Accenture, profile picture
Uploaded byAccenture
305 views

Veriphyr bright talk 20120523

The document discusses user access governance and compliance challenges in the cloud. It notes that cloud computing shifts ownership and control of resources to multiple independent providers. This makes it important to build or contract identity and access management (IAM) services that work across cloud vendors, and to use identity and access intelligence (IAI) to analyze user access and activity across different cloud resource types. IAI can help identify when user access does not match job responsibilities, revealing inappropriate access. The document promotes contacting the author for more information on IAM as a service and IAI solutions.

Embed presentation

Download to read offline
Chase Away Cloud Challenges: User Access Governance & Compliance Alan Norquist, CEO & Founder Veriphyr, Inc. VERIPHYR PROPRIETARY
Goals of User Access Governance & Compliance  User System Access = User’s Responsibilities  Bank – “Access to everything and nobody knows it”  User Activity Access = User’s Responsibilities  Finance – “Can’t both approve PO and approve payment”  User Data Access = User’s Responsibilities  Healthcare – Only view patients under one’s care May 27, 2012 VERIPHYR PROPRIETARY 2
Requirement Across Industries Healthcare “access … must be restricted to those who have been (HIPAA) granted access rights” Banking “employee’s levels of online access .. match (FFIEC) current job responsibilities” Brokerage “employee’s access … limited strictly to … (FINRA) employee’s function” Utilities “access permissions are consistent with … (NERC) work functions performed” Retail “Limit access to … only individuals whose (PCI) job requires such access” Public Companies “user access rights … in line with … (SOX - COBIT) business needs” May 27, 2012 VERIPHYR PROPRIETARY 3
What is the Effect of the Cloud?  Reduced Cost from Resource Pooling  Rapid Implementation and Elasticity  Ubiquitous Broad Network Access  Accessible from outside your organization perimeter  Accessible from variety of devices  Shift in Ownership and Control  Resource layers controlled by multiple independent providers  Multi-Tenancy (Resource Pooling)  Resources shared across multiple independent consumers  Split in User Access Management  Data center vs. cloud May 27, 2012 VERIPHYR PROPRIETARY 4
Cloud Models – Build vs. Contract RFP or Contract Software It In “The lower down the stack the Cloud provider as a Stops, the more security the consumer is Service (SaaS) tactically responsible for implementing and managing” – CSA Guidance v3.0 Platform Build it in as a Infrastructure Service (PaaS) as a Service (IaaS) May 27, 2012 VERIPHYR PROPRIETARY 5 Source: Cloud Security Alliance 2011
User Access Governance and Compliance Build or Contract What? 1. Identity Stores 2. Logging (Both Access and Activity) 3. Key Data Entities (customers, patients, partners, etc)  Critical Issues  Interfaces  Insufficient - User interface  Required – Standard-based APIs  Capabilities  Detailed logs showing access to sensitive transactions and date (patient, customer, etc.)  Ability to Extract Data  Insufficient - Reports showing single identity’s activity over 2 weeks  Required – Formatted file of all identities and all activity for all time May 27, 2012 VERIPHYR PROPRIETARY 6
Cloud Providers’ Native Identity Mgmt?  Manage Each Cloud Separately? Cloud Consumer Cloud Provider Cloud Provider Cloud Provider Cloud Provider May 27, 2012 VERIPHYR PROPRIETARY 7
IAM as a Service  Centralized federated identity across cloud vendors  Build in or contract requirements for support of standards like SAML, OpenID and Oauth Cloud Consumer IAM as a Service Cloud Provider Cloud Provider Cloud Provider Cloud Provider May 27, 2012 VERIPHYR PROPRIETARY 8
Cloud Provider Compliance Reports?  Cloud facilitates departments use of “best of breed”  Need to integrate compliance reporting across many separate cloud vendors Cloud Consumer Cloud Provider Cloud Provider Cloud Provider Cloud Provider May 27, 2012 VERIPHYR PROPRIETARY 9
Identity and Access Intelligence (IAI)  "Joining together data in identity and access management (IAM) systems and security logs with other data could be massively valuable to both IT and the business." - James Richardson, Gartner  Build or contract in the ability for bulk export of identity store info, logs (both access and activity), and key data (customers, patients, partners, etc). Identity and Access Cloud Consumer Intelligence Cloud Provider Cloud Provider Cloud Provider Cloud Provider May 27, 2012 VERIPHYR PROPRIETARY 10
Identity and Access Intelligence (IAI)  “Access reports of users and applications are requirements in information security and IT governance, risk and compliance management programs, and Identity and Access Intelligence is needed to address those requirements.” – Gartner  Identifies policy violations - identity, rights, activity & data  Determines if policy violation have been exploited  Different from SIEM  SIEM focused on packets and IP addresses  IAI focused on people and data  Works across Cloud Providers  Audit (access and activity) log from all cloud applications  Identity stores from all IAM as a Service vendors  Patient, customer, partner data from applications such as HR May 27, 2012 VERIPHYR PROPRIETARY 11
Revealing - User Access ≠ User’s Responsibilities User Access Activity Across Resources Resources Identity May 27, 2012 VERIPHYR PROPRIETARY 12
Revealing - User Access ≠ User’s Responsibilities IAI Analytics Reveal Inappropriate Access Resources Identity May 27, 2012 VERIPHYR PROPRIETARY 13
Summary  Goal of Access Governance and Compliance  User Access = User’s Responsibility  Cloud Changes Underlying Architecture  Need to “Build or Contract In”  Standards for IAM as a Service  Data Sources for Identity and Access Intelligence (IAI)  For more information contact me  anorquist@veriphyr.com  # 650.384.0560 May 27, 2012 VERIPHYR PROPRIETARY 14
For more information  Whitepaper on IAM as a Service https://cloudsecurityalliance.org/research/  Whitepaper on Identity and Access Intelligence http://bit.ly/IAI-whitepaper Alan Norquist CEO, Veriphyr anorquist@veriphyr.com www.Veriphyr.com # 650.384.0560 May 27, 2012 VERIPHYR PROPRIETARY 15

