IAM refers to identity and access management. It involves managing user identities and access across various systems and applications. In cloud computing, IAM takes on additional considerations like managing access to cloud-based applications and services. Key aspects of IAM include provisioning and de-provisioning user accounts, authentication, authorization, role-based access controls, and auditing. IAM aims to bring order to complex identity and access environments while also improving security, compliance and user experience.

1. CONTRACT LAW IN IT
Identity & access management
Jacques Folon
www.folon.com
Partner Edge Consulting
Maître de conférences
Université de Liège
Chargé de cours
ICHEC Brussels Management School
Professeur invité
Université de Lorraine (Metz)
ESC Rennes
http://www.nyls.edu/institute_for_information_law_and_policy/conferences/visualizing_law_in_the_digital_age/

2. IAM
1. IAM?
2. Preset context?
3. IAM & cloud computing
4. Why is it useful and
mandatory?
5. To do list
6. IAM & privacy
7. IAM & control
8. e-discovery
9. Conclusion

3. 1. IAM ????
Provisioning
Single Sign On
PKIStrong
Authentication
Federation
Directories
Authorization
Secure Remote
Access
Password
Management
Web Services
Security
Auditing &
Reporting
Role based
Management
DRM
Source: Identity and Access Management: OverviewRafal Lukawiecki - Strategic Consultant, Project Botticelli Ltd rafal@projectbotticelli.co.uk

5. 5 Questions
to ask your CISO

6. Q: What’s posted on this
monitor?
a – password to financial application
b – phone messages
c – to-do’s

7. Q: What determines your
employee’s access?
a – give Alice whatever Wally has
b – roles, attributes, and requests
c – whatever her manager says

8. Q: Who is the most privileged
user in your enterprise?
a – security administrator
b – CFO
c – the summer intern who is now working
for your competitor

9. Q: How secure is your
identity data?
a – It is in 18 different secured stores
b – We protect the admin passwords
c – Privacy? We don’t hold credit card
numbers

10. Q: How much are manual
compliance controls costing
your organization?
a – nothing, no new headcount
b – don’t ask
c – don’t know

11. Today’s IT Challenges
More Agile Business
• More accessibility for employees,
customers and partners
• Higher level of B2B integrations
• Faster reaction to changing requirements
More Secured Business
• Organized crime
• Identity theft
• Intellectual property theft
• Constant global threats
More Compliant Business
• Increasing regulatory demands
• Increasing privacy concerns
• Business viability concerns

12. State Of Security In Enterprise
• Incomplete
• Multiple point solutions from many vendors
• Disparate technologies that don’t work together
• Complex
• Repeated point-to-point integrations
• Mostly manual operations
• ‘Non-compliant’
• Difficult to enforce consistent set of policies
• Difficult to measure compliance with those policies

13. Identity Management Values
• Trusted and reliable security
• Efficient regulatory compliance
• Lower administrative and development costs
• Enable online business networks
• Better end-user experience

14. 15
IAM MEANS MANAGING THE
EMPLOYEES LIFECYCLE (HIRING,
RECRUITING, PROMOTION,
CHANGE, LEAVING) AND THE
IMPACTS ON THE INFORMATION
MANAGEMENT SYSTEM
source clusif
IAM is a legal obligation !

15. • IAM IS DEFINED BY THE BUSINESS (RH, SCM,
ETC.)
• AND
• FOLLOWING THE LEGAL
FRAMEWORK
• AND
• TECHNICALLY IMPLEMENTED
16
IAM IS BUSINESS & ICT + LEGAL
source clusif

16. 17
IAM INCLUDES
• DATABASE OF ALL AND EVERY USER
•DATABASE OF ALL TYPE OF PROFILES
& ROLES
•DEFINITION BEFOREHAND
•DEFINE WICH ROLE FOR WICH
EMPLOYEE
•DEFINITION OF LOGIN & PASSWORDS
•AUDIT
•REPORTING
•ACCESS CONTROL
source clusif

17. • What is Identity Management ?
“Identity management is the set
of business processes, and a
supporting infrastructure, for the
creation, maintenance, and use of
digital identities.” The Burton Group
(a research firm specializing in IT
infrastructure for the enterprise)
• Identity Management in this
sense is sometimes called
“Identity and Access
Management” (IAM)
Définition

