AGENDA
• Introduction to the IDSA
• Identity-defined security components, capabilities, controls and reference architectures
• Demo of IDSA Security Controls
• Questions and discussion encouraged throughout!
MARKET DRIVER: BREACH GROWTH
1,579 US breaches in 2017
(Chart of breaches by sector: Medical/Healthcare, Business, Government/Military, Education, Bank/Credit/Financial)
MARKET DRIVER: SECURITY COMPLEXITY
• Enterprises are bulging with complex security technologies
• Identity has not been a foundational element of most security architectures
IMPROVING SECURITY THROUGH IDENTITY
(Diagram: Identity at the centre, surrounded by PAM, Service Management, DLP, Data Access Governance, GRC, Access Management, Network Security, Identity Administration, UEBA, CASB, EMM, SIEM, Fraud + Risk, Identity Governance)
Customer Advisory Board
MEMBERSHIP
IDENTITY-DEFINED SECURITY ALLIANCE
We are an industry community helping to reduce enterprise risk through identity-defined security…
1. Develop best practices and practical guidance
2. Foster vendor collaboration
3. Community validation of technology integrations
HOW WE WORK / WHAT WE DO
(Diagram: Security Components (Access Management, Identity Governance, PAM, EMM, …) → Security Capabilities → Identity-Defined Security Controls → Certified Integrations)
1. Categorize Technology
2. Specify Controls
3. Certify Products That Fit
IDENTITY-DEFINED SECURITY FRAMEWORK
(Diagram: Identity Hygiene Tips, Identity-Defined Security Controls, Identity-Defined Security Use Cases, Reference Architectures; example use cases: Adopting Zero Trust Security Posture, Securing Office365, etc.)
HYGIENE TIPS
• Business process review should be performed at each stage of the program
• Maintain a current application inventory (version, priority, business impact, user community, etc.)
• Ensure uniqueness for human and non-human identities
• Implement a directory structure that fits the scope of your IAM program
• Automated feeds of your employee and non-employee users (as often as possible)
• Provisioning of access: start with your most critical applications first, such as SOX, PCI, HIPAA, etc.
• De-provisioning is tied to the HR process
• Basic transfer access, reviewed by both old and new manager
• Implement SSO where possible to limit access to applications post termination
• Make your IAM program an integral part of all application onboarding/major change discussions
SECURITY CONTROLS

Risk-based authentication
Description: Authentication based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
Capabilities:
• Must have the ability to query F&R at application for risk posture
• Must have the ability to query CASB for risk posture
• Must have the ability to provide MFA based on response of user anomaly
• Must have the ability to return anomaly status
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Risk-based governance
Description: Access enforcement based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
Capabilities:
• Must have the ability to initiate attestation campaign
• Must have the ability to call out to F&R to update user status
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Compliance access enforcement
Description: Actions initiated by governance compliance reviews that indicate that action is needed pertaining to user access and entitlements.
Capabilities:
• Must have the ability to initiate IA workflow for disable/delete
• Must have the ability to accept disable workflow events and act upon them
• Must have the ability to send password reset notifications
• Must have the ability to perform self-service password functions

Securing private web-enabled applications
Description: Providing a seamless authentication experience and platform for users to access both public and private cloud web-enabled applications.
Capabilities:
• Must have the ability to provide cloud and on-prem applications in the SSO portal
• Must have the ability to provide authorization to application via portal regardless of location
• Must have the ability to relay/convert SAML protocol to supported application protocol (e.g. Kerberos)
SECURITY CONTROLS (CONT'D)

Risk-based privileged access management
Description: Step-up authentication based on risk posture.
Capabilities:
• Must have the ability to query F&R for risk posture
• Must have the ability to provide step-up auth for high risk postures
• Must have the ability to identify sensitive applications
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Multiple authentication session device management
Description: Detection of multiple authentication sessions from different mobile devices.
Capabilities:
• Must have the ability to determine the user has another session
• Must have the ability to provide MFA based on response of user anomaly
• Must have the ability to send data to F&R based on multiple sessions
• Must have the ability to provide managed device status
• Must have the ability to query EMM for device status

Risk-based EMM management
Description: EMM device management based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
Capabilities:
• Must have the ability to query CASB for anomaly
• Must have the ability to return anomaly status
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)
• Must have the ability to define / apply data classifications to identified file types

Data protection via data security policies
Description: Web application and data access is secured utilizing CASB or DAG enforcement policies.
Capabilities:
• Must have the ability to work with CASB and send authN for reverse proxy
• Must have the ability to work with access management to provide access to web-based applications
• Must have the ability to detect policy violations and terminate access
• Must have the ability to consume file and event data to determine policy violations
• Must have the ability to notify manager of policy violations
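The risk-based authentication and risk-based privileged access management controls above reduce to one decision: combine what the risk engines return into a single defined value (Low, Moderate, High, Extreme) that can be handed back to the requesting tool, then choose allow, MFA, step-up or block for the application. The following Python is an added example, not IDSA code or any vendor's API; the engine names, the aggregation rule (worst engine wins, a reported anomaly raises the result one level, no answer is treated as High) and the decision table are constructed assumptions.

```python
"""Risk-based authentication decision (added example, constructed model).

Each risk engine (CASB, F&R, UEBA, SIEM) answers with a posture and an
anomaly flag; the access manager combines them into one defined value
(Low, Moderate, High, Extreme) that it can return to the requesting tool,
and picks the authentication action for the application being accessed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Tuple


class Risk(IntEnum):
    """The defined risk values from the IDSA control tables, ordered."""
    LOW = 0
    MODERATE = 1
    HIGH = 2
    EXTREME = 3

    @property
    def label(self) -> str:
        # The value sent to the requesting tool: "Low", "Moderate", "High", "Extreme"
        return self.name.capitalize()


@dataclass(frozen=True)
class Signal:
    engine: str             # e.g. "CASB", "F&R", "UEBA", "SIEM" (constructed names)
    posture: Risk
    anomaly: bool = False   # engine reported a user anomaly


def aggregate_posture(signals: List[Signal]) -> Risk:
    """Combine engine answers into one defined value.

    Assumed rule: the worst engine wins; any reported anomaly raises the
    result one level (capped at Extreme); if no engine answered, treat the
    request as High so an outage of the risk engines fails closed, not open.
    """
    if not signals:
        return Risk.HIGH
    worst = max(s.posture for s in signals)
    if any(s.anomaly for s in signals):
        worst = Risk(min(int(worst) + 1, int(Risk.EXTREME)))
    return worst


def decide(posture: Risk, sensitive_app: bool) -> str:
    """Assumed decision table: what the access manager asks of the user.

    Sensitive applications (the ones risk-based PAM must identify) get
    step-up authentication at High where an ordinary app gets plain MFA.
    """
    if posture == Risk.EXTREME:
        return "block"
    if posture == Risk.HIGH:
        return "step_up" if sensitive_app else "mfa"
    if posture == Risk.MODERATE:
        return "mfa" if sensitive_app else "allow"
    return "allow"


def evaluate(signals: List[Signal], sensitive_app: bool) -> Tuple[str, str]:
    """Return (risk status for the requesting tool, authentication action)."""
    posture = aggregate_posture(signals)
    return posture.label, decide(posture, sensitive_app)


if __name__ == "__main__":
    # Constructed scenario: CASB sees nothing unusual, UEBA reports a
    # behavioural anomaly at Moderate, and the user targets a sensitive app.
    signals = [Signal("CASB", Risk.LOW), Signal("UEBA", Risk.MODERATE, anomaly=True)]
    print(evaluate(signals, sensitive_app=True))   # ('High', 'step_up')
```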
SECURITY CONTROLS (CONT'D)

Profile-based authentication
Description: Authentication based on identity profile attribute to determine a higher level of identity assurance.
Capabilities:
• Must have the ability to determine if MFA is required based on user profile data
• Must have the ability to provide user data

Profile-based data security
Description: Data access based on an identity profile attribute.
Capabilities:
• Must have the ability to get user profile data from identity administration
• Must have the ability to provide access to attribute data based on profile data and AuthN
• Must have the ability to provide user data

Data security through classification policies
Description: Controlling data encryption via security policy enforcement and/or risk posture.
Capabilities:
• Must have the ability to encrypt documents for administrative analysis
• Must have the ability to identify data classifications within a DLP product
• Must have the ability to get user profile data from identity administration
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Privileged access management governance
Description: Provide compliance overview of accounts designated as privileged.
Capabilities:
• Must have the ability to provide account status information to PAM app
• Must have the ability to initiate IA workflow for disable/delete
• Must have the ability to provide account information to identity governance app
DEMO
• Problem
– Unnecessary account privileges (gained through overprovisioning or ineffective de-provisioning policies) increase the risk of a cyber attacker gaining critical access and accomplishing a significant data breach.
• IDSA Security Controls
– Privileged access management governance
• Relevant Hygiene Tips
– Implement automated feeds of your employee and non-employee users into your identity store on a daily basis, if not more frequently, as needed.
– For certifications, when using entitlements only, consider a direct-manager capability such that a manager reviews all of his/her subordinates at once for the period of the certification. Highly restricted apps, privileged access, etc. may require 90-day reviews, whereas all other access could be yearly.
– Once roles are deployed for provisioning, they can be expanded to be used in certification of access as well. This benefits all end users, but especially the certification of privileged user access, which typically comes with large numbers of entitlements to certify. Be sure to certify the composition of the role at least yearly.
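To make the demo's problem statement concrete, the following Python is an added example (not the IDSA demo or any product's code) that reconciles a privileged-account inventory, as a PAM tool would report it, against the HR feed and produces the disable, transfer-review and certification findings the hygiene tips above call for. The record layout, the 90-day/365-day certification cadence and all sample records are constructed assumptions.

```python
"""Privileged-account governance reconciliation (added example, constructed data).

Joins a privileged-account inventory (what a PAM tool would report) with the
HR feed and produces the findings the demo's hygiene tips call for:
  - disable:         owner terminated, or no linked identity (orphaned account)
  - review_transfer: owner transferred, so old and new manager must review
  - certify:         certification overdue (90 days if privileged, 365 otherwise)
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                              # "active", "terminated" or "transferred"
    manager: str
    previous_manager: Optional[str] = None   # set on transfer


@dataclass(frozen=True)
class Account:
    name: str
    owner_id: Optional[str]                  # None: no identity linked to the account
    privileged: bool
    last_certified: date


@dataclass(frozen=True)
class Finding:
    account: str
    action: str                              # "disable", "review_transfer" or "certify"
    reason: str


# Assumed certification cadence from the demo slide: 90 days for privileged
# access, yearly for everything else.
CERT_INTERVAL = {True: timedelta(days=90), False: timedelta(days=365)}


def reconcile(accounts: List[Account], hr: List[HrRecord], today: date) -> List[Finding]:
    """Return a governance finding for every account that needs action."""
    hr_by_id = {r.employee_id: r for r in hr}
    findings: List[Finding] = []
    for acct in accounts:
        rec = hr_by_id.get(acct.owner_id) if acct.owner_id else None
        if rec is None:
            # Orphaned account: nobody in the HR feed owns it, so de-provision it.
            findings.append(Finding(acct.name, "disable", "no active identity linked"))
            continue
        if rec.status == "terminated":
            # De-provisioning is tied to the HR event and needs no approval.
            findings.append(Finding(acct.name, "disable", f"owner {rec.employee_id} terminated"))
            continue
        if rec.status == "transferred":
            findings.append(Finding(
                acct.name, "review_transfer",
                f"review by {rec.previous_manager} (old) and {rec.manager} (new)"))
        if today - acct.last_certified > CERT_INTERVAL[acct.privileged]:
            due = acct.last_certified + CERT_INTERVAL[acct.privileged]
            findings.append(Finding(acct.name, "certify", f"certification overdue since {due}"))
    return findings


def workflow_events(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group findings by action: the events handed to the IA workflow."""
    events: Dict[str, List[str]] = {}
    for f in findings:
        events.setdefault(f.action, []).append(f.account)
    return events


# Constructed sample data (not from any real system).
SAMPLE_HR = [
    HrRecord("E100", "active", "M1"),
    HrRecord("E200", "terminated", "M1"),
    HrRecord("E300", "transferred", "M2", previous_manager="M1"),
    HrRecord("E400", "active", "M2"),
]
SAMPLE_ACCOUNTS = [
    Account("dbprod-root", "E100", True, date(2018, 1, 15)),   # privileged, 90-day cert overdue
    Account("e200-admin", "E200", True, date(2018, 5, 1)),     # owner terminated
    Account("e300", "E300", False, date(2018, 5, 1)),          # owner transferred
    Account("svc-backup", None, True, date(2018, 5, 1)),       # orphaned service account
    Account("e400", "E400", False, date(2017, 3, 1)),          # yearly cert overdue
    Account("e100", "E100", False, date(2018, 5, 20)),         # nothing to do
]


def sample_findings() -> List[Finding]:
    """Run the reconciliation over the constructed data as of 2018-06-01."""
    return reconcile(SAMPLE_ACCOUNTS, SAMPLE_HR, date(2018, 6, 1))


if __name__ == "__main__":
    for action, names in sorted(workflow_events(sample_findings()).items()):
        print(f"{action}: {', '.join(names)}")
```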
IMPROVING SECURITY THROUGH IDENTITY
(Diagram: the same component diagram as above, now layered over ARCHITECTURE and INFRASTRUCTURE)
Questions?

GET INVOLVED!
Become a part of our community
https://forum.idsalliance.org/

APPENDIX
HYGIENE TIPS

Implement a directory group structure that fits the scope of your IAM program.
  Assign access and permissions via group memberships to support authentication and authorization events, allowing for a programmatic approach to managing access and entitlements.

Implement automated feeds of your employee and non-employee users into your identity store on a daily basis, if not more frequently, as needed.
  An automated feed of user changes allows you to react to changes in the user life cycle at a frequency that strengthens your security posture.

Ensure uniqueness of every human and non-human identity in your directory.
  This is the DNA of your IAM program for every service or function you will support (provisioning, certs, privileged access, physical access, etc.).

For provisioning of access, start with building workflows based on your most critical applications, such as SOX, PCI, HIPAA, money moving, etc.
  Perform an assessment and prioritize applications, allowing focus for implementation efforts related to the applications that will provide the most benefit.

A role model framework should be implemented to support assignment and revocation of access for users to receive core (birthright), enterprise and job-based entitlements and applications.
  This framework allows you to quickly assign and revoke access for users during the expected user lifecycle changes (Add, Change, Terminate).

Deprovisioning of access should be tied to HR events (term, transfer) and typically never require approval. Whenever you are thinking about provisioning, always think about deprovisioning with it.
  Separation events should be included in your user lifecycle management processes, as this ensures that unnecessary access no longer exists and minimizes the security risks associated with orphaned accounts and entitlements.

Basic transfer access should be reviewed by the old and new manager. Initially, provide a report of access to both and ask them to review what is no longer needed and agree on a time to remove
  Implementing a transitional rights model into the role framework will allow you to provide a smooth change of responsibilities and mitigate the impact of the organization transfer.
HYGIENE TIPS (CONT'D)

Authorization run-time capabilities should be used to control fine-grained access at the data level.
  ABAC (attribute-based access control) methodology can be employed at run-time and uses policies to authorize or deny access to various data levels. Coupled with coarse-grained roles, it is one of the most mature capabilities.

Business process review should be performed at the beginning of each phase for the in-scope applications.
  This ensures the effectiveness of the existing business processes and identifies areas of improvement and efficiencies.

Automated provisioning / de-provisioning should be implemented after all applicable business processes have been implemented, utilizing a simulated provisioning approach.
  This allows you to realize the full benefit of an IAM program through the automation of provisioning / de-provisioning, reducing the number of manual access requests managed through your Service Management application.

Establish governance and policy controls related to the scope and implementation of the IAM program.
  This provides a common understanding of the scope of, and responsibility for the success of, your IAM program.

Maintain current application information related to version, priority, business impact, user community, and supported integration methods.
  This provides the ability to quickly understand your application stack and the priority under which applications should be included in an IAM program.

Establish an IAM Governance Committee, confirming that IAM policies are followed.
  This ensures that all IAM policies and controls are adhered to and provides a vehicle to determine overall impact prior to making any IAM program changes.

Make your IAM program an integral part of all application onboarding/major change discussions.
  Considering the IAM implications in these discussions allows for a comprehensive assessment and reduces the risk of delays or violation of security policies.
WHAT DRIVES US
• Traditional security investments are providing solutions to specific problems
• And yet, identity has become the context for becoming more secure
• Enterprises are still struggling with IAM best practices and maturity is inconsistent
• Practitioners are hungry for independent guidance on leveraging existing investments to reduce risk of a breach

IDSA Resources
• IAM Good Hygiene Tips
• IDSA Security Controls
• Use Case Blueprints
• IDS Framework for Business Initiative
• Maturity Journey
• IDSA Validated Integrations
• Customer Success Stories
• Collaboration Forum for vendors, solution providers, practitioners
• More…

• New revenue sources for technology vendors and solution providers
• Confidence in vendor integrations through peer reviews and references
• Community-developed best practices and implementation approaches
• From thought leadership to practical guidance
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 

Improving Security Through Identity-Defined Controls

  • 2. AGENDA
    – Introduction to the IDSA
    – Identity-defined security components, capabilities, controls and reference architectures
    – Demo of IDSA Security Controls
    – Questions and discussion encouraged throughout!
  • 3. MARKET DRIVER: BREACH GROWTH
    1,579 US breaches in 2017, across Medical/Healthcare, Business, Government/Military, Education and Bank/Credit/Financial
  • 4. MARKET DRIVER: SECURITY COMPLEXITY
    – Enterprises are bulging with complex security technologies
    – Identity has not been a foundational element of most security architectures
  • 7. IDENTITY-DEFINED SECURITY ALLIANCE
    We are an industry community helping to reduce enterprise risk through identity-defined security…
    1. Develop best practices and practical guidance
    2. Foster vendor collaboration
    3. Community validation of technology integrations
  • 8. HOW WE WORK / WHAT WE DO
    Security Components (Access Management, Identity Governance, PAM, EMM, …), Security Capabilities, Identity-Defined Security Controls, Certified Integrations
    1. Categorize Technology
    2. Specify Controls
    3. Certify Products That Fit
  • 9. IDENTITY-DEFINED SECURITY FRAMEWORK
    Identity Hygiene Tips, Identity-Defined Security Controls, Identity-Defined Security Use Cases, Reference Architectures (Adopting Zero Trust Security Posture, Securing Office365, etc.)
  • 10. HYGIENE TIPS
    – Business process review should be performed at each stage of the program
    – Maintain a current application inventory (version, priority, business impact, user community, etc.)
    – Ensure uniqueness for human and non-human identities
    – Implement a directory structure that fits the scope of your IAM program
    – Automated feeds of your employee and non-employee users (as often as possible)
    – Provisioning of access: start with your most critical applications first, such as SOX, PCI, HIPAA, etc.
    – De-provisioning is tied to the HR process
    – Basic transfer access, reviewed by both old and new manager
    – Implement SSO where possible to limit access to applications post termination
    – Make your IAM program an integral part of all application onboarding/major change discussions
  • 11. SECURITY CONTROLS
    – Risk-based authentication
      Description: Authentication based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
      Capabilities:
        • Must have the ability to query F&R at application for risk posture
        • Must have the ability to query CASB for risk posture
        • Must have the ability to provide MFA based on response of user anomaly
        • Must have the ability to return anomaly status
        • Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)
    – Risk-based governance
      Description: Access enforcement based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
      Capabilities:
        • Must have the ability to initiate attestation campaign
        • Must have the ability to call out to F&R to update user status
        • Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)
    – Compliance access enforcement
      Description: Actions initiated by governance compliance reviews that indicate that action is needed pertaining to user access and entitlements.
      Capabilities:
        • Must have the ability to initiate IA workflow for disable/delete
        • Must have the ability to accept disable workflow events and act upon them
        • Must have the ability to send password reset notifications
        • Must have the ability to perform self-service password functions
    – Securing private web-enabled applications
      Description: Providing a seamless authentication experience and platform for users to access both public and private cloud web-enabled applications.
      Capabilities:
        • Must have the ability to provide cloud and on-prem applications in the SSO portal
        • Must have the ability to provide authorization to application via portal regardless of location
        • Must have the ability to relay/convert SAML protocol to supported application protocol (e.g. Kerberos)
  • 12. SECURITY CONTROLS (CONT’D)
    – Risk-based privileged access management
      Description: Step-up authentication based on risk posture.
      Capabilities:
        • Must have the ability to query F&R for risk posture
        • Must have the ability to provide step-up auth for high risk postures
        • Must have the ability to identify sensitive applications
        • Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)
    – Multiple authentication session device management
      Description: Detection of multiple authentication sessions from different mobile devices.
      Capabilities:
        • Must have the ability to determine the user has another session
        • Must have the ability to provide MFA based on response of user anomaly
        • Must have the ability to send data to F&R based on multiple sessions
        • Must have the ability to provide managed device status
        • Must have the ability to query EMM for device status
    – Risk-based EMM management
      Description: EMM device management based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
      Capabilities:
        • Must have the ability to query CASB for anomaly
        • Must have the ability to return anomaly status
        • Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)
        • Must have the ability to define / apply data classifications to identified file types
    – Data protection via data security policies
      Description: Web application and data access is secured utilizing CASB or DAG enforcement policies.
      Capabilities:
        • Must have the ability to work with CASB and send authN for reverse proxy
        • Must have the ability to work with access management to provide access to web-based applications
        • Must have the ability to detect policy violations and terminate access
        • Must have the ability to consume file and event data to determine policy violations
        • Must have the ability to notify manager of policy violations
  • 13. SECURITY CONTROLS (CONT’D)
    – Profile-based authentication
      Description: Authentication based on identity profile attribute to determine a higher level of identity assurance.
      Capabilities:
        • Must have the ability to determine if MFA is required based on user profile data
        • Must have the ability to provide user data
    – Profile-based data security
      Description: Data access based on an identity profile attribute.
      Capabilities:
        • Must have the ability to get user profile data from identity administration
        • Must have the ability to provide access to attribute data based on profile data and AuthN
        • Must have the ability to provide user data
    – Data security through classification policies
      Description: Controlling data encryption via security policy enforcement and / or risk posture.
      Capabilities:
        • Must have the ability to encrypt documents for administrative analysis
        • Must have the ability to identify data classifications within a DLP product
        • Must have the ability to get user profile data from identity administration
        • Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)
    – Privileged access management governance
      Description: Provide compliance overview of accounts designated as privileged.
      Capabilities:
        • Must have the ability to provide account status information to PAM app
        • Must have the ability to initiate IA workflow for disable/delete
        • Must have the ability to provide account information to identity governance app
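The risk-based authentication, risk-based privileged access management and multiple-session controls above list what each tool must be able to do, but not how the engine replies are combined into one decision. The following Python is an added example, not IDSA or member-vendor code: the engine replies, the sensitive-application list, the EMM managed-device lookup, the fail-closed handling of an unreachable engine and the worst-of aggregation rule are all constructed assumptions for this illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Set


class Risk(IntEnum):
    """The defined values the controls exchange (Low, Moderate, High, Extreme),
    ordered so that max() yields the worst posture."""
    LOW = 0
    MODERATE = 1
    HIGH = 2
    EXTREME = 3

    @property
    def label(self) -> str:
        # Defined value as sent back to the requesting tool
        return self.name.capitalize()


def parse_risk_status(value: Optional[str]) -> Risk:
    """Normalise one risk engine's reply to a defined value.
    An unreachable engine (None) or an unrecognised string is treated as High so the
    control fails closed (forces MFA rather than silently allowing). That fail-closed
    rule is this example's assumption, not an IDSA requirement."""
    if value is None:
        return Risk.HIGH
    try:
        return Risk[value.strip().upper()]
    except KeyError:
        return Risk.HIGH


@dataclass
class AuthRequest:
    user: str
    device_id: str
    application: str
    # engine name -> defined value returned by that engine, None if it could not be queried
    engine_status: Dict[str, Optional[str]]


@dataclass
class AuthDecision:
    action: str            # "allow", "mfa", "step-up" or "deny"
    risk: Risk
    anomalies: List[str] = field(default_factory=list)


class RiskBasedAuthPolicy:
    # Slide 11 requires querying both F&R and CASB; UEBA/SIEM replies are used when present.
    REQUIRED_ENGINES = ("F&R", "CASB")

    def __init__(self, sensitive_apps: Set[str], managed_devices: Set[str]) -> None:
        self.sensitive_apps = sensitive_apps          # stand-in for the PAM list of sensitive applications
        self.managed_devices = managed_devices        # stand-in for an EMM managed-device lookup
        self.active_sessions: Dict[str, Set[str]] = {}  # user -> devices holding a live session

    def record_session(self, user: str, device_id: str) -> None:
        self.active_sessions.setdefault(user, set()).add(device_id)

    def evaluate(self, req: AuthRequest) -> AuthDecision:
        anomalies: List[str] = []

        # 1. Query every engine and keep the worst posture (worst-of aggregation is this
        #    example's choice; the control only requires at least one engine).
        replies = {name: req.engine_status.get(name) for name in self.REQUIRED_ENGINES}
        replies.update(req.engine_status)
        risk = max(parse_risk_status(v) for v in replies.values())
        anomalies += [f"{n} unreachable" for n in self.REQUIRED_ENGINES if replies[n] is None]

        # 2. Multiple authentication session device management (slide 12)
        other_devices = self.active_sessions.get(req.user, set()) - {req.device_id}
        if other_devices:
            anomalies.append(f"concurrent session on {len(other_devices)} other device(s)")
            risk = max(risk, Risk.MODERATE)           # a session anomaly means MFA at least
            if req.device_id not in self.managed_devices:
                anomalies.append("unmanaged device per EMM")
                risk = max(risk, Risk.HIGH)

        # 3. Map the posture to an authentication outcome; step-up is reserved for
        #    high postures against applications PAM has identified as sensitive
        if risk == Risk.EXTREME:
            action = "deny"
        elif risk == Risk.HIGH:
            action = "step-up" if req.application in self.sensitive_apps else "mfa"
        elif risk == Risk.MODERATE:
            action = "mfa"
        else:
            action = "allow"
        return AuthDecision(action, risk, anomalies)


if __name__ == "__main__":
    policy = RiskBasedAuthPolicy(sensitive_apps={"payroll"}, managed_devices={"laptop-001"})
    policy.record_session("alice", "laptop-001")
    # Constructed sample: Alice signs in from an unmanaged phone while her laptop session is live
    req = AuthRequest("alice", "phone-777", "wiki", {"F&R": "Low", "CASB": "Low", "UEBA": "Low"})
    decision = policy.evaluate(req)
    print(decision.action, decision.risk.label, decision.anomalies)
```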
  • 14. DEMO
  • 15.
    – Problem: Unnecessary account privileges (gained through over-provisioning or ineffective de-provisioning policies) increase the risk of a cyber attacker gaining critical access and accomplishing a significant data breach.
    – IDSA Security Controls: Privileged access management governance
    – Relevant Hygiene Tips:
      • Implement automated feeds of your employee and non-employee users into your identity store on a daily basis, if not more frequently, as needed.
      • For certifications, when using entitlements only, consider a direct-manager capability such that a manager reviews all of his/her subordinates at once for the period of the cert. Highly restricted apps, privileged access, etc. may require 90-day reviews, whereas all other access could be yearly.
      • Once roles are deployed for provisioning, they can be expanded to be used in certification of access as well. This benefits all end users, but especially the certification of privileged user access, which typically comes with large numbers of entitlements to certify. Be sure to certify the composition of the role at least yearly.
  • 19. GET INVOLVED! Become a part of our community https://forum.idsalliance.org/
  • 21. HYGIENE TIPS
    – Implement a directory group structure that fits the scope of your IAM program.
      Assign access and permissions via group memberships to support authentication and authorization events, allowing for a programmatic approach to managing access and entitlements.
    – Implement automated feeds of your employee and non-employee users into your identity store on a daily basis, if not more frequently, as needed.
      An automated feed of user changes allows you to react to changes in the user life cycle at a frequency that strengthens your security posture.
    – Ensure uniqueness of every human and non-human identity in your directory.
      This is the DNA of your IAM program for every service or function you will support (provisioning, certs, privileged access, physical access, etc.).
    – For provisioning of access, start with building workflows based on your most critical applications, such as SOX, PCI, HIPAA, money moving, etc.
      Perform an assessment and prioritize applications, allowing focus for implementation efforts related to the applications that will provide the most benefit.
    – A role model framework should be implemented to support assignment and revocation of access for users to receive core (birthright), enterprise and job-based entitlements and applications.
      This framework allows you to quickly assign and revoke access for users during the expected user lifecycle changes (Add, Change, Terminate).
    – Deprovisioning of access should be tied to HR events (term, transfer) and typically never require approval. Whenever you are thinking about provisioning, always think about deprovisioning with it.
      Separation events should be included in your user lifecycle management processes, as this ensures that unnecessary access no longer exists and minimizes the security risks associated with orphaned accounts and entitlements.
    – Basic transfer access should be reviewed by the old and new manager. Initially, provide a report of access to both and ask them to review what is no longer needed and agree on a time to remove it.
      Implementing a transitional rights model into the role framework will allow you to provide a smooth change of responsibilities and mitigate the impact of the organizational transfer.
  • 22. HYGIENE TIPS (CONT’D)
    – Authorization run-time capabilities should be used to control fine-grained access at the data level.
      ABAC (attribute-based access control) methodology can be employed at run-time and uses policies to authorize or deny access to various data levels. Coupled with coarse-grained roles, it is one of the most mature capabilities.
    – Business process review should be performed at the beginning of each phase for the in-scope applications.
      This ensures the effectiveness of the existing business processes and identifies areas of improvement and efficiencies.
    – Automated provisioning / de-provisioning should be implemented after all applicable business processes have been implemented, utilizing a simulated provisioning approach.
      This allows you to realize the full benefit of an IAM program through the automation of provisioning / de-provisioning, reducing the number of manual access requests managed through your Service Management application.
    – Establish governance and policy controls related to the scope and implementation of the IAM program.
      This provides a common understanding of the scope of, and responsibility for, the success of your IAM program.
    – Maintain current application information related to version, priority, business impact, user community, and supported integration methods.
      This provides the ability to quickly understand your application stack and the priority under which applications should be included in an IAM program.
    – Establish an IAM Governance Committee to confirm that IAM policies are followed.
      This ensures that all IAM policies and controls are adhered to and provides a vehicle to determine overall impact prior to making any IAM program changes.
    – Make your IAM program an integral part of all application onboarding/major change discussions.
      Considering the IAM implications in these discussions allows for a comprehensive assessment and reduces the risk of delays or violations of security policies.
  • 23. WHAT DRIVES US
    – Traditional security investments are providing solutions to specific problems
    – And yet, identity has become the context for becoming more secure
    – Enterprises are still struggling with IAM best practices and maturity is inconsistent
    – Practitioners are hungry for independent guidance on leveraging existing investments to reduce the risk of a breach
  • 24. IDSA Resources
    – IAM Good Hygiene Tips
    – IDSA Security Controls
    – Use Case Blueprints
    – IDS Framework for Business Initiative
    – Maturity Journey
    – IDSA Validated Integrations
    – Customer Success Stories
    – Collaboration Forum for vendors, solution providers, practitioners
    – More….
    New Revenue Sources for Technology Vendors and Solution Providers
    Confidence in Vendor Integrations through Peer Reviews and References
    Community Developed Best Practices and Implementation Approaches
    From thought leadership to practical guidance

Editor's Notes

  1. Everyone recognizes that enterprise identities are under attack. In 2016, 81% of breaches were related to compromised credentials – lost, stolen or compromised. Further evidence that enterprise identities are under attack: breaches increased 45% from 2016 to 2017, and the majority are still tied back to credentials that have been compromised. What’s going on in your organizations – are you concerned about a breach?
  2. What are the key drivers for us? Security spending is increasing: worldwide spending on information security products and services will reach more than $114 billion in 2018, an increase of 12.4 percent from last year, according to the latest forecast from Gartner, Inc. In 2019, the market is forecast to grow 8.7 percent to $124 billion. Organizations are feeling under attack, so they continue to spend, but is it effective? In most organizations – in yours? – identity has been considered an operational control and a user experience requirement rather than a security foundation. Given the recent threat environment, identity has finally transitioned from operational and user-experience driven to being understood as core to security.
  3. This intersection of identity and security is why we exist. We believe that leveraging identity context throughout a security infrastructure makes you more secure. It’s not a new concept – identity organizations have been talking about the role of IAM (and identity) in a security strategy for a few years. As a community, we’ve taken the next step and have collaborated with security companies to start driving that message at a higher level and as a community, as well as to provide organizations with resources to be successful – with IAM as a foundation and extending it to security infrastructures.
  4. Who we are…. We are 18 vendors across IAM and cybersecurity. If your vendor is not listed, encourage your vendor partners to engage. We also have 4 customers who are members of the customer advisory board. These vendors and CAB members are essentially kick-starting the IDSA, but ultimately we want to become end-user driven – our success is measured by the number of organizations that have been successful implementing an identity-centric approach to security.
  5. How we are doing it… Develop best practices and practical guidance – community developed, but practitioner approved. Will talk about the specific deliverables we are creating and get your feedback. Foster vendor collaboration - vendors come together organically, but also a place for customers to go to advocate for collaboration amongst the vendors and provide some guidelines for how vendors integrate – what are best practices for the vendors, that give enterprises a sense of security/confidence. Community validation of technology integrations – working toward providing an online community that can share vendor integration experiences, best practices, scoring, on-line Q&A. Practice, discuss and evolve as a community – work together to continue to share best practices/expertise, provide case studies – see the adobe ZEN story (webcast) on our website. Work for the community, on behalf of the community – at the end let’s talk about what else we can do?
  6. More specifics on what we are creating… Back to the graphic: we’ve categorized technology across identity and security into discrete components and defined the minimum capabilities we think an organization should have. We’ve defined security controls, which are the intersection of components to address a specific requirement, for example risk-based authentication (Denver) or privileged access governance (Charlotte), which we will see in action during the demo. We’ve mapped integrations to those security controls: which vendors (most likely vendors you have) support integrations for that particular control. If you have that requirement and your vendors don’t integrate, come to the IDSA and we can help bring them together. Over time, we will certify those integrations and provide a place to share best practices and recommendations, as described before. This gives you confidence in the integration and a place to ask questions of other practitioners. All of these are elements that contribute to the framework.
  7. The IDSA framework provides the building blocks needed to implement an identity-centric approach to security. It starts with hygiene tips: these are foundational best practices, capabilities and security controls that the IDSA recommends and that will provide a solid foundation to build upon. Identity-defined security controls, which we talked about before, are the intersection of components to address a specific requirement, for example risk-based authentication (Denver) or privileged access governance (Charlotte), which we will see in action during the demo. Use cases are an interim building block of security controls: combine security controls to achieve a specific goal; 16 of them are defined on our website today. Reference architectures combine all of these things and provide guidance on implementing an identity-centric approach to security for a specific business initiative. We’ll start with Office365, but what are others that should be included? Now let’s look at examples of hygiene tips and security controls, specific to the demo we will see. We’ll come back and brainstorm, too.
  8. Stephen set stage, intro others.
  9. Identity Governance is responsible for ensuring that people have the right access, at the right time, for the right reasons. Privileged Access Management grants privileges to users: only where authorized, only when authorized, in a centralized store (not local to a particular machine), and in an auditable way. Security Information and Event Management, or SIEM, provides real-time analysis of security alerts generated within complex organizational environments. SIEMs can detect and report policy anomalies as they occur, and the latest generation of SIEM applications can also respond automatically to these anomalies. Before we get into the solution itself, let’s take a look at the architecture that makes this possible. First, IdentityIQ serves as the governance platform in this scenario. IdentityIQ is connected to CyberArk via the PAM connector that is packaged with our PAM module. This relies on a PAM-specific extension to the SCIM 2.0 standard. It is through this connector that we are able to expose the PAM users and their access inside of IdentityIQ, as well as provide the ability to take direct, immediate remediation actions on those users. Additionally, IdentityIQ has the ‘SIEM Plugin’ installed, which contains RESTful endpoints that are capable of launching 13 distinct governance actions at the request of a SIEM product. CyberArk maintains the users-to-safes relationship, and also hosts a PAM-enabled SCIM server for communication with IdentityIQ. In the diagram here we can see that we have a ‘safe’ in CyberArk that contains the credentials used to authenticate to some secure system with read/write/execute privileges. LogRhythm is set up to monitor the Secure System in this example, and when an event is triggered, a SmartResponse is executed that launches a PowerShell script, which makes a POST request to the IdentityIQ SIEM Plugin to initiate a governance control if appropriate.
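The decision the response script has to make in that flow (is a governance control "appropriate" for this alarm?) is the part worth getting right, because an over-eager SIEM integration will disable accounts on noisy alarms. The following is an added example in Python, not IDSA, SailPoint, CyberArk or LogRhythm code, and the page's flow used a PowerShell script; the alarm names, the `<base_url>/<action>` endpoint path, the request body shape, the score thresholds and the sample alarm JSON are all constructed, and the transport is injected so the example runs offline.

```python
import json
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Hypothetical allow-list of SIEM alarm names -> governance actions. The real SIEM
# Plugin exposes 13 actions; these alarm and action names are placeholders.
ALARM_TO_ACTION: Dict[str, str] = {
    "PrivilegedCredentialMisuse": "disableAccount",
    "AfterHoursSafeAccess": "launchCertification",
}
# Minimum SIEM risk score before an action fires (thresholds chosen for this example).
MIN_SCORE: Dict[str, int] = {"disableAccount": 80, "launchCertification": 50}


@dataclass
class SiemAlert:
    alarm: str
    user: str
    score: int
    host: str


def parse_alert(raw: str) -> SiemAlert:
    """Parse the constructed JSON an alarm hands to the response script."""
    d = json.loads(raw)
    return SiemAlert(alarm=d["alarmName"], user=d["user"], score=int(d["riskScore"]), host=d["host"])


def select_action(alert: SiemAlert, privileged_users: Set[str]) -> Optional[str]:
    """Decide whether a governance control is appropriate. Three guards: the alarm must be
    on the allow-list, the account must be one governance already tracks as privileged,
    and the score must reach the action's threshold. Anything else is left to a human."""
    action = ALARM_TO_ACTION.get(alert.alarm)
    if action is None or alert.user not in privileged_users:
        return None
    if alert.score < MIN_SCORE[action]:
        return None
    return action


def build_request(alert: SiemAlert, action: str, base_url: str, token: str) -> Tuple[str, Dict[str, str], bytes]:
    """Assemble the POST the response script would send (URL path and body shape are hypothetical)."""
    url = f"{base_url}/{action}"
    body = {"identity": alert.user, "reason": f"{alert.alarm} on {alert.host} (score {alert.score})"}
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {token}"}
    return url, headers, json.dumps(body).encode()


def http_post(url: str, headers: Dict[str, str], body: bytes) -> int:
    """Real transport; not exercised offline."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def handle_alerts(raw_alerts: List[str], privileged_users: Set[str], base_url: str, token: str,
                  post: Callable[[str, Dict[str, str], bytes], int] = http_post) -> List[Tuple[str, str, str]]:
    """Process alarms and return an audit trail of (user, alarm, outcome), so every
    automated action and every deliberate non-action is recorded."""
    audit: List[Tuple[str, str, str]] = []
    for raw in raw_alerts:
        alert = parse_alert(raw)
        action = select_action(alert, privileged_users)
        if action is None:
            audit.append((alert.user, alert.alarm, "ignored"))
            continue
        url, headers, body = build_request(alert, action, base_url, token)
        status = post(url, headers, body)
        audit.append((alert.user, alert.alarm, f"{action}:{status}"))
    return audit


# Constructed sample alarms: one actionable, one on a non-privileged user,
# one below threshold, one alarm type not on the allow-list.
SAMPLE_ALERTS = [
    '{"alarmName": "PrivilegedCredentialMisuse", "user": "svc-dbadmin", "riskScore": 92, "host": "db01"}',
    '{"alarmName": "PrivilegedCredentialMisuse", "user": "jdoe", "riskScore": 95, "host": "ws17"}',
    '{"alarmName": "AfterHoursSafeAccess", "user": "svc-dbadmin", "riskScore": 30, "host": "vault"}',
    '{"alarmName": "PortScanDetected", "user": "svc-dbadmin", "riskScore": 99, "host": "db01"}',
]


def run_sample() -> List[Tuple[str, str, str]]:
    """Run the sample through a stub transport that answers 200 instead of sending."""
    def fake_post(url: str, headers: Dict[str, str], body: bytes) -> int:
        return 200
    return handle_alerts(SAMPLE_ALERTS, {"svc-dbadmin"},
                         "https://iiq.example.invalid/siem", "TOKEN-PLACEHOLDER", fake_post)


if __name__ == "__main__":
    for entry in run_sample():
        print(entry)
```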
  10. Join us in our mission. We are vendors today, but we want to make sure that we incorporate the voice of the customer and help building tools, resources and best practices that help you stay secure and reduce risk in your organizations.
  12. Get validation that all of these assumptions are true – if not, then why would we exist? Engage the audience, ideally practitioners, but vendors, as well… Identity is core to security: Yes? No, why not? There is overwhelming evidence of identity’s role in security – identity is the leading cause of breaches, vendors are introducing “identity aware” solutions, but what is happening in the customer community? Majority of organizations are not leading with this premise: We don’t believe that organizations are there – does anyone in the audience have evidence to the contrary? Organizations are across the spectrum of maturity for implementing this approach: We believe that even still, organizations are all across the board in terms of implementing an IAM strategy – tactical/project based, implemented solutions but not tied in to all aspects of people, process and technology, and few are at a mature level (see last bullet) Organizations are hungry for guidance on how to approach implementing an identity centric approach to security: We believe that there is a gap in guidance – vendors, peers, analysts – no one is looking at it holistically. We want to be the 4th pillar in your places to go for help. Those on the far end of the spectrum (20%) can help educate those that are just getting started (80%): If we make a group of organizations successful, we can then use those organizations as advocates and educators for the rest of the customer community.
  13. IDSA Maturity Journey (working title) that provides best practices for good IAM hygiene and the processes and security controls that support them. Security and identity leaders and implementers – IDSA Security Controls are identity-centric security patterns which combine identity and security capabilities that help organizations improve their security posture by leveraging an identity context. Implementers – implementation best practices that provide blueprints for combining Security Controls to meet the common security challenges organizations are facing (revamp of use cases).