Taking Lessons from End Users, “Convergence” Rises from the Ashes
Bassam Al-Khalidi, Co-CEO and Principal Consultant, Axiad IDS
ISCW, April 6, 2017 (10:00-11:00am PT)
Convergence: A New Day
“Convergence”: what has changed
  Why we need convergence more than ever
  What went wrong
  Lessons learned are the new benchmarks
IT & Corporate Security are in this together: impacting success or failure
  Issuance and personalization
  Lifecycle events leading to success or failure
  Policies
  Bandwidth/skills and resources
From Understanding to Action
CONVERGENCE
Lots of buzz
Deployment teams didn’t embrace
Adoption failed
A negative experience for all
Skepticism abounds
ALIVE OR DEAD?
Is the convergence of physical and logical identity credentials just a relic of the past?
Convergence is NOT dead.
We’ve learned many lessons.
And the stakes are higher.
The way it was delivered didn’t work.
We’ve been listening.
A New Reality
We can’t ignore it.
Convergence is NOT dead.
We’ve learned many lessons.
Align with Corporate & IT security needs and today’s risks.
The way it was delivered didn’t work.
We’ve been listening.
A lot has changed and the stakes got higher.
A lot has changed: The stakes are higher
No industry is immune
Broader avenues of attack
  Everything is connected (IoT)
  Mobile-everything
  24/7 web connections
Troublesome consequences
  The usuals: Brand | Financial | Identity | Legal
  New breed:
    Auto: engine and dash computer systems
    Healthcare: medical devices
    Government: cyber terrorism
    Financial: point of sale
A lot has changed: We need converged solutions more than ever
People AND connected devices must be protected, across the physical and logical spectrum.
Where did we go wrong?
IT had misconceptions
Functional silos (HR, Legal, IT, Security) led to security gaps
IT vision of ‘leapfrogging’ to a converged solution wasn’t achievable (software upgrades are not the same for physical access control systems, PACS)
Issuance and personalization were impacted
What round 1 taught us
Round 1 challenges vs. lessons learned (the new benchmarks):
1. Frustrated both Corporate Security and IT Security functions
   Lesson: The experience of the deployment team matters
2. Gaps in security: one size fits all; piecemeal; infrastructure not considered
   Lesson: Must address gaps and frustrations: customized; comprehensive; match skill set/resources
3. Complex to install, upgrade, maintain
   Lesson: Less complex, more manageable
4. Inefficient lifecycle management
   Lesson: Maintainable across the lifecycle
5. Security business objectives not met
   Lesson: Must achieve multiple business objectives: reduced costs & inefficiencies; improved controls; compliance
Elements of an Integrated Solution
SECURE EVERYTHING
MONITOR EVERYTHING
NOTIFY EVERYTHING
Recap: State of Convergence
New reality
Higher stakes
Affects all industries
IT and Corporate Security: Shared Concerns
Security: Reduce risk of breach
Cost-effective: Implement and manage a mix of user credentials
Flexibility: Choose from a range of assurance and authentication levels
Customized: Map to unique needs (protection, workflow, reporting, policies)
Business value: Prove security to stakeholders
Compliant: Meet compliance needs and mandates
Unified: Approach as a single organization (HR, Legal, IT, Facilities)
Efficient: Leverage limited cyber-expert resources and skills
Decisions Impacting Success or Failure
Policies
Issuance & Personalization
Lifecycle Management
Bandwidth and Skill Sets
A New Vision for Issuance and Personalization
INTEGRATION
  IT approach must integrate with Corporate Security reality
  Credentials must be future-proofed to upgrade with Corporate Security changes
ALIGNMENT
  Must align with processes and procedures
  Must align with business objectives/compliance needs of the organization
RESPECTING FUNCTIONAL ROLES
  IT and Corporate Security must each have control over day-to-day domains
  Don’t want disruptions/ownership questions (provisioning/de-provisioning)
  Compliance needs differ
  Each needs proper tools
Lifecycle Management Impacts Success or Failure
FUTURE PROOFING
  Is the platform extensible?
ASSESSMENT
  Understand current situation and future needs?
ENABLEMENT
  Have all uses been considered? (PKI @ the door wasn’t fully analyzed: not fast enough)
METHODOLOGY | PLANNING
  Strategy: use best-of-breed products or single solution?
  Bandwidth/skill set: host in-house or prefer hosted solution?
Converged Project Approach
BUSINESS ANALYSIS
OPERATIONAL ASSESSMENT
PROGRAM DEFINITION
DEPLOYMENT
ONGOING SERVICES
Policies and Compliance
External Policies: HIPAA, 800-171, 800-53, PCI
Internal Policies: Access rights, permissions, data retention etc.
Obtain Support: Across all stakeholders
Find Balance: Realize ties between internal and external; what’s achievable
Enforce Policies: Deploy solutions. Internal training
CONTROL
Access Control
Awareness and Training
Audit and Accountability
Configuration Management
Identification and Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment
System and Communication Protection
System and Information Security
From Understanding to Action
Understand the benefits of a converged approach and position it to your executive team
Determine the effort and investment required for your organization
Look at the value vs. complexity of a converged program and understand the trade-offs for your organization
Map out a phased approach on the back-end
Embrace best practices that help ensure success, and avoid common pitfalls that undermine projects
Thank You