18. 19
Identity and Access Management is the process for managing the
lifecycle of digital identities and access for people, systems and
services. This includes:
User Management – management of large, changing user
populations along with delegated- and self-service
administration.
Access Management – allows applications to authenticate
users and allow access to resources based upon policy.
Provisioning and De-Provisioning – automates account
propagation across applications and systems.
Audit and Reporting – review access privileges, validate
changes, and manage accountability.
CA
IAM : J. Tony Goulding CISSP, ITIL CA t ony.goulding@ca.com

19. IAM IN ESC…
• “MY NAME IS JULIE AND I AM A
STUDENT.” (Identity)
• “this is my password.”
(Authentification)
• “I want an access to my account”
(Authorization ok)
• “I want to adapt my grade.”
(Autorization rejected)

20. What are the questions ?
• is this person the one she said she
is?
• Is she a member of our group ?
• Did she receive the necessary
authorization ?
• Is data privacy OK?

21. Type of questions for a newcomer
– Which kind of password?
– Which activities are accepted?
– Which are forbidden?
– To which category this person belongs?
– When do we have to give the authorization??
– What control do we need ?
– Could we demonstrate in court our procedure?

22. 24
IAM triple A
Authentication
WHO ARE YOU?
Authorization / Access Control
WHAT CAN YOU DO?
Audit
WHAT HAVE YOU DONE?
24

23. Components of IAM
• Administration
– User Management
– Password Management
– Workflow
– Delegation
• Access Management
– Authentication
– Authorization
• Identity Management
– Account Provisioning
– Account Deprovisioning
– Synchronisation
Reliable Identity Data
Administration
Authorization
Authentication
Source: Identity and Access Management: OverviewRafal Lukawiecki - Strategic Consultant, Project Botticelli Ltd rafal@projectbotticelli.co.uk

24. 2. Context in 2016

25. 28
various identity co-exists

26. 29
IRL & virtual identity

27. • Internet is based on IP identification
• everybody has different profiles
• Each platform has a different
authentification system
• Users are the weakest link
• Cybercrime increases
• Controls means identification
• Data privacy imposes controls & security
• e-discovery imposes ECM
Welcome to a digital world

29. Explosion of IDs
Pre 1980’s 1980’s 1990’s 2000’s
# of
Digital IDs
Time
Applications
Mainframe
Client Server
Internet
Business
Automation
Company
(B2E)
Partners
(B2B)
Customers
(B2C)
Mobility
Source: Identity and Access Management: OverviewRafal Lukawiecki - Strategic Consultant, Project Botticelli Ltd rafal@projectbotticelli.co.uk

30. The Disconnected Reality
• “Identity Chaos”
– Many users
– Many ID
– Many log in & passwords
– Multiple repositories of identity information
– Multiple user IDs, multiple passwords
Enterprise Directory
HR
Infra
Application
Office
In-House
Application
External app
Finance
employee
Application
•Authentication
•Authorization
•Identity Data
•Authentication
•Authorization
•Identity Data
•Authentication
•Authorization
•Identity Data
•Authentication
•Authorization
•Identity Data
•Authorization
•Identity Data
•Authentication
•Authentication
•Authorization
•Identity Data
•Authentication
•Authorization
•Identity Data
Source: Identity and Access Management: OverviewRafal Lukawiecki - Strategic Consultant, Project Botticelli Ltd rafal@projectbotticelli.co.uk

31. Your COMPANY and
your EMPLOYEES
Your SUPPLIERS
Your PARTNERSYour REMOTE and
VIRTUAL EMPLOYEES
Your CUSTOMERS
Customer satisfaction & customer intimacy
Cost competitiveness
Reach, personalization
Collaboration
Outsourcing
Faster business cycles; process
automation
Value chain
M&A
Mobile/global workforce
Flexible/temp workforce
Multiple Contexts
Source: Identity and Access Management: OverviewRafal Lukawiecki - Strategic Consultant, Project Botticelli Ltd rafal@projectbotticelli.co.uk

32. Trends Impacting Identity
Increasing Threat Landscape
Identity theft costs banks and credit card issuers $1.2 billion in 1 yr
•$250 billion lost from exposure of confidential info
Maintenance Costs Dominate IT Budget
On average employees need access to 16 apps and systems
•Companies spend $20-30 per user per year for PW resets
Deeper Line of Business Automation and Integration
One half of all enterprises have SOA under development
•Web services spending growing 45%
Rising Tide of Regulation and Compliance
SOX, HIPAA, GLB, Basel II, 21 CFR Part 11, …
•$15.5 billion spend on compliance (analyst estimate)
Data Sources: Gartner, AMR Research, IDC, eMarketer, U.S. Department. of Justice

