Compliance & Identity access management

Digital law and governance
Identity & access management
Jacques
Folon
www.folon.com
Partner
Edge
Consulting
Maître
de
conférences
Université
de
Liège
Chargé
de
cours
ICHEC
Brussels
Management
School
Professeur
invité
Université
de
Lorraine
(Metz)
ESC
Rennes
http://www.nyls.edu/institute_for_information_law_and_policy/conferences/visualizing_law_in_the_digital_age/

IAM
1. IAM?
2. Preset
context?
3. IAM
&
cloud
computing
4. Why
is
it
useful
and
mandatory?
5. To
do
list
6. IAM
&
privacy
7. IAM
&
control
8. e-‐discovery
9. Conclusion

1.
IAM
????
Provisioning
Single
Sign
On
PKI
Strong
Authentication
Federation
Directories
Authorization
Secure
Remote
Access
Password
Management
Web
Services
Security
&
Auditing
Reporting
Role
based
Management
DRM
Source:
Identity
and
Access
Management:
OverviewRafal
Lukawiecki
-‐
Strategic
Consultant,
Project
Botticelli
Ltd
rafal@projectbotticelli.co.uk

Q: What’s posted on this
monitor?
a – password to financial application
b – phone messages
c – to-do’s

Q: What determines your
employee’s access?
a – give Alice whatever Wally has
b – roles, attributes, and requests
c – whatever her manager says

Q: Who is the most privileged
user in your enterprise?
a – security administrator
b – CFO
c – the summer intern who is now working
for your competitor

Q: How secure is your
identity data?
a – It is in 18 different secured stores
b – We protect the admin passwords
c – Privacy? We don’t hold credit card
numbers

Q: How much are manual
compliance controls costing
your organization?
a – nothing, no new headcount
b – don’t ask
c – don’t know

Today’s IT Challenges
More Compliant Business
• Increasing regulatory demands
• Increasing privacy concerns
• Business viability concerns
More Agile Business
• More accessibility for employees,
customers and partners
• Higher level of B2B integrations
• Faster reaction to changing requirements
More Secured Business
• Organized crime
• Identity theft
• Intellectual property theft
• Constant global threats

State Of Security In Enterprise
• Incomplete
• Multiple point solutions from many vendors
• Disparate technologies that don’t work together
• Complex
• Repeated point-to-point integrations
• Mostly manual operations
• ‘Non-compliant’
• Difficult to enforce consistent set of policies
• Difficult to measure compliance with those policies

Identity Management Values
• Trusted and reliable security
• Efficient regulatory compliance
• Lower administrative and development costs
• Enable online business networks
• Better end-user experience

15
IAM
MEANS
MANAGING
THE
EMPLOYEES
LIFECYCLE
(HIRING,
RECRUITING,
PROMOTION,
CHANGE,
LEAVING)
AND
THE
IMPACTS
ON
THE
INFORMATION
MANAGEMENT
SYSTEM
source
clusif
IAM
is
a
legal
obligation
!

• IAM
IS
DEFINED
BY
THE
BUSINESS
(RH,
SCM,
ETC.)
• AND
• FOLLOWING THE LEGAL
FRAMEWORK
• AND
• TECHNICALLY IMPLEMENTED
16
IAM
IS
BUSINESS
&
ICT
+
LEGAL
source
clusif

IAM INCLUDES
• DATABASE OF ALL AND EVERY USER
•DATABASE OF ALL TYPE OF PROFILES
& ROLES
•DEFINITION BEFOREHAND
•DEFINE WICH ROLE FOR WICH
EMPLOYEE
•DEFINITION OF LOGIN & PASSWORDS
•AUDIT
•REPORTING
•ACCESS CONTROL
17
source
clusif

• What
Définition
is
Identity
Management
?
“Identity
management
is
the
set
of
business
processes,
and
a
supporting
infrastructure,
for
the
creation,
maintenance,
and
use
of
digital
identities.”
The
Burton
Group
(a
research
firm
specializing
in
IT
infrastructure
for
the
enterprise)
• Identity
Management
in
this
sense
is
sometimes
called
“Identity
and
Access
Management”
(IAM)

19
Identity and Access Management is the process for managing the
lifecycle of digital identities and access for people, systems and
services. This includes:
User Management – management of large, changing user
populations along with delegated- and self-service
administration.
Access Management – allows applications to authenticate
users and allow access to resources based upon policy.
Provisioning and De-Provisioning – automates account
propagation across applications and systems.
Audit and Reporting – review access privileges, validate
changes, and manage accountability.
CA
IAM : J. Tony Goulding CISSP, ITIL CA t ony.goulding@ca.com

IAM
IN
ESC…
• “MY
NAME
IS
JULIE
AND
I
AM
A
STUDENT.”
(Identity)
• “this
is
my
password.”
(Authentification)
• “I
want
an
access
to
my
account”
(Authorization
ok)
• “I
want
to
adapt
my
grade.”
(Autorization
rejected)

What
are
the
questions
?
• is
this
person
the
one
she
said
she
is?
• Is
she
a
member
of
our
group
?
• Did
she
receive
the
necessary
authorization
?
• Is
data
privacy
OK?

