IT Audit & Identity Management Challenges in a De-perimeterisation Scenario Henry S. Teng, CISSP, CISM Enterprise Security Compliance Officer Philips International B.V. & Jericho Forum Board March 27, 2007 London, UK 2 nd Annual Identity Management Summit 2007 By MIS Training

2 Agenda  De-perimeterisation primer  Challenges to Identity Management  Challenges to IT Audit

3 Once upon a time…. Perimeterised Protection

4 and we have to prepare for the future Business Demands Differently

5 The Reality of “Castles” It’s fundamentally acceptance that:  Most exploits will easily transit perimeter security –We let through –We let through web –We will need to let through VoIP –We let through encrypted traffic (SSL, SMTP-TLS, VPN) –We have multiple “partner” connections –Business demand fast inter-company connectivity

6 Why the Jericho Forum?  No one else was discussing the problem in January 2004  Everyone was fixated on perimeter based designs  Somebody needed to point out the “Kings new clothes” to the world  Someone needed to start the discussion What’s in it for us?  We need Security Solutions that support de-perimeterisation – so we aim to stimulate a market for solutions to de-perimeterisation problems  We want these solutions to use open standards, to improve interoperability and integration, both within our own IT systems and with our business partners

7 The RSA Conference 2007 Confirms At the keynote speech in February, Craig Mundie, the chief research & strategy officer for Microsoft, told the attendees: "It is sort of like we have been in the medieval age of computer networking and access… we have to build more and more fortress-like protections…" "What we didn't really see coming yet is essentially the airplane and the air–to-surface missile and other things. The threat model is changing in fundamental ways.“ (Based on transcript from Microsoft PressPass at

8 So what is its effect?  Your border is effectively a QoS Boundary  Protection has little/no benefit at the perimeter  It’s easier to protect data the closer we get to it  A hardened perimeter strategy is at odds with current and/or future business needs  A hardened perimeter strategy is un-sustainable.

9 So what is it actually? It’s a concept:  It’s how we solve the business needs for our businesses without a hardened perimeter,  It’s how businesses leverage new opportunities when there is no hardened perimeter,  It’s a set of solutions within a framework that we can pick and mix from,  It’s defence in depth,  It’s business-driven security solutions It is not a single solution – it’s a way of thinking...

10 The Jericho Forum Charter & Remit The Jericho Forum AIMS...  to drive and influence the discussion / change the mindset  to demonstrate how de-perimeterised solutions can work in the corporate space  to refine and distinguish between what are Jericho Forum architectural principals vs. good secure design  to build on the work in the published Visioning Document  to define key items aligned with messages that make them specifically part of the Jericho Forum solutions space  to clarify that there is not just one “Jericho Forum solution” The Jericho Forum IS NOT...  another standards body  a cartel – this is not about buying a single solution  here to compete with or dismantle existing “good security”.

11 Cabinet OfficeForeign & Commonwealth Office Some of our members

12 “Commandments” - Rationale  Jericho Forum in a nutshell: “Your security perimeters are disappearing: what are you going to do about it?”  Need to express what / why / how to do it in high level terms (but allowing for detail)  Need to be able to draw distinctions between ‘good’ security (e.g. ‘principle of least privilege’) and ‘de-perimeterisation security’ (e.g. ‘end-to- end principle’)

13 Why should I care?  De-perimeterisation is a disruptive change  There is a huge variety of: –Starting points / business imperatives –Technology dependencies / evolution –Appetite for change / ability to mobilise –Extent of de-perimeterisation that makes business sense / ability to influence  So we need rules-of-thumb, not a ‘bible’ –“A benchmark by which concepts, solutions, standards and systems can be assessed and measured.”

14 Structure of the Commandments  Fundamentals (3)  Surviving in a hostile world (2)  The need for trust (2)  Identity, management and federation (1)  Access to data (3)

15 Fundamentals 1. The scope and level of protection must be specific and appropriate to the asset at risk.  Business demands that security enables business agility and is cost effective.  Whereas boundary firewalls may continue to provide basic network protection, individual systems and data will need to be capable of protecting themselves.  In general, it’s easier to protect an asset the closer protection is provided.