More Related Content

PDF
Cloud computing identity management summary
byBrandon Dunlap
 
PPTX
Identity and Access Management Introduction
byAidy Tificate
 
PPTX
IdM vs. IDaaS
byDrew Koenig
 
PPTX
Identiverse 2021 enterprise identity: What foundations
byBertrand Carlier
 
PPTX
Intel IT's Identity and Access Management Journey
byIntel IT Center
 
PDF
Hitachi ID Identity and Access Management Suite
byHitachi ID Systems, Inc.
 
PDF
Identity as a Service: a missing gap for moving enterprise applications in In...
byHoang Tri Vo
 
PPTX
Con 8810 who should have access to what - final
byOracleIDM
 
Cloud computing identity management summary
byBrandon Dunlap
 
Identity and Access Management Introduction
byAidy Tificate
 
IdM vs. IDaaS
byDrew Koenig
 
Identiverse 2021 enterprise identity: What foundations
byBertrand Carlier
 
Intel IT's Identity and Access Management Journey
byIntel IT Center
 
Hitachi ID Identity and Access Management Suite
byHitachi ID Systems, Inc.
 
Identity as a Service: a missing gap for moving enterprise applications in In...
byHoang Tri Vo
 
Con 8810 who should have access to what - final
byOracleIDM
 

What's hot

PDF
Overview of Identity and Access Management Product Line
byNovell
 
PDF
CA Technologies and Deloitte: Unleash and Protect your Business with Identity...
byCA Technologies
 
PDF
SELECTION MECHANISM OF MICRO-SERVICES ORCHESTRATION VS. CHOREOGRAPHY
byIJwest
 
PPSX
The security of SAAS and private cloud
byAzure Group
 
PDF
Large Scale User Provisioning with Hitachi ID Identity Manager
byHitachi ID Systems, Inc.
 