Type
of
questions
for
a
newcomer
– Which
kind
of
password?
– Which
activities
are
accepted?
– Which
are
forbidden?
– To
which
category
this
person
belongs?
– When
do
we
have
to
give
the
authorization??
– What
control
do
we
need
?
– Could
we
demonstrate
in
court
our
procedure?

24
IAM
triple
A
Authentication
WHO ARE YOU?
Authorization / Access Control
WHAT CAN YOU DO?
Audit
WHAT HAVE YOU DONE?

Components
of
IAM
• Administration
– User
Management
– Password
Management
– Workflow
– Delegation
• Access
Management
– Authentication
– Authorization
• Identity
Management
– Account
Provisioning
– Account
Deprovisioning
– Synchronisation
Administration
Authorization
Authentication
Reliable Identity Data
Source:
Identity
and
Access
Management:
OverviewRafal
Lukawiecki
-‐
Strategic
Consultant,
Project
Botticelli
Ltd

28
various
identity
co-‐exists

• Internet
Welcome
to
a
digital
world
is
based
on
IP
identification
• everybody
has
different
profiles
• Each
platform
has
a
different
authentification
system
• Users
are
the
weakest
link
• Cybercrime
increases
• Controls
means
identification
• Data
privacy
imposes
controls
&
security
• e-‐discovery
imposes
ECM

Explosion
of
IDs
#
of
Digital
IDs
Pre
1980’s 1980’s 1990’s 2000’s
Time
Applications
Mainframe
Client
Server
Internet
Business
Automation
Company
(B2E)
Partners
(B2B)
Customers
(B2C)
Mobility
Source:
Identity
and
Access
Management:
OverviewRafal
Lukawiecki
-‐
Strategic
Consultant,
Project
Botticelli
Ltd

The
Disconnected
Reality
Enterprise Directory
• “Identity
Chaos”
– Many
users
– Many
ID
– Many
log
in
&
passwords
– Multiple
repositories
of
identity
information
– Multiple
user
IDs,
multiple
passwords
HR
Finance
Office
Infra
Application
External app
In-House
Application
employee
Application
•Authentication
•Authorization
•Identity Data
•Authentication
•Authorization
•Identity Data
•Authentication
•Authorization
•Identity Data
•Authentication
•Authorization
•Identity Data
•Authentication
•Authorization
•Identity Data
•Authentication
•Authorization
•Identity Data
•Authentication
•Authorization
•Identity Data
Source:
Identity
and
Access
Management:
OverviewRafal
Lukawiecki
-‐
Strategic
Consultant,
Project
Botticelli
Ltd

Multiple
Contexts
Customer
satisfaction
&
customer
intimacy
Cost
competitiveness
Reach,
personalization
Your
COMPANY
and
your
EMPLOYEES
Your
SUPPLIERS
Your
CUSTOMERS
Collaboration
Outsourcing
Faster
business
cycles;
process
automation
Value
chain
M&A
Mobile/global
workforce
Flexible/temp
workforce
Your
REMOTE
and Your
PARTNERS
VIRTUAL
EMPLOYEES
Source:
Identity
and
Access
Management:
OverviewRafal
Lukawiecki
-‐
Strategic
Consultant,
Project
Botticelli
Ltd

Trends
Impacting
Identity
Rising Tide of Regulation and Compliance
SOX, HIPAA, GLB, Basel II, 21 CFR Part 11, …
•$15.5 billion spend on compliance (analyst estimate)
Deeper Line of Business Automation and Integration
One half of all enterprises have SOA under development
•Web services spending growing 45%
Increasing Threat Landscape
Identity
theft
costs
banks
and
credit
card
issuers
$1.2
billion
in
1
yr
•$250 billion lost from exposure of confidential info
Maintenance Costs Dominate IT Budget
On average employees need access to 16 apps and systems
•Companies spend $20-30 per user per year for PW resets
Data
Sources:
Gartner,
AMR
Research,
IDC,
eMarketer,
U.S.
Department.
of
Justice