16 Fundamentals 2. Security mechanisms must be pervasive, simple, scalable and easy to manage.  Unnecessary complexity is a threat to good security.  Coherent security principles are required which span all tiers of the architecture.  Security mechanisms must scale: –from small objects to large objects.  To be both simple and scalable, interoperable security “building blocks” need to be capable of being combined to provide the required security mechanisms.

17 Fundamentals 3. Assume context at your peril.  Security solutions designed for one environment may not be transferable to work in another: –thus it is important to understand the limitations of any security solution.  Problems, limitations and issues can come from a variety of sources, including: –Geographic –Legal –Technical –Acceptability of risk, etc.

18 Surviving in a hostile world 4. Devices and applications must communicate using open, secure protocols.  Security through obscurity is a flawed assumption –secure protocols demand open peer review to provide robust assessment and thus wide acceptance and use.  The security requirements of confidentiality, integrity and availability (reliability) should be assessed and built in to protocols as appropriate, not added on.  Encrypted encapsulation should only be used when appropriate and does not solve everything.

19 Surviving in a hostile world 5. All devices must be capable of maintaining their security policy on an untrusted network.  A “security policy” defines the rules with regard to the protection of the asset.  Rules must be complete with respect to an arbitrary context.  Any implementation must be capable of surviving on the raw Internet, e.g., will not break on any input.

20 The need for trust 6. All people, processes, technology must have declared and transparent levels of trust for any transaction to take place.  There must be clarity of expectation with all parties understanding the levels of trust.  Trust models must encompass people/organisations and devices/infrastructure.  Trust level may vary by location, transaction type, user role and transactional risk.

21 The need for trust 7. Mutual trust assurance levels must be determinable.  Devices and users must be capable of appropriate levels of (mutual) authentication for accessing systems and data.  Authentication and authorisation frameworks must support the trust model.

22 Finally, access to data 9. Access to data should be controlled by security attributes of the data itself.  Attributes can be held within the data (DRM/Metadata) or could be a separate system.  Access / security could be implemented by encryption.  Some data may have “public, non-confidential” attributes.  Access and access rights have a temporal component.

23 Finally, access to data 10. Data privacy (and security of any asset of sufficiently high value) requires a segregation of duties/privileges  Permissions, keys, privileges etc. must ultimately fall under independent control –or there will always be a weakest link at the top of the chain of trust.  Administrator access must also be subject to these controls.

24 Finally, access to data 11. By default, data must be appropriately secured both in storage and in transit.  Removing the default must be a conscious act.  High security should not be enforced for everything: –“appropriate” implies varying levels with potentially some data not secured at all.

25 Identity, Management and Federation 8. Authentication, authorisation and accountability must interoperate/ exchange outside of your locus/ area of control.  People/systems must be able to manage permissions of resources they don't control.  There must be capability of trusting an organisation, which can authenticate individuals or groups, thus eliminating the need to create separate identities.  In principle, only one instance of person / system / identity may exist, but privacy necessitates the support for multiple instances, or once instance with multiple facets.  Systems must be able to pass on security credentials/assertions.  Multiple loci (areas) of control must be supported.

26 Position on Federated Identity Problem –Identity provider requires to be a privileged position. –User credentials are combined with user attributes, that would lead to privacy issues. Jericho Forum Response –No requirement for a privileged Identity Provider. –Support for different credentials and authentication technology referring to the same individual. –Clear distinction between credentials and attributes in use of data.

27 Position on Federated Identity (cont.) Challenges to the Industry 1.Create common schemas for the majority of transaction data attributes requested, including name, address and payment details, to remove the need for centralised attribute storage. 2.Mutual authentication should be used by default. 3.Peer-to-peer authentication should be permitted, without the need of a privileged identity provider. 4.The currently assumed role of an individual should be made explicit to systems. 5.Subject attributes should not be used as credentials. 6.Credentials and authorisation information should be able to be transferred between organisations using open protocols and standards, and be simple to manage the equivalence relationships. 7.It should be possible to support a multiplicity of credentials and technologies for an individual.

28 Proposal on IT Audit Position Paper  To understand and assess the strategic impact of the Jericho Forum de-perimeterization initiative to the principles of IT Audit from an industry standard perspective.  To understand and assess the tactical impact of the Jericho Forum de-perimeterization initiative to the specific practice of IT Audit from a security community perspective.  To prescribe risk-based solutions to minimize the strategic and tactical impacts to the IT Audit community including but not limited to best practice guidelines, checklists, and technical solutions.