PDF
Extending the Power of Consent with User-Managed Access & OpenUMA
bykantarainitiative
 
PPTX
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
byLance Peterman
 
PDF
Hexnode Identity and Access Management solution
byHexnode
 
PDF
AWS Identity Access Management
byRichard Harvey
 
PPTX
Smart Identity for the Hybrid Multicloud World
byKatherine Cola
 
PPTX
2012-01 How to Secure a Cloud Identity Roadmap
byRaleigh ISSA
 
PDF
Mt26 identity management as a service
byDell World
 
PDF
Identity and Access Management Tools
byijtsrd
 
PDF
Identity & Access Management by K. K. Mookhey
byNetwork Intelligence India
 
PDF
Growing Cloud Identity Crisis: Survey Report on Cloud-Based Solutions for Ide...
byCloudEntr
 
PPTX
PROACTEYE ACCESS MANAGEMENT
byhardik soni
 
PPTX
Smart Analytics for The Big Unknown
byAdrian Dumitrescu
 
PPTX
Authentication and Privacy in Cloud
byMphasis
 
PPTX
FUTURE-PROOFING CONSUMER IDENTITY AND ACCESS MANAGEMENT
byForgeRock
 
Overview of Identity and Access Management Product Line
byNovell
 
CA Technologies and Deloitte: Unleash and Protect your Business with Identity...
byCA Technologies
 
SELECTION MECHANISM OF MICRO-SERVICES ORCHESTRATION VS. CHOREOGRAPHY
byIJwest
 
The security of SAAS and private cloud
byAzure Group
 
Large Scale User Provisioning with Hitachi ID Identity Manager
byHitachi ID Systems, Inc.
 
Extending the Power of Consent with User-Managed Access & OpenUMA
bykantarainitiative
 
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
byLance Peterman
 
Hexnode Identity and Access Management solution
byHexnode
 
AWS Identity Access Management
byRichard Harvey
 
Smart Identity for the Hybrid Multicloud World
byKatherine Cola
 
2012-01 How to Secure a Cloud Identity Roadmap
byRaleigh ISSA
 
Mt26 identity management as a service
byDell World
 
Identity and Access Management Tools
byijtsrd
 
Identity & Access Management by K. K. Mookhey
byNetwork Intelligence India
 
Growing Cloud Identity Crisis: Survey Report on Cloud-Based Solutions for Ide...
byCloudEntr
 
PROACTEYE ACCESS MANAGEMENT
byhardik soni
 
Smart Analytics for The Big Unknown
byAdrian Dumitrescu
 
Authentication and Privacy in Cloud
byMphasis
 
FUTURE-PROOFING CONSUMER IDENTITY AND ACCESS MANAGEMENT
byForgeRock
 

Viewers also liked

PDF
Gdfs sg246374
byAccenture
 
PDF
Pg cloud sla040512mgreer
byAccenture
 
PDF
Ibm 1129-the big data zoo
byAccenture
 
PDF
Guide to design_global_infrastructure
byAccenture
 
PDF
Empowered customer
byAccenture
 
PDF
Silverton cleversafe-object-based-dispersed-storage
byAccenture
 
PDF
PAM g.tr 3832
byAccenture
 
PDF
Na vsc install
byAccenture
 
PDF
Eiu china country_report_april_2012
byAccenture
 
TXT
Ak13 pam
byAccenture
 
Gdfs sg246374
byAccenture
 
Pg cloud sla040512mgreer
byAccenture
 
Ibm 1129-the big data zoo
byAccenture
 
Guide to design_global_infrastructure
byAccenture
 
Empowered customer
byAccenture
 
Silverton cleversafe-object-based-dispersed-storage
byAccenture
 
PAM g.tr 3832
byAccenture
 
Na vsc install
byAccenture
 
Eiu china country_report_april_2012
byAccenture
 
Ak13 pam
byAccenture
 

Similar to Veriphyr bright talk 20120523

PPTX
Executive Briefing: Strategic Issues Surrounding Cloud Services
byWhitmeyerTuffin
 