33. 37

34. Business
Owner
End UserIT Admin Developer Security/ Compliance
Too expensive
to reach new
partners,
channels
Need for
control
Too many
passwords
Long waits for
access to apps,
resources
Too many user
stores and
account admin
requests
Unsafe sync
scripts
Pain Points
Redundant
code in each
app
Rework code
too often
Too many
orphaned
accounts
Limited
auditing ability
Source: Identity and Access Management: OverviewRafal Lukawiecki - Strategic Consultant, Project Botticelli Ltd rafal@projectbotticelli.co.uk

35. 3. IAM & Cloud computing

36. First,
What the heck is
Cloud Computing
First, what the heck is
Cloud Computing?
…in simple, plain
English please!
Andy Harjanto I’m cloud confused http://www.andyharjanto.com

37. Let’s use a simple analogy
Say you just
moved to a city,
and you’re looking
for a nice
place to
live
Andy Harjanto I’m cloud confused http://www.andyharjanto.com

38. You can either
Build a house
or
Rent an
apartment
Andy Harjanto I’m cloud confused http://www.andyharjanto.com

39. If you build a house, there are a few
important decisions you have to make…
Andy Harjanto I’m cloud confused http://www.andyharjanto.com

40. How big is the house?
are you planning to grow a large
family?
Andy Harjanto I’m cloud confused http://www.andyharjanto.com

41. Remodel, addition typically cost a lot more once the
house is built
Andy Harjanto I’m cloud confused http://www.andyharjanto.com

42. But, you get a
chance to
customize it
Roof
Andy Harjanto I’m cloud confused

43. Once the house is built,
you’re
responsible for
maintenance
Hire Landscaper
Electrician
Plumber
Pay
property tax
Electricity
Water
Gutter Cleaning
Heating and Cooling
House Keeping
Andy Harjanto I’m cloud confused http://www.andyharjanto.com

44. How about renting?

45. Consider a builder in your city builds a
Huge
number of apartment units
Andy Harjanto I’m cloud confused http://www.andyharjanto.com

46. A unit can easily be converted
into a 2,3,4 or more units
Andy Harjanto I’m cloud confused http://www.andyharjanto.com

47. You make a fewer,
simpler
decisions
You can start with one
unit and grow later, or
downsize
Andy Harjanto I’m cloud confused
http://www.andyharjanto.com

48. But…
You do not
have
a lot of
options to
customize
your unit Andy Harjanto I’m cloud confuse
d http://www.andyharjanto.com

49. However, builders provide you with
very high quality infrastructure
high speed Internet
high capacity electricity
triple pane windows
green materials

50. No need to worry
about maintenance
Andy Harjanto I’m cloud confused http://www.andyharjanto.com

51. Just pay your
rent
and utilities
Pay as You Go
Andy Harjanto I’m cloud confused
http://www.andyharjanto.com

52. Let’s translate to
Cloud Computing?

53. As an end-consumer, believe it or not
you’ve been using Cloud for long times
Andy Harjanto I’m cloud confused http://www.andyharjanto.com

54. most of
them are
Free

55. In return, you’re willing to
give away
your information for ads and
other purposes

56. But you’ve been
enjoying
High Reliability Service
Limited Storage
Connecting, Sharing

57. OK, Now tell that to the business
owner
Give up your data,
then
you can use this
infrastructure for free

58. Are You crazy?
will answer the CEO

59. My Business
Needs…
Security
Privacy
Reliability
High
Availability

60. Building Enterprise
Software
Stone Wall
Fire-proof
Moat
Army
Death Hole
is like….Building
Medieval
Castle
Andy Harjanto I’m cloud confused http://www.andyharjanto.com

61. Let’s Hire an Army of IT Engineers
Software Upgrade
Support
Backup/Restore
Service Pack
Development
Network issues
Andy Harjanto I’m cloud confused http://www.andyharjanto.com

62. Let’s Build
Huge Data
Center
Capacity Planning
Disaster Plan
Cooling Management
Server
Crashes
Andy Harjanto I’m cloud confused
http://www.andyharjanto.com