Business
Owner
IT
Admin Developer End
User Security/
Compliance
Too
expensive
to
reach
new
partners,
channels
Need
for
control
Too
many
passwords
Long
waits
for
access
to
apps,
resources
Too
many
user
stores
and
account
admin
requests
Unsafe
sync
scripts
Pain
Points
Redundant
code
in
each
app
Rework
code
too
often
Too
many
orphaned
accounts
Limited
auditing
ability
Source:
Identity
and
Access
Management:
OverviewRafal
Lukawiecki
-‐
Strategic
Consultant,
Project
Botticelli
Ltd

First,
What the heck is
Cloud Computing
First, what the heck is
Cloud Computing?
…in simple, plain
English please!
Andy Harjanto I’m cloud confused http://www.andyharjanto.com

Let’s use a simple analogy
Say you just
moved to a city,
and you’re looking
for a nice
place to
live

You can either
Build a house
or
Rent an
apartment

If you build a house, there are a few
important decisions you have to make…

How big is the house?
are you planning to grow a large
family?

Remodel, addition typically cost a lot more once the
house is built

But, you get a
chance Roof
to
customize it
Andy Harjanto I’m cloud confused
http://www.andyharjanto.com

Hire Landscaper
Once the house is built,
you’re
responsible for
maintenance
Plumber Electrician
Pay
property tax
Heating and Cooling Gutter Cleaning
Water House Keeping
Electricity

Consider a builder in your city builds a
Huge
number of apartment units

A unit can easily be converted
into a 2,3,4 or more units

You make a fewer,
simpler
decisions
You can start with one
unit and grow later, or
downsize

But…
You do not
have
a lot of
options to
customize
your unit Andy Harjanto I’m cloud confuse
d http://www.andyharjanto.com

triple pane windows
green materials
high capacity electricity
high speed Internet
However, builders provide you with
very high quality infrastructure

No need to worry
about maintenance

Just pay your
rent
and utilities
Pay as You Go

Let’s translate to
Cloud Computing?

As an end-consumer, believe it or not
you’ve been using Cloud for long times

In return, you’re willing to
give away
your information for ads and
other purposes

But you’ve been
enjoying
High Reliability Service
Limited Storage
Connecting, Sharing

OK, Now tell that to the business
owner
Give up your data,
then
you can use this
infrastructure for free

Are You crazy?
will answer the CEO

My Business
Needs…
Security
Privacy
Reliability
High
Availability

Building Enterprise
Software
Biusi lldikineg… .
Medieval
Castle
Stone Wall
Fire-proof
Moat
Army
Death Hole

Let’s Hire an Army of IT Engineers
Software Upgrade Support
Service Pack
Backup/Restore
Network issues
Development

Let’s Build
Huge Data
Center
Cooling Management
Capacity Planning
Disaster Plan
Server
Crashes

Your data is replicated
3 or 4 times in their data
center
High Availability

Adding “servers” is a click
away.
Running in just minutes, not
days High Traffic?

It can even load balance
your server traffic

Expect your Cloud
Network
is always up

Don’t forget data privacy issues
Yes, you can even pick
where your data
and “servers” reside

So we know what
Cloud is and the
choice we have

Cloud
Computing:
Definition
• No
Unique
Definition
or
General
Consensus
about
what
Cloud
Computing
is
…
• Different
Perspectives
&
Focuses
(Platform,
SW,
Service
Levels…)
• Flavours:
– Computing
and
IT
Resources
Accessible
Online
– Dynamically
Scalable
Computing
Power
– Virtualization
of
Resources
– Access
to
(potentially)
Composable
&
Interchangeable
Services
– Abstraction
of
IT
Infrastructure
!
No
need
to
understand
its
implementation:
use
Services
&
their
APIs
– Some
current
players,
at
the
Infrastructure
&
Service
Level:
SalesfoRce.com,
Google
Apps,
Amazon,
Yahoo,
Microsoft,
IBM,
HP,
etc.
The
Future
of
Identity
in
the
Cloud:
Requirements,
Risks
&
OpportunitiesMarco Casassa Mont marco.casassa-mont@hp.com HP Labs Systems Security Lab Bristol, UK - EEMA
e-‐Identity
Conference,
2009