29 Fundamental Questions to Ask 1. With a fundamental change of the security perimeter protection model, does this change require a strategic change of the prevalent IT Audit framework? 2. From an IT Audit practice perspective, can the tactical/operational control aspects of IT audit scale to meet the Jericho Forum challenges?

30 Approach in Assessment IT Audit Tech Infrastr. Business Application Business Process What (Strategic) Samples: OS Network Samples: Supply Chain Samples: Change Controls How (Tactical) Samples: A-Virus FW Rule Samples: SAP Samples: Exception Mgmt

31 Phase 1 - IT Audit Strategic Focus The primary focus of Phase 1 is to assess and document the impact of the Jericho Forum 11 Commandments against prevalent (IT) control frameworks: –Control Framework/Model Communities –Framework Taxonomy –CobiT, COSO, and ISO Mapping

32 What is CobiT? CobiT stands for the Control Objectives for Information and related Technology. –Issued and maintained by the Information Systems Audit and Control Association (ISACA). –Focuses on IT Governance processes to bridge the gaps between business risks, control needs, and technical issues. –Provides “good practice” from consensus of experts.

33 Why Choose CobiT? Business orientation is the main theme of CobiT. It offers a comprehensive guidance for management and business process owners by providing: –A Control Framework of 34 high-level control objectives, 215 recommended detailed controls and Maturity Models with KPI’s. –A standard and common language among IT Auditors. –Maintenance and update including SOX. CobiT V4.0 is the latest release. –Research shows that CobiT is sufficient to cover or relate to major control frameworks such as ISO and COSO.

34 The Jericho Forum Eleven Commandments

35 The CobiT Control Framework

36 Phase 2 - IT Audit Tactical Focus The primary focus of Phase 2 is to assess and document the impact of the Jericho Forum problem/position papers against the 215 CobiT detail control objectives in areas such as: –IT Audit Planning –IT Audit Scope –Review of Audit Assumptions –Considerations in Performing IT Audits

37 Changes for Considerations  Control points that were centralised and external to applications and systems will change (end points have shifted….).  Reliance and assumptions of controls over traditional internal components, such as a WAN or LAN, may no longer be relevant or appropriate. (audit scope changes)  A sampled assessment of decentralised components may not give a clear picture of the overall IT control environment. (partners spread spyware, business boundary and IT boundary, problems go easier, auditors to think about in business terms instead of IT constraints. Protection explicit)  The focus and importance of core IT systems may need to change – for example, increased reliance on Data Centre, client and application controls.  Additional foundation services (Identity, Audit, Monitoring) may need to be included in the scope of future audits.

38 Key Challenges  Expanding the corporate boundary of the network.  Thinking of the internal network as a semi public or public network.  Pushing more applications and systems into data centers that are Internet accessible.  Developing applications that are Internet enabled and take advantage of security controls such as transport layer security, authentication and authorisation controls  Relying more on endpoints in the network to protect themselves using patching, firewalling, anti-virus technologies.  Identifying users and devices that connect to business systems and applications.  Patching and managing devices that connect to corporate systems from remote and often untrusted Internet sources.  Providing users who may be employees, customers, business partners, 3rd party suppliers with access to business applications.  Providing a bridge between legacy systems and Internet accessible services.  Supporting a variety of remote access methods through wireless, dial-up, VPN, 3G etc.

39 Phase 3 Operational Focus on Gap Resolutions In this phase the gaps and impact identified in Phase 1 & 2 are addressed via: –Sharing among members of practical solutions for the short term. –Proposals and recommendations to IT audit standard bodies for updates, guidelines, and checklists. –RFI’s to the vendor community for technical solutions to seek improvements in the effectiveness and efficiency during the IT audit processes.

40 Papers available from the Jericho Forum  The Jericho Forum “Commandments” are freely available from the Jericho Forum Website  Plus ten more papers

41 Future Position Papers There are position papers in progress on:  Encryption & Encapsulation  Regulation, Compliance & Certification  Network Security & QoS  Audit & Management in a distributed environment  Data/Information Management

42 Shaping security for tomorrow’s world