63. Your data is replicated
3 or 4 times in their data
center
High Availability

64. Adding “servers” is a click
away.
Running in just minutes, not
days
HighTraffic?

65. It can even load balance
your server traffic

66. Expect your Cloud
Network
is always up

67. Yes, you can even pick
where your data
and “servers” reside
Don’t forget data privacy issues

68. So we know what
Cloud is and the
choice we have

69. Cloud Computing: Definition
• No Unique Definition or General Consensus about what Cloud
Computing is …
• Different Perspectives & Focuses (Platform, SW, Service Levels…)
• Flavours:
– Computing and IT Resources Accessible Online
– Dynamically Scalable Computing Power
– Virtualization of Resources
– Access to (potentially) Composable & Interchangeable Services
– Abstraction of IT Infrastructure
! No need to understand its implementation: use Services & their APIs
– Some current players, at the Infrastructure & Service Level:
SalesfoRce.com, Google Apps, Amazon, Yahoo, Microsoft, IBM, HP, etc.
The Future of Identity in the Cloud: Requirements, Risks & OpportunitiesMarco Casassa Mont marco.casassa-mont@hp.com HP Labs Systems Security Lab Bristol, UK - EEMA e-Identity Conference, 2009

70. Cloud Computing: Implications
• Enterprise:
Paradigm Shift from “Close & Controlled” IT Infrastructures and Services to
Externally Provided Services and IT Infrastructures
• Private User:
Paradigm Shift from Accessing Static Set of Services to Dynamic & Composable
Services
• General Issues:
– Potential Loss of Control (on Data, Infrastructure, Processes, etc.)
– Data & Confidential Information Stored in The Clouds
– Management of Identities and Access (IAM) in the Cloud
– Compliance to Security Practice and Legislation
– Privacy Management (Control, Consent, Revocation, etc.)
– New Threat Environments
– Reliability and Longevity of Cloud & Service Providers
The Future of Identity in the Cloud: Requirements, Risks & OpportunitiesMarco Casassa Mont marco.casassa-mont@hp.com HP Labs Systems Security Lab Bristol, UK - EEMA e-Identity Conference, 2009

71. Identity in the Cloud: Enterprise Case
Enterprise
Data
Storage
Service
Office
Apps
On Demand
CPUsPrinting
Service
Cloud
Provider #1
Cloud
Provider #2
Internal Cloud
CRM
Service
…
Service 3
Backup
Service ILM
Service
Service
Service
Service
Business
Apps/Service
Employee
…
…
…
The
Internet
Identity &
Credentials
Identity &
Credentials
Identity &
Credentials
Identity &
Credentials
Identity &
Credentials
Identity &
Credentials
Identity &
Credentials
Authentication
Authorization
Audit
Authentication
Authorization
Audit
Authentication
Authorization
Audit
Authentication
Authorization
Audit
User Account
Provisioning/
De-provisioning
User Account
Provisioning/
De-provisioning
User Account
Provisioning/
De-provisioning
User Account
Provisioning/
De-provisioning
Data
& Confidential
Information
Data
& Confidential
Information
Data
& Confidential
Information
Data
& Confidential
Information
IAM Capabilities
and Services
Can be
Outsourced in
The Cloud …
The Future of Identity in the Cloud: Requirements, Risks & OpportunitiesMarco Casassa Mont marco.casassa-mont@hp.com HP Labs Systems Security Lab Bristol, UK - EEMA e-Identity Conference, 2009

72. Identity in the Cloud: Enterprise Case
Issues and Risks [1/2]
• Potential Proliferation of Required Identities & Credentials to Access Services
! Misbehaviours when handling credentials (writing down, reusing, sharing, etc.)
• Complexity in correctly “enabling” Information Flows across boundaries
! Security Threats
(Enterprise ! Cloud & Service Providers, Service Provider ! Service Provider, …_
• Propagation of Identity and Personal Information across Multiple Clouds/Services
! Privacy issues (e.g. compliance to multiple Legislations, Importance of Location, etc.)
! Exposure of business sensitive information
(employees’ identities, roles, organisational structures, enterprise apps/services, etc.)
! How to effectively Control this Data?
• Delegation of IAM and Data Management Processes to Cloud and Service Providers
! How to get Assurance that these Processes and Security Practice are Consistent with
Enterprise Policies?
- Recurrent problem for all Stakeholders: Enterprise, Cloud and Service Providers …
! Consistency and Integrity of User Accounts & Information across various Clouds/Services
! How to deal with overall Compliance and Governance issues?
The Future of Identity in the Cloud: Requirements, Risks & OpportunitiesMarco Casassa Mont marco.casassa-mont@hp.com HP Labs Systems Security Lab Bristol, UK - EEMA e-Identity Conference, 2009

