IDENTITY MANAGEMENT: PROTECTING FROM THE INSIDE OUT
MICHAEL FORNAL, SECURITY ANALYST, PROVIDENCE HEALTH & SERVICES
SOURCE SEATTLE CONFERENCE, 10.23.13 - 10.24.13

Presentation transcript:

Providence Health & Services
• Very large Catholic healthcare system
• 33 hospitals in AK, CA, MT, OR, WA
• 65,000 employees

ATTENTION: The information you are about to hear is from a Newbie in the InfoSec community who is still learning to manage his own Identity. If you disagree with any of the information that you hear here today PLEASE DON’T REMOVE HIS ACCESS to the InfoSec community!

Topics of Discussion
• Why IDM needs to be a business need and not an IT need.
• What an IDM program can do for your company.
• How having an IDM program can help you stay resilient.

What is Identity Management
• In short, it's the ability to provide provisioning and governance of users within your environment. This includes:
  • Password Management
  • Access Requests
  • Policy Enforcement

Why IDM is a business need and not an IT need
• Ensures that governance of access is being done correctly.
• Reduces risk to the company.
• Satisfies compliance and privacy requirements.
• Saves cost by providing an efficient process for user provisioning.

What IDM can do for your company
• Manages the employee life cycle from beginning to end.
• Provides an overall view of how effective your policies are.
• Centralizes authentication and authorization of applications across an enterprise.
• Gives greater transparency into who has access to what.
• Reduces the fears that Executives and IT Managers have around Identity and Access Governance.

Management of employee life cycle
• Add an employee
• Move an employee
• Employee leaves

Provides an overall view of how effective your policies are by:
• Providing reports that show employee violations of policies.
• Showing you where there could be potential conflicts with a role or group that could limit an employee's productivity.

Centralize authentication and authorization of applications across an enterprise
• Provides accountability.
• Allows for the burden of account management to be taken off a department like applications support.
• One piece of software can control access to all applications in an enterprise, reducing redundancy.

Allows for greater transparency
• Gives a high-level view of who has access, and to what, based on role or group.
• Shows who your super users are and where your areas of high risk are.

High Privilege Group

Reduce management's fears around Identity and Access Governance
• Executives fear that account management is being done incorrectly.
• IT Managers fear for the integrity of their data and applications.
• Providing leadership with tangible results gives them the necessary transparency to see that the IAM program is working.

Report Summary

Privilege group membership report

Manager certification

Manager Certification cont.

How you can improve your security program with an IAM tool:
• Allows for better creation of company security policies.
• Used as a provisioning tool, it allows for better management of the employee life cycle.
• Reduces your attack surface.

Allows for better creation of company security policies by:
• Showing where to use least privilege and where not to use it.
• Performing audits and reports.
• Giving you the information that you need to make better informed decisions.

Used as a provisioning tool, allows for better management of the employee life cycle
Set up everything from:
• Password Management
• Application Access
• Closing of Accounts

Reduction in attack surface
• Able to clean up old accounts that could be used to access sensitive information.
• Mitigates the insider threat, especially in a dynamic environment.
• High privilege accounts can be monitored.
• Reduces the risk of super user accounts being created by having their creation approved by another dept.
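
Added example (not part of the original slides): a minimal sketch of the cleanup and monitoring checks listed on this slide, reconciling a directory export against an HR roster. The sample data, the group name "Domain Admins", the 90-day staleness threshold and all field names are constructed assumptions.

```python
from datetime import date

PRIVILEGED = {"Domain Admins"}   # assumed name for the high-privilege group
TODAY = date(2013, 10, 24)       # constructed review date

# Constructed sample data: HR roster, directory export, privilege approvals.
HR = {  # employee id -> (status, department)
    "e100": ("active", "Nursing"),
    "e200": ("active", "IT"),
    "e300": ("terminated", "Finance"),
    "e400": ("active", "Security"),
    "e500": ("active", "IT"),
}
ACCOUNTS = [
    {"user": "asmith", "emp": "e100", "last_logon": date(2013, 10, 1), "groups": ["Staff"]},
    {"user": "bjones", "emp": "e500", "last_logon": date(2013, 10, 20), "groups": ["Domain Admins"]},
    {"user": "cwu", "emp": "e300", "last_logon": date(2013, 6, 2), "groups": ["Staff"]},
    {"user": "ekhan", "emp": "e200", "last_logon": date(2013, 10, 22), "groups": ["Domain Admins"]},
    {"user": "svc_old", "emp": None, "last_logon": date(2012, 1, 15), "groups": ["Domain Admins"]},
]
APPROVALS = {  # (user, group) -> employee id of the approver
    ("bjones", "Domain Admins"): "e200",   # approver sits in the same department
    ("ekhan", "Domain Admins"): "e400",    # approved by another department
}

def review(accounts, hr, approvals, today, stale_days=90):
    """Return {user: [findings]} for accounts needing cleanup or re-certification."""
    report = {}
    for acct in accounts:
        findings = []
        status, dept = hr.get(acct["emp"], (None, None))
        if status is None:
            findings.append("orphaned")            # no HR record owns this account
        elif status != "active":
            findings.append("leaver")              # employee left, account remains
        if (today - acct["last_logon"]).days > stale_days:
            findings.append("stale")
        for group in PRIVILEGED.intersection(acct["groups"]):
            approver = approvals.get((acct["user"], group))
            a_status, a_dept = hr.get(approver, (None, None))
            # Privilege counts as certified only if an active employee
            # from a different department signed off on it.
            if a_status != "active" or a_dept == dept:
                findings.append("unapproved_privilege")
        if findings:
            report[acct["user"]] = findings
    return report

if __name__ == "__main__":
    for user, findings in review(ACCOUNTS, HR, APPROVALS, TODAY).items():
        print(user, findings)
```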

High Privilege Account Certification

Today's Takeaways
• An IDM tool in your enterprise gives you the benefits of a detective tool and a prevention tool.
• IDM needs to be a cornerstone of a security program; without it everything else will break down.
• Gives the business confidence that the process of governance and access is being monitored and performed correctly.

Thank you!
Thanks for attending my talk today on Identity Management: Protecting from the inside out.
Questions…?

Contact On Security blog: Fighting In.Security