PPTX
Enterprise Security in Hybrid Cloud ISACA-SV 2012
bySymosis Security (Previously C-Level Security)
 
PPTX
Enterprise Security in Cloud
byLenin Aboagye
 
PDF
Cloud Security Alliance - Guidance
bySubra Kumaraswamy CISSP CISM
 
PDF
IBM Point of View: Security and Cloud Computing
byIBM India Smarter Computing
 
PDF
Cloud Security - Made simple
bySameer Paradia
 
PDF
110307 cloud security requirements gourley
byGovCloud Network
 
PPTX
Leveraging Identity to Manage Change and Complexity
byNetIQ
 
PDF
451 Research Client Event Nov 10
bystavvmc
 
PDF
Extending Enterprise Security into the Cloud
byCA API Management
 
PPTX
talk6securingcloudamarprusty-191030091632.pptx
byTrongMinhHoang1
 
PDF
Ciphercloud Solutions Overview hsa oct2011
byRamy Houssaini
 
PPTX
security and compliance in the cloud
byAjay Rathi
 
PDF
Enterprise Strategy for Cloud Security
byBob Rhubart
 
PPTX
Cloud securityperspectives cmg
byNeha Dhawan
 
PDF
Himss 2011 securing health information in the cloud -- feisal nanji
byFeisal Nanji
 
PDF
IBM Point of view -- Security and Cloud Computing (Tivoli)
byIBM India Smarter Computing
 
PDF
Peering Through the Cloud Forrester EMEA 2010
bygraywilliams
 
PDF
Cloud Webinar Neiditz Weitz Mitchell Goodman
byjonneiditz
 
PPT
Mr. desmond cloud security_format
byMULTIMATICS_ID
 
Executive Briefing: Strategic Issues Surrounding Cloud Services
byWhitmeyerTuffin
 
Enterprise Security in Hybrid Cloud ISACA-SV 2012
bySymosis Security (Previously C-Level Security)
 
Enterprise Security in Cloud
byLenin Aboagye
 
Cloud Security Alliance - Guidance
bySubra Kumaraswamy CISSP CISM
 
IBM Point of View: Security and Cloud Computing
byIBM India Smarter Computing
 
Cloud Security - Made simple
bySameer Paradia
 
110307 cloud security requirements gourley
byGovCloud Network
 
Leveraging Identity to Manage Change and Complexity
byNetIQ
 
451 Research Client Event Nov 10
bystavvmc
 
Extending Enterprise Security into the Cloud
byCA API Management
 
talk6securingcloudamarprusty-191030091632.pptx
byTrongMinhHoang1
 
Ciphercloud Solutions Overview hsa oct2011
byRamy Houssaini
 
security and compliance in the cloud
byAjay Rathi
 
Enterprise Strategy for Cloud Security
byBob Rhubart
 
Cloud securityperspectives cmg
byNeha Dhawan
 
Himss 2011 securing health information in the cloud -- feisal nanji
byFeisal Nanji
 
IBM Point of view -- Security and Cloud Computing (Tivoli)
byIBM India Smarter Computing
 
Peering Through the Cloud Forrester EMEA 2010
bygraywilliams
 
Cloud Webinar Neiditz Weitz Mitchell Goodman
byjonneiditz
 
Mr. desmond cloud security_format
byMULTIMATICS_ID
 

More from Accenture

PDF
Calabrio analyze
byAccenture
 
DOCX
NetApp system installation workbook Spokane
byAccenture
 
DOCX
Performance problems on ethernet networks when the e0m management interface i...
byAccenture
 
DOCX
Tier 2 net app baseline design standard revised nov 2011
byAccenture
 
DOC
NA notes
byAccenture
 
DOCX
Perf stat windows
byAccenture
 
PPTX
Net app virtualization preso
byAccenture
 
PPTX
Reporting demo
byAccenture
 
PDF
WSC Net App storage for windows challenges and solutions
byAccenture
 
PDF
Tr 3749 -net_app_storage_best_practices_for_v_mware_vsphere,_dec_11
byAccenture
 
