5 reasons your iam solution will fail

1 © 2013 IBM Corporation
IBM Security Systems
Chris Poulin
July, 2014
5 Reasons your IAM Solution Will Fail

© 2014 IBM Corporation
2
In this era of Mobile, Cloud, & Social, security is a major concern
IBM Confidential
Mobile
Cloud
Social
50%
of the employers will require BYOD
for work by 2017
55%
of CIOs to source all their critical
applications in Cloud by 2020
54%
of CIOs cited Social Media as one
of the most disruptive technologies
90%
of the top mobile apps have been
hacked
72%
of organizations saw unauthorized
access to cloud in past 12 months
75%
of enterprises cited social media as
the top information security risk
Source: 1. Gartner – May 2013

3
more than
half a billion records
of personally identifiable information (PII) were leaked in 2013

4
Enterprise Security is only as strong as its weakest link – Identity
of scam and phishing incidents
are campaigns enticing users
to click on malicious links
55%
Criminals are
selling stolen or
fabricated accounts
Social media is fertile
ground for pre-attack
intelligence gathering
Source: IBM X-Force® Research 2013 Trend and Risk Report
Mobile and Cloud breaking
down the traditional
perimeter
IAM becomes fist line of
defense with Threat and
Context awareness

5
Reason #1: Human Factors—User Behavior
Users will try to get around strict policies
 Invest minimum effort in creating passwords
 Lack of strength and variety
 Across multiple authentication domains
 Not enable out-of-band / multi-factor auth
 Use 3rd party cloud services
over enterprise provided ones
 Store passwords in Evernote
….plus strong passwords can sometimes jeopardize safety

6
Reason #2: Identity Sprawl
Multiple internal authentication sources
 Microsoft Active Directory
 Legacy systems and directories
 Custom applications
…and external directories
 Cloud services
 Social media networks
Directories, Databases, Files,
SAP, Web Services, Applications

7
Reason #3: Losing Control
Device ownership model is changing
 Mobile devices (smart phones & tablets)
 BYOD, including employee-owned laptops
 Not all devices have the concept of identity:
the holder is the owner

8
Reason #4: Rogue Privileged Insiders
Those with administrative privileges
can abuse that trust for
 Profit
 Revenge
 Convenience
“$348B a year in corporate losses can be tied directly to privileged user fraud.”
– Raytheon, “Privileged Users” whitepaper, 2014

9
Reason #5: Lack of Visibility—If You Can’t See It...
...is it really a threat?
 What are your users up to?
 How do you know?
 How do you prove it?
When you turn on the lights
the cockroaches skitter
under the fridge
=> Visibility, monitoring, auditing

10
Avoiding the 5 pitfalls of identity and access management
UserBehavior
IdentitySprawl
Control/BYOD
PrivilegedID
Visibility
Single Sign-on
Context-based authentication
Risk-based transaction context
Directory integration
Federated identity (inc SCIM)
One-time registration
Device fingerprinting
Eliminate shared passwords
Audit super users
Record sessions
Security intelligence
Follow user activity
Detect & report anomalous behavior

How to enable security through IAM
11
simplify their experience through context-
based authentication
connect your directory stores, in-house, in the
cloud, on the web
trust the device, trust the application, trust the
transaction
Inventory, control, and track administrative
users & credentials
User behavior
Identity sprawl
Mobile & BYOD
Privileged Users
Lack of visibility Security Intelligence

12
 Single Sign-On to web based
applications on mobile devices
Single sign-on & elimination of password entry using ESSO
Results: Users don’t need to
remember multiple passwords,
improving access security

13
SSO
Enterprise
Applications/Data
User accesses data from inside
the corporate network1
User is only asked for User Id and
Password to authenticate2
Corporate Network
User accesses confidential data from
outside the corporate network3
User is asked for User Id /Password and
OTP based on risk score4
Outside the Corporate Network
Audit
Log
Strong
Authentication
 Security gateway for user access based on risk-level (e.g. permit, deny, step-up authenticate)
 Risk scoring using user attributes and real-time context (e.g. device registration, geolocation, IP reputation, etc)
 Supports built-in One-Time Password (OTP) and ability to integrate with 3rd party strong authentication vendors
 Software Development Kit (SDK) for 3rd integration and extensibility
Context-based authentication & access, based on risk
IBM Security
Access Manager

14
Access Operations Grant/Deny
An authorized user requests access to the portal and SSO Grant
Password is stolen, session is hijacked and HTTP content is compromised Deny
HTTP content contains common vulnerabilities such as SQL Injection, Cross site scripting,
Cross-site request forgery
Deny
IP Address has a low IP Reputation score and Geo Location allowed Deny
Enforce step-up authentication or context-based access to restore authorized user access Grant
Portal, Web Applications
(e.g. Java, .NET, more)
B2B Partners,
Citizens, Mobile
users
Supply Chain
Secure access and protect content against targeted attacks
IBM Security Access Manager

15
Identity-aware application access on mobile devices
Before
Name/Password for
every app launch
One-time registration
code
Identity-aware
application launch
After
Application Server IBM Security
Access Manager
 Eliminate user id and
password based login on
mobile apps
 Assurance through one
time registration code to
link device with application
and user identity
 Identity and Device
“Fingerprinting” - silent
and consent based device
registration
 Self-service user interface
for device registration and
access revocation