Cloud
Computing:
Implications
• Enterprise:
Paradigm
Shift
from
“Close
&
Controlled”
IT
Infrastructures
and
Services
to
Externally
Provided
Services
and
IT
Infrastructures
• Private
User:
Paradigm
Shift
from
Accessing
Static
Set
of
Services
to
Dynamic
&
Composable
Services
• General
Issues:
–
Potential
Loss
of
Control
(on
Data,
Infrastructure,
Processes,
etc.)
–
Data
&
Confidential
Information
Stored
in
The
Clouds
–
Management
of
Identities
and
Access
(IAM)
in
the
Cloud
–
Compliance
to
Security
Practice
and
Legislation
–
Privacy
Management
(Control,
Consent,
Revocation,
etc.)
–
New
Threat
Environments
–
Reliability
and
Longevity
of
Cloud
&
Service
Providers
The
Future
of
Identity
in
the
Cloud:
Requirements,
Risks
&
e-‐Identity
Conference,
2009

Identity
in
the
Cloud:
Enterprise
Case
Enterprise
Identity
&
Credentials
Data
Storage
Service
Office
Apps
On
Demand
Printing
CPUs
Service
Cloud
Provider
#1
Cloud
Provider
#2
User
Account
Provisioning/
De-‐provisioning
Service
Internal
Cloud
CRM
Service
…
Backup
Service
3
ILM
Service
Service
Service
Service
Employee
Business
Apps/Service
…
…
… The
Internet
Identity
&
Credentials
Identity
&
Credentials
Identity
&
Credentials
Identity
&
Credentials
Identity
&
Credentials
Identity
&
Credentials
Authentication
Authorization
Audit
Authentication
Authorization
Audit
Authentication
Authorization
Audit
Authentication
Authorization
Audit
User
Account
Provisioning/
De-‐provisioning
User
Account
Provisioning/
De-‐provisioning
User
Account
Provisioning/
De-‐provisioning
Data
&
Confidential
Information
Data
&
Confidential
Information
Data
&
Confidential
Information
Data
&
Confidential
Information
IAM
Capabilities
and
Services
Can
be
Outsourced
in
The
Cloud
…
The
Future
of
Identity
in
the
Cloud:
Requirements,
Risks
&
e-‐Identity
Conference,
2009

Identity
in
the
Cloud:
Enterprise
Case
Issues
and
Risks
[1/2]
•
Potential
Proliferation
of
Required
Identities
&
Credentials
to
Access
Services
!
Misbehaviours
when
handling
credentials
(writing
down,
reusing,
sharing,
etc.)
•
Complexity
in
correctly
“enabling”
Information
Flows
across
boundaries
!
Security
Threats
(Enterprise
!
Cloud
&
Service
Providers,
Service
Provider
!
Service
Provider,
…_
•
Propagation
of
Identity
and
Personal
Information
across
Multiple
Clouds/Services
!
Privacy
issues
(e.g.
compliance
to
multiple
Legislations,
Importance
of
Location,
etc.)
!
Exposure
of
business
sensitive
information
(employees’
identities,
roles,
organisational
structures,
enterprise
apps/services,
etc.)
!
How
to
effectively
Control
this
Data?
•
Delegation
of
IAM
and
Data
Management
Processes
to
Cloud
and
Service
Providers
!
How
to
get
Assurance
that
these
Processes
and
Security
Practice
are
Consistent
with
Enterprise
Policies?
-‐
Recurrent
problem
for
all
Stakeholders:
Enterprise,
Cloud
and
Service
Providers
…
!
Consistency
and
Integrity
of
User
Accounts
&
Information
across
various
Clouds/Services
!
How
to
deal
with
overall
Compliance
and
Governance
issues?
The
Future
of
Identity
in
the
Cloud:
Requirements,
Risks
&
e-‐Identity
Conference,
2009

Identity
in
the
Cloud:
Enterprise
Case
Issues
and
Risks
[2/2]
•
Migration
of
Services
between
Cloud
and
Service
Providers
!
Management
of
Data
Lifecycle
•
Threats
and
Attacks
in
the
Clouds
and
Cloud
Services
!
Cloud
and
Service
Providers
can
be
the
“weakest
links”
in
Security
&
Privacy
!
Reliance
on
good
security
practice
of
Third
Parties
The
Future
of
Identity
in
the
Cloud:
Requirements,
Risks
&
e-‐Identity
Conference,
2009

4.Why
do
we
need
IAM?
•Security
•Compliance
•Cost
control
•Audit
support
•Access
control

Source:
ftp://ftp.boulder.ibm.com/software/uk/productnews/tv/vh_-‐_access_and_identity_management.pdf

cost
reduction
• Directory
Synchronization
“Improved
updating
of
user
data:
$185
per
user/year”
“Improved
list
management:
$800
per
list”
-‐
Giga
Information
Group
• Password
Management
“Password
reset
costs
range
from
$51
(best
case)
to
$147
(worst
case)
for
labor
alone.”
–
Gartner
• User
Provisioning
“Improved
IT
efficiency:
$70,000
per
year
per
1,000
managed
users”
“Reduced
help
desk
costs:
$75
per
user
per
year”
-‐
Giga
Information
Group

