each specific purpose of the
processing are processed. That obligation applies to the amount of personal data collected, the
extent of their processing, the period of their storage and their accessibility. In particular, such
measures shall ensure that by default personal data are not made accessible without the
individual’s intervention to an indefinite number of natural persons.
My1Login ensures data is only accessible by permitted employees.
Chapter 4
Controller &
Processor
Article 32
Clause 1a
“the controller and the processor shall implement appropriate technical and organisational
measures to ensure”….
The pseudonymisation and encryption of personal data;
My1Login’s client-side encryption ensures that encryption keys are kept
separately from the pseudonymised (i.e. encrypted) data.
Chapter 4
Controller &
Processor
Article 32
Clause 1b
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing
systems and services;
Access to personal data must be restricted to a defined purpose and with IAM,
organisations can limit the access on to people who are serving this purpose.
Chapter 4
Controller &
Processor
Article 32
Clause 4
The controller and processor shall take steps to ensure that any natural person acting under the
authority of the controller or the processor who has access to personal data does not process
them except on instructions from the controller, unless he or she is required to do so by Union or
Member State law.
While My1Login can give only permitted users access to systems, it can’t judge
that users’ intention when executing their access right. However, the
implementation of My1Login can help address the challenges by restricting the
number of users entitled to access the personal data and provide an audit trail of
that access, enabling the controller and processer to much more capable of
ensuring that users are only processing the data on instruction.

15. How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
© My1Login Ltd 2007 - 2018
Wholly-European Based Identity Provider
Integrates with Legacy Apps (i.e. Mainframes)
Auto-Detects and Integrates Any Web App
Seamless Integration with AD
CLIENT-SIDE 256-bit AES Encryption
Rapid Deployment (i.e. 10,000 Users in 1 Day)
How My1Login Solves the Problem
UK’s leading IAM Provider and Computing
Security’s IAM Solution of The Year
Identity as a Service
The Ideal SSO Solution

16. How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
© My1Login Ltd 2007 - 2018
17
Some of Our Customers
Public Sector Utilities Financial Retail
Broadcasting Gaming Construction

17. How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
© My1Login Ltd 2007 - 2018
18
Award Winning
Multi-award Winning Solution
Most Secure
Client-side Encryption
Most Widely-Compatible
Single Sign-on that integrates with Web Apps, Mobile Apps, Legacy Thick-client Apps, Virtualised Apps, Flash Apps
Best User Experience
Can be Deployed in Background – Seamless UX for Users
Why My1Login?
#1
#1
#1
#1

18. How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
© My1Login Ltd 2007 - 2018
Business Benefits of My1Login’s IAM
• Saves up to 1hr Per Week Per User
• Significant reduction in admin effort
• Easy to use – no training required.
• Audit trail of user access to applications
• AES-256 encryption satisfies PCI
• Evidence role-based access control for
applications.
PRODUCTIVITY COMPLIANCE
• Eliminated weak passwords
• Eliminated insecure password sharing
• Context-based user access
• SSO without revealing credentials
• Instantly revoke application access
from one place.
SECURITY
Migrating Identity Architecture to the Cloud
Adrian Romano,
Information Security Manager

19. Eliminate GDPR fines, Phishing and Shadow IT – With One Move!
Take-away Actions
1. Data must be encrypted at rest – not good enough anymore!! MUST USE CLIENT-SIDE ENCRYPTION
2. Ensure your vendor can integrate ALL apps – legacy, thick-client, virtualised, web, mobile
3. ELIMINATE SHADOW-IT by Auto-Detecting Apps – puts the Business Back in Control of Cloud Apps
4. Use an IAM or IDaaS that can pro-actively update target app passwords and hide these from users to
ELIMINATE PHISHING RISKS
5. Consider IAM vendor sovereignty AS WELL AS data residency
If a User Needs More than one Business Password then they don’t have Single Sign-
On

20. How to Address GDPR, Phishing and Shadow IT with a Robust IAM Strategy
© My1Login Ltd 2007 - 2018
Visit us at Stand W742 or Stand N324
Looking for more advice?
Speak to our Identity Experts on W742
0800 0443091 IAMadvice@my1login.com
Thank You and Questions
“Global Leader in
Identity Management”
IAM Award International Contribution
to Cyber Security
IAM Solution
of The Year
Best Identity
Management Solution
Best Cloud Computing
Security Solution