16
Risk-based access and stronger authentication for transactions
User attempts high-
value transaction
Strong authentication
challenge Transaction completes
Reduce risk associated with mobile user and service transactions
Example: transactions less than $100 are allowed with no additional authentication
User attempts transfer of amount greater than $100 – requires an OTP for strong authentication

17
Migrate or co-exist
Join multiple
directories
Enrich with
data from
other sources
Federate authentication
back to original source
Selective
“writes” of
changes to the
original source
 Create a single source of truth for identity information using
Federated Directory Services
SCIM REST interface for
LDAP server
“Untangle” identity silos with directory integration and federation

18
 Privileged User Activity Monitoring:
• Recording and logging of user activity in sessions accessed through a shared ID
• Discourage users with privilege from abusing their rights
Find, control, and track privileged & shared identity activity

19
Full visibility and accountability with closed-loop IAM analytics
IAM Analytics &
Security Intelligence
Accounts
Updated
Access
Certification
Access
Policy
Identity
Change
Detect and Correct Local Privilege Settings
HR Systems/Identity Stores
DataApplications
On/Off-premise
Resources
Cloud Mobile
Identity Management
Real-time insider fraud detection with
integrated IAM Analytics and Security Intelligence
Risk Based
Access

20
Detect threats, monitor user activity and detect anomalies
• Identity and Access Manager event logs offers rich
insights into actual users and their roles
• IAM integration with QRadar SIEM provides
detection of break-ins tied to actual users & roles

© 2013 IBM Corporation21 IBM Security Systems
Manage Enterprise Identity Context Across All Security Domains
Compete Threat-aware Identity and Access Management

22
Identity is a key security control for a multi-perimeter world
• Operational management
• Compliance driven
• Static, Trust-based
• Security risk management
• Business driven
• Dynamic, context-based
Today: Administration
Tomorrow: Assurance
IAM is centralized and internal
Enterprise
IAM
Cloud IAM
BYO-IDs
SaaS
Device-IDs
App IDs
IAM is decentralized and external
Enterprise
IAM
IaaS,
PaaS

23
Optimized
Security Intelligence:
User activity monitoring, Anomaly detection, Identity Analytics & Reporting
IAM Integration
with GRC
Fine-grained
entitlements
Integrated Web &
Mobile Access
Gateway
Risk / Context based
Access
Governance of
SaaS applications
IAM as a SaaS
IAM integration with
GRC
Risk/ Context-based
IAM Governance
Risk / Context-
based Privileged
Identity Mgmt
Proficient
Closed-loop
Identity & Access
Mgmt
Strong
Authentication
Strong Authentication
(e.g. device based)
Web Application
Protection
Bring your own ID
Integrated IAM for
IaaS, PaaS & SaaS
(Enterprise)
Closed-loop Identity
and Access Mgmt
Access Certification &
fulfillment (Enterprise)
Closed-loop
Privileged Identity
Mgmt
Basic
Request based
Identity Mgmt
Web Access
Management
Federated SSO
Mobile User Access
Management
Federated access
to SaaS (LoB)
User Provisioning
for Cloud/SaaS
Access Certification
(LoB)
Request based Identity
Mgmt.
Shared Access and
Password
Management
Compliance Mobile Security Cloud Security IAM Governance Privileged IdM
Organizations use a maturity model for IAM to support security

24
Landscape of Identity & Access Management market is evolving
By 2020,
70%
of enterprises will use
attribute-based access control
as the dominant mechanism to protect critical
assets ...
... and
80%
of user access will be shaped by
new mobile and non-PC
architectures that service all
identity types regardless of origin.1
With the growing adoption of
mobile, adaptive
authentication &
fine-grained authorization,
traditional
Web Access Management
is being replaced by a broader
“access management.”1
A clear need exists in the
market for a
converged solution2
that is able to provide or
integrate with
MDM, authentication,
federation, and fraud
detection solutions.3
1 Gartner, Predicts 2014: Identity and Access Management, November 26, 2013
2 Gartner, MarketScope for Web Access Management, November 15, 2013
3 Forrester, Predictions 2014: Identity and Access Management, January 7, 2014

25
Deliver
actionable identity
intelligence
Safeguard
mobile, cloud and social
access
Simplify
cloud integrations and
identity silos
Prevent
advanced
insider threats
• Validate “who is who”
especially when users connect
from outside the enterprise
• Proactively enforce access
policies on web, social and
mobile collaboration channels
• Manage and audit privileged
access across the enterprise
• Defend applications and data
against unauthorized access
• Provide federated access to
enable secure online business
collaboration
• Unify “Universe of Identities”
for efficient directory management
• Streamline identity management across
all security domains
• Manage and monitor user entitlements
and activities with security intelligence
Threat-aware Identity and Access Management becomes the
first line of defense for securing multi perimeter world

26
Connect with IBM Security
IBM Security Insights blog at www.SecurityIntelligence.com
www.ibm.com/Identity-
Access-Management
Follow us at @ibmsecurity

www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only,
and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or
otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or
representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of
IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which
IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on
market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM
logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to
improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or
can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and
no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part
of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or
services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR
ILLEGAL CONDUCT OF ANY PARTY.
www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only,
and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or
otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or
representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of
IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which
IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on
market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM
logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to
improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or
can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and
no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part
of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or
services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR
ILLEGAL CONDUCT OF ANY PARTY.

5 reasons your iam solution will fail

More Related Content

What's hot

Similar to 5 reasons your iam solution will fail

More from IBM Security

Recently uploaded

5 reasons your iam solution will fail