Can
We
Just
Ignore
It
All?
• Today,
average
corporate
user
spends
16
minutes
a
day
logging
on
• A
typical
home
user
maintains
12-‐18
identities
• Number
of
phishing
sites
grew
over
1600%
over
the
past
year
• Corporate
IT
Ops
manage
an
average
of
73
applications
and
46
suppliers,
often
with
individual
directories
• Regulators
are
becoming
stricter
about
compliance
and
auditing
• Orphaned
accounts
and
identities
lead
to
security
problems
Source:
Microsoft’s
internal
research
and
Anti-‐phishing
Working
Group

IAM
Benefits
Benefits to take you
forward
(Strategic)
Benefits today
(Tactical)
Save money and improve operational
efficiency
Improved time to deliver applications and
service
Enhance Security
Regulatory Compliance and Audit
New ways of working
Improved time to market
Closer Supplier, Customer,
Partner and Employee relationships
Source:
Identity
and
Access
Management:
OverviewRafal
Lukawiecki
-‐
Strategic
Consultant,
Project
Botticelli
Ltd

5.
IAM
to
do
list
• Automatic
account
management
• Archiving
• Data
privacy
• Compliance
• Securiry
VS
Risks
• user
identification
• E-‐business
• M2M

Source
:
https://www.britestream.com/difference.html.

data
controller
responsibility

• limitation
of
control
• Private
email
• penalties
• who
controls

• security
is
mandatory
!

• technical
security
– Risk
analysis
– Back-‐up
– desaster
recovery
– identity
management
– Strong
login
&
passwords

• legal
security
– information
in
the
employment
contracts
– Contracts
with
subcontractors
– Code
of
conduct
– Compliance
– Control
of
the
employees

Definition
of
e-‐discovery
• Electronic
discovery
(or
e-‐discovery)
refers
to
discovery
in
civil
litigation
which
deals
with
information
in
electronic
format
also
referred
to
as
Electronically
Stored
Information
(ESI).
• It
means
the
collection,
preparation,
review
and
production
of
electronic
documents
in
litigation
discovery.
• Any
process
in
which
electronic
data
is
sought,
located,
secured,
and
searched
with
the
intent
of
using
it
as
evidence
in
a
civil
or
criminal
legal
case
• This
includes
e-‐mail,
attachments,
and
other
data
stored
on
a
computer,
network,
backup
or
other
storage
media.
e-‐
Discovery
includes
metadata.

Recommandations
Organizations
should
update
and/or
create
information
management
policies
and
procedures
that
include:
– e-‐mail
retention
policies,
On
an
individual
level,
employees
tend
to
keep
information
on
their
hard
drives
“just
in
case”
they
might
need
it.
– Work
with
users
to
rationalize
their
storage
requirements
and
decrease
their
storage
budget.
– off-‐line
and
off-‐site
data
storage
retention
policies,
– controls
defining
which
users
have
access
to
which
systems
andunder
what
circumstances,
– instructions
for
how
and
where
users
can
store
data,
and
•
backup
and
recovery
procedures.
– Assessments
or
surveys
should
be
done
to
identify
business
functions,
data
repositories,
and
the
systems
that
support
them.
– Legal
must
be
consulted.
Organizations
and
their
legal
teams
should
work
together
to
create
and/or
update
their
data
retention
policies
and
procedures
for
managing
litigation
holds.

9.
Conclusion
• IAM
is
a
legal
question,
not
only
business
&
IT
• compliance
is
important
• More
security
due
to
– Cloud
computing
– Virtualisation
– Data
privacy
– archiving
• Transparency
• E-‐discovery

IAM
could
be
an
opportunity
• Rethink
security
• risks
reduction
• costs
reduction
• precise
roles
&
responsibilities

http://www.novell.com/docrep/2013/09/The_Forrester_Wave_IAM_9_4_1130.4pdf

105
http://ts.fujitsu.com/rl/Fujitsu_Forum_2013/documentation/BOSB110a_20131030_v3_final_Security.pdf

Jacques Folon
Jacques.folon@ichec.be

Compliance & Identity access management

More Related Content

What's hot

Similar to Compliance & Identity access management

More from Prof. Jacques Folon (Ph.D)

Recently uploaded

Compliance & Identity access management