AGENDA
• Introduction to the IDSA
• Identity-defined security components, capabilities, controls and reference architectures
• Enterprise case study: Adobe
• Questions and discussion encouraged throughout!
MARKET DRIVER: BREACH GROWTH
• 1,579 US breaches in 2017
• (Chart: breaches by sector: Medical/Healthcare, Business, Government/Military, Education, Bank/Credit/Financial)
MARKET DRIVER: SECURITY COMPLEXITY
• Enterprises are bulging with complex security technologies
• Identity has not been a foundational element of most security architectures
IDENTITY-DEFINED SECURITY ALLIANCE
We are an industry community helping to reduce enterprise risk through identity-defined security…
1. Develop best practices and practical guidance
2. Foster vendor collaboration
3. Community validation of technology integrations
Customer Advisory Board: (member logos)
MEMBERSHIP
IMPROVING SECURITY THROUGH IDENTITY
(member logos)
HOW WE WORK / WHAT WE DO
(Diagram) Security Components → Security Capabilities → Identity-Defined Security Controls → Certified Integrations
Security components shown: Access Management, Identity Governance, PAM, EMM, …
1. Categorize technology
2. Specify controls
3. Certify products that fit
IDENTITY-DEFINED SECURITY FRAMEWORK
(Diagram) Framework elements: Identity Hygiene Tips; Identity-Defined Security Controls; Identity-Defined Security Use Cases; Reference Architectures
Example use cases: Adopting Zero Trust Security Posture, Securing Office365, etc.
SECURITY CONTROLS

Security control: Risk-based authentication
Description: Authentication based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
Capabilities:
• Must have the ability to query F&R at application for risk posture
• Must have the ability to query CASB for risk posture
• Must have the ability to provide MFA based on response of user anomaly
• Must have the ability to return anomaly status
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Security control: Risk-based governance
Description: Access enforcement based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
Capabilities:
• Must have the ability to initiate attestation campaign
• Must have the ability to call out to F&R to update user status
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Security control: Compliance access enforcement
Description: Actions initiated by governance compliance reviews that indicate that action is needed pertaining to user access and entitlements.
Capabilities:
• Must have the ability to initiate IA workflow for disable/delete
• Must have the ability to accept disable workflow events and act upon them
• Must have the ability to send password reset notifications
• Must have the ability to perform self-service password functions

Security control: Securing private web-enabled applications
Description: Providing a seamless authentication experience and platform for users to access both public and private cloud web-enabled applications.
Capabilities:
• Must have the ability to provide cloud and on-prem applications in the SSO portal
• Must have the ability to provide authorization to application via portal regardless of location
• Must have the ability to relay/convert SAML protocol to supported application protocol (e.g. Kerberos)
SECURITY CONTROLS (CONT’D)

Security control: Risk-based privileged access management
Description: Step-up authentication based on risk posture.
Capabilities:
• Must have the ability to query F&R for risk posture
• Must have the ability to provide step-up auth for high risk postures
• Must have the ability to identify sensitive applications
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Security control: Multiple authentication session device management
Description: Detection of multiple authentication sessions from different mobile devices.
Capabilities:
• Must have the ability to determine the user has another session
• Must have the ability to provide MFA based on response of user anomaly
• Must have the ability to send data to F&R based on multiple sessions
• Must have the ability to provide managed device status
• Must have the ability to query EMM for device status

Security control: Risk-based EMM management
Description: EMM device management based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
Capabilities:
• Must have the ability to query CASB for anomaly
• Must have the ability to return anomaly status
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)
• Must have the ability to define / apply data classifications to identified file types

Security control: Data protection via data security policies
Description: Web application and data access is secured utilizing CASB or DAG enforcement policies.
Capabilities:
• Must have the ability to work with CASB and send authN for reverse proxy
• Must have the ability to work with access management to provide access to web-based applications
• Must have the ability to detect policy violations and terminate access
• Must have the ability to consume file and event data to determine policy violations
• Must have the ability to notify manager of policy violations
SECURITY CONTROLS (CONT’D)

Security control: Profile-based authentication
Description: Authentication based on identity profile attribute to determine a higher level of identity assurance.
Capabilities:
• Must have the ability to determine if MFA is required based on user profile data
• Must have the ability to provide user data

Security control: Profile-based data security
Description: Data access based on an identity profile attribute.
Capabilities:
• Must have the ability to get user profile data from identity administration
• Must have the ability to provide access to attribute data based on profile data and AuthN
• Must have the ability to provide user data

Security control: Data security through classification policies
Description: Controlling data encryption via security policy enforcement and/or risk posture.
Capabilities:
• Must have the ability to encrypt documents for administrative analysis
• Must have the ability to identify data classifications within a DLP product
• Must have the ability to get user profile data from identity administration
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Security control: Privileged access management governance
Description: Provide compliance overview of accounts designated as privileged.
Capabilities:
• Must have the ability to provide account status information to PAM app
• Must have the ability to initiate IA workflow for disable/delete
• Must have the ability to provide account information to identity governance app
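The control tables above list what each tool must be able to query and return, but not how an access manager turns those answers into a decision. The following Python is an added example written for this page, not IDSA code and not any vendor's API: it normalises the responses of the risk engines named in the tables (F&R, CASB, UEBA; the page does not expand F&R, and the example treats it as a fraud-and-risk engine, which is an assumption) to the defined values Low, Moderate, High and Extreme, then applies the multiple-session, EMM managed-device and privileged-profile rules to choose between allowing the request, stepping up to MFA, and denying. The class and function names, the 0-100 engine scores, the thresholds and the sample requests are all this example's own constructions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class RiskStatus(Enum):
    """The defined values exchanged between tools (from the control tables)."""
    LOW = 1
    MODERATE = 2
    HIGH = 3
    EXTREME = 4


def score_to_status(score: float) -> RiskStatus:
    """Normalise a 0-100 engine score to the four-value scale.
    The thresholds are this example's assumption, not an IDSA specification."""
    if score >= 90:
        return RiskStatus.EXTREME
    if score >= 70:
        return RiskStatus.HIGH
    if score >= 40:
        return RiskStatus.MODERATE
    return RiskStatus.LOW


@dataclass
class RiskSignals:
    """What the access manager gathers for one request. Every field is a
    hypothetical stand-in for a real engine response."""
    fr_score: float                        # fraud & risk engine, 0-100 (assumed meaning of F&R)
    ueba_score: float                      # UEBA behaviour score, 0-100
    casb_anomaly: bool                     # CASB reported an anomaly for this user
    other_session_device: Optional[str]    # device id of another active session, if any
    device_managed: bool                   # EMM reports the requesting device as managed
    privileged_user: bool                  # identity profile attribute from identity administration
    sensitive_app: bool                    # target application is in PAM scope


@dataclass
class Decision:
    action: str                            # "allow", "step_up_mfa" or "deny"
    risk_status: RiskStatus                # the value returned to the requesting tool
    reasons: List[str] = field(default_factory=list)


def aggregate_risk(s: RiskSignals) -> RiskStatus:
    """Posture is the worst status any engine reports: the controls only
    require 'at least one risk engine', so one alarming source is enough."""
    statuses = [score_to_status(s.fr_score), score_to_status(s.ueba_score)]
    if s.casb_anomaly:
        statuses.append(RiskStatus.HIGH)
    return max(statuses, key=lambda st: st.value)


def decide_access(s: RiskSignals) -> Decision:
    """Combine the risk-based authentication, risk-based PAM, multiple-session
    and EMM controls into one decision for the requesting tool."""
    status = aggregate_risk(s)
    if status is RiskStatus.EXTREME:
        # Extreme posture is refused outright rather than challenged with MFA.
        return Decision("deny", status, ["risk posture EXTREME"])
    if s.sensitive_app and not s.device_managed:
        # Risk-based EMM management: unmanaged devices never reach sensitive apps.
        return Decision("deny", status, ["unmanaged device on sensitive application"])
    reasons: List[str] = []
    if status is RiskStatus.HIGH:
        reasons.append("risk posture HIGH")
    if s.other_session_device is not None:
        reasons.append(f"concurrent session from device {s.other_session_device}")
    if s.privileged_user and s.sensitive_app:
        reasons.append("privileged profile accessing sensitive application")
    if reasons:
        return Decision("step_up_mfa", status, reasons)
    return Decision("allow", status, ["no anomaly reported"])


# Constructed sample requests (not real telemetry).
SAMPLE_REQUESTS: Dict[str, RiskSignals] = {
    "routine":       RiskSignals(10, 15, False, None, True, False, False),
    "second_device": RiskSignals(10, 20, False, "mobile-7f3a", True, False, False),
    "casb_anomaly":  RiskSignals(30, 35, True, None, True, False, False),
    "admin_on_pam":  RiskSignals(20, 10, False, None, True, True, True),
    "unmanaged_pam": RiskSignals(20, 10, False, None, False, True, True),
    "extreme":       RiskSignals(95, 60, False, None, True, False, False),
}


def run_samples() -> Dict[str, str]:
    """Return the action chosen for each constructed request."""
    return {name: decide_access(sig).action for name, sig in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, sig in SAMPLE_REQUESTS.items():
        d = decide_access(sig)
        print(f"{name:14} {d.action:12} {d.risk_status.name:9} {'; '.join(d.reasons)}")
```

Taking the worst status across engines, rather than an average, is the design choice that matters: an average lets one engine's silence mask another's alarm. The `reasons` list is what you would forward to the SIEM and to the F&R engine, since several controls require the requesting tool to be told why the posture changed.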
HYGIENE TIPS

Tip: Implement a directory group structure that fits the scope of your IAM program.
Description: Assign access and permissions via group memberships to support authentication and authorization events, allowing for a programmatic approach to managing access and entitlements.

Tip: Implement automated feeds of your employee and non-employee users into your identity store on a daily basis, if not more frequently, as needed.
Description: An automated feed of user changes allows you to react to changes in the user life cycle at a frequency that strengthens your security posture.

Tip: Ensure uniqueness of every human and non-human identity in your directory.
Description: This is the DNA of your IAM program for every service or function you will support (provisioning, certs, privileged access, physical access, etc.).

Tip: For provisioning of access, start with building workflows based on your most critical applications, such as SOX, PCI, HIPAA, money moving, etc.
Description: Perform an assessment and prioritize applications, allowing focus for implementation efforts related to the applications that will provide the most benefit.

Tip: A role model framework should be implemented to support assignment and revocation of access for users to receive core (birthright), enterprise and job-based entitlements and applications.
Description: This framework allows you to quickly assign and revoke access for users during the expected user lifecycle changes (Add, Change, Terminate).

Tip: Deprovisioning of access should be tied to HR events (term, transfer) and typically never require approval. Whenever you are thinking about provisioning, always think about deprovisioning with it.
Description: Separation events should be included in your user lifecycle management processes, as this ensures that unnecessary access no longer exists and minimizes the security risks associated with orphaned accounts and entitlements.

Tip: Basic transfer access should be reviewed by the old and new manager. Initially, provide a report of access to both and ask them to review what is no longer needed and agree on a time to remove.
Description: Implementing a transitional rights model into the role framework will allow you to provide a smooth change of responsibilities and mitigate the impact of the organization transfer.
HYGIENE TIPS (CONT’D)

Tip: Authorization run-time capabilities should be used to control fine-grained access at the data level.
Description: ABAC (attribute-based access control) methodology can be employed at run-time and uses policies to authorize or deny access to various data levels. Coupled with coarse-grained roles, it is one of the most mature capabilities.

Tip: Business process review should be performed at the beginning of each phase for the in-scope applications.
Description: To ensure the effectiveness of the existing business processes and to identify areas of improvement and efficiencies.

Tip: Automated provisioning / de-provisioning should be implemented after all applicable business processes have been implemented, utilizing a simulated provisioning approach.
Description: Allows you to realize the full benefit of an IAM program through the automation of provisioning / de-provisioning, reducing the number of manual access requests managed through your Service Management application.

Tip: Establish governance and policy controls related to the scope and implementation of the IAM program.
Description: Provides for a common understanding, scope and responsibility for the success of your IAM program.

Tip: Maintain current application information related to version, priority, business impact, user community, and supported integration methods.
Description: This provides the ability to quickly understand your application stack and the priority under which applications should be included in an IAM program.

Tip: Establish an IAM Governance Committee, confirming that IAM policies are followed.
Description: Ensures that all IAM policies and controls are adhered to and provides a vehicle to determine overall impact prior to making any IAM program changes.

Tip: Make your IAM program an integral part of all application onboarding/major change discussions.
Description: Considering the IAM implications in these discussions allows for a comprehensive assessment and reduces the risk of delays or violation of security policies.
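Several of the hygiene tips describe one procedure: feed HR events (Add, Change, Terminate) into the identity store, assign birthright and job-based entitlements from a role model, deprovision on termination without approval, hold transitional rights on transfer for the old and new manager to review, and hunt for orphaned accounts. The Python below is an added example illustrating that procedure end to end; it is not IDSA code, and the role model, the job codes, the entitlement names and the HR feed are constructed sample data. The class and function names (HrEvent, Identity, Change, apply_event, orphaned_accounts and so on) are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed role model: birthright entitlements every active user receives,
# plus job-based entitlements keyed by the HR job code.
BIRTHRIGHT: Set[str] = {"email", "sso-portal", "hr-self-service"}
JOB_ROLES: Dict[str, Set[str]] = {
    "ENG-SWE": {"source-control", "issue-tracker", "ci-runner"},
    "ENG-MGR": {"source-control", "issue-tracker", "headcount-tool"},
    "FIN-AP": {"erp-payables", "sox-reporting"},  # money-moving / SOX scope
}


@dataclass
class HrEvent:
    event: str      # "Add", "Change" or "Terminate"
    user: str
    job_code: str
    manager: str


@dataclass
class Identity:
    user: str
    job_code: str
    manager: str
    entitlements: Set[str] = field(default_factory=set)
    active: bool = True


@dataclass
class Change:
    user: str
    granted: Set[str]
    revoked: Set[str]              # removed immediately, no approval needed
    review_for_removal: Set[str]   # transitional rights pending manager review
    reviewers: Tuple[str, ...] = ()


def expected_entitlements(job_code: str) -> Set[str]:
    """Birthright plus job-based entitlements for a job code."""
    return BIRTHRIGHT | JOB_ROLES.get(job_code, set())


def apply_event(directory: Dict[str, Identity], ev: HrEvent) -> Change:
    """Apply one HR lifecycle event to the identity store and report the change."""
    if ev.event == "Add":
        ent = expected_entitlements(ev.job_code)
        directory[ev.user] = Identity(ev.user, ev.job_code, ev.manager, set(ent))
        return Change(ev.user, set(ent), set(), set())
    ident = directory[ev.user]
    if ev.event == "Terminate":
        # Deprovisioning follows the HR event directly and needs no approval.
        revoked = set(ident.entitlements)
        ident.entitlements.clear()
        ident.active = False
        return Change(ev.user, set(), revoked, set())
    if ev.event == "Change":
        new = expected_entitlements(ev.job_code)
        granted = new - ident.entitlements
        # Transitional rights: access the new role does not cover stays for now
        # and is reported to the old and new manager to agree on removal.
        transitional = ident.entitlements - new
        reviewers = (ident.manager, ev.manager)
        ident.job_code, ident.manager = ev.job_code, ev.manager
        ident.entitlements |= granted
        return Change(ev.user, granted, set(), transitional, reviewers)
    raise ValueError(f"unknown HR event type: {ev.event}")


def hr_active_users(feed: List[HrEvent]) -> Set[str]:
    """Users the HR feed currently considers active."""
    terminated = {ev.user for ev in feed if ev.event == "Terminate"}
    return {ev.user for ev in feed if ev.event != "Terminate"} - terminated


def orphaned_accounts(directory: Dict[str, Identity], hr_active: Set[str]) -> Set[str]:
    """Active directory accounts with no matching active HR record."""
    return {u for u, ident in directory.items() if ident.active and u not in hr_active}


# Constructed daily feed (sample data, not a real HR export).
SAMPLE_FEED: List[HrEvent] = [
    HrEvent("Add", "alice", "ENG-SWE", "maria"),
    HrEvent("Add", "bob", "FIN-AP", "dev"),
    HrEvent("Change", "alice", "ENG-MGR", "raj"),   # transfer: engineer to manager
    HrEvent("Terminate", "bob", "FIN-AP", "dev"),
]


def run_feed(feed: List[HrEvent] = SAMPLE_FEED) -> Tuple[Dict[str, Identity], List[Change]]:
    """Replay a feed against a fresh store that already holds one stale account."""
    directory: Dict[str, Identity] = {
        "svc-legacy": Identity("svc-legacy", "N/A", "", {"erp-payables"}),
    }
    changes = [apply_event(directory, ev) for ev in feed]
    return directory, changes


if __name__ == "__main__":
    store, log = run_feed()
    for c in log:
        print(c)
    print("orphaned:", orphaned_accounts(store, hr_active_users(SAMPLE_FEED)))
```

Note the asymmetry the tips call for: a Terminate revokes everything immediately with no reviewer, while a Change grants the new role's entitlements at once but only reports the leftover access for the two managers to remove on an agreed date. Running the orphan check against the same feed is what catches the `svc-legacy` account that never had an HR record.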
© 2018 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.
ZEN - Zero-Trust Enterprise Network
Den Jones | Carlos Martinez

Agenda
• The Purpose of ZEN
• Current State
• ZEN Benefits
• Connecting the Pieces Together
• Lessons learned
• Q&A

Purpose
• Transform our network and applications to a “cloud-like” state
• Enable application access without the need to be internal or use VPN
• Secure network level access based on user and device posture

Network Security & User Experience: Current State
• Internal application access outdated (requires VPN, not cloud-like)
• No device security enforced, even to access restricted data
• Any device can join the network with network level access to almost all DC infrastructure
• Application authentication and authorization standards are not consistent or enforceable (not close to SSO)

Network Security & User Experience: ZEN Benefits
• Improving user experience (removing VPN requirements & improved authentication)
• Improving security by restricting network level access to infrastructure
• Almost eliminating lateral movement during compromise
• Protecting internal applications while enabling a cloud-like experience

ZEN Leverages Existing Investments
• Authentication
• Network Access Control
• Logging
• EDR
• Device Management

ZEN – Abstract Overview
(architecture diagram)

Progress
• Certificates deployed to over 20,000 devices
• 1300 ZEN enabled applications
• 20+ applications available via proxy
• Trust Score Engine in production
• 12,000 authentications per hour

Lessons Learned
• No single off-the-shelf solution exists
• Bringing vendors together is time consuming
• Technology overlap

IDSA Participation Benefits
• Forum for pushing cross-vendor initiatives
• Provides reality to the vendor ‘echo-chamber’
• Exposure to vendors, technologies, use cases, best practices
• Improves knowledge and effectiveness of the team
• Help drive innovation in the industry with vendors and solution providers

IDSA-DP-002
(reference architecture diagram)

IDS Security Controls
• Multiple Authentication session device management
• Risk Based EMM Management

Reach out
• Den Jones - den.jones@adobe.com
• Carlos Martinez – carlos.martinez@adobe.com
GET INVOLVED!
Become a part of our community
https://forum.idsalliance.org/

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 

Silicon Valley IDSA Meetup October 2018

1. (title slide, no text)

2. AGENDA
• Introduction to the IDSA
• Identity-defined security components, capabilities, controls and reference architectures
• Enterprise case study: Adobe
• Questions and discussion encouraged throughout!

3. MARKET DRIVER: BREACH GROWTH
1,579 US breaches in 2017, shown by sector: Medical/Healthcare, Business, Government/Military, Education, Bank/Credit/Financial

4. MARKET DRIVER: SECURITY COMPLEXITY
• Enterprises are bulging with complex security technologies
• Identity has not been a foundational element of most security architectures

5. IDENTITY-DEFINED SECURITY ALLIANCE
We are an industry community helping to reduce enterprise risk through identity-defined security…
1. Develop best practices and practical guidance
2. Foster vendor collaboration
3. Community validation of technology integrations
8. HOW WE WORK / WHAT WE DO
Security Components (Access Management, Identity Governance, PAM, EMM, …) → Security Capabilities → Identity-Defined Security Controls → Certified Integrations
1. Categorize technology
2. Specify controls
3. Certify products that fit

9. IDENTITY-DEFINED SECURITY FRAMEWORK
• Identity Hygiene Tips
• Identity-Defined Security Controls
• Identity-Defined Security Use Cases
• Reference Architectures
Examples: Adopting Zero Trust Security Posture, Securing Office365, etc.
10. SECURITY CONTROLS

Risk-based authentication
  Description: Authentication based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
  Capabilities:
  • Must have the ability to query F&R at application for risk posture
  • Must have the ability to query CASB for risk posture
  • Must have the ability to provide MFA based on response of user anomaly
  • Must have the ability to return anomaly status
  • Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Risk-based governance
  Description: Access enforcement based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
  Capabilities:
  • Must have the ability to initiate attestation campaign
  • Must have the ability to call out to F&R to update user status
  • Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Compliance access enforcement
  Description: Actions initiated by governance compliance reviews that indicate that action is needed pertaining to user access and entitlements.
  Capabilities:
  • Must have the ability to initiate IA workflow for disable/delete
  • Must have the ability to accept disable workflow events and act upon them
  • Must have the ability to send password reset notifications
  • Must have the ability to perform self-service password functions

Securing private web-enabled applications
  Description: Providing a seamless authentication experience and platform for users to access both public and private cloud web-enabled applications.
  Capabilities:
  • Must have the ability to provide cloud and on-prem applications in the SSO portal
  • Must have the ability to provide authorization to application via portal regardless of location
  • Must have the ability to relay/convert SAML protocol to supported application protocol (e.g. Kerberos)
11. SECURITY CONTROLS (CONT’D)

Risk-based privileged access management
  Description: Step-up authentication based on risk posture.
  Capabilities:
  • Must have the ability to query F&R for risk posture
  • Must have the ability to provide step-up auth for high risk postures
  • Must have the ability to identify sensitive applications
  • Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Multiple authentication session device management
  Description: Detection of multiple authentication sessions from different mobile devices.
  Capabilities:
  • Must have the ability to determine the user has another session
  • Must have the ability to provide MFA based on response of user anomaly
  • Must have the ability to send data to F&R based on multiple sessions
  • Must have the ability to provide managed device status
  • Must have the ability to query EMM for device status

Risk-based EMM management
  Description: EMM device management based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
  Capabilities:
  • Must have the ability to query CASB for anomaly
  • Must have the ability to return anomaly status
  • Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)
  • Must have the ability to define / apply data classifications to identified file types

Data protection via data security policies
  Description: Web application and data access is secured utilizing CASB or DAG enforcement policies.
  Capabilities:
  • Must have the ability to work with CASB and send authN for reverse proxy
  • Must have the ability to work with access management to provide access to web-based applications
  • Must have the ability to detect policy violations and terminate access
  • Must have the ability to consume file and event data to determine policy violations
  • Must have the ability to notify manager of policy violations
12. SECURITY CONTROLS (CONT’D)

Profile-based authentication
  Description: Authentication based on identity profile attribute to determine a higher level of identity assurance.
  Capabilities:
  • Must have the ability to determine if MFA is required based on user profile data
  • Must have the ability to provide user data

Profile-based data security
  Description: Data access based on an identity profile attribute.
  Capabilities:
  • Must have the ability to get user profile data from identity administration
  • Must have the ability to provide access to attribute data based on profile data and AuthN
  • Must have the ability to provide user data

Data security through classification policies
  Description: Controlling data encryption via security policy enforcement and / or risk posture.
  Capabilities:
  • Must have the ability to encrypt documents for administrative analysis
  • Must have the ability to identify data classifications within a DLP product
  • Must have the ability to get user profile data from identity administration
  • Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Privileged access management governance
  Description: Provide compliance overview of accounts designated as privileged.
  Capabilities:
  • Must have the ability to provide account status information to PAM app
  • Must have the ability to initiate IA workflow for disable/delete
  • Must have the ability to provide account information to identity governance app
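The three tables above describe the same decision shape from several angles: query one or more risk engines, fold the answers together with the session and device signals, reduce the result to one of the defined values (Low, Moderate, High, Extreme), and let that value drive allow / MFA / step-up / deny. It is also the shape of the user-and-device-posture gate the Adobe ZEN case study describes later in the deck. The following is an added example, not IDSA or member-vendor code, of a policy decision point that implements the risk-based authentication, risk-based PAM and multiple-session controls together. The engine adapters, score ranges, thresholds, application names and sample scores are assumptions; the one design point worth noticing is that an unreachable risk engine is treated as High rather than Low, so an outage of the risk feed cannot silently downgrade every login.

```python
# Added example (not IDSA or member-vendor code): a policy decision point for
# the "risk-based authentication", "risk-based privileged access management"
# and "multiple authentication session device management" controls above.
# Engine names, score ranges, thresholds, app names and sample scores are
# assumptions made for this illustration.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Risk(Enum):
    """The defined values sent back to the requesting tool (ordered)."""
    LOW = 0
    MODERATE = 1
    HIGH = 2
    EXTREME = 3


class Decision(Enum):
    ALLOW = "allow"        # primary authentication is sufficient
    MFA = "mfa"            # require a second factor for this session
    STEP_UP = "step_up"    # stronger step-up auth for a sensitive application
    DENY = "deny"          # refuse the login


@dataclass
class AuthRequest:
    user: str
    app: str
    device_id: str
    device_managed: Optional[bool]   # EMM answer; None means EMM could not be queried
    active_sessions: List[str]       # device ids of the user's other live sessions


RiskEngine = Callable[[AuthRequest], Risk]   # a CASB, F&R, UEBA or SIEM adapter

SENSITIVE_APPS = {"payroll", "prod-admin"}   # assumption: flagged by PAM / governance


def to_risk(score: float) -> Risk:
    """Normalise a hypothetical 0..100 engine score to the defined value."""
    if score >= 90:
        return Risk.EXTREME
    if score >= 60:
        return Risk.HIGH
    if score >= 30:
        return Risk.MODERATE
    return Risk.LOW


def worse(a: Risk, b: Risk) -> Risk:
    return a if a.value >= b.value else b


def aggregate(req: AuthRequest, engines: Dict[str, RiskEngine], fail_closed: bool = True) -> Risk:
    """Query every engine and keep the worst posture. An unreachable engine
    counts as HIGH when fail_closed is set, so a risk-feed outage cannot
    quietly turn into a LOW posture for everyone."""
    posture = Risk.LOW
    for engine in engines.values():
        try:
            posture = worse(posture, engine(req))
        except Exception:
            posture = worse(posture, Risk.HIGH if fail_closed else Risk.LOW)
    return posture


def decide(req: AuthRequest, engines: Dict[str, RiskEngine],
           fail_closed: bool = True) -> Tuple[Decision, str]:
    """Return the decision plus the risk status string (Low/Moderate/High/Extreme)
    that is returned to the requesting tool."""
    risk = aggregate(req, engines, fail_closed)

    # Multiple authentication session device management: another live session
    # from a different device is a user anomaly that at least triggers MFA.
    if any(d != req.device_id for d in req.active_sessions):
        risk = worse(risk, Risk.MODERATE)

    # Risk-based EMM management: an unmanaged device, or one whose status is
    # unknown because EMM did not answer, is treated as a high-risk posture.
    if req.device_managed is not True:
        risk = worse(risk, Risk.HIGH)

    if risk is Risk.EXTREME:
        decision = Decision.DENY
    elif risk is Risk.HIGH:
        decision = Decision.STEP_UP if req.app in SENSITIVE_APPS else Decision.MFA
    elif risk is Risk.MODERATE:
        decision = Decision.MFA
    else:
        decision = Decision.ALLOW
    return decision, risk.name.capitalize()


# Constructed sample engines, stand-ins for real CASB / F&R / UEBA APIs.
CONSTRUCTED_SCORES = {
    "casb": {"alice": 10, "bob": 65, "carol": 95},
    "fr":   {"alice": 20, "bob": 40, "carol": 15},
}


def table_engine(name: str) -> RiskEngine:
    return lambda req: to_risk(CONSTRUCTED_SCORES[name].get(req.user, 50))


def unreachable_ueba(req: AuthRequest) -> Risk:
    raise ConnectionError("UEBA timed out")   # simulates a risk-engine outage


ENGINES: Dict[str, RiskEngine] = {"casb": table_engine("casb"), "fr": table_engine("fr")}

if __name__ == "__main__":
    print(decide(AuthRequest("bob", "payroll", "laptop-1", True, []), ENGINES))
    # (<Decision.STEP_UP: 'step_up'>, 'High')
```

Each engine adapter is a plain callable, so a real CASB or F&R client slots in without touching the decision logic, and `decide` returns the status string the tables ask for alongside the decision so the calling tool can log or forward it.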
13. HYGIENE TIPS

Tip: Implement a directory group structure that fits the scope of your IAM program.
  Assign access and permissions via group memberships to support authentication and authorization events, allowing for a programmatic approach to managing access and entitlements.

Tip: Implement automated feeds of your employee and non-employee users into your identity store on a daily basis, if not more frequently, as needed.
  An automated feed of user changes allows you to react to changes in the user life cycle at a frequency that strengthens your security posture.

Tip: Ensure uniqueness of every human and non-human identity in your directory.
  This is the DNA of your IAM program for every service or function you will support (provisioning, certs, privileged access, physical access, etc.).

Tip: For provisioning of access, start with building workflows based on your most critical applications, such as SOX, PCI, HIPAA, money moving, etc.
  Perform an assessment and prioritize applications, allowing focus for implementation efforts related to the applications that will provide the most benefit.

Tip: A role model framework should be implemented to support assignment and revocation of access for users to receive core (birthright), enterprise and job-based entitlements and applications.
  This framework allows you to quickly assign and revoke access for users during the expected user lifecycle changes (Add, Change, Terminate).

Tip: Deprovisioning of access should be tied to HR events (term, transfer) and typically never require approval.
  Whenever you are thinking about provisioning, always think about deprovisioning with it. Separation events should be included in your user lifecycle management processes, as this ensures that unnecessary access no longer exists and minimizes the security risks associated with orphaned accounts and entitlements.

Tip: Basic transfer access should be reviewed by the old and new manager.
  Initially, provide a report of access to both and ask them to review what is no longer needed and agree on a time to remove it. Implementing a transitional rights model into the role framework will allow you to provide a smooth change of responsibilities and mitigate the impact of the organizational transfer.
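Several of the tips on this slide describe one procedure: an automated HR feed drives a unique identity per person, a role model assigns birthright and job-based entitlements, termination revokes access without an approval step, and a transfer grants the new job's access while the old and new manager agree on when the stale access goes. The following is an added example, not IDSA code, of a joiner/mover/leaver reconciliation that applies those rules to one feed run. The feed fields, role table, entitlement names and sample records are constructed for the illustration; a real implementation would read the HR export and the directory and hand the resulting actions to the provisioning engine.

```python
# Added example (not IDSA code): a joiner/mover/leaver reconciliation applying
# the hygiene tips above. Feed fields, role table, entitlement names and the
# sample records are constructed for this illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str          # "active" or "terminated"
    job_code: str
    manager: str


@dataclass
class Identity:
    employee_id: str
    job_code: str
    manager: str
    entitlements: Set[str] = field(default_factory=set)


@dataclass
class Action:
    kind: str            # create | grant | revoke | review | orphan | duplicate
    employee_id: str
    detail: str = ""
    needs_approval: bool = False


# Role model: everyone receives the birthright set plus the set for their job code.
BIRTHRIGHT: Set[str] = {"email", "sso-portal"}
JOB_ROLES: Dict[str, Set[str]] = {
    "ENG": {"vpn", "git", "ci"},
    "FIN": {"erp-finance", "payroll-reports"},
}


def target_entitlements(job_code: str) -> Set[str]:
    return BIRTHRIGHT | JOB_ROLES.get(job_code, set())


def reconcile(feed: List[HrRecord], store: Dict[str, Identity]) -> List[Action]:
    """Compare one HR feed run against the identity store and emit the actions
    the provisioning engine should take. The store itself is not modified."""
    actions: List[Action] = []
    seen: Set[str] = set()
    for rec in feed:
        if rec.employee_id in seen:   # uniqueness: a duplicate row must never create a second identity
            actions.append(Action("duplicate", rec.employee_id, "duplicate HR row ignored"))
            continue
        seen.add(rec.employee_id)
        ident = store.get(rec.employee_id)

        if rec.status == "terminated":   # leaver: driven by the HR event, no approval step
            for e in sorted(ident.entitlements if ident else []):
                actions.append(Action("revoke", rec.employee_id, e, needs_approval=False))
            continue

        if ident is None:                # joiner: create and grant the role model's entitlements
            actions.append(Action("create", rec.employee_id, rec.job_code))
            for e in sorted(target_entitlements(rec.job_code)):
                actions.append(Action("grant", rec.employee_id, e))
            continue

        if rec.job_code != ident.job_code:      # mover: grant the new job role now,
            new = target_entitlements(rec.job_code)  # keep old access only under joint review
            for e in sorted(new - ident.entitlements):
                actions.append(Action("grant", rec.employee_id, e))
            stale = ident.entitlements - new
            if stale:
                actions.append(Action(
                    "review", rec.employee_id,
                    f"old manager {ident.manager} and new manager {rec.manager} to agree "
                    f"a removal date for: {', '.join(sorted(stale))}", needs_approval=True))

    for emp_id in store:                 # orphan: an identity with no HR record at all
        if emp_id not in seen:
            actions.append(Action("orphan", emp_id, "no HR record; disable pending investigation"))
    return actions


def summarize(actions: List[Action]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for a in actions:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


# Constructed sample feed and identity store.
FEED = [
    HrRecord("E100", "active", "ENG", "M1"),       # unchanged
    HrRecord("E101", "active", "FIN", "M2"),       # transfer ENG -> FIN, new manager
    HrRecord("E102", "terminated", "ENG", "M1"),   # leaver
    HrRecord("E103", "active", "ENG", "M1"),       # joiner
    HrRecord("E103", "active", "ENG", "M1"),       # duplicate row in the feed
]
STORE = {
    "E100": Identity("E100", "ENG", "M1", set(target_entitlements("ENG"))),
    "E101": Identity("E101", "ENG", "M1", set(target_entitlements("ENG"))),
    "E102": Identity("E102", "ENG", "M1", {"email", "vpn"}),
    "E999": Identity("E999", "ENG", "M1", {"email"}),   # no HR record: orphan
}

if __name__ == "__main__":
    for a in reconcile(FEED, STORE):
        print(a.kind, a.employee_id, a.detail, "(approval)" if a.needs_approval else "")
```

Running it over the sample data produces one create and five grants for the joiner, two grants plus one joint-manager review for the mover, two approval-free revokes for the leaver, one ignored duplicate row, and one orphan flagged for investigation; nothing is emitted for the unchanged employee.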
14. HYGIENE TIPS (CONT’D)

Tip: Authorization run-time capabilities should be used to control fine-grained access at the data level.
  ABAC (attribute-based access control) methodology can be employed at run-time and uses policies to authorize or deny access to various data levels. Coupled with coarse-grained roles, it is one of the most mature capabilities.

Tip: Business process review should be performed at the beginning of each phase for the in-scope applications.
  This ensures the effectiveness of the existing business processes and identifies areas of improvement and efficiencies.

Tip: Automated provisioning / de-provisioning should be implemented after all applicable business processes have been implemented, utilizing a simulated provisioning approach.
  This allows you to realize the full benefit of an IAM program through the automation of provisioning / de-provisioning, reducing the number of manual access requests managed through your Service Management application.

Tip: Establish governance and policy controls related to the scope and implementation of the IAM Program.
  Provides for a common understanding, scope and responsibility for the success of your IAM Program.

Tip: Maintain current application information related to version, priority, business impact, user community, and supported integration methods.
  This provides the ability to quickly understand your application stack and the priority under which applications should be included in an IAM program.

Tip: Establish an IAM Governance Committee, confirming that IAM policies are followed.
  Ensures that all IAM policies and controls are adhered to and provides a vehicle to determine overall impact prior to making any IAM program changes.

Tip: Make your IAM program an integral part of all application onboarding/major change discussions.
  Considering the IAM implications in these discussions allows for a comprehensive assessment and reduces the risk of delays or violation of security policies.
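The first tip above, run-time ABAC coupled with coarse-grained roles, and the profile-based data security control on slide 12 (data access decided from identity profile attributes fetched from identity administration) describe the same check. The following is an added example, not IDSA code, of how that check can be structured: a cheap role gate decides whether the action type is open to the subject at all, then attribute policies are evaluated with deny-overrides combining and a default deny. The attribute names, classification levels, roles, policies and sample subjects are assumptions.

```python
# Added example (not IDSA or vendor code): run-time authorization that pairs a
# coarse-grained role check with attribute-based (ABAC) policies, as the
# "authorization run-time capabilities" tip and the "profile-based data
# security" control describe. Attribute names, classification levels, roles,
# policies and sample data are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

CLASSIFICATION = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Coarse-grained roles decide which kinds of action a subject may attempt at all.
COARSE_ROLE_ACTIONS: Dict[str, Set[str]] = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "hr-admin": {"read", "write"},
    "auditor": {"read"},
}


@dataclass
class Subject:
    """Identity profile attributes fetched from identity administration at run time."""
    user: str
    roles: List[str]
    department: str
    clearance: str          # a key of CLASSIFICATION
    mfa_verified: bool = False


@dataclass
class Resource:
    name: str
    classification: str     # a key of CLASSIFICATION
    owner_department: str
    record_type: str        # e.g. "payroll", "forecast"


Condition = Callable[[Subject, Resource, str], bool]


@dataclass
class Policy:
    name: str
    effect: str             # "permit" or "deny"
    condition: Condition


@dataclass
class Outcome:
    permitted: bool
    reason: str


# Fine-grained policies evaluated per request. Combining rule is deny-overrides
# with default deny: any matching deny wins, otherwise a matching permit is required.
POLICIES: List[Policy] = [
    Policy("clearance-ceiling", "deny",
           lambda s, r, a: CLASSIFICATION[s.clearance] < CLASSIFICATION[r.classification]),
    Policy("restricted-needs-mfa", "deny",
           lambda s, r, a: r.classification == "restricted" and not s.mfa_verified),
    Policy("department-read", "permit",
           lambda s, r, a: a == "read" and s.department == r.owner_department),
    Policy("hr-payroll-write", "permit",
           lambda s, r, a: a == "write" and r.record_type == "payroll" and "hr-admin" in s.roles),
    Policy("auditor-read-all", "permit",
           lambda s, r, a: a == "read" and "auditor" in s.roles),
]


def authorize(subject: Subject, resource: Resource, action: str,
              policies: List[Policy] = POLICIES) -> Outcome:
    # Step 1: coarse-grained role gate. Cheap, and it stops a viewer from ever
    # reaching the write policies no matter what attributes they carry.
    if not any(action in COARSE_ROLE_ACTIONS.get(role, set()) for role in subject.roles):
        return Outcome(False, f"no role grants action '{action}'")

    # Step 2: attribute-based policies, deny-overrides, default deny.
    denies = [p.name for p in policies if p.effect == "deny" and p.condition(subject, resource, action)]
    if denies:
        return Outcome(False, "denied by " + ", ".join(denies))
    permits = [p.name for p in policies if p.effect == "permit" and p.condition(subject, resource, action)]
    if permits:
        return Outcome(True, "permitted by " + ", ".join(permits))
    return Outcome(False, "no permit policy matched (default deny)")


# Constructed sample subjects and resources.
FORECAST = Resource("q3-forecast", "confidential", "finance", "forecast")
PAYROLL = Resource("payroll-2018-10", "restricted", "hr", "payroll")
ALICE = Subject("alice", ["editor"], "finance", "confidential")
BOB = Subject("bob", ["viewer"], "engineering", "internal")
CAROL = Subject("carol", ["hr-admin"], "hr", "restricted")            # no MFA yet
CAROL_MFA = Subject("carol", ["hr-admin"], "hr", "restricted", mfa_verified=True)
DAVE = Subject("dave", ["auditor"], "audit", "restricted", mfa_verified=True)

if __name__ == "__main__":
    for who, res, act in [(ALICE, FORECAST, "read"), (CAROL, PAYROLL, "write"), (DAVE, PAYROLL, "read")]:
        o = authorize(who, res, act)
        print(f"{who.user} {act} {res.name}: {'permit' if o.permitted else 'deny'} ({o.reason})")
```

The deny policies carry the two attribute rules that a role alone cannot express (a clearance ceiling and an MFA requirement on restricted data), while the permit policies say who may touch which data and why; returning the matched policy names gives the logging pipeline a reason string rather than a bare yes/no.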
15. © 2018 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.
ZEN - Zero-Trust Enterprise Network
Den Jones | Carlos Martinez

16. Agenda
• The Purpose of ZEN
• Current State
• ZEN Benefits
• Connecting the Pieces Together
• Lessons learned
• Q&A

17. Purpose
• Transform our network and applications to a “cloud-like” state
• Enable application access without the need to be internal or use VPN
• Secure network level access based on user and device posture

18. Network Security & User Experience: Current State
• Internal application access outdated (requires VPN, not cloud-like)
• No device security enforced, even to access restricted data
• Any device can join the network with network level access to almost all DC infrastructure
• Application authentication and authorization standards are not consistent or enforceable (not close to SSO)

19. Network Security & User Experience: ZEN Benefits
• Improving user experience (removing VPN requirements & improved authentication)
• Improving security by restricting network level access to infrastructure
• Almost eliminating lateral movement during compromise
• Protecting internal applications while enabling a cloud-like experience

20. ZEN Leverages Existing Investments
• Authentication
• Network Access Control
• Logging
• EDR
• Device Management

21. ZEN – Abstract Overview (no further slide text)

22. (no slide text)

23. Progress
• Certificates deployed to over 20,000 devices
• 1300 ZEN enabled applications
• 20+ applications available via proxy
• Trust Score Engine in production
• 12,000 authentications per hour

24. Lessons Learned
• No single off-the-shelf solution exists
• Bringing vendors together is time consuming
• Technology overlap

25. IDSA Participation Benefits
• Forum for pushing cross-vendor initiatives
• Provides reality to the vendor ‘echo-chamber’
• Exposure to vendors, technologies, use cases, best practices
• Improves knowledge and effectiveness of the team
• Help drive innovation in the industry with vendors and solution providers

26. IDSA-DP-002 (no further slide text)

27. IDSA-DP-002 – IDS Security Controls
• Multiple Authentication session device management
• Risk Based EMM Management

28. Reach out
• Den Jones - den.jones@adobe.com
• Carlos Martinez – carlos.martinez@adobe.com

29. GET INVOLVED! Become a part of our community: https://forum.idsalliance.org/

Editor's Notes

1. Need more evidence that enterprise identities are under attack? Breaches increased 45% from 2016 – 2017 and the majority are still tied back to credentials that have been compromised.
2. Who we are…. We are 18 vendors across IAM AND Cybersecurity. If not listed, encourage your vendor partners to engage. While we have 4 customers who are members of the customer advisory board. These vendors and CAB members are essentially kick starting the IDSA, but ultimately we want to become end user driven – our success is measured by the number of organizations who have been successful implementing an identity centric approach to security.
3. Now on to our session. Our lunch and learn presenters are Den Jones and Carlos Martinez from Adobe Security. Den Jones is the Director of Enterprise Security at Adobe. He manages the team focused on delivering proactive security for Adobe internally. The Enterprise Security team is focused on leading the vision and strategy for Zero-Trust networking, as well as delivering core security services such as Identity, Authentication, Endpoint, Network and Enterprise Security Architecture. For more than 20 years Den has been inspiring and driving initiatives that pioneer the industry. Carlos Martinez is a Sr. Security Engineer in Adobe’s Enterprise Security team, where he is currently focused on the company’s Zero-Trust Enterprise Network (ZEN) initiative. He is passionate about creating and balancing a seamless end-user experience while increasing the security posture of the organization. He holds a Bachelor’s degree in Information Systems from the University of San Francisco. And now, I’ll turn it over to Den to discuss Adobe Security’s Path to ZEN.
4. Join us in our mission. We are vendors today, but we want to make sure that we incorporate the voice of the customer and help build tools, resources and best practices that help you stay secure and reduce risk in your organizations.