Understanding Identity Management and Security
Starring: Chinatu Uzuegbu
Identity Management Day, April 13, 2021
Cyber in Africa Event
Keynote Speaker
• Top 50 Women in Cyber Security, Africa 2020 Accolade.
• Founding Cyber Security Consultant: RoseTech CyberCrime Solutions Limited (2016 till date).
• President, (ISC)2 Nigeria Chapter (2018 till date).
• Experienced Banker (2007 to 2016):
  – Afribank Nigeria Plc/Mainstreet Bank Ltd (2007 to 2015):
    . IT/Application/Data Custodian (Core Banking Applications, Third Party Applications, Enterprise Applications Development, Others).
    . Information Security Assistant
  – Skyebank Nig Plc (2015 to 2016):
    . Business Relationship Manager
• Afribank Insurance Brokerage (2004 to 2007):
  – Head, Information Technology
• Nigeria Distilleries Ltd (2002 to 2004):
  – Ag. Head, Information Technology
  – Senior IT Officer
• Professional Membership in Good Standing:
  – Cyber Security Experts Association of Nigeria (CSEAN)
  – International Information Systems Security Certification Consortium (ISC)2
  – Information Systems Audit and Control Association (ISACA)
  – EC-Council
Chinatu Uzuegbu, CCISO, CISSP, CISM, CISA, CEH, …
Overview
• What is Identity Management?
• Why Identity Management Day?
• Report on Data Breaches, 2020.
• The Concept of Identification, Authentication, Authorization and Accountability (or Auditing).
• Organizational Digital Identifiable Information
• Personal Digital Identifiable Information
• Best Practices in Identity Management
• Questions
What is Identity Management?
Identity management (ID management) is the organizational process for identifying, authenticating and authorizing individuals or groups of people to have access to applications, systems or networks by associating user rights and restrictions with established identities.
Why Identity Management Day?
• Security awareness.
• Digital identity security as a priority.
• Reduce the risk of data breaches and losses.
• The dangers of nonchalance.
• Inculcate best practices and MFA.
• Tremendous and steady growth of identifiable elements.
• Leverage vendor support.
Data Breaches on the Rise: IDSA Report 2020
https://www.idsalliance.org/wp-content/uploads/2020/08/IDSA-Infographic-v3-1.pdf
• 79% of organizations: successful identity-related security breaches in the last two years.
• $6T: global loss to data breaches from 2017 till date.
• 81% of the breaches: leveraged weak and stolen identities (Verizon Report, 2020).
• 99% of the victims: thought the above breaches could have been prevented.
The IAAA Concept
• Identification
• Authentication
• Authorization
• Accountability
Identification
Process of making a Claim:
• Personal Identifiable Information (PII)
• Organizational Identifiable Information

Organizational Identifiable Information:
• Employees
• Contractors
• Third parties (Federated Identities)
• Customers
• End-Users
• Machines
• Bots
• RPA (Robotic Process Automation)
• Application to Application Accounts
• Built-in IaaS, IDaaS, XaaS Concept
Machine identities:

Bots (Zombies)
• An autonomous program on the internet or another network that can interact with systems or users.
• Botnets: a group of autonomous programs on a distributed network of systems mandated to interact for a purpose.

Robotic Process Automation (RPA)
• Technology that uses software robots to automate repetitive tasks and manual processes.
• Enhances the work of your employees by interacting with websites, business and desktop applications, databases and people to execute repetitive and often mundane work.
Application to Application Identities (STP)
Concept of the Straight-Through Process (STP) from the diagram below:
1. Application A is automatically registered to request authentication to access resources from Application B using the Application Identity (App ID).
2. Application A, on registration with the App ID, obtains a client ID and secret key (token).
3. On authentication with the client ID and token, Application A requests authorization to access resources from Application B.
4. Application B automatically grants Application A access rights based on the token strings (Response Handshake) earlier issued by the App ID.
5. Application A is now able to send requests and access resources from Application B leveraging the Handshake.
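The five steps above, simulated end to end as an added example (this is not code from the slides or from any product the speaker describes). The class names AppIdService, ApplicationA and ApplicationB, and the HMAC-signed token layout are assumptions for illustration; a real deployment would use a standard such as OAuth 2.0 client credentials or mTLS rather than a hand-rolled token. The point the code makes is on Application B's side of step 4: the resource server checks the signature, expiry and scope of the handshake token before granting anything, and each rejection names the check that failed.

```python
"""Added example, not part of the slides: a minimal straight-through (STP)
application-to-application handshake. Names and token format are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time


class AppIdService:
    """The 'App ID' identity provider: registers clients and issues tokens."""

    def __init__(self):
        self._signing_key = secrets.token_bytes(32)  # never leaves the provider
        self._clients = {}  # client_id -> (sha256 of client secret, allowed scopes)

    def register(self, app_name, scopes):
        """Steps 1-2: registration returns a client ID and a secret shown once."""
        client_id = f"{app_name}-{secrets.token_hex(4)}"
        client_secret = secrets.token_urlsafe(32)
        secret_hash = hashlib.sha256(client_secret.encode()).hexdigest()
        self._clients[client_id] = (secret_hash, set(scopes))
        return client_id, client_secret

    def authenticate(self, client_id, client_secret, ttl_seconds=300):
        """Step 3: check the client credentials and issue a signed, expiring token."""
        record = self._clients.get(client_id)
        if record is None:
            return None
        secret_hash, scopes = record
        presented = hashlib.sha256(client_secret.encode()).hexdigest()
        if not hmac.compare_digest(secret_hash, presented):
            return None
        claims = {"sub": client_id, "scope": sorted(scopes),
                  "exp": int(time.time()) + ttl_seconds}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        signature = hmac.new(self._signing_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{signature}"

    def verification_key(self):
        # Shared with the resource server so it can check signatures offline.
        return self._signing_key


class ApplicationB:
    """Resource server: step 4, grants access only on a valid handshake token."""

    def __init__(self, verification_key, required_scope):
        self._key = verification_key
        self._required_scope = required_scope

    def validate(self, token, now=None):
        """Return (granted, reason); every rejection names the failed check."""
        now = int(time.time()) if now is None else now
        if token is None or token.count(".") != 1:
            return False, "malformed token"
        body, signature = token.split(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"       # tampered or forged token
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["exp"] <= now:
            return False, "token expired"
        if self._required_scope not in claims["scope"]:
            return False, "insufficient scope"  # least privilege on the token
        return True, claims["sub"]


class ApplicationA:
    """Client: authenticates with its registered credentials, then calls B (step 5)."""

    def __init__(self, app_id_service, client_id, client_secret):
        self._idp = app_id_service
        self._client_id = client_id
        self._client_secret = client_secret

    def fetch_from(self, app_b):
        token = self._idp.authenticate(self._client_id, self._client_secret)
        if token is None:
            return False, "authentication failed"
        return app_b.validate(token)


def run_handshake():
    """Drive the full flow plus three failure cases; returns every outcome."""
    idp = AppIdService()
    client_id, client_secret = idp.register("app-a", ["resource:read"])
    app_b = ApplicationB(idp.verification_key(), required_scope="resource:read")
    app_a = ApplicationA(idp, client_id, client_secret)

    good = app_a.fetch_from(app_b)
    wrong_secret = ApplicationA(idp, client_id, "not-the-secret").fetch_from(app_b)
    token = idp.authenticate(client_id, client_secret)
    flipped = "0" if token[-1] != "0" else "1"      # corrupt one signature character
    tampered = app_b.validate(token[:-1] + flipped)
    expired = app_b.validate(token, now=int(time.time()) + 3600)
    return {"good": good, "wrong_secret": wrong_secret,
            "tampered": tampered, "expired": expired}


if __name__ == "__main__":
    for case, outcome in run_handshake().items():
        print(f"{case:12s} -> {outcome}")
```

Running the module prints one line per case: the genuine client is granted access and the other three are refused with the specific reason, which is the kind of detail that should land in Application B's logs for the accountability step later in the deck.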
Federated (Third Party) Identities
• Identities issued by an organization to third party partners (P2P), businesses (B2B), regulatory bodies, suppliers, escrows, vendors and others directly or indirectly in a business relationship.
• Access rights to third parties are time-bound, with close monitoring as the case may be.

Cloud-Based Identities
• Identity as a Service (IDaaS) is cloud-based authentication built and operated by a third-party provider.
• IDaaS companies supply cloud-based authentication or identity management to enterprises who subscribe.
• The ID issued by the IDaaS provider is what the organization applies for enrollment into the cloud platform as a subscriber.
Personal Identifiable Information (PII)
• Email Address
• Security Identity
• National Identity
• Bank Account Number
• Bank Verification Number
• User Identity
• Others
Authentication
Process of Validating a Claim:
– Passwords
– Biometrics
– Smart Cards
– ATM Cards
– Tokens
– Cloud-based Authentication
– Others
– Multi-Factor Authentication is the way to go!
Factors of Authentication
The three Factors of Authentication:
• Something You Know: Password, PIN; the weakest.
• Something You Have: Token, Phone, Smart Card.
• Something You Are: Biometrics (fingerprints, others); the strongest.
• A combination of two or more of the above factors makes a strong authentication.

Multi-Factor Authentication (MFA)
• A combination of two or more of the three factors of Authentication.
• No critical Identifiable Information is authenticated with a single-factor approach.
• MFA promotes a strong authentication mechanism, as no one of the factors of authentication is strong enough on its own and must not be applied alone for critical Information assets.
Authorization
• Process of assigning access rights on authentication.
• Grant access rights based on the concepts of Least Privilege and Need to Know.
• Role-Based Access Control is the way to go!

Accountability
• Process of trailing activities on the system/network and assuring that all activities are traceable whatsoever:
  – Time Stamps
  – Digital Signatures
  – Audit Trails
  – Non-Repudiation
  – Log Files (SIEM)
  – Others
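The Authorization and Accountability slides above, worked as one added example (not code from the slides): a deny-by-default role-based check in which each role carries only the permissions its job needs, and an audit trail in which every decision, allowed or denied, is time-stamped and hash-chained to the previous entry so that editing or deleting a record breaks the chain. The roles, permissions and record layout are constructed assumptions; a production trail would additionally sign the chain head or ship it to a SIEM the actors cannot write to.

```python
"""Added example, not part of the slides: RBAC decision + hash-chained audit trail.
Roles, permissions and the record layout are constructed assumptions."""
import hashlib
import json

# Constructed role model: least privilege, each role gets only what the job needs.
ROLE_PERMISSIONS = {
    "teller": {"account:read", "transaction:create"},
    "auditor": {"account:read", "audit:read"},
    "admin": {"user:create", "user:disable", "role:assign"},
}
GENESIS = "0" * 64   # back-link of the first entry


def _digest(record: dict) -> str:
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log; each entry commits to the hash of the entry before it."""

    def __init__(self):
        self.entries = []

    def record(self, ts, actor, permission, resource, allowed):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": ts, "actor": actor, "permission": permission,
                "resource": resource, "allowed": allowed, "prev": prev}
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry's hash and back-link are intact."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class Authorizer:
    """Deny by default; a user holds only the permissions of the roles assigned."""

    def __init__(self, audit: AuditTrail):
        self._audit = audit
        self._user_roles = {}

    def assign_role(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._user_roles.setdefault(user, set()).add(role)

    def is_allowed(self, ts, user, permission, resource) -> bool:
        granted = set()
        for role in self._user_roles.get(user, ()):
            granted |= ROLE_PERMISSIONS[role]
        allowed = permission in granted
        # Every decision is recorded, denials included: that is the audit trail.
        self._audit.record(ts, user, permission, resource, allowed)
        return allowed


def run_demo():
    """Returns (decisions, trail intact before tampering, trail intact after)."""
    audit = AuditTrail()
    authz = Authorizer(audit)
    authz.assign_role("alice", "teller")
    authz.assign_role("bob", "auditor")
    decisions = {
        "alice_reads_account": authz.is_allowed(1, "alice", "account:read", "acct-1001"),
        "alice_disables_user": authz.is_allowed(2, "alice", "user:disable", "bob"),
        "bob_reads_audit": authz.is_allowed(3, "bob", "audit:read", "audit-log"),
        "eve_reads_account": authz.is_allowed(4, "eve", "account:read", "acct-1001"),
    }
    intact_before = audit.verify()
    audit.entries[1]["allowed"] = True   # someone rewrites the denied entry after the fact
    return decisions, intact_before, audit.verify()


if __name__ == "__main__":
    decisions, before, after = run_demo()
    print(decisions)
    print("trail intact before tampering:", before, "after:", after)
```

The chained hashes give the trail a tamper-evident property: the altered entry's hash no longer matches its body, so `verify()` fails even though the entry still looks plausible on its own.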
NSA and IDSA Advice
To promote secure Identity and Access Management across all sectors, the National Security Alliance (NSA) and the Identity Defined Security Alliance (IDSA) recommend that:
• Best practices be enforced and mandated.
• Multi-Factor Authentication (MFA) be inculcated into the authentication framework of organizations.
• All access points be integrated with the growth and adoption of technology in mind. Think IAM system and PAM system.
• Organizations establish handshakes with vendors for necessary support.
• Organizations embrace Zero Trust Architecture around all infrastructure and applications.
Identity Management Best Practices
• Clarify ownership of ALL identities.
• Ascertain the custodian of all identities.
• Who is responsible for the creation, removal, ongoing maintenance and security of an identity within your organization?
• Imbibe the culture of Multi-Factor Authentication (MFA) for all handshakes.
• Deploy a resilient and robust Privileged Access Management (PAM) system.
• Deploy a resilient and robust Identity and Access Management (IAM) system.
• Zero Trust Architecture in everything is the way to go!
Happy Identity Management Day
April 13, 2021

Thank You
Chinatu Uzuegbu (CCISO, CISSP, CISM, CISA, CEH, …)
Founding Cyber Security Consultant, RoseTech.
President, (ISC)2 Nigeria Chapter.
chinatuuzuegbu@outlook.com
c.uzuegbu@isc2nigeriachapter.org
info@rtechccsl.com
https://www.linkedin.com/in/chinatu-uzuegbu-67593119/
+2348037815577