This document discusses identity and access management (IAM) programs that can help secure data in modern enterprises. It outlines why identity has become central to security and notes that recent high-profile data breaches involved compromised credentials. The document recommends implementing IAM programs around user management, entitlement management, privileged access management and federation. It also discusses emerging standards like OAuth 2.0, SCIM and OpenID Connect that can help improve security and management of identities.

1. Identity & Access
Management (IAM)
Securing Your Data in the 21st Century Enterprise
Lance Peterman

2. A little about me…
 In & around Identity &
Access Management for 22
years
 Currently IAM (insert hat
here) at Merck & Co.
 Volunteer High School
Speech & Debate Coach
 Opinions are my own
 Twitter: @lpeterman
2

4. Agenda
 Why Identity?
 Center of Everything
 Identity is the New Perimeter
 In the News
 Recent Data Loss / Breaches
 IAM Programs to Reduce Risk
 Help is On the Way…Eventually
 A word on federal initiatives & standards
 Adoption Approach/Keys to Success
 A Note on Security vs. Opportunity…

5. Why Identity?

6. Does this look familiar?

7. Identity is not the New Perimeter
(hint: the perimeter is gone)
Identity is still a top security control today that can
determine what you are authorized to do, regardless of
your location
Old Model New Reality

8. Breaches, old and new…

9.  Inherent weakness in Knowledge
Based Authentication (KBA) led to
theft of over 100,000 taxpayer filings
 1 complete tax filing = easy identity
theft
 Irony…Best way to prevent was to
create an account at launch. Race
condition?

10. Anthem
 Largest PII breach in history (78.8M
insured records) or 1 in 4 adult
Americans
 Phished into front door
 Exfiltrated records using compromised
database administrator credentials
 There is good news…attack info shared
with HITRUST & NH-ISAC

11. OPM…WTF
 Largest employer in the US had
their personnel records breached
(4.1 million current & former
employees)
 PII not encrypted at rest…WHY?
 SF-86 database breached…for the
SECOND TIME
 OPM didn’t have security
department until 2013
 No MFA for VPN…AYFKM?
 Wired article on breach is a must
read
 Breach discovered during a vendor
demo…(ka-ching)

12. What does that tell us?
The threat landscape is changing…DAILY
“The compromise of privileged access is a key
stage in 100% of all advanced attacks.” –
CyberSheath Report 4/13 3
This is the critical attack vector for internal and
external threats
Verizon DBIR – 100% of data breaches involve the
use of compromised credentials

13. A few definitions – IdM and IAM
 Gartner defines IdM as "Identity management is the set of
business processes, and a supporting infrastructure for the
creation, maintenance, and use of digital identities.“
 Access Management leverages IdM and attributes surrounding
those digital identities to control access to resources*
 Identity is about context
 User
 Time
 Device
 Location
*Deliberately broad
** List not exhaustive

14. IAM Programs to Reduce Risk
 User management / Provisioning
 Entitlement Management
 Privileged Access Management
 Federation
 A note about authentication

15. Provisioning
 Most common to what people think IdM is
 Involves CRUD operations to identity store(s)
 Data/Attribute sources are many:
 HRIS
 Contract Management Systems
 Policy Management
 Directory Systems (Active Directory, LDAP, DB, etc)
 Other providers (Cloud, IoT, Credit Bureaus, DMV, etc)
 Processes drives events (technology is lowest factor)
 Key protocols & standards – LDAP, SPML, SCIM (emerging),
WS*

16. Entitlement Management
 Sometimes referred to as access control or access
management
 Often the ‘next phase’ of maturity for IdM installations in the
Enterprise
 Focus is on tying digital identities and related attributes to a
resource target*
 Key Protocols & Standards – SAML (JIT profile), SPML, WS*,
XACML, LDAP

17. Privileged Access Management
 Name kinda says most of it
 Focuses on identities that have elevated privileges within a
given system or resource
 Focus is on auditing, compliance, and controls to ensure
(ideally) that the principle of least privilege is enforced
 Key use cases are password vaulting & session
management/recording
 Critical area for modern enterprises. Nearly all breaches
involved compromise of privileged identities (Verizon DBIR)
 Most mature vendors still struggling with cloud management

18. Federation
 Broad term, not related to Star Trek in this context
 Common use simply means creation of contracts with external
parties surrounding IAM and IdM transactions
 Use cases:
 Single or Simplified Sign On – SaaS, Office365, Partner Software
 Provisioning (push, pull, JIT, cruD is hard)
 Access or Entitlement Management
 PAM
 Cloud emergence has made this both harder and easier
 Using old protocols & standards = hard
 Emerging protocols & standards may help (OAuth 2.0, SCIM,
OpenID Connect)

19. A note about authentication…
As long as passwords are the primary
authentication factor, we are at risk
Look at other factors, mobile is a huge resource in
this space
If MFA is available to you, USE IT
19

20. Help is on the way!
Eventually…

21. OAuth 2
 “Auth” stands for Authorization, NOT Authentication
 Gained maturity with 2.0 release
 More a framework than a protocol
 Has its own threat model, challenge developers & vendors to
implement securely
 This is THE vector for leveraging API security
 Great development still ongoing
 http://oauth.net/2/

22.  System for Cross-Domain Identity Management
 Simplified provisioning/management of federated identities
 Answer to the pain of SPML
 Emerging standard, still low adoption rate
 Adoption will be key to success, press your vendors on this!
 2.0 specification in particular will aid enterprises, ratified soon
 http://www.simplecloud.info/

23.  Profile of OAuth 2.0
 Provides an Identity Layer
 Replacement for SAML
 Better Mobile Use Cases
 Now has a certification model for vendors and implementers!
 Get this on your internal development roadmap
 Vendors…you get the idea
 http://openid.net/connect/

24. Federal Help
 National Strategy for Trusted Identities in Cyberspace
(NSTIC)
 IDESG=Identity Ecosystem Steering Group
 NOT a National ID Program, Public/Private Partnership
 501c3
 Some really amazing pilots (ex. NC SNAP Enrollment)
 Needs volunteers…see me if you want learn more
 https://www.idecosystem.org/

25. Keys to Success
 Adoption MUST have senior leadership support & driven by policy
 People & Process First Approach, THEN focus on tooling
 Be creative, one size does not fit all
 When selecting a vendor, strongly consider cloud implications &
capabilities, be picky!
 Eat your own dog food first
 Don’t think you’re too small for this…

26. A Note on Security vs.
Opportunity
The value proposition of IAM has changed
Yes, protection & risk management are still
primary drivers
But…identity can now be disruptive
Enable your customers
Enable your employees
Enable your partners
26

27. Questions?

28. Contact
 Twitter: @lpeterman
 LinkedIn: Lance Peterman
 Slides will be available on SlideShare