Risk Aware IAM for an Insecure World


Public cloud Identity-as-a-Service (IDaaS) providers are not immune to data breaches. IDaaS companies will live and die by their appetite for innovation and speed to market.

Published in: Technology

  1. 1. Customer Journey - The effects of IAM transformation
     Stages: Try, Purchase, Use, Engage. Rows: Acting, Doing, Thinking, Feeling, Overall.
     Doing: Downloading trial software; Register contact profile; Activate account with 2-Step registration; Online checkout; Contact Sales; Click to chat; Buy more licenses; Activate a new service subscription; Become an enterprise customer; Install & register software; Manage On-prem to cloud; Migrate AD to cloud/SaaS portal; Delegate administration; Promote user to Admin role; Register for Support Forums; Contact Support; Register for Conference; Become a partner.
     Thinking: Do I have to register to download this? Does my login ID from 2 years ago still work? Does my cloud login work for this? Is this a global ID? Do I log in in order to obtain a license or activate my subscription? Will the tenant cloud know who I am or do I have to register again? How will I sync or migrate my users to the tenant cloud? Do I use my local account or my enterprise credentials to log in to the cloud? How will I log in to the tenant cloud? How can I assign access to others within my organization? Can I audit who has access to my tenant? Does my enterprise login ID work for support? Do I have to register a new account for conference attendance? How do I access my Partner content?
     Feeling: Consistent messaging & UI and central login builds confidence and trust. The enterprise respected my privacy and did not ask for too much information. My authentication experience is the same now as it was during the trial evaluation. I have visibility into new products and services that my identity is allowed to see and purchase. Happy that the enterprise recognizes my global ID and credentials across all of its products and services. The enterprise provides me with the tools I need to monitor and manage my users. Excited that the enterprise really knows me and correctly identifies me in every context of interaction. I will recommend it to my colleagues based on my experiences.
     Overall (at every stage): Trust; Helpfulness.
  2. 2. Business Driven IAM
     Typical Approach / Typical Challenges:
       • Focused within the perimeter
       • Static protection (rule based)
       • Isolated from SOC & GRC controls
       • Legacy systems and applications
       • Too many silos
     Intelligent IAM:
       • SSO
       • Dynamic user provisioning
       • Automated access governance
       • Event/activity monitoring
  3. 3. Business Concerns
       • We don't want to be the next massive data breach
       • We want to make sure our identity providers are as secure as they can be
       • We are prioritizing our security spend around that
  4. 4. Risk Aware IAM is the new black
  5. 5. Risk Aware IAM
       • Quantify user risk scores over time to enhance adaptive authentication
       • Connect risk insight into meaningful and rapid response
       • Addresses the biggest cause of modern-day data breaches
     Components:
       • UEBA: detect risky behaviors
       • SIEM: single pane of glass for on-prem and cloud
       • Credential Verification: detect leaked credentials during logon
  6. 6. Detect & Verify Compromised Credentials
       • Prevent stolen credentials from being used during logon
       • Automate response & remediation
       • Outsource liabilities & risk
       • Support for NIST 800-63B
       • Complement 2FA and MFA
  7. 7. 2FA & MFA ≠ Modern IAM
  8. 8. Risk levels
     L1 Risk (15 – 40%):
       • When: only either the compromised credential or the account is known
       • Where: during login and self-service password reset; risk score, user and domain dashboard
       • Action taken: assess degree of risk; display a warning
     L2 Risk (87%):
       • When: a compromised credential is linked to the username (e.g. email address)
       • Where: during login and self-service password reset; risk score, user and domain dashboard
       • Action taken: force change password; step-up authentication; revoke user access
  9. 9. Credential check
       • Check if your credentials have been leaked
       • Check how many credentials are leaked in your business domain
       • Search against more than 6B leaked accounts
       • Your information stays private
       • Mobile friendly
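The L1/L2 policy on slide 8 and the privacy point on slide 9 can be expressed as a login-time check. The following is an added illustration, not code from the presentation or from any vendor's service: the breach corpus is a constructed sample, the service compares SHA-256 digests only (an assumption about how the plaintext is kept private), the 87% and 15–40% figures are taken from the slide, and the split of the 15–40% band (0.40 when the password alone is known to be leaked, 0.15 when only the account is) is this example's own choice.

```python
"""Login-time compromised-credential check modelled on the L1/L2 tiers of slide 8.
Added example; the leaked data set, hashing scheme and the split of the L1 band are
constructed assumptions, not the deck's or any product's implementation."""
import hashlib
from dataclasses import dataclass, field
from typing import List


def digest(value: str) -> str:
    """SHA-256 hex digest. The verification service stores and compares digests
    only, so it never holds the plaintext credential (the 'stays private' point)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def normalize_username(username: str) -> str:
    # Email-style IDs are case-insensitive; passwords are never normalized.
    return username.strip().lower()


# Constructed sample breach corpus (assumption, not real breach data):
# username/password pairs seen together, plus accounts and passwords seen
# in breaches without their other half.
LEAKED_PAIRS = {(digest("alice@example.com"), digest("Summer2019!"))}
LEAKED_ACCOUNTS = {digest("alice@example.com"), digest("bob@example.com")}
LEAKED_PASSWORDS = {digest("Summer2019!"), digest("password123")}

SUPPORTED_EVENTS = ("login", "password_reset")  # the two "Where" points on slide 8


@dataclass
class Verdict:
    tier: str                                   # "L2", "L1" or "none"
    score: float                                # risk score as a fraction
    actions: List[str] = field(default_factory=list)


def verify_credentials(username: str, password: str, event: str = "login") -> Verdict:
    """Classify a login attempt or a proposed new password during self-service
    reset. Returns the tier, a risk score and the actions the slide lists."""
    if event not in SUPPORTED_EVENTS:
        raise ValueError(f"unsupported event: {event}")
    u = digest(normalize_username(username))
    p = digest(password)

    # L2: the leaked credential is linked to this very username (87%).
    if (u, p) in LEAKED_PAIRS:
        return Verdict("L2", 0.87, ["force_password_change",
                                    "step_up_authentication",
                                    "revoke_user_access"])
    # L1: only one half is known (15-40%). A leaked password is scored at the
    # top of the band, a leaked account name alone at the bottom (assumption).
    if p in LEAKED_PASSWORDS:
        return Verdict("L1", 0.40, ["assess_degree_of_risk", "display_warning"])
    if u in LEAKED_ACCOUNTS:
        return Verdict("L1", 0.15, ["assess_degree_of_risk", "display_warning"])
    return Verdict("none", 0.0, [])


if __name__ == "__main__":
    for user, pw in [("alice@example.com", "Summer2019!"),
                     ("bob@example.com", "unique-passphrase-42"),
                     ("carol@example.com", "password123"),
                     ("carol@example.com", "unique-passphrase-42")]:
        v = verify_credentials(user, pw)
        print(f"{user:20} tier={v.tier:4} score={v.score:.2f} actions={v.actions}")
```

The same function is called from the password-reset flow with the proposed new password, which is how a leaked password is stopped from re-entering the directory; the verdict feeds the risk dashboard and the adaptive-authentication policy rather than blocking on its own at L1.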
  10. 10. How do you get there?
       • Integrate and unite these platforms: begin using CASB, SIEM and credential verification services
       • Start small and increase the scope of "risk aware IAM" every quarter: begin with the end in mind, and work backwards
       • Avoid siloed thinking: connect your IAG/IAM initiatives to other SOC and GRC initiatives
  11. 11. The Future
       • Not as simple as enabling MFA and creating a dashboard: analytics, reports and dashboards risk data overload
       • The industry will move more towards risk aware IAM that automates risk insight into actionable policy enforcement
       • Assume you have been breached already: good enough usually isn't
  12. 12. Thank you! @stevetout For more information visit