PDF
50,000-seat_VMware_view_deployment
byAccenture
 
PDF
Certify 2014trends-report
byAccenture
 
DOCX
Data storage requirements AK
byAccenture
 
PDF
Tr 3998 -deployment_guide_for_hosted_shared_desktops_and_on-demand_applicatio...
byAccenture
 
DOCX
C mode class
byAccenture
 
PPT
Providence net app upgrade plan PPMC
byAccenture
 
PDF
Snap mirror source to tape to destination scenario
byAccenture
 
DOCX
Migrate volume in akfiler7
byAccenture
 
DOCX
Migrate vol in akfiler7
byAccenture
 
DOCX
Akfiler upgrades providence july 2012
byAccenture
 
Calabrio analyze
byAccenture
 
NetApp system installation workbook Spokane
byAccenture
 
Performance problems on ethernet networks when the e0m management interface i...
byAccenture
 
Tier 2 net app baseline design standard revised nov 2011
byAccenture
 
NA notes
byAccenture
 
Perf stat windows
byAccenture
 
Net app virtualization preso
byAccenture
 
Reporting demo
byAccenture
 
WSC Net App storage for windows challenges and solutions
byAccenture
 
Tr 3749 -net_app_storage_best_practices_for_v_mware_vsphere,_dec_11
byAccenture
 
50,000-seat_VMware_view_deployment
byAccenture
 
Certify 2014trends-report
byAccenture
 
Data storage requirements AK
byAccenture
 
Tr 3998 -deployment_guide_for_hosted_shared_desktops_and_on-demand_applicatio...
byAccenture
 
