Slides from the first Silicon Valley IDSA Meetup held October 25th. The agenda included an overview of the IDSA, a case study from Adobe Security, including an integration demo with Okta and VMware, and a review of the IDSA security controls and IAM hygiene tips that are currently in development.
4. MARKET DRIVER: SECURITY COMPLEXITY
• Enterprises are bulging with complex security technologies
• Identity has not been a foundational element of most security architectures
5. IDENTITY-DEFINED SECURITY ALLIANCE
We are an industry community helping to reduce enterprise risk through identity-defined security…
1. Develop best practices and practical guidance
2. Foster vendor collaboration
3. Community validation of technology integrations
8. HOW WE WORK / WHAT WE DO
[Diagram: Security Components (Access Management, Identity Governance, PAM, EMM, …) → Security Capabilities → Identity-Defined Security Controls → Certified Integrations]
1. Categorize technology
2. Specify controls
3. Certify products that fit
10. SECURITY CONTROLS

Security control: Risk-based authentication
Description: Authentication based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
Capabilities:
• Must have the ability to query F&R at application for risk posture
• Must have the ability to query CASB for risk posture
• Must have the ability to provide MFA based on response of user anomaly
• Must have the ability to return anomaly status
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Security control: Risk-based governance
Description: Access enforcement based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
Capabilities:
• Must have the ability to initiate attestation campaign
• Must have the ability to call out to F&R to update user status
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Security control: Compliance access enforcement
Description: Actions initiated by governance compliance reviews that indicate that action is needed pertaining to user access and entitlements.
Capabilities:
• Must have the ability to initiate IA workflow for disable/delete
• Must have the ability to accept disable workflow events and act upon them
• Must have the ability to send password reset notifications
• Must have the ability to perform self-service password functions

Security control: Securing private web-enabled applications
Description: Providing a seamless authentication experience and platform for users to access both public and private cloud web-enabled applications.
Capabilities:
• Must have the ability to provide cloud and on-prem applications in the SSO portal
• Must have the ability to provide authorization to application via portal regardless of location
• Must have the ability to relay/convert SAML protocol to supported application protocol (e.g. Kerberos)
11. SECURITY CONTROLS (CONT’D)

Security control: Risk-based privileged access management
Description: Step-up authentication based on risk posture.
Capabilities:
• Must have the ability to query F&R for risk posture
• Must have the ability to provide step-up auth for high risk postures
• Must have the ability to identify sensitive applications
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Security control: Multiple authentication session device management
Description: Detection of multiple authentication sessions from different mobile devices.
Capabilities:
• Must have the ability to determine the user has another session
• Must have the ability to provide MFA based on response of user anomaly
• Must have the ability to send data to F&R based on multiple sessions
• Must have the ability to provide managed device status
• Must have the ability to query EMM for device status

Security control: Risk-based EMM management
Description: EMM device management based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
Capabilities:
• Must have the ability to query CASB for anomaly
• Must have the ability to return anomaly status
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)
• Must have the ability to define / apply data classifications to identified file types

Security control: Data protection via data security policies
Description: Web application and data access is secured utilizing CASB or DAG enforcement policies.
Capabilities:
• Must have the ability to work with CASB and send authN for reverse proxy
• Must have the ability to work with access management to provide access to web-based applications
• Must have the ability to detect policy violations and terminate access
• Must have the ability to consume file and event data to determine policy violations
• Must have the ability to notify manager of policy violations
12. SECURITY CONTROLS (CONT’D)

Security control: Profile-based authentication
Description: Authentication based on identity profile attribute to determine a higher level of identity assurance.
Capabilities:
• Must have the ability to determine if MFA is required based on user profile data
• Must have the ability to provide user data

Security control: Profile-based data security
Description: Data access based on an identity profile attribute.
Capabilities:
• Must have the ability to get user profile data from identity administration
• Must have the ability to provide access to attribute data based on profile data and AuthN
• Must have the ability to provide user data

Security control: Data security through classification policies
Description: Controlling data encryption via security policy enforcement and/or risk posture.
Capabilities:
• Must have the ability to encrypt documents for administrative analysis
• Must have the ability to identify data classifications within a DLP product
• Must have the ability to get user profile data from identity administration
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Security control: Privileged access management governance
Description: Provide compliance overview of accounts designated as privileged.
Capabilities:
• Must have the ability to provide account status information to PAM app
• Must have the ability to initiate IA workflow for disable/delete
• Must have the ability to provide account information to identity governance app
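The risk-based authentication, risk-based privileged access management and multiple-session controls above all hinge on the same decision: the requesting tool collects a posture from each risk engine as a defined value (Low, Moderate, High, Extreme) and decides whether to allow, step up to MFA, or deny. The following is an added illustration, not code from the IDSA or any member product; the engine names, the `AuthRequest` fields and the policy thresholds are assumptions chosen to show how the controls compose, including the fail-closed handling of an engine that returns nothing or an undefined value.

```python
from dataclasses import dataclass
from enum import IntEnum

class Risk(IntEnum):
    # The defined values a risk engine returns to the requesting tool.
    LOW = 0
    MODERATE = 1
    HIGH = 2
    EXTREME = 3

def parse_risk(value: str) -> Risk:
    """Map an engine's response string to a Risk; unrecognised answers fail closed."""
    try:
        return Risk[value.strip().upper()]
    except KeyError:
        return Risk.EXTREME

@dataclass
class AuthRequest:
    user: str
    app: str
    engine_postures: dict          # engine name -> defined value, e.g. {"CASB": "Low"}
    other_sessions: int = 0        # sessions the user already holds from other devices
    device_managed: bool = True    # managed-device status as reported by EMM
    sensitive_apps: frozenset = frozenset()   # apps flagged as sensitive (assumed list)

def aggregate_posture(postures: dict) -> Risk:
    """Posture is the worst answer from any engine; no answer at all is treated as Extreme."""
    if not postures:
        return Risk.EXTREME
    return max(parse_risk(v) for v in postures.values())

def decide(req: AuthRequest) -> dict:
    """Return the access decision: ALLOW, MFA (step-up) or DENY, with the reasons."""
    posture = aggregate_posture(req.engine_postures)
    reasons = []
    if posture >= Risk.HIGH:
        reasons.append(f"risk posture {posture.name}")
    if req.other_sessions > 0:   # multiple authentication session control
        reasons.append(f"{req.other_sessions} other active session(s)")
    if not req.device_managed:   # EMM managed-device status
        reasons.append("device not EMM-managed")
    if req.app in req.sensitive_apps and posture >= Risk.MODERATE:   # risk-based PAM step-up
        reasons.append(f"sensitive app at posture {posture.name}")
    action = "DENY" if posture == Risk.EXTREME else ("MFA" if reasons else "ALLOW")
    return {"action": action, "posture": posture.name, "reasons": reasons}
```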
13. HYGIENE TIPS

Hygiene tip: Implement a directory group structure that fits the scope of your IAM program.
Description: Assign access and permissions via group memberships to support authentication and authorization events, allowing for a programmatic approach to managing access and entitlements.

Hygiene tip: Implement automated feeds of your employee and non-employee users into your identity store on a daily basis, if not more frequently, as needed.
Description: An automated feed of user changes allows you to react to changes in the user life cycle at a frequency that strengthens your security posture.

Hygiene tip: Ensure uniqueness of every human and non-human identity in your directory.
Description: This is the DNA of your IAM program for every service or function you will support (provisioning, certs, privileged access, physical access, etc.).

Hygiene tip: For provisioning of access, start with building workflows based on your most critical applications, such as SOX, PCI, HIPAA, money moving, etc.
Description: Perform an assessment and prioritize applications, allowing focus for implementation efforts related to the applications that will provide the most benefit.

Hygiene tip: A role model framework should be implemented to support assignment and revocation of access for users to receive core (birthright), enterprise and job-based entitlements and applications.
Description: This framework allows you to quickly assign and revoke access for users during the expected user lifecycle changes (Add, Change, Terminate).

Hygiene tip: Deprovisioning of access should be tied to HR events (term, transfer) and typically never require approval. Whenever you are thinking about provisioning, always think about deprovisioning with it.
Description: Separation events should be included in your user lifecycle management processes as this ensures that unnecessary access no longer exists and minimizes the security risks associated with orphaned accounts and entitlements.

Hygiene tip: Basic transfer access should be reviewed by the old and new manager. Initially, provide a report of access to both and ask them to review what is no longer needed and agree on a time to remove
Description: Implementing a transitional rights model into the role framework will allow you to provide a smooth change of responsibilities and mitigate the impact of the organization transfer.
14. HYGIENE TIPS (CONT’D)

Hygiene tip: Authorization run-time capabilities should be used to control fine-grained access at the data level.
Description: ABAC (attribute-based access control) methodology can be employed at run-time and uses policies to authorize or deny access to various data levels. Coupled with coarse-grained roles, it is one of the most mature capabilities.

Hygiene tip: Business process review should be performed at the beginning of each phase for the in-scope applications.
Description: To ensure the effectiveness of the existing business processes and to identify areas of improvement and efficiencies.

Hygiene tip: Automated provisioning / de-provisioning should be implemented after all applicable business processes have been implemented, utilizing a simulated provisioning approach.
Description: Allows you to realize the full benefit of an IAM program through the automation of provisioning / de-provisioning, reducing the number of manual access requests managed through your Service Management application.

Hygiene tip: Establish governance and policy controls related to the scope and implementation of the IAM program.
Description: Provides for a common understanding, scope and responsibility for the success of your IAM program.

Hygiene tip: Maintain current application information related to version, priority, business impact, user community, and supported integration methods.
Description: This provides the ability to quickly understand your application stack and the priority under which applications should be included in an IAM program.

Hygiene tip: Establish an IAM Governance Committee, confirming that IAM policies are followed.
Description: Ensures that all IAM policies and controls are adhered to and provides a vehicle to determine overall impact prior to making any IAM program changes.

Hygiene tip: Make your IAM program an integral part of all application onboarding/major change discussions.
Description: Considering the IAM implications in these discussions allows for a comprehensive assessment and reduces the risk of delays or violation of security policies.
Need more evidence that enterprise identities are under attack?
Breaches increased 45% from 2016 to 2017, and the majority are still tied back to credentials that have been compromised.
Who we are…
We are 18 vendors across IAM and cybersecurity. If not listed, encourage your vendor partners to engage.
We also have 4 customers who are members of the customer advisory board.
These vendors and CAB members are essentially kick-starting the IDSA, but ultimately we want to become end-user driven: our success is measured by the number of organizations who have been successful implementing an identity-centric approach to security.
Now on to our session. Our lunch and learn presenters are Den Jones and Carlos Martinez from Adobe Security.
Den Jones is the Director of Enterprise Security at Adobe. He manages the team focused on delivering proactive security for Adobe internally. The Enterprise Security team is focused on leading the vision and strategy for Zero-Trust networking, as well as delivering core security services such as Identity, Authentication, Endpoint, Network and Enterprise Security Architecture. For more than 20 years Den has been inspiring and driving initiatives that pioneer the industry.
Carlos Martinez is a Sr. Security Engineer in Adobe’s Enterprise Security team, where he is currently focused on the company’s Zero-Trust Enterprise Network (ZEN) initiative. He is passionate about creating and balancing a seamless end-user experience while increasing the security posture of the organization. He holds a Bachelor’s degree in Information Systems from the University of San Francisco.
And now, I’ll turn it over to Den to discuss Adobe Security’s Path to ZEN.
Join us in our mission. We are vendors today, but we want to make sure that we incorporate the voice of the customer and help build tools, resources and best practices that help you stay secure and reduce risk in your organizations.