The document provides an agenda for an Identity-Defined Security Alliance (IDSA) presentation. The agenda includes an introduction to IDSA, a demo of IDSA security controls, and time for questions. It also discusses market drivers like increasing data breaches and security complexity. Additional sections describe IDSA's goals of developing best practices, fostering vendor collaboration, and community validation of technologies. The document outlines several IDSA security controls and their capabilities. It concludes with a demo of adaptive access management and an adaptive access management architecture diagram.
4. MARKET DRIVER: SECURITY COMPLEXITY
• Enterprises are bulging with complex security technologies
• Identity has not been a foundational element of most security architectures
6. IDENTITY-DEFINED SECURITY ALLIANCE
We are an industry community helping to reduce enterprise risk through identity-defined security…
1. Develop best practices and practical guidance
2. Foster vendor collaboration
3. Community validation of technology integrations
8. HOW WE WORK / WHAT WE DO
[Diagram: Security Components and Security Capabilities combine into Identity-Defined Security Controls (Access Management, Identity Governance, PAM, EMM, …) and Certified Integrations]
1. Categorize Technology
2. Specify Controls
3. Certify Products That Fit
10. HYGIENE TIPS
Hygiene tip: Implement a directory group structure that fits the scope of your IAM program.
Description: Assign access and permissions via group memberships to support authentication and authorization events, allowing for a programmatic approach to managing access and entitlements.

Hygiene tip: Implement automated feeds of your employee and non-employee users into your identity store on a daily basis, if not more frequently, as needed.
Description: An automated feed of user changes allows you to react to changes in the user life cycle at a frequency that strengthens your security posture.

Hygiene tip: Ensure uniqueness of every human and non-human identity in your directory.
Description: This is the DNA of your IAM program for every service or function you will support (provisioning, certs, privileged access, physical access, etc.).

Hygiene tip: For provisioning of access, start with building workflows based on your most critical applications, such as SOX, PCI, HIPAA, money moving, etc.
Description: Perform an assessment and prioritize applications, allowing focus for implementation efforts related to the applications that will provide the most benefit.

Hygiene tip: A role model framework should be implemented to support assignment and revocation of access for users to receive core (birthright), enterprise and job-based entitlements and applications.
Description: This framework allows you to quickly assign and revoke access for users during the expected user lifecycle changes (Add, Change, Terminate).

Hygiene tip: Deprovisioning of access should be tied to HR events (term, transfer) and typically never require approval. Whenever you are thinking about provisioning, always think about deprovisioning with it.
Description: Separation events should be included in your user lifecycle management processes, as this ensures that unnecessary access no longer exists and minimizes the security risks associated with orphaned accounts and entitlements.

Hygiene tip: Basic transfer access should be reviewed by the old and new manager. Initially, provide a report of access to both and ask them to review what is no longer needed and agree on a time to remove
Description: Implementing a transitional rights model into the role framework will allow you to provide a smooth change of responsibilities and mitigate the impact of the organization transfer.
11. HYGIENE TIPS (CONT’D)
Hygiene tip: Authorization run-time capabilities should be used to control fine-grained access at the data level.
Description: ABAC (attribute-based access control) methodology can be employed at run-time and uses policies to authorize or deny access to various data levels. Coupled with coarse-grained roles, it is one of the most mature capabilities.

Hygiene tip: Business process review should be performed at the beginning of each phase for the in-scope applications.
Description: This ensures the effectiveness of the existing business processes and identifies areas of improvement and efficiencies.

Hygiene tip: Automated provisioning / de-provisioning should be implemented after all applicable business processes have been implemented, utilizing a simulated provisioning approach.
Description: Allows you to realize the full benefit of an IAM program through the automation of provisioning / de-provisioning, reducing the number of manual access requests managed through your Service Management application.

Hygiene tip: Establish governance and policy controls related to the scope and implementation of the IAM Program.
Description: Provides for a common understanding, scope and responsibility for the success of your IAM Program.

Hygiene tip: Maintain current application information related to version, priority, business impact, user community, and supported integration methods.
Description: This provides the ability to quickly understand your application stack and the priority under which applications should be included in an IAM program.

Hygiene tip: Establish an IAM Governance Committee, confirming that IAM policies are followed.
Description: Ensures that all IAM policies and controls are adhered to and provides a vehicle to determine overall impact prior to making any IAM program changes.

Hygiene tip: Make your IAM program an integral part of all application onboarding/major change discussions.
Description: Considering the IAM implications in these discussions allows for a comprehensive assessment and reduces the risk of delays or violation of security policies.
12. SECURITY CONTROLS
Security control: Risk-based authentication
Description: Authentication based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
Capabilities:
• Must have the ability to query F&R at application for risk posture
• Must have the ability to query CASB for risk posture
• Must have the ability to provide MFA based on response of user anomaly
• Must have the ability to return anomaly status
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Security control: Risk-based governance
Description: Access enforcement based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
Capabilities:
• Must have the ability to initiate attestation campaign
• Must have the ability to call out to F&R to update user status
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Security control: Compliance access enforcement
Description: Actions initiated by governance compliance reviews that indicate that action is needed pertaining to user access and entitlements.
Capabilities:
• Must have the ability to initiate IA workflow for disable/delete
• Must have the ability to accept disable workflow events and act upon them
• Must have the ability to send password reset notifications
• Must have the ability to perform self-service password functions

Security control: Securing private web-enabled applications
Description: Providing a seamless authentication experience and platform for users to access both public and private cloud web-enabled applications.
Capabilities:
• Must have the ability to provide cloud and on-prem applications in the SSO portal
• Must have the ability to provide authorization to application via portal regardless of location
• Must have the ability to relay/convert SAML protocol to supported application protocol (e.g. Kerberos)
13. SECURITY CONTROLS (CONT’D)
Security control: Risk-based privileged access management
Description: Step-up authentication based on risk posture.
Capabilities:
• Must have the ability to query F&R for risk posture
• Must have the ability to provide step-up auth for high risk postures
• Must have the ability to identify sensitive applications
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Security control: Multiple authentication session device management
Description: Detection of multiple authentication sessions from different mobile devices.
Capabilities:
• Must have the ability to determine the user has another session
• Must have the ability to provide MFA based on response of user anomaly
• Must have the ability to send data to F&R based on multiple sessions
• Must have the ability to provide managed device status
• Must have the ability to query EMM for device status

Security control: Risk-based EMM management
Description: EMM device management based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
Capabilities:
• Must have the ability to query CASB for anomaly
• Must have the ability to return anomaly status
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)
• Must have the ability to define / apply data classifications to identified file types

Security control: Data protection via data security policies
Description: Web application and data access is secured utilizing CASB or DAG enforcement policies.
Capabilities:
• Must have the ability to work with CASB and send authN for reverse proxy
• Must have the ability to work with access management to provide access to web-based applications
• Must have the ability to detect policy violations and terminate access
• Must have the ability to consume file and event data to determine policy violations
• Must have the ability to notify manager of policy violations
14. SECURITY CONTROLS (CONT’D)
Security control: Profile-based authentication
Description: Authentication based on identity profile attribute to determine a higher level of identity assurance.
Capabilities:
• Must have the ability to determine if MFA is required based on user profile data
• Must have the ability to provide user data

Security control: Profile-based data security
Description: Data access based on an identity profile attribute.
Capabilities:
• Must have the ability to get user profile data from identity administration
• Must have the ability to provide access to attribute data based on profile data and AuthN
• Must have the ability to provide user data

Security control: Data security through classification policies
Description: Controlling data encryption via security policy enforcement and / or risk posture.
Capabilities:
• Must have the ability to encrypt documents for administrative analysis
• Must have the ability to identify data classifications within a DLP product
• Must have the ability to get user profile data from identity administration
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Security control: Privileged access management governance
Description: Provide compliance overview of accounts designated as privileged.
Capabilities:
• Must have the ability to provide account status information to PAM app
• Must have the ability to initiate IA workflow for disable/delete
• Must have the ability to provide account information to identity governance app
16. ADAPTIVE ACCESS MANAGEMENT FOR ENTERPRISES
• Problem
  – Access Management systems also need to be able to respond to changing threats, while working more closely with other security layers, to prevent data loss.
17. ADAPTIVE ACCESS MANAGEMENT FOR ENTERPRISES
Security control: Risk-based authentication
Capabilities:
• Must have the ability to query F&R at application for risk posture
• Must have the ability to query CASB for risk posture
• Must have the ability to provide MFA based on response of user anomaly
• Must have the ability to return anomaly status
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Security control: Risk-based governance
Capabilities:
• Must have the ability to initiate attestation campaign
• Must have the ability to call out to F&R to update user status
• Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)

Security control: Data Protection via Data Security Policies
Capabilities:
• Must have the ability to work with CASB and send authN for reverse proxy
• Must have the ability to work with access management to provide access to web-based applications
• Must have the ability to detect policy violations and terminate access
• Must have the ability to consume file and event data to determine policy violations
• Must have the ability to notify manager of policy violations
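The risk-based authentication control listed above (slide 12, and again here for the demo) is specified only as a capability list. The following is an added worked example, not IDSA's or any vendor's code, of how an access manager can implement those capabilities: collect a posture from each risk engine, collapse it to the defined values (Low, Moderate, High, Extreme), return the anomaly status, and decide on MFA or step-up. The engine response shape, the score thresholds and the action policy are assumptions.

```python
"""Risk-based authentication decision assembled from the control's capability
list: query each risk engine (F&R, CASB, UEBA, SIEM), collapse the answers into
one defined value (Low, Moderate, High, Extreme), return the anomaly status,
and decide whether MFA or step-up authentication is required. Engine response
shape, score thresholds and the action policy are assumptions, not IDSA's."""
from dataclasses import dataclass
from typing import List, Tuple

# Defined risk values in ascending order of severity (from the control spec).
RISK_LEVELS = ("Low", "Moderate", "High", "Extreme")

# Assumed thresholds: an engine score of 0-100 maps to a defined value.
THRESHOLDS = ((70, "Extreme"), (50, "High"), (25, "Moderate"), (0, "Low"))


@dataclass
class EngineResponse:
    """Normalised answer from one risk engine (assumed shape)."""
    engine: str            # "F&R", "CASB", "UEBA" or "SIEM"
    score: int             # 0-100, higher is riskier
    anomaly: bool = False  # the engine flagged a user anomaly


def score_to_level(score: int) -> str:
    """Map a numeric engine score to the defined risk value."""
    for floor, level in THRESHOLDS:
        if score >= floor:
            return level
    return "Low"  # negative or malformed scores fall through to Low


def risk_status(responses: List[EngineResponse]) -> Tuple[str, bool]:
    """Combine engine answers: the most severe level wins and anomaly is true
    if any engine reported one. The control needs at least one engine."""
    if not responses:
        raise ValueError("risk-based authentication needs at least one risk engine")
    worst = max(RISK_LEVELS.index(score_to_level(r.score)) for r in responses)
    anomaly = any(r.anomaly for r in responses)
    return RISK_LEVELS[worst], anomaly


def authentication_decision(level: str, anomaly: bool, sensitive_app: bool) -> str:
    """Assumed action policy; returns 'allow', 'mfa', 'step_up' or 'deny'."""
    if level == "Extreme":
        return "deny"
    if level == "High" or (anomaly and sensitive_app):
        return "step_up"  # stronger factor for high risk or a sensitive application
    if level == "Moderate" or anomaly:
        return "mfa"      # MFA based on the user-anomaly response
    return "allow"


def evaluate(responses: List[EngineResponse], sensitive_app: bool = False) -> dict:
    """What the access manager returns to the requesting tool."""
    level, anomaly = risk_status(responses)
    return {"risk_status": level, "anomaly": anomaly,
            "action": authentication_decision(level, anomaly, sensitive_app)}


if __name__ == "__main__":
    # Constructed sample: F&R sees a routine login, CASB flags an anomaly.
    sample = [EngineResponse("F&R", 12), EngineResponse("CASB", 40, anomaly=True)]
    print(evaluate(sample))                      # action: mfa
    print(evaluate(sample, sensitive_app=True))  # action: step_up
```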
18. ADAPTIVE ACCESS MANAGEMENT FOR ENTERPRISES
Hygiene tips
• Implement a directory group structure that fits the scope of your IAM program
• For Certifications, when using entitlements only, consider direct manager capability such that a manager reviews all of his/her subordinates at once, for the period of the cert. Highly restricted apps, privileged access, etc. may require 90 day reviews, whereas all other access could be yearly.
• For provisioning of access, start with building workflows based on your most critical applications, such as SOX, PCI, HIPAA, money moving, etc.
• A role model framework should be implemented to support assignment and revocation of access for users to receive core (birthright), enterprise and job-based entitlements and applications.
• Deprovisioning of access should be tied to HR events (term, transfer)
• Authorization run-time capabilities should be used to control fine-grained access at the data level.
• Business process review should be performed at the beginning of each phase for the in-scope applications.
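Several of the hygiene tips (slides 10, 11 and 18 above) describe one procedure: an automated HR feed, unique identities, a role model framework with birthright and job-based entitlements, deprovisioning tied to HR events with no approval, and a transitional-rights review by the old and new manager on transfer. The following added example, not IDSA's code, wires those tips together; the HR record shape, the job codes and the entitlement bundles are constructed assumptions.

```python
"""Lifecycle handling driven by an automated HR feed, following the hygiene
tips above: unique worker ids, Add / Change / Terminate events derived from two
daily feed snapshots, a role framework granting birthright and job-based
entitlements, deprovisioning tied to the HR term with no approval step, and a
transitional-rights review by old and new manager on transfer. The feed record
shape and the role mappings are constructed assumptions."""
from typing import Dict, List, Set

# Assumed role framework: birthright entitlements for everyone plus
# job-based entitlements keyed by the HR job code.
BIRTHRIGHT: Set[str] = {"email", "vpn", "intranet"}
JOB_ROLES: Dict[str, Set[str]] = {
    "FIN-AP": {"erp-payables", "bank-portal"},   # money-moving, SOX scope
    "ENG-DEV": {"git", "ci"},
}


def diff_feed(previous: Dict[str, dict], current: Dict[str, dict]) -> List[dict]:
    """Compare two HR snapshots (keyed by unique worker id) and emit
    Add / Change / Terminate events."""
    events = []
    for wid, rec in current.items():
        old = previous.get(wid)
        if old is None:
            events.append({"type": "Add", "id": wid, "new": rec})
        elif rec["status"] == "terminated" and old["status"] != "terminated":
            events.append({"type": "Terminate", "id": wid})
        elif (rec["job_code"], rec["manager"]) != (old["job_code"], old["manager"]):
            events.append({"type": "Change", "id": wid, "old": old, "new": rec})
    for wid in previous:
        if wid not in current:  # dropped from HR entirely: treat as a term
            events.append({"type": "Terminate", "id": wid})
    return events


def entitlements_for(rec: dict) -> Set[str]:
    """Role framework lookup: birthright plus the job-based bundle."""
    return BIRTHRIGHT | JOB_ROLES.get(rec["job_code"], set())


def apply_event(event: dict, store: Dict[str, Set[str]]) -> List[str]:
    """Apply one event to the identity store (id -> granted entitlements)
    and return the provisioning actions taken."""
    wid = event["id"]
    if event["type"] == "Add":
        store[wid] = entitlements_for(event["new"])
        return [f"grant {wid}: {sorted(store[wid])}"]
    if event["type"] == "Terminate":
        # Deprovisioning is tied to the HR event and never waits for approval.
        return [f"disable {wid}", f"revoke {wid}: {sorted(store.pop(wid, set()))}"]
    # Change (transfer): grant the new job's rights now; rights the new job does
    # not need stay in a transitional set for both managers to review.
    existing = store.get(wid, set())
    wanted = entitlements_for(event["new"])
    transitional = sorted(existing - wanted)
    store[wid] = existing | wanted
    actions = [f"grant {wid}: {sorted(wanted - existing)}"]
    if transitional:
        actions.append(f"review {wid} transitional rights {transitional} with "
                       f"{event['old']['manager']} and {event['new']['manager']}")
    return actions


def run(previous: Dict[str, dict], current: Dict[str, dict],
        store: Dict[str, Set[str]]) -> List[str]:
    """Process one daily feed delta against the store and list the actions."""
    actions: List[str] = []
    for event in diff_feed(previous, current):
        actions.extend(apply_event(event, store))
    return actions
```

Running `run(yesterday, today, store)` on two constructed snapshots yields the grant, review, disable and revoke actions for that day; a transfer keeps the old job's rights only until both managers have reviewed them, whereas a termination revokes everything at once.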
20. ARCHITECTURE: INFRASTRUCTURE
[Diagram: On-Premise Managed Devices, AD with Connector, Netskope Cloud Tenant, SecureAuth (SecureAuth Risk Data), Sanctioned Cloud Apps, Non-Sanctioned Cloud Apps]
1. Netskope consumes AD group info for RBAC
2. SecureAuth consumes AD users and groups for AAA.
3. LogRhythm consumes Netskope log data for analytics
4. SecureAuth consumes and creates risk data
5. LogRhythm API call to update risk and user groups with SecureAuth
6. Managed devices have Netskope client installed for traffic steering
7. SecureAuth provides SSO for sanctioned cloud applications
21. ARCHITECTURE: USER TRAFFIC
[Diagram: On-Premise Managed Devices, AD with Connector, SecureAuth, Netskope Cloud Tenant, Sanctioned Cloud Apps, Non-Sanctioned Cloud Apps]
1. User logs into SecureAuth
2. SecureAuth authorizes access based on risk criteria
3. Netskope enforces role based access controls
4. Allowed Traffic is sent to sanctioned or unsanctioned apps
25. WHAT DRIVES US
• Traditional security investments are providing solutions to specific problems
• And yet, Identity has become the context for becoming more secure
• Enterprises are still struggling with IAM best practices and maturity is inconsistent
• Practitioners are hungry for independent guidance on leveraging existing investments to reduce risk of a breach
26. IDSA Resources
• IAM Good Hygiene Tips
• IDSA Security Controls
• Use Case Blueprints
• IDS Framework for Business Initiative
• Maturity Journey
• IDSA Validated Integrations
• Customer Success Stories
• Collaboration Forum for vendors, solution providers, practitioners
• More….

• New Revenue Sources for Technology Vendor and Solution Providers
• Confidence in Vendor Integrations through Peer Reviews and References
• Community Developed Best Practices and Implementation Approaches
From thought leadership to practical guidance
Editor's Notes
Everyone recognizes that enterprise identities are under attack
In 2016 81% of breaches were related to compromised credentials – lost, stolen or compromised
Further evidence that enterprise identities are under attack:
Breaches increased 45% from 2016 – 2017 and the majority are still tied back to credentials that have been compromised.
What’s going on in your organizations – are you concerned about a breach?
What are the key drivers for us –
Security spending is increasing - Worldwide spending on information security products and services will reach more than $114 billion in 2018, an increase of 12.4 percent from last year, according to the latest forecast from Gartner, Inc. In 2019, the market is forecast to grow 8.7 percent to $124 billion.
Organizations are feeling under attack, so they continue to spend, but is it effective?
In most organizations – in yours? – identity has been considered an operational control, a user experience requirement vs a security foundation.
Given the recent threat environment, Identity has finally transitioned from operational and user experience driven to being understood as core to security.
Who we are….
We are 18 vendors across IAM AND Cybersecurity. If not listed, encourage your vendor partners to engage.
While we have 4 customers who are members of the customer advisory board.
These vendors and CAB members are essentially kick starting the IDSA, but ultimately we want to become end user driven – our success is measured by the number of organizations who have been successful implementing an identity centric approach to security.
How we are doing it…
Develop best practices and practical guidance – community developed, but practitioner approved. Will talk about the specific deliverables we are creating and get your feedback.
Foster vendor collaboration - vendors come together organically, but also a place for customers to go to advocate for collaboration amongst the vendors and provide some guidelines for how vendors integrate – what are best practices for the vendors, that give enterprises a sense of security/confidence.
Community validation of technology integrations – working toward providing an online community that can share vendor integration experiences, best practices, scoring, on-line Q&A.
Practice, discuss and evolve as a community – work together to continue to share best practices/expertise, provide case studies – see the adobe ZEN story (webcast) on our website.
Work for the community, on behalf of the community – at the end let’s talk about what else we can do?
This intersection of identity and security is why we exist. We believe that organizations can reduce their risk by l
We believe that leveraging identity context throughout a security infrastructure makes you more secure.
It’s not a new concept – identity organizations have been talking about the role of IAM (and identity) in a security strategy for a few years. As a community, we’ve taken the next step and have collaborated with security companies to start driving that message at a higher level and as a community, as well as provide organizations with resources to be successful – with IAM as a foundation and extending it to security infrastructures.
Nirvana for an identity centric approach to security is to have every one of these components implemented
More specifics in what we are creating…
Back to the graphic –
We’ve categorized technology across identity and security into discrete components – and defined the minimum capabilities we think an organization should have.
We’ve defined security controls – which are the intersection of components and capabilities to address a specific requirement, for example, risk-based authentication. Which we will see in action during the demo.
Mapped integrations to those security controls and capabilities. What vendors (most likely vendors you have) support integrations for that particular control. If you have that requirement and your vendors don’t integrate, come to the IDSA and we can help bring them together.
Over time, we will certify those integrations and provide a place to share best practices and recommendations, as described before. This gives you confidence in the integration and a place to ask questions of other practitioners.
All of these are elements that contribute to the framework.
The IDSA framework provides the building blocks needed to implement an identity-centric approach to security.
It starts with hygiene tips – these are foundational best practices, capabilities and security controls that the IDSA recommends and that will provide a solid foundation to build upon.
Identity Defined security controls – we talked about before are the intersection of components to address a specific requirement, for example, risk-based authentication (Denver). Privileged access governance (Charlotte). Which we will see in action during the demo.
Use cases are an interim building block of security controls – combine security controls to achieve a specific goal – 16 of them are defined on our website today.
Reference architectures – combine all of these things – and provide guidance on implementing an identity centric approach to security for a specific business initiative.
We’ll start with Office365, but what are others that should be included?
Now let’s look at examples of hygiene tips and security controls, specific to the demo we will see. We’ll come back and brainstorm, too.
Stephen set stage, intro others.
IDSA Security Controls
Risk-based authentication
Risk-based governance
Data Protection via Data Security Policies
Join us in our mission. We are vendors today, but we want to make sure that we incorporate the voice of the customer and help build tools, resources and best practices that help you stay secure and reduce risk in your organizations.
Get validation that all of these assumptions are true – if not, then why would we exist? Engage the audience, ideally practitioners, but vendors, as well…
Identity is core to security: Yes? No, why not?
There is overwhelming evidence of identity’s role in security – identity is the leading cause of breaches, vendors are introducing “identity aware” solutions, but what is happening in the customer community?
Majority of organizations are not leading with this premise: We don’t believe that organizations are there – does anyone in the audience have evidence to the contrary?
Organizations are across the spectrum of maturity for implementing this approach: We believe that even still, organizations are all across the board in terms of implementing an IAM strategy – tactical/project based, implemented solutions but not tied in to all aspects of people, process and technology, and few are at a mature level (see last bullet)
Organizations are hungry for guidance on how to approach implementing an identity centric approach to security: We believe that there is a gap in guidance – vendors, peers, analysts – no one is looking at it holistically. We want to be the 4th pillar in your places to go for help.
Those on the far end of the spectrum (20%) can help educate those that are just getting started (80%): If we make a group of organizations successful, we can then use those organizations as advocates and educators for the rest of the customer community.
IDSA Maturity Journey (working title) that provides best practices for good IAM hygiene and the processes and security controls that support them.
Security and identity leaders and implementers – IDSA Security Controls are identity centric security patterns which combine identity and security capabilities that help organizations improve their security posture by leveraging an identity context.
Implementers – implementation best practices that provide blueprints for combining Security Controls to meet the common security challenges organizations are facing. (revamp of use cases)