Veriphyr bright talk 20120523



  1. Chase Away Cloud Challenges: User Access Governance & Compliance. Alan Norquist, CEO & Founder, Veriphyr, Inc. VERIPHYR PROPRIETARY
  2. Goals of User Access Governance & Compliance
     - User system access = user's responsibilities. Bank: "Access to everything and nobody knows it"
     - User activity access = user's responsibilities. Finance: "Can't both approve PO and approve payment"
     - User data access = user's responsibilities. Healthcare: only view patients under one's care
     May 27, 2012 VERIPHYR PROPRIETARY
  3. Requirement Across Industries
     - Healthcare (HIPAA): "access … must be restricted to those who have been granted access rights"
     - Banking (FFIEC): "employee's levels of online access … match current job responsibilities"
     - Brokerage (FINRA): "employee's access … limited strictly to … employee's function"
     - Utilities (NERC): "access permissions are consistent with … work functions performed"
     - Retail (PCI): "Limit access to … only individuals whose job requires such access"
     - Public companies (SOX / COBIT): "user access rights … in line with … business needs"
  4. What is the Effect of the Cloud?
     - Reduced cost from resource pooling
     - Rapid implementation and elasticity
     - Ubiquitous broad network access: accessible from outside your organization's perimeter, and from a variety of devices
     - Shift in ownership and control: resource layers controlled by multiple independent providers
     - Multi-tenancy (resource pooling): resources shared across multiple independent consumers
     - Split in user access management: data center vs. cloud
  5. Cloud Models – Build vs. Contract. Software as a Service (SaaS): RFP or contract it in. Platform as a Service (PaaS) and Infrastructure as a Service (IaaS): build it in. "The lower down the stack the Cloud provider stops, the more security the consumer is tactically responsible for implementing and managing" – CSA Guidance v3.0. Source: Cloud Security Alliance 2011
  6. User Access Governance and Compliance: Build or Contract What?
     1. Identity stores
     2. Logging (both access and activity)
     3. Key data entities (customers, patients, partners, etc.)
     Critical issues:
     - Interfaces. Insufficient: a user interface. Required: standards-based APIs
     - Capabilities: detailed logs showing access to sensitive transactions and data (patient, customer, etc.)
     - Ability to extract data. Insufficient: reports showing a single identity's activity over 2 weeks. Required: a formatted file of all identities and all activity for all time
  7. Cloud Providers' Native Identity Mgmt? Manage each cloud separately? (Diagram: the cloud consumer connected individually to each of four cloud providers.)
  8. IAM as a Service
     - Centralized federated identity across cloud vendors
     - Build in or contract requirements for support of standards like SAML, OpenID and OAuth
     (Diagram: the cloud consumer connected through an IAM-as-a-Service layer to the four cloud providers.)
  9. Cloud Provider Compliance Reports?
     - Cloud facilitates departments' use of "best of breed"
     - Need to integrate compliance reporting across many separate cloud vendors
     (Diagram: the cloud consumer collecting compliance reports separately from each cloud provider.)
  10. Identity and Access Intelligence (IAI). "Joining together data in identity and access management (IAM) systems and security logs with other data could be massively valuable to both IT and the business." – James Richardson, Gartner. Build or contract in the ability for bulk export of identity store info, logs (both access and activity), and key data (customers, patients, partners, etc.). (Diagram: an Identity and Access Intelligence layer between the cloud consumer and the cloud providers.)
  11. Identity and Access Intelligence (IAI). "Access reports of users and applications are requirements in information security and IT governance, risk and compliance management programs, and Identity and Access Intelligence is needed to address those requirements." – Gartner
     - Identifies policy violations across identity, rights, activity & data
     - Determines if a policy violation has been exploited
     - Different from SIEM: SIEM is focused on packets and IP addresses; IAI is focused on people and data
     - Works across cloud providers: audit (access and activity) logs from all cloud applications; identity stores from all IAM-as-a-Service vendors; patient, customer and partner data from applications such as HR
  12. Revealing – User Access ≠ User's Responsibilities. (Diagram: user access activity across resources, plotted by identity and resource.)
  13. Revealing – User Access ≠ User's Responsibilities. (Diagram: IAI analytics reveal inappropriate access, plotted by identity and resource.)
  14. Summary
     - Goal of access governance and compliance: user access = user's responsibility
     - Cloud changes the underlying architecture
     - Need to "build or contract in": standards for IAM as a Service; data sources for Identity and Access Intelligence (IAI)
     For more information contact me: 650.384.0560
  15. For more information: Whitepaper on IAM as a Service; Whitepaper on Identity and Access Intelligence. Alan Norquist, CEO, 650.384.0560
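Added example (my own, not Veriphyr's product or any code from the deck): an IAI-style check in the spirit of slides 2 and 11 that joins three constructed bulk exports, an identity store, an access/activity log and a key-data entity table, to flag rights a job does not justify, a toxic separation-of-duties pair and patient views from outside the care team, and marks whether each gap was actually exercised. All users, rights, patients and log records are constructed.

```python
from collections import defaultdict

# Constructed identity-store export: user -> job responsibility and granted rights
IDENTITIES = {
    "alice": {"job": "nurse", "rights": {"view_patient"}},
    "bob": {"job": "buyer", "rights": {"approve_po", "approve_payment"}},
    "carol": {"job": "teller", "rights": {"view_account", "wire_transfer"}},
}
# Constructed policy: the rights each job responsibility justifies
JOB_RIGHTS = {"nurse": {"view_patient"}, "buyer": {"approve_po"}, "teller": {"view_account"}}
# Constructed separation-of-duties rule (the deck's finance example)
SOD_PAIRS = [{"approve_po", "approve_payment"}]
# Constructed key-data export: patient -> care team (the deck's healthcare example)
CARE_TEAM = {"p100": {"alice"}, "p200": {"dave"}}
# Constructed access/activity log export: (user, action, entity)
ACTIVITY = [
    ("alice", "view_patient", "p100"),
    ("alice", "view_patient", "p200"),    # patient not under alice's care
    ("bob", "approve_po", "po-7"),
    ("bob", "approve_payment", "po-7"),   # both halves of the SoD pair used
    ("carol", "view_account", "acct-1"),  # wire_transfer right never exercised
]


def find_violations(identities, job_rights, sod_pairs, care_team, activity):
    """Join the three exports; return sorted (user, kind, detail, exploited) tuples."""
    used = defaultdict(set)  # user -> actions actually performed per the log
    for user, action, _ in activity:
        used[user].add(action)
    findings = []
    for user, rec in identities.items():
        # System access: rights the job does not justify (exploited if ever used)
        for right in sorted(rec["rights"] - job_rights.get(rec["job"], set())):
            findings.append((user, "excess_right", right, right in used[user]))
        # Activity access: toxic right combinations (exploited if both were used)
        for pair in sod_pairs:
            if pair <= rec["rights"]:
                findings.append((user, "sod", "+".join(sorted(pair)), pair <= used[user]))
    # Data access: a patient viewed by someone outside that patient's care team
    for user, action, entity in activity:
        if action == "view_patient" and user not in care_team.get(entity, set()):
            findings.append((user, "not_in_care_team", entity, True))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_violations(IDENTITIES, JOB_RIGHTS, SOD_PAIRS, CARE_TEAM, ACTIVITY):
        print(finding)
```

The `exploited` flag is what separates a dormant entitlement gap (carol's unused wire right) from one that has already been acted on (bob approving both the PO and its payment), which is the distinction slide 11 draws.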