C mode class
byAccenture
 
Providence net app upgrade plan PPMC
byAccenture
 
Snap mirror source to tape to destination scenario
byAccenture
 
Migrate volume in akfiler7
byAccenture
 
Migrate vol in akfiler7
byAccenture
 
Akfiler upgrades providence july 2012
byAccenture
 

Veriphyr bright talk 20120523

  • 1.
    Chase Away CloudChallenges: User Access Governance & Compliance Alan Norquist, CEO & Founder Veriphyr, Inc. VERIPHYR PROPRIETARY
  • 2.
    Goals of UserAccess Governance & Compliance  User System Access = User’s Responsibilities  Bank – “Access to everything and nobody knows it”  User Activity Access = User’s Responsibilities  Finance – “Can’t both approve PO and approve payment”  User Data Access = User’s Responsibilities  Healthcare – Only view patients under one’s care May 27, 2012 VERIPHYR PROPRIETARY 2
  • 3.
    Requirement Across Industries Healthcare “access … must be restricted to those who have been (HIPAA) granted access rights” Banking “employee’s levels of online access .. match (FFIEC) current job responsibilities” Brokerage “employee’s access … limited strictly to … (FINRA) employee’s function” Utilities “access permissions are consistent with … (NERC) work functions performed” Retail “Limit access to … only individuals whose (PCI) job requires such access” Public Companies “user access rights … in line with … (SOX - COBIT) business needs” May 27, 2012 VERIPHYR PROPRIETARY 3
  • 4.
    What is theEffect of the Cloud?  Reduced Cost from Resource Pooling  Rapid Implementation and Elasticity  Ubiquitous Broad Network Access  Accessible from outside your organization perimeter  Accessible from variety of devices  Shift in Ownership and Control  Resource layers controlled by multiple independent providers  Multi-Tenancy (Resource Pooling)  Resources shared across multiple independent consumers  Split in User Access Management  Data center vs. cloud May 27, 2012 VERIPHYR PROPRIETARY 4
  • 5.
    Cloud Models –Build vs. Contract RFP or Contract Software It In “The lower down the stack the Cloud provider as a Stops, the more security the consumer is Service (SaaS) tactically responsible for implementing and managing” – CSA Guidance v3.0 Platform Build it in as a Infrastructure Service (PaaS) as a Service (IaaS) May 27, 2012 VERIPHYR PROPRIETARY 5 Source: Cloud Security Alliance 2011
  • 6.
    User Access Governanceand Compliance Build or Contract What? 1. Identity Stores 2. Logging (Both Access and Activity) 3. Key Data Entities (customers, patients, partners, etc)  Critical Issues  Interfaces  Insufficient - User interface  Required – Standard-based APIs  Capabilities  Detailed logs showing access to sensitive transactions and date (patient, customer, etc.)  Ability to Extract Data  Insufficient - Reports showing single identity’s activity over 2 weeks  Required – Formatted file of all identities and all activity for all time May 27, 2012 VERIPHYR PROPRIETARY 6
  • 7.
    Cloud Providers’ NativeIdentity Mgmt?  Manage Each Cloud Separately? Cloud Consumer Cloud Provider Cloud Provider Cloud Provider Cloud Provider May 27, 2012 VERIPHYR PROPRIETARY 7
  • 8.
    IAM as aService  Centralized federated identity across cloud vendors  Build in or contract requirements for support of standards like SAML, OpenID and Oauth Cloud Consumer IAM as a Service Cloud Provider Cloud Provider Cloud Provider Cloud Provider May 27, 2012 VERIPHYR PROPRIETARY 8
  • 9.
    Cloud Provider ComplianceReports?  Cloud facilitates departments use of “best of breed”  Need to integrate compliance reporting across many separate cloud vendors Cloud Consumer Cloud Provider Cloud Provider Cloud Provider Cloud Provider May 27, 2012 VERIPHYR PROPRIETARY 9
  • 10.
    Identity and AccessIntelligence (IAI)  "Joining together data in identity and access management (IAM) systems and security logs with other data could be massively valuable to both IT and the business." - James Richardson, Gartner  Build or contract in the ability for bulk export of identity store info, logs (both access and activity), and key data (customers, patients, partners, etc). Identity and Access Cloud Consumer Intelligence Cloud Provider Cloud Provider Cloud Provider Cloud Provider May 27, 2012 VERIPHYR PROPRIETARY 10
  • 11.
    Identity and AccessIntelligence (IAI)  “Access reports of users and applications are requirements in information security and IT governance, risk and compliance management programs, and Identity and Access Intelligence is needed to address those requirements.” – Gartner  Identifies policy violations - identity, rights, activity & data  Determines if policy violation have been exploited  Different from SIEM  SIEM focused on packets and IP addresses  IAI focused on people and data  Works across Cloud Providers  Audit (access and activity) log from all cloud applications  Identity stores from all IAM as a Service vendors  Patient, customer, partner data from applications such as HR May 27, 2012 VERIPHYR PROPRIETARY 11
  • 12.
    Revealing - UserAccess ≠ User’s Responsibilities User Access Activity Across Resources Resources Identity May 27, 2012 VERIPHYR PROPRIETARY 12
  • 13.
    Revealing - UserAccess ≠ User’s Responsibilities IAI Analytics Reveal Inappropriate Access Resources Identity May 27, 2012 VERIPHYR PROPRIETARY 13
  • 14.
    Summary  Goal of Access Governance and Compliance  User Access = User’s Responsibility  Cloud Changes Underlying Architecture  Need to “Build or Contract In”  Standards for IAM as a Service  Data Sources for Identity and Access Intelligence (IAI)  For more information contact me  anorquist@veriphyr.com  # 650.384.0560 May 27, 2012 VERIPHYR PROPRIETARY 14
  • 15.
    For more information  Whitepaper on IAM as a Service https://cloudsecurityalliance.org/research/  Whitepaper on Identity and Access Intelligence http://bit.ly/IAI-whitepaper Alan Norquist CEO, Veriphyr anorquist@veriphyr.com www.Veriphyr.com # 650.384.0560 May 27, 2012 VERIPHYR PROPRIETARY 15