7 The Tenets of IAM Put Identity Management at the Center of Your Security Strategy Doug MacPherson, CISSP .


Presentation on theme: "7 The Tenets of IAM Put Identity Management at the Center of Your Security Strategy Doug MacPherson, CISSP ."— Presentation transcript:


2 THE RECOGNIZED LEADER
Magic Quadrant Leader, Gartner 2016. 500+ customers worldwide, 40% international customers, 95% customer satisfaction and retention, hundreds of millions of access rights under management. While this may look like a commercial for SailPoint, it is simply to show you we know what we are talking about. SailPoint is the IAM market leader, and while we say that to ourselves all the time, it is nice when the leading industry analysts point it out. As you can see, SailPoint is and has been a Gartner Magic Quadrant market leader for several years, with over 450 customers around the world. We are innovators in the area of identity and access management and have helped a lot of customers navigate through exactly the obstacles we are about to highlight. Copyright © SailPoint Technologies, Inc. All rights reserved.

3 Agenda
Security Driving IAM; The Evolution of Access; Taking a Governance-based Approach; The 7 Tenets of Successful IAM; Q&A. Our agenda today will review: 1. I'll kick things off with a brief review of how security is now driving identity management. 2. I will phrase this in the context of the ongoing evolution of security and identity that's happening as we speak. 3. I'll define what identity governance is, and explain the benefits of taking a governance-based approach. 4. I'll follow this with what we consider to be the 7 tenets of successful IAM. These are the fundamental design and implementation philosophies that have helped SailPoint get where we are in the market today. And finally, we'll finish up with a Q&A session.

4 The nature of SECURITY is evolving from network-centric to identity-centric
I think the very nature of security itself has to evolve from a network- and authentication-centric approach to an identity- and authorization-centric one.

5 Fundamental Principles of Access Security
Data, People, Access Controls. At the end of the day, everything comes down to three simple primitives: data, access controls and people. Access controls are the system-level constraints that make sure the right people have access to the right data. Now, as a security industry, we first started thinking about managing access with a network-centric security mindset.

6 Network Centric Security
Firewall: the good old days. We selectively allowed people into our applications and data, and we grouped and managed our access controls accordingly. Good guys on the inside and bad guys on the outside. At that time we could actually tell the difference between the two, and so the "organizing security principle" was network and perimeter defense.

7 Network Centric Security
Firewall; a vast array of customers, employees, contractors and partners. Unfortunately, over the years that followed, applications and data exploded inside that network perimeter, and so did the types of people that required access to them. Organizations large and small needed to provide application services to a vast array of customers, employees, contractors and partners. And with cloud, mobile and the social democratization of IT, we've seen a further escalation of applications, data and users on both sides of that firewall. People and data are now no longer even remotely related to the network, or to a perimeter-centric way of organizing things. We now have apps in the cloud and on-prem, and a confusing mix of SaaS, mobile and system-to-system data flows that completely ignore the perimeter. As a result, a network-centric approach is dissolving as an effective way to think about organizing, managing and protecting data.

8 Identity Centric Security
Data, People, Right Access; from Network to Identity. As an application and data security community, we're now starting to adopt an identity-centric approach, in which we put IAM at the center of security and focus on understanding, cataloging and managing the data and the access as the currency of security. Ensuring that the right people have the right access to the right data is something that transcends any notion of a network, or now even of an application that we own, and so we have to focus on identity and access management as the new organizing principle.

9 Increasingly Complex Environment
People: IT staff, employees, contractors, suppliers, ex-employees, customers. Systems: HR systems, directory, mainframe, SaaS and cloud, infrastructure, apps, devices. We all now face an increasingly complex environment, with IT staff, employees, suppliers and customers accessing on-prem, cloud and mobile applications. Just stop for a moment and consider all the applications and systems you access on a daily basis; maybe you've got SAP deployed on-prem and service management in the cloud. The access and the data are extremely varied these days, and so this is a very hard problem. And when we look inside any datacenter, or behind the web interface of any SaaS application, and analyze how identity and access is manage

10 Potential Points of Weakness
Complex data access; over-entitled users; rogue accounts; privileged access (IT infrastructure and data assets). Complex data: Sony, no inventory, no monitoring; what went missing? Over-entitled users: Jerome Kerviel at Société Générale, trader and back office. Rogue accounts: Target, hacker-generated accounts existed for 18 months, classic escalation of authority, 40M credit cards. Privileged access: can you identify who has privileged access vs. elevated access?
We always see multiple potential points of weakness and risk, and very frequently some quite basic identity and access management flaws, flaws that turn out to be fundamental stepping-stones for a cyber attack. Now, I'm always super interested in the forensic analysis that goes on after a big data breach. For all the complex zero-day malware and network-centric exploits that get cited, if you read the small print, the same basic identity and access management mistakes have either caused or escalated the breach. Simple things like overly complex effective data access and an unknown data inventory are usually a contributing factor. For example, in the Sony breach no one really knew what documents had been stolen, because no one had a reliable unstructured data inventory and there was no data access governance in place. And basic problems like over-entitled users with accumulated privileges and toxic combinations magnify the impact: when Jerome Kerviel retained the ability to make trades and then settle those same trades, Société Générale had a 4.9 billion euro problem. And if your IT controls don't understand the difference between a valid account and a rogue account, you've got a fatal blind spot. Rogue accounts played a major part in the 2013 Target breach. These fake accounts, created during the initial attack, remained undetected for over 18 months. These accounts were then leveraged for classic abuse-of-privilege and escalation attacks, all of which directly contributed to the loss of over 40 million credit cards. So we've got to get the basics of identity management right.

11 The 7 Tenets of Successful IAM
1. Comprehensive Approach
2. User Experience
3. Identity Context
4. Model-based Governance
5. Risk-based Controls
6. Approach to Connectivity
7. Consistency

12 IAM TENET 1: Comprehensive Approach
IAM platform: role management, identity analytics, password management, compliance controls, data governance, single sign-on, access request. This first tenet addresses the need for an integrated and complete set of IAM functions working together as a single system. Today, capabilities like role management, identity analytics, data governance, access request, single sign-on, compliance controls and password management are all required. In practice that means a single identity warehouse, and one policy model (e.g., separation of duties) that is enforced both at attestation time and at provisioning time, designed from the ground up rather than loosely coupled, since loose coupling causes currency and data-consistency problems between the pieces. These are the functional capabilities required for an effective identity management program, and each of them must be delivered as part of a single integrated IAM platform. A comprehensive approach can't be a loose collection of stand-alone products with fragile links between them; they have to be designed from the ground up to work together. Of course, coming from a vendor this sounds very self-serving, very much "buy it all from me", but this is not a buying requirement; it is a use-case and data-flow requirement. It's about sharing data and processes and integrating everything together without the need for integration code. As you might expect, this is how we designed our system from day one, and so taking a comprehensive, integrated approach is the first of my 7 IAM best-practice tenets.

13 IAM TENET 2: User Experience
User experience, not UI, based on use cases and daily interactions: a single sign-on catalog; a data owner understanding data access paths; a compliance manager running certifications; a mobile worker resetting a password remotely. Now, when I say "the user experience", I use the word experience very specifically. It's not just about the user interfaces (yes, user interfaces are important, and ours are great); it's about a lot more than the layout of the screens. It's about how the user experiences the overall IAM process. So whether you're a marketing executive using the IdentityNow single sign-on launch pad to get one-click access to all the applications you need to get your job done; or you're a data owner in a branch office using SecurityIQ to visualize the effective access paths that others have to your sensitive company data; or you're a corporate security officer working with IdentityIQ to track the status of a certification campaign or a departmental risk score.

14 IAM TENET 3: Identity Context
Identity, Account, Entitlement, Data. The slide's example:
Doug MacPherson
  ActiveDirectory account
    Group=Accounting: \\Shares\HR (read), \\Shares\Corp (read write)
    Group=Users: \\Shares\doc3 (read)
  RACF account QT32428
    SYSDBA: Data Profile1, Data Profile2
    SYSOPER: Data Profile3
My third best-practice tenet is something we at SailPoint call identity context. To explain what that means, we first have to understand the importance of the relationships that exist in every online security system. These are the hidden connections between identities and accounts, accounts and entitlements, and entitlements and the data they give access to. Identity context means understanding, cataloging and modeling these relationships. In today's complex IT environment we have to understand and model these critical relationships, because they represent the real impact and true meaning of access. This is why solutions like ours, which collect, document and manage this identity and access context, now play such a critical role in security.
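The identity-to-account-to-entitlement-to-data chain above is easy to draw and easy to lose in practice, so here is a worked example of it in code. This is an added illustration, not SailPoint code and not the data model of IdentityIQ or any other product. Doug's two accounts and their entitlements are taken from the slide; the unowned RACF account, the second identity and the separation-of-duties policy are constructed additions so that the checks for the slide-10 weaknesses (rogue accounts, toxic combinations) have something to find.

```python
# Added example (not SailPoint code): a minimal identity-context model of
# the relationships on the slide, Identity -> Account -> Entitlement -> Data.
# Sample data is constructed: Doug's AD and RACF accounts come from the
# slide; the unowned RACF account, the second identity and the toxic
# combination policy are hypothetical additions for the example.
from collections import defaultdict

# (system, account name) -> owning identity (None = no identity links to it)
# and the entitlements the account holds.
ACCOUNTS = {
    ("ActiveDirectory", "dmacpherson"): {
        "owner": "Doug MacPherson",
        "entitlements": ["Group=Accounting", "Group=Users"],
    },
    ("RACF", "QT32428"): {
        "owner": "Doug MacPherson",
        "entitlements": ["SYSDBA", "SYSOPER"],
    },
    ("RACF", "QT99001"): {"owner": None, "entitlements": ["SYSDBA"]},
    ("ActiveDirectory", "asmith"): {
        "owner": "Alice Smith",
        "entitlements": ["Group=Users"],
    },
}

# entitlement -> {data it reaches: access level}
ENTITLEMENT_DATA = {
    "Group=Accounting": {r"\\Shares\HR": "read", r"\\Shares\Corp": "read write"},
    "Group=Users": {r"\\Shares\doc3": "read"},
    "SYSDBA": {"Data Profile1": "read write", "Data Profile2": "read write"},
    "SYSOPER": {"Data Profile3": "read write"},
}

# Hypothetical separation-of-duties policy: entitlement sets that must not
# meet in one identity (the "trade and settle" pattern from the talk).
TOXIC_COMBINATIONS = [
    ({"SYSDBA", "SYSOPER"}, "database admin and operator on the same mainframe"),
]


def accounts_of(identity):
    """All accounts linked to an identity, across every system."""
    return [(sys, name, acct) for (sys, name), acct in ACCOUNTS.items()
            if acct["owner"] == identity]


def access_paths(identity):
    """Every account -> entitlement -> data path an identity can take.

    This is the effective access a data owner or certifier needs to see:
    not 'Doug is in Group=Accounting' but 'Doug can write the Corp share
    via dmacpherson / Group=Accounting'."""
    paths = []
    for system, name, acct in accounts_of(identity):
        for ent in acct["entitlements"]:
            for data, level in ENTITLEMENT_DATA.get(ent, {}).items():
                paths.append((f"{system}:{name}", ent, data, level))
    return paths


def orphan_accounts():
    """Accounts no identity claims: the rogue/orphan blind spot.

    An account that reaches data but maps to no known person cannot be
    certified by anyone, and is what an attacker-created account looks
    like to an IAM system."""
    return sorted(f"{s}:{n}" for (s, n), a in ACCOUNTS.items()
                  if a["owner"] is None)


def sod_violations(identity):
    """Toxic combinations held by one identity across all of its accounts.

    The check is per identity, not per account: the whole point of identity
    context is that the AD and RACF accounts are the same person."""
    held = {e for _, _, acct in accounts_of(identity) for e in acct["entitlements"]}
    return [why for combo, why in TOXIC_COMBINATIONS if combo <= held]


def who_can_reach(data):
    """Data owner's view: each identity (or '<unowned>') and the path it uses."""
    reach = defaultdict(list)
    for (system, name), acct in ACCOUNTS.items():
        for ent in acct["entitlements"]:
            level = ENTITLEMENT_DATA.get(ent, {}).get(data)
            if level:
                reach[acct["owner"] or "<unowned>"].append((f"{system}:{name}", ent, level))
    return dict(reach)


if __name__ == "__main__":
    for path in access_paths("Doug MacPherson"):
        print("Doug:", path)
    print("orphans:", orphan_accounts())
    print("SoD:", sod_violations("Doug MacPherson"))
    print("Data Profile1 reachable by:", who_can_reach("Data Profile1"))
```

Two things fall out of modeling the chain explicitly: `who_can_reach` answers the data owner's question from tenet 2 (who has a path to my share, and through which entitlement), and `sod_violations` only works because the AD and RACF accounts are joined to one identity first; checked per account, the SYSDBA/SYSOPER pair would never be seen together.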

15 IAM TENET 3: Identity Context (continued)
Operations infrastructure (IT service management, mobile device management, applications and infrastructure) on one side, security infrastructure (GRC, data governance, privileged user management, SIEM and DLP, user behavior analysis) on the other, with identity governance and administration as the identity center of an integrated, responsive ecosystem. This is where the story really starts to come together and get exciting: leveraging these technologies for advanced, automated use cases. This identity context now becomes the driver and the enabler for bridging the gap between the operational infrastructure on the left of this picture and the security infrastructure on the right. We put IAM at the center and integrate it to create a more intelligent security ecosystem. For example: Doug working late on RACF is not usual, so a SIEM event gets kicked off; what does the SIEM operator do with it? Identity context allows for a risk-based response. Target: monitor out-of-band IDs, especially those with higher privileges.

16 IAM TENET 4: Model-based Governance Lifecycle
Around the IAM platform (role management, identity analytics, password management, compliance controls, data governance, single sign-on, access request) sit the governance models: role models, change models, risk models, control models, automation models. The lifecycle actors are HR (joiners, movers, leavers), business users (self-service), audit (compliance and audit) and IT (automation and controls). IAM governance means automating controls to meet the company's regulatory, internal audit and risk requirements. We now see IAM as a true lifecycle that often starts with the HR system kicking off joiner, mover and leaver events; it flows through things like business-user self-service, IT automation and controls, and includes the compliance and audit actions that wrap around everything we do in IT. Understanding and managing these lifecycle actions is a critical part of IAM governance. And when we say "model-based governance", this refers to the idea that we should define and build models to sit at the center of that IAM lifecycle. These models help create a stable, repeatable and scalable approach to enterprise identity. Now, when someone in identity says the word model, most people think NIST RBAC and the definition of enterprise roles.

17 IAM TENET 5: Risk-based Controls
Low, medium and high risk profiles; scope and impact; an identity risk score, like a credit score. (I hope I got this one right.) This is another fun capability: when you can effectively implement IAM, you can benefit from these advanced use cases. Once your company is bigger than 1,000 users, how do you know who to focus on? Who should I worry about? Especially long-term employees that have been accumulating access rights. So we created a risk score: you associate risk with roles, with access rights and with status (e.g., un-attested in one year). You can now focus scarce resources on the proper populations, and use automation to help, e.g., feed the SIEM.
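To make the "credit score" idea concrete, here is an added example of an identity risk score built from the three inputs the slide names (roles, access rights, status), with the un-attested-for-a-year case and the leaver-who-kept-access case treated as multipliers on the accumulated access. This is illustration code, not SailPoint's scoring model; the weights, thresholds, the fixed date and the three sample identities are all constructed for the example (the entitlement names are the ones from the identity-context slide).

```python
# Added example (not SailPoint code): an identity risk score in the spirit of
# the slide's credit-score analogy. Weights, thresholds, the fixed date and
# the sample identities are hypothetical and constructed for this example.
from datetime import date, timedelta

# Risk weight per entitlement and per role (1 = benign, 10 = crown jewels).
ENTITLEMENT_RISK = {"Group=Users": 1, "Group=Accounting": 4, "SYSOPER": 6, "SYSDBA": 9}
ROLE_RISK = {"Employee": 1, "Finance Analyst": 3, "Mainframe DBA": 8}
UNKNOWN_RISK = 5                    # anything not in the catalog is assumed medium risk
STALE_AFTER = timedelta(days=365)   # "un-attested in one year"
HIGH, MEDIUM = 25, 10               # bucket thresholds on the final score


def identity_risk(record, today):
    """Score = (sum of entitlement and role weights) x status multiplier.

    The multipliers capture the talk's point about accumulated, never
    re-certified access: access nobody has attested in a year counts 1.5x,
    and access still held by a leaver counts 2.5x."""
    base = sum(ENTITLEMENT_RISK.get(e, UNKNOWN_RISK) for e in record["entitlements"])
    base += sum(ROLE_RISK.get(r, UNKNOWN_RISK) for r in record["roles"])
    multiplier = 1.0
    if today - record["last_attested"] > STALE_AFTER:
        multiplier += 0.5
    if record["status"] == "terminated":
        multiplier += 1.0
    return int(base * multiplier)


def risk_bucket(score):
    return "high" if score >= HIGH else "medium" if score >= MEDIUM else "low"


def prioritise(records, today):
    """Identities ordered by score, highest first: who a certifier looks at first."""
    scored = [(identity_risk(r, today), r["name"]) for r in records]
    return sorted(scored, reverse=True)


def siem_watchlist(records, today):
    """Accounts of high-risk identities: the list the talk suggests feeding to
    a SIEM so that activity on them is escalated rather than averaged away."""
    return sorted(acct for r in records
                  if risk_bucket(identity_risk(r, today)) == "high"
                  for acct in r["accounts"])


# Constructed sample population.
SAMPLE = [
    {"name": "Doug MacPherson", "status": "active",
     "roles": ["Mainframe DBA"],
     "entitlements": ["Group=Accounting", "Group=Users", "SYSDBA", "SYSOPER"],
     "accounts": ["ActiveDirectory:dmacpherson", "RACF:QT32428"],
     "last_attested": date(2015, 10, 1)},
    {"name": "Alice Smith", "status": "active",
     "roles": ["Employee"], "entitlements": ["Group=Users"],
     "accounts": ["ActiveDirectory:asmith"],
     "last_attested": date(2016, 12, 1)},
    {"name": "Bob Jones", "status": "terminated",   # a leaver who kept access
     "roles": ["Finance Analyst"],
     "entitlements": ["Group=Accounting", "Group=Users"],
     "accounts": ["ActiveDirectory:bjones"],
     "last_attested": date(2015, 6, 30)},
]
TODAY = date(2017, 1, 1)   # fixed so the example is deterministic

if __name__ == "__main__":
    for score, name in prioritise(SAMPLE, TODAY):
        print(f"{score:3d} {risk_bucket(score):6s} {name}")
    print("SIEM watchlist:", siem_watchlist(SAMPLE, TODAY))
```

With these weights Doug scores 42 (high: a privileged mainframe role plus a year without re-certification), Bob 20 (medium: modest access, but a leaver still holding it) and Alice 2 (low), so a certifier with time for one review looks at Doug first, and only Doug's accounts go to the SIEM watchlist. The point is not the particular numbers but that status (stale attestation, terminated) multiplies rather than adds, so the score grows fastest exactly for the populations the talk worries about.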

18 IAM TENET 6: Approach to Connectivity
Identity and access management (access request, password management, compliance controls, role management, identity analytics, data access governance) sits on a provisioning broker, which drives integration modules and a connector framework out to a mobile device management platform, a service management platform and third-party provisioning platforms. Moving on to number 6, my next best practice is the approach to connectivity. In order to be effective in identity management nowadays, we have to be connected to everything: mobile, on-prem, in the cloud. Work with the existing infrastructure (PIMs); extend to new capabilities (MDM); and integrate with service management, because you cannot automate everything.

19 IAM TENET 6: Approach to Connectivity (continued)
The provisioning broker adds tracking and monitoring, statistics and reporting, relationships and obligations, and fulfillment dependencies on top of the integration modules and connector framework. Examples: a complex access request, such as a role that requires an AD account; a connection to a third-party provisioning system; or cutting a ticket to support a manual provisioning action.

20 IAM TENET 6: Approach to Connectivity (continued)
The provisioning broker is the bridge between business functions (e.g., roles) and their implementation (connections to systems). The broker handles the last mile: it maintains the state of the request and waits for the ticket to be completed before marking the request complete.
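The three connectivity slides describe one mechanism: a role request expands into system-level items, some fulfilled by a connector and some by a ticket, with the broker holding state until every item is done. The following is an added toy broker that shows that behaviour end to end; it is illustration code, not SailPoint's provisioning broker. The role model, the choice of which system is reached by connector versus ticket, and the dependency rule that a grant on a system waits for an account on that system are all hypothetical and constructed for the example.

```python
# Added example (not SailPoint code): a toy provisioning broker that shows the
# "last mile" behaviour described on the slide. The role model, target
# systems and the rule that an entitlement grant depends on an account on
# that system are all hypothetical and constructed for this example.
from dataclasses import dataclass, field
from itertools import count

# Business role -> the system-level entitlements that implement it.
ROLE_MODEL = {
    "Finance Analyst": [("ActiveDirectory", "Group=Accounting"), ("SAP", "FI_DISPLAY")],
}
# How the broker reaches each target: drive a connector directly, or cut a
# ticket on the service-management platform for a manual step.
FULFILLMENT = {"ActiveDirectory": "connector", "SAP": "ticket"}


@dataclass
class Item:
    system: str
    action: str             # "create_account" or "grant"
    entitlement: str = ""
    state: str = "pending"  # pending -> done, or pending -> waiting_ticket -> done
    ticket: str = ""


@dataclass
class Request:
    identity: str
    role: str
    items: list = field(default_factory=list)

    @property
    def state(self):
        return "complete" if all(i.state == "done" for i in self.items) else "in_progress"


class ProvisioningBroker:
    def __init__(self):
        self.requests = {}
        self.accounts = set()     # (identity, system) pairs that exist
        self.grants = set()       # (identity, system, entitlement) fulfilled
        self.open_tickets = {}    # ticket id -> (request id, item)
        self._req_ids = count(1)
        self._ticket_ids = count(1)

    def request_role(self, identity, role):
        """Expand a business request into system items. An entitlement on a
        system needs an account there first, so a create_account item is
        queued ahead of the grant whenever the identity has none."""
        req = Request(identity, role)
        for system, entitlement in ROLE_MODEL[role]:
            needs_account = (identity, system) not in self.accounts
            queued = any(i.system == system and i.action == "create_account" for i in req.items)
            if needs_account and not queued:
                req.items.append(Item(system, "create_account"))
            req.items.append(Item(system, "grant", entitlement))
        rid = f"REQ-{next(self._req_ids)}"
        self.requests[rid] = req
        return rid

    def _blocked(self, req, item):
        """A grant waits until the create_account on the same system is done."""
        return item.action == "grant" and any(
            i.system == item.system and i.action == "create_account" and i.state != "done"
            for i in req.items)

    def run(self):
        """Drive every pending, unblocked item. Connector targets complete now;
        ticket targets get a ticket and the item waits on it, so the request
        stays in_progress with its state held by the broker."""
        for rid, req in self.requests.items():
            for item in req.items:
                if item.state != "pending" or self._blocked(req, item):
                    continue
                if FULFILLMENT[item.system] == "connector":
                    self._apply(req.identity, item)
                else:
                    item.ticket = f"INC-{next(self._ticket_ids)}"
                    item.state = "waiting_ticket"
                    self.open_tickets[item.ticket] = (rid, item)

    def _apply(self, identity, item):
        if item.action == "create_account":
            self.accounts.add((identity, item.system))
        else:
            self.grants.add((identity, item.system, item.entitlement))
        item.state = "done"

    def ticket_closed(self, ticket_id):
        """Callback from the service-management platform. An unknown ticket id
        raises KeyError rather than silently completing anything."""
        rid, item = self.open_tickets.pop(ticket_id)
        self._apply(self.requests[rid].identity, item)
        self.run()   # release items that were waiting on this one
        return self.requests[rid].state

    def state(self, rid):
        return self.requests[rid].state


if __name__ == "__main__":
    broker = ProvisioningBroker()
    rid = broker.request_role("Doug MacPherson", "Finance Analyst")
    broker.run()
    print(rid, broker.state(rid), "open tickets:", list(broker.open_tickets))
    while broker.open_tickets:               # simulate the help desk closing tickets
        ticket = next(iter(broker.open_tickets))
        print(ticket, "closed ->", broker.ticket_closed(ticket))
```

Running it, the AD account and group membership are done immediately through the connector, while the SAP side raises one ticket for the account, then a second for the entitlement once the first closes; the request only reads complete after both. Two details matter for a real broker: closing a ticket the broker never opened is an error, not a completion, and the dependency check is on recorded state, so a grant can never be attempted against an account that does not exist yet.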

21 IAM TENET 7: Consistency
Self-service, automation, controls and governance across structured and unstructured data and access; convenience, automation and controls across cloud/SaaS/mobile and enterprise/on-prem. We all live in a hybrid IT world. Our applications and data are on-prem, in the cloud, and sometimes between the two. I don't personally think this is a transitional, "point-in-time" statement; I'm not sure we'll ever be universally on one side or the other of this line. In fact, it's becoming increasingly irrelevant where code executes. Like I said earlier, just stop for a moment and ask yourself, "where are my apps, and where is my data?" Do you actually know? Or, more importantly, do your business users really care? And so in many ways it's now the core tenets of identity that are drawing the new perimeter around our people and our applications: providing user access convenience, provisioning and access automation, and delivering the control and governance that tie everything back together. Because the data we care about is no longer just in enterprise apps like SAP…

22 The 7 Tenets of Successful IAM: Recap
1. Comprehensive Approach
2. User Experience
3. Identity Context
4. Model-based Governance
5. Risk-based Controls
6. Approach to Connectivity
7. Consistency
Questions

23 IDENTITY IS EVERYTHING

24 Questions?