73. Identity in the Cloud: Enterprise Case
Issues and Risks [2/2]
• Migration of Services between Cloud and Service Providers
! Management of Data Lifecycle
• Threats and Attacks in the Clouds and Cloud Services
! Cloud and Service Providers can be the “weakest links” in Security & Privacy
! Reliance on good security practice of Third Parties
The Future of Identity in the Cloud: Requirements, Risks & OpportunitiesMarco Casassa Mont marco.casassa-mont@hp.com HP Labs Systems Security Lab Bristol, UK - EEMA e-Identity Conference, 2009

74. 4.Why do we need IAM?
•Security
•Compliance
•Cost control
•Audit support
•Access control

75. Source: ftp://ftp.boulder.ibm.com/software/uk/productnews/tv/vh_-_access_and_identity_management.pdf

76. cost reduction
• Directory Synchronization
“Improved updating of user data: $185 per user/year”
“Improved list management: $800 per list”
- Giga Information Group
• Password Management
“Password reset costs range from $51 (best case) to $147 (worst case) for
labor alone.” – Gartner
• User Provisioning
“Improved IT efficiency: $70,000 per year per 1,000 managed users”
“Reduced help desk costs: $75 per user per year”
- Giga Information Group

77. Can We Just Ignore It All?
• Today, average corporate user
spends 16 minutes a day logging on
• A typical home user maintains 12-18
identities
• Number of phishing sites grew over
1600% over the past year
• Corporate IT Ops manage an average
of 73 applications and 46 suppliers,
often with individual directories
• Regulators are becoming stricter
about compliance and auditing
• Orphaned accounts and identities
lead to security problems
Source: Microsoft’s internal research and Anti-phishing Working Group

78. IAM Benefits
Benefits to take you
forward
(Strategic)
Benefits today
(Tactical)
Save money and improve operational
efficiency
Improved time to deliver applications and
service
Enhance Security
Regulatory Compliance and Audit
New ways of working
Improved time to market
Closer Supplier, Customer,
Partner and Employee relationships
Source: Identity and Access Management: OverviewRafal Lukawiecki - Strategic Consultant, Project Botticelli Ltd rafal@projectbotticelli.co.uk

79. 5. IAM to do list
• Automatic account
management
• Archiving
• Data privacy
• Compliance
• Securiry VS Risks
• user identification
• E-business
• M2M

80. 6. Data protection

81. Source : https://www.britestream.com/difference.html.

82. need to check

83. legal limits

84. data controller responsibility

85. teleworking

86. data theft

87. 87

89. 7. IAM & control

91. data transfer

92. • limitation of control
• Private email
• penalties
• who controls

93. • security is mandatory !

94. • technical security
– Risk analysis
– Back-up
– desaster recovery
– identity management
– Strong login & passwords

95. • legal security
– information in the
employment contracts
– Contracts with subcontractors
– Code of conduct
– Compliance
– Control of the employees

96. Control ?

97. 8. E-discovery

98. Definition of e-discovery
• Electronic discovery (or e-discovery) refers to discovery in civil
litigation which deals with information in electronic format
also referred to as Electronically Stored Information (ESI).
• It means the collection, preparation, review and production of
electronic documents in litigation discovery.
• Any process in which electronic data is sought, located,
secured, and searched with the intent of using it as evidence
in a civil or criminal legal case
• This includes e-mail, attachments, and other data stored on a
computer, network, backup or other storage media. e-
Discovery includes metadata.

99. Recommandations
Organizations should update and/or create information
management policies and procedures that include:
– e-mail retention policies, On an individual level, employees tend to
keep information on their hard drives “just in case” they might need
it.
– Work with users to rationalize their storage requirements and
decrease their storage budget.
– off-line and off-site data storage retention policies,
– controls defining which users have access to which systems andunder
what circumstances,
– instructions for how and where users can store data, and • backup
and recovery procedures.
– Assessments or surveys should be done to identify business functions,
data repositories, and the systems that support them.
– Legal must be consulted. Organizations and their legal teams should
work together to create and/or update their data retention policies
and procedures for managing litigation holds.

100. 9. Conclusion
• IAM is a legal question, not only
business & IT
• compliance is important
• More security due to
– Cloud computing
– Virtualisation
– Data privacy
– archiving
• Transparency
• E-discovery

101. IAM could be an opportunity
• Rethink security
• risks reduction
• costs reduction
• precise roles & responsibilities

102. Any question?

103. Jacques Folon
Jacques.folon@ichec.be