AGENDA
• Introduction to the IDSA
• Identity-defined security components, capabilities, controls and reference architectures
• Demo of IDSA Security Controls
• Questions and discussion encouraged throughout!
MARKET DRIVER: BREACH GROWTH
1,579 US breaches in 2017
[Chart: breaches by sector: Medical/Healthcare, Business, Government/Military, Education, Bank/Credit/Financial]
MARKET DRIVER: SECURITY COMPLEXITY
• Enterprises are bulging with complex security technologies
• Identity has not been a foundational element of most security architectures
MEMBERSHIP
[Logo slide: Customer Advisory Board and Executive Board Member organizations]
IDENTITY-DEFINED SECURITY ALLIANCE
We are an industry community helping to reduce enterprise risk through identity-defined security…
1. Develop best practices and practical guidance
2. Foster vendor collaboration
3. Community validation of technology integrations
IMPROVING SECURITY THROUGH IDENTITY
[Diagram: Identity at the centre, connected to the security components it can inform: PAM, Service Management, DLP, Data Access Governance, GRC, Access Management, Network Security, Identity Administration, UEBA, CASB, EMM, SIEM, Fraud + Risk, Identity Governance]
HOW WE WORK / WHAT WE DO
[Diagram: Security Components (Access Management, Identity Governance, PAM, EMM, …) → Security Capabilities → Identity-Defined Security Controls → Certified Integrations]
1. Categorize technology
2. Specify controls
3. Certify products that fit
IDENTITY-DEFINED SECURITY FRAMEWORK
[Diagram: Identity Hygiene Tips → Identity-Defined Security Controls → Identity-Defined Security Use Cases → Reference Architectures. Use cases shown: Adopting Zero Trust Security Posture, Securing Office365, Others?]
HYGIENE TIPS
Hygiene tip: Implement a directory group structure that fits the scope of your IAM program.
Description: Assign access and permissions via group memberships to support authentication and authorization events, allowing for a programmatic approach to managing access and entitlements.

Hygiene tip: Implement automated feeds of your employee and non-employee users into your identity store on a daily basis, if not more frequently, as needed.
Description: An automated feed of user changes allows you to react to changes in the user life cycle at a frequency that strengthens your security posture.

Hygiene tip: Ensure uniqueness of every human and non-human identity in your directory.
Description: This is the DNA of your IAM program for every service or function you will support (provisioning, certifications, privileged access, physical access, etc.).

Hygiene tip: For provisioning of access, start with building workflows based on your most critical applications, such as SOX, PCI, HIPAA, money-moving, etc.
Description: Perform an assessment and prioritize applications, allowing focus for implementation efforts related to the applications that will provide the most benefit.

Hygiene tip: A role model framework should be implemented to support assignment and revocation of access for users to receive core (birthright), enterprise and job-based entitlements and applications.
Description: This framework allows you to quickly assign and revoke access for users during the expected user lifecycle changes (Add, Change, Terminate).

Hygiene tip: Deprovisioning of access should be tied to HR events (term, transfer) and typically never require approval. Whenever you are thinking about provisioning, always think about deprovisioning with it.
Description: Separation events should be included in your user lifecycle management processes, as this ensures that unnecessary access no longer exists and minimizes the security risks associated with orphaned accounts and entitlements.

Hygiene tip: Basic transfer access should be reviewed by the old and new manager. Initially, provide a report of access to both and ask them to review what is no longer needed and agree on a time to remove
Description: Implementing a transitional rights model into the role framework will allow you to provide a smooth change of responsibilities and mitigate the impact of the organization transfer.
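A worked example of the role model, HR-driven deprovisioning, uniqueness and transfer-review tips above, added here and not part of the IDSA material: a small joiner/mover/leaver reconciler in Python. Group names, job codes, worker records and the "transitional" group list are constructed assumptions; a real deployment would read the HR feed and the directory through connectors. The reconcile step only reports what would change, so it doubles as a simulated provisioning pass before the actions are applied.

```python
"""Joiner/mover/leaver reconciliation from an HR feed and a role model.

Added example for this page, not IDSA code.  Group names, job codes and the
worker records below are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass

# Role model: which directory groups a worker gets, and why.
BIRTHRIGHT = {"g-all-staff", "g-email"}                                   # core: every active worker
ENTERPRISE = {"employee": {"g-intranet", "g-hr-selfservice"}, "contractor": {"g-intranet"}}
JOB_BASED = {"AP-CLERK": {"g-erp-ap"}, "AP-MANAGER": {"g-erp-ap", "g-erp-ap-approve"},
             "SRE": {"g-prod-ssh", "g-pagerduty"}}
TRANSITIONAL = {"g-erp-ap", "g-erp-ap-approve"}   # a mover keeps these until both managers agree


@dataclass(frozen=True)
class Worker:
    worker_id: str      # HR's immutable identifier: the uniqueness key for the identity
    worker_type: str    # employee | contractor
    job_code: str
    status: str         # active | terminated
    manager_id: str


@dataclass(frozen=True)
class Action:
    kind: str           # add | remove | review | disable
    worker_id: str
    group: str = ""
    reason: str = ""


def entitled_groups(w: Worker) -> set[str]:
    """Groups the role model says this worker should hold right now."""
    if w.status != "active":
        return set()
    return BIRTHRIGHT | ENTERPRISE.get(w.worker_type, set()) | JOB_BASED.get(w.job_code, set())


def reconcile(feed: list[Worker], previous: dict[str, Worker],
              groups: dict[str, set[str]]) -> list[Action]:
    """Diff today's HR feed against the directory and return the actions to take.
    Nothing is changed here (the simulated pass); apply_actions() makes the changes."""
    ids = [w.worker_id for w in feed]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate worker_id in HR feed; refusing to provision")
    actions: list[Action] = []
    for w in feed:
        have, want, prev = groups.get(w.worker_id, set()), entitled_groups(w), previous.get(w.worker_id)
        if w.status == "terminated":            # leaver: disable and strip everything, no approval
            actions.append(Action("disable", w.worker_id, reason="HR termination"))
            actions += [Action("remove", w.worker_id, g, "HR termination") for g in sorted(have)]
            continue
        moved = prev is not None and prev.job_code != w.job_code
        actions += [Action("add", w.worker_id, g, "role model") for g in sorted(want - have)]
        for g in sorted(have - want):
            if moved and g in TRANSITIONAL:     # mover: old and new manager review before removal
                actions.append(Action("review", w.worker_id, g,
                                      f"transfer: {prev.manager_id} and {w.manager_id} to confirm"))
            else:
                actions.append(Action("remove", w.worker_id, g, "not in role model"))
    for wid in sorted(set(groups) - set(ids)):  # in the directory but unknown to HR: orphan
        actions.append(Action("disable", wid, reason="orphaned: absent from HR feed"))
    return actions


def apply_actions(actions: list[Action], groups: dict[str, set[str]]) -> dict[str, set[str]]:
    """Apply add/remove/disable to a copy of the memberships; 'review' waits for the managers."""
    out = {wid: set(g) for wid, g in groups.items()}
    for a in actions:
        if a.kind == "add":
            out.setdefault(a.worker_id, set()).add(a.group)
        elif a.kind == "remove":
            out.get(a.worker_id, set()).discard(a.group)
        elif a.kind == "disable":
            out[a.worker_id] = set()
    return out


# Constructed sample state: yesterday's workers, today's directory, today's HR feed.
SAMPLE_PREVIOUS = {"1001": Worker("1001", "employee", "AP-CLERK", "active", "2001"),
                   "1002": Worker("1002", "contractor", "SRE", "active", "2002")}
SAMPLE_GROUPS = {"1001": {"g-all-staff", "g-email", "g-intranet", "g-hr-selfservice", "g-erp-ap"},
                 "1002": {"g-all-staff", "g-email", "g-intranet", "g-prod-ssh", "g-pagerduty"},
                 "1004": {"g-all-staff", "g-email"}}                          # no HR record: orphan
SAMPLE_FEED = [Worker("1001", "employee", "SRE", "active", "2003"),           # mover: AP-CLERK -> SRE
               Worker("1002", "contractor", "SRE", "terminated", "2002"),     # leaver
               Worker("1005", "employee", "AP-MANAGER", "active", "2001")]    # joiner


def demo() -> tuple[list[Action], dict[str, set[str]]]:
    """Simulated pass over the sample data, then the applied result."""
    actions = reconcile(SAMPLE_FEED, SAMPLE_PREVIOUS, SAMPLE_GROUPS)
    return actions, apply_actions(actions, SAMPLE_GROUPS)
```

Running demo() on the sample data yields adds for the joiner and for the mover's new job, a review item for the mover's old AP group (the old and new manager must agree before it goes), an unconditional disable plus group removals for the terminated contractor, and a disable for the account that exists in the directory but not in HR. A duplicate worker_id in the feed aborts the run instead of risking provisioning against the wrong identity.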
HYGIENE TIPS (CONT’D)
Hygiene tip: Authorization run-time capabilities should be used to control fine-grained access at the data level.
Description: ABAC (attribute-based access control) can be employed at run-time and uses policies to authorize or deny access at various data levels. Coupled with coarse-grained roles, it is one of the most mature capabilities.

Hygiene tip: Business process review should be performed at the beginning of each phase for the in-scope applications.
Description: This ensures the effectiveness of the existing business processes and identifies areas of improvement and efficiency.

Hygiene tip: Automated provisioning / de-provisioning should be implemented after all applicable business processes have been implemented, utilizing a simulated provisioning approach.
Description: This allows you to realize the full benefit of an IAM program through the automation of provisioning / de-provisioning, reducing the number of manual access requests managed through your Service Management application.

Hygiene tip: Establish governance and policy controls related to the scope and implementation of the IAM program.
Description: Provides a common understanding of the scope of, and responsibility for the success of, your IAM program.

Hygiene tip: Maintain current application information related to version, priority, business impact, user community, and supported integration methods.
Description: This provides the ability to quickly understand your application stack and the priority under which applications should be included in an IAM program.

Hygiene tip: Establish an IAM Governance Committee, confirming that IAM policies are followed.
Description: Ensures that all IAM policies and controls are adhered to and provides a vehicle to determine overall impact prior to making any IAM program changes.

Hygiene tip: Make your IAM program an integral part of all application onboarding / major change discussions.
Description: Considering the IAM implications in these discussions allows for a comprehensive assessment and reduces the risk of delays or violations of security policies.
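As an added illustration of the run-time authorization tip (not IDSA code), the evaluator below layers ABAC policies over a coarse-grained role gate: a directory group decides whether the user may open the application at all, and attribute policies decide per record and per action. The application name, groups, attributes and the five policies are constructed assumptions; deny overrides permit, and a request that matches no policy is denied.

```python
"""Run-time ABAC layered on coarse-grained roles.

Added example for this page, not IDSA code.  The application, groups,
attributes and policies are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

# Coarse-grained gate: which directory groups open each application at all.
APP_ROLES = {"ledger": {"g-erp-ap", "g-erp-ap-approve"}}


@dataclass(frozen=True)
class Request:
    subject: dict       # identity profile attributes (department, region, clearance, groups)
    resource: dict      # data attributes (owner_dept, region, classification)
    action: str         # read | export
    env: dict           # run-time context (managed_device)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    matched: tuple[str, ...]   # policies that fired, for the audit log


# Fine-grained policies: (name, effect, condition).  Deny overrides permit; no match is deny.
POLICIES: list[tuple[str, str, Callable[[Request], bool]]] = [
    ("deny_export_from_unmanaged_device", "deny",
     lambda r: r.action == "export" and not r.env.get("managed_device", False)),
    ("deny_restricted_without_clearance", "deny",
     lambda r: r.resource["classification"] == "restricted" and r.subject.get("clearance", 0) < 2),
    ("deny_cross_region_unless_global", "deny",
     lambda r: r.resource["region"] != r.subject["region"] and "global" not in r.subject.get("scopes", ())),
    ("permit_own_department_records", "permit",
     lambda r: r.resource["owner_dept"] == r.subject["department"]),
    ("permit_approvers_all_departments", "permit",
     lambda r: "g-erp-ap-approve" in r.subject["groups"] and r.action == "read"),
]


def authorize(app: str, req: Request) -> Decision:
    """RBAC first (may the user use the app at all), then ABAC (may they touch this record now)."""
    if not APP_ROLES.get(app, set()) & set(req.subject["groups"]):
        return Decision(False, ("role_gate",))
    fired = [name for name, _, cond in POLICIES if cond(req)]
    effects = {name: eff for name, eff, _ in POLICIES}
    if any(effects[n] == "deny" for n in fired):
        return Decision(False, tuple(n for n in fired if effects[n] == "deny"))
    if any(effects[n] == "permit" for n in fired):
        return Decision(True, tuple(fired))
    return Decision(False, ("default_deny",))


# Constructed sample subjects and records.
CLERK = {"department": "AP", "region": "EU", "clearance": 1, "groups": ["g-erp-ap"]}
APPROVER = {"department": "Finance", "region": "EU", "clearance": 2,
            "groups": ["g-erp-ap", "g-erp-ap-approve"], "scopes": ["global"]}
SRE = {"department": "Ops", "region": "EU", "clearance": 1, "groups": ["g-prod-ssh"]}
AP_INVOICE = {"owner_dept": "AP", "region": "EU", "classification": "internal"}
AP_PAYROLL = {"owner_dept": "AP", "region": "US", "classification": "restricted"}


if __name__ == "__main__":
    for who, rec, act, dev in [(CLERK, AP_INVOICE, "read", True), (CLERK, AP_INVOICE, "export", False),
                               (CLERK, AP_PAYROLL, "read", True), (APPROVER, AP_PAYROLL, "read", True),
                               (SRE, AP_INVOICE, "read", True)]:
        d = authorize("ledger", Request(who, rec, act, {"managed_device": dev}))
        print(who["department"], rec["classification"], act, "->", d)
```

The matched tuple is what you log: an auditor can see which policy produced each decision. Keep the role gate in front of the policies; it is cheap, and it means a policy mistake cannot grant record-level access to a user who was never entitled to the application.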
SECURITY CONTROLS
Security control: Risk-based authentication
Description: Authentication based on risk posture derived from at least one risk engine (CASB, F&R [Fraud + Risk], UEBA, SIEM).
Capabilities:
• Must have the ability to query F&R at the application for risk posture
• Must have the ability to query CASB for risk posture
• Must have the ability to provide MFA based on the response of a user anomaly
• Must have the ability to return anomaly status
• Must have the ability to send risk status to the requesting tool as a defined value (Low, Moderate, High, Extreme)

Security control: Risk-based governance
Description: Access enforcement based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
Capabilities:
• Must have the ability to initiate an attestation campaign
• Must have the ability to call out to F&R to update user status
• Must have the ability to send risk status to the requesting tool as a defined value (Low, Moderate, High, Extreme)

Security control: Compliance access enforcement
Description: Actions initiated by governance compliance reviews that indicate that action is needed pertaining to user access and entitlements.
Capabilities:
• Must have the ability to initiate an IA (Identity Administration) workflow for disable/delete
• Must have the ability to accept disable workflow events and act upon them
• Must have the ability to send password reset notifications
• Must have the ability to perform self-service password functions

Security control: Securing private web-enabled applications
Description: Providing a seamless authentication experience and platform for users to access both public and private cloud web-enabled applications.
Capabilities:
• Must have the ability to provide cloud and on-prem applications in the SSO portal
• Must have the ability to provide authorization to applications via the portal regardless of location
• Must have the ability to relay/convert the SAML protocol to the application's supported protocol (e.g. Kerberos)
SECURITY CONTROLS (CONT’D)
Security control: Risk-based privileged access management
Description: Step-up authentication based on risk posture.
Capabilities:
• Must have the ability to query F&R for risk posture
• Must have the ability to provide step-up authentication for high-risk postures
• Must have the ability to identify sensitive applications
• Must have the ability to send risk status to the requesting tool as a defined value (Low, Moderate, High, Extreme)

Security control: Multiple authentication session device management
Description: Detection of multiple authentication sessions from different mobile devices.
Capabilities:
• Must have the ability to determine that the user has another session
• Must have the ability to provide MFA based on the response of a user anomaly
• Must have the ability to send data to F&R based on multiple sessions
• Must have the ability to provide managed device status
• Must have the ability to query EMM for device status

Security control: Risk-based EMM management
Description: EMM device management based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
Capabilities:
• Must have the ability to query CASB for anomaly
• Must have the ability to return anomaly status
• Must have the ability to send risk status to the requesting tool as a defined value (Low, Moderate, High, Extreme)
• Must have the ability to define / apply data classifications to identified file types

Security control: Data protection via data security policies
Description: Web application and data access is secured utilizing CASB or DAG (Data Access Governance) enforcement policies.
Capabilities:
• Must have the ability to work with CASB and send authN for reverse proxy
• Must have the ability to work with access management to provide access to web-based applications
• Must have the ability to detect policy violations and terminate access
• Must have the ability to consume file and event data to determine policy violations
• Must have the ability to notify the manager of policy violations
SECURITY CONTROLS (CONT’D)
Security control: Profile-based authentication
Description: Authentication based on an identity profile attribute to determine a higher level of identity assurance.
Capabilities:
• Must have the ability to determine if MFA is required based on user profile data
• Must have the ability to provide user data

Security control: Profile-based data security
Description: Data access based on an identity profile attribute.
Capabilities:
• Must have the ability to get user profile data from identity administration
• Must have the ability to provide access to attribute data based on profile data and AuthN
• Must have the ability to provide user data

Security control: Data security through classification policies
Description: Controlling data encryption via security policy enforcement and/or risk posture.
Capabilities:
• Must have the ability to encrypt documents for administrative analysis
• Must have the ability to identify data classifications within a DLP product
• Must have the ability to get user profile data from identity administration
• Must have the ability to send risk status to the requesting tool as a defined value (Low, Moderate, High, Extreme)

Security control: Privileged access management governance
Description: Provide a compliance overview of accounts designated as privileged.
Capabilities:
• Must have the ability to provide account status information to the PAM app
• Must have the ability to initiate an IA workflow for disable/delete
• Must have the ability to provide account information to the identity governance app
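To make the risk-based authentication, risk-based PAM and multiple-session controls concrete, here is an added decision function (not IDSA code) that turns engine scores into the defined values (Low, Moderate, High, Extreme) and picks an enforcement action. The 0-100 score scale, the band thresholds, the escalation rule when more than one engine is worried, and the sample signals are assumptions; the engine names follow the controls above.

```python
"""Risk-based authentication decision built from several risk engines.

Added example for this page, not IDSA code.  Engine names follow the page
(CASB, F&R, UEBA, SIEM); the score scale, band thresholds, escalation rule and
sample signals are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High", "Extreme")      # the defined values sent to the requesting tool
ACTIONS = ("allow", "mfa", "step-up", "deny")        # ordered weakest to strongest


def to_level(score: int) -> str:
    """Band a 0-100 engine score into a defined value (thresholds assumed)."""
    if score >= 90:
        return "Extreme"
    if score >= 70:
        return "High"
    if score >= 40:
        return "Moderate"
    return "Low"


def aggregate(signals: dict[str, int]) -> str:
    """Combine engines: the worst engine wins, and two or more engines at Moderate or
    above escalate the result one band.  No reachable engine fails closed to Moderate."""
    if not signals:
        return "Moderate"
    levels = [to_level(s) for s in signals.values()]
    worst = max(LEVELS.index(l) for l in levels)
    if sum(LEVELS.index(l) >= 1 for l in levels) >= 2:
        worst = min(worst + 1, len(LEVELS) - 1)
    return LEVELS[worst]


@dataclass(frozen=True)
class AuthContext:
    user: str
    app: str
    sensitive_app: bool     # identified as sensitive, e.g. a PAM console
    managed_device: bool    # EMM reports the device as enrolled and compliant
    other_sessions: int     # live sessions for this user from other devices


@dataclass(frozen=True)
class Outcome:
    level: str              # risk status returned to the requesting tool
    action: str             # allow | mfa | step-up | deny
    notify: tuple[str, ...] # engines told about anomalies
    reasons: tuple[str, ...]


def decide(ctx: AuthContext, signals: dict[str, int]) -> Outcome:
    """Pick the enforcement action for one authentication from risk band plus context."""
    level = aggregate(signals)
    action = {"Low": "allow", "Moderate": "mfa", "High": "step-up", "Extreme": "deny"}[level]
    reasons = [f"risk={level}"]
    notify: list[str] = []

    def at_least(a: str, why: str) -> None:
        nonlocal action                      # context can only strengthen the action, never weaken it
        if ACTIONS.index(a) > ACTIONS.index(action):
            action = a
        reasons.append(why)

    if ctx.other_sessions > 0:
        # Multiple authentication sessions from different devices: anomaly, MFA floor, tell F&R.
        at_least("mfa", f"{ctx.other_sessions} concurrent session(s) on other devices")
        notify.append("F&R")
    if ctx.sensitive_app and not ctx.managed_device:
        at_least("step-up", "sensitive app from unmanaged device")
    if ctx.sensitive_app and level in ("High", "Extreme"):
        at_least("step-up", "sensitive app at elevated risk")
    if level == "Extreme":
        notify += ["F&R", "SIEM"]
    return Outcome(level, action, tuple(dict.fromkeys(notify)), tuple(reasons))


# Constructed sample: engine scores as a risk-based authentication policy would query them.
SAMPLE_SIGNALS = {"CASB": 20, "F&R": 45, "UEBA": 50, "SIEM": 10}

if __name__ == "__main__":
    ctx = AuthContext("alice", "pam-console", sensitive_app=True, managed_device=True, other_sessions=1)
    print(decide(ctx, SAMPLE_SIGNALS))
```

Outcome.level is the defined value handed back to the requesting tool; Outcome.action is the local enforcement. Note the fail-closed choice when no engine answers: the user gets MFA rather than a silent allow, so an outage in the risk engines does not turn into a bypass.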
DEMO
ADAPTIVE ACCESS MANAGEMENT FOR ENTERPRISES
• Problem
– Access Management systems also need to be able to respond to changing threats, while working more closely with other security layers, to prevent data loss.

ADAPTIVE ACCESS MANAGEMENT FOR ENTERPRISES
Security controls in the demo:
Risk-based authentication
• Must have the ability to query F&R at the application for risk posture
• Must have the ability to query CASB for risk posture
• Must have the ability to provide MFA based on the response of a user anomaly
• Must have the ability to return anomaly status
• Must have the ability to send risk status to the requesting tool as a defined value (Low, Moderate, High, Extreme)
Risk-based governance
• Must have the ability to initiate an attestation campaign
• Must have the ability to call out to F&R to update user status
• Must have the ability to send risk status to the requesting tool as a defined value (Low, Moderate, High, Extreme)
Data protection via data security policies
• Must have the ability to work with CASB and send authN for reverse proxy
• Must have the ability to work with access management to provide access to web-based applications
• Must have the ability to detect policy violations and terminate access
• Must have the ability to consume file and event data to determine policy violations
• Must have the ability to notify the manager of policy violations

ADAPTIVE ACCESS MANAGEMENT FOR ENTERPRISES
Hygiene tips in the demo:
• Implement a directory group structure that fits the scope of your IAM program
• For certifications, when using entitlements only, consider a direct-manager capability such that a manager reviews all of his/her subordinates at once for the period of the certification. Highly restricted apps, privileged access, etc. may require 90-day reviews, whereas all other access could be yearly.
• For provisioning of access, start with building workflows based on your most critical applications, such as SOX, PCI, HIPAA, money-moving, etc.
• A role model framework should be implemented to support assignment and revocation of access for users to receive core (birthright), enterprise and job-based entitlements and applications.
• Deprovisioning of access should be tied to HR events (term, transfer)
• Authorization run-time capabilities should be used to control fine-grained access at the data level.
• Business process review should be performed at the beginning of each phase for the in-scope applications.
ARCHITECTURE: INFRASTRUCTURE
[Diagram: On-Premise (AD, Connector, Managed Devices), Netskope Cloud Tenant, SecureAuth, LogRhythm (SecureAuth risk data), Sanctioned Cloud Apps, Non-Sanctioned Cloud Apps]
1. Netskope consumes AD group info for RBAC
2. SecureAuth consumes AD users and groups for AAA
3. LogRhythm consumes Netskope log data for analytics
4. SecureAuth consumes and creates risk data
5. LogRhythm API call to update risk and user groups with SecureAuth
6. Managed devices have the Netskope client installed for traffic steering
7. SecureAuth provides SSO for sanctioned cloud applications
ARCHITECTURE: USER TRAFFIC
[Diagram: On-Premise (AD, Connector, Managed Devices), Netskope Cloud Tenant, SecureAuth, Sanctioned Cloud Apps, Non-Sanctioned Cloud Apps]
1. User logs into SecureAuth
2. SecureAuth authorizes access based on risk criteria
3. Netskope enforces role-based access controls
4. Allowed traffic is sent to sanctioned or unsanctioned apps
Questions?
GET INVOLVED!
Become a part of our community
https://forum.idsalliance.org/
APPENDIX
WHAT DRIVES US
• Traditional security investments are providing solutions to specific problems
• And yet, Identity has become the context for becoming more secure
• Enterprises are still struggling with IAM best practices and maturity is inconsistent
• Practitioners are hungry for independent guidance on leveraging existing investments to reduce the risk of a breach

IDSA Resources
• IAM Good Hygiene Tips
• IDSA Security Controls
• Use Case Blueprints
• IDS Framework for Business Initiative
• Maturity Journey
• IDSA Validated Integrations
• Customer Success Stories
• Collaboration Forum for vendors, solution providers, practitioners
• More….

• New Revenue Sources for Technology Vendors and Solution Providers
• Confidence in Vendor Integrations through Peer Reviews and References
• Community Developed Best Practices and Implementation Approaches
From thought leadership to practical guidance
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 

IDSA Agenda, Drivers & Security Controls

  • 2. AGENDA
    • Introduction to the IDSA
    • Identity-defined security components, capabilities, controls and reference architectures
    • Demo of IDSA Security Controls
    • Questions and discussion encouraged throughout!
  • 3. MARKET DRIVER: BREACH GROWTH
    1,579 US breaches in 2017
    Sectors shown: Medical/Healthcare, Business, Government/Military, Education, Bank/Credit/Financial
  • 4. MARKET DRIVER: SECURITY COMPLEXITY
    • Enterprises are bulging with complex security technologies
    • Identity has not been a foundational element of most security architectures
  • 6. IDENTITY-DEFINED SECURITY ALLIANCE
    We are an industry community helping to reduce enterprise risk through identity-defined security…
    1. Develop best practices and practical guidance
    2. Foster vendor collaboration
    3. Community validation of technology integrations
  • 8. HOW WE WORK / WHAT WE DO
    Security Components → Security Capabilities → Identity-Defined Security Controls → Certified Integrations
    Components shown: Access Management, Identity Governance, PAM, EMM, …
    1. Categorize Technology
    2. Specify Controls
    3. Certify Products That Fit
  • 9. IDENTITY-DEFINED SECURITY FRAMEWORK
    Building blocks: Identity Hygiene Tips, Identity-Defined Security Controls, Identity-Defined Security Use Cases, Reference Architectures
    Reference architectures: Adopting Zero Trust Security Posture, Securing Office365, Others?
  • 10. HYGIENE TIPS
    Hygiene Tip: Implement a directory group structure that fits the scope of your IAM program.
    Description: Assign access and permissions via group memberships to support authentication and authorization events, allowing for a programmatic approach to managing access and entitlements.
    Hygiene Tip: Implement automated feeds of your employee and non-employee users into your identity store on a daily basis, if not more frequently, as needed.
    Description: An automated feed of user changes allows you to react to changes in the user life cycle at a frequency that strengthens your security posture.
    Hygiene Tip: Ensure uniqueness of every human and non-human identity in your directory.
    Description: This is the DNA of your IAM program for every service or function you will support (provisioning, certs, privileged access, physical access, etc.).
    Hygiene Tip: For provisioning of access, start with building workflows based on your most critical applications, such as SOX, PCI, HIPAA, money moving, etc.
    Description: Perform an assessment and prioritize applications, allowing focus for implementation efforts related to the applications that will provide the most benefit.
    Hygiene Tip: A role model framework should be implemented to support assignment and revocation of access for users to receive core (birthright), enterprise and job-based entitlements and applications.
    Description: This framework allows you to quickly assign and revoke access for users during the expected user lifecycle changes (Add, Change, Terminate).
    Hygiene Tip: Deprovisioning of access should be tied to HR events (term, transfer) and typically never require approval.
    Description: Whenever you are thinking about provisioning, always think about deprovisioning with it. Separation events should be included in your user lifecycle management processes, as this ensures that unnecessary access no longer exists and minimizes the security risks associated with orphaned accounts and entitlements.
    Hygiene Tip: Basic transfer access should be reviewed by the old and new manager. Initially, provide a report of access to both and ask them to review what is no longer needed and agree on a time to remove it.
    Description: Implementing a transitional rights model into the role framework will allow you to provide a smooth change of responsibilities and mitigate the impact of the organization transfer.
  • 11. HYGIENE TIPS (CONT’D)
    Hygiene Tip: Authorization run-time capabilities should be used to control fine-grained access at the data level.
    Description: ABAC (attribute based access control) methodology can be employed at run-time and uses policies to authorize or deny access to various data levels. Coupled with coarse grained roles, it is one of the most mature capabilities.
    Hygiene Tip: Business process review should be performed at the beginning of each phase for the in-scope applications.
    Description: To ensure the effectiveness of the existing business processes and to identify areas of improvement and efficiencies.
    Hygiene Tip: Automated provisioning / de-provisioning should be implemented after all applicable business processes have been implemented, utilizing a simulated provisioning approach.
    Description: Allows you to realize the full benefit of an IAM program through the automation of provisioning / de-provisioning, reducing the number of manual access requests managed through your Service Management application.
    Hygiene Tip: Establish governance and policy controls related to the scope and implementation of the IAM Program.
    Description: Provides for a common understanding, scope and responsibility of the success of your IAM Program.
    Hygiene Tip: Maintain current application information related to version, priority, business impact, user community, and supported integration methods.
    Description: This provides the ability to quickly understand your application stack and the priority under which they should be included in an IAM program.
    Hygiene Tip: Establish an IAM Governance Committee, confirming that IAM policies are followed.
    Description: Ensures that all IAM policies and controls are adhered to and provides a vehicle to determine overall impact prior to making any IAM program changes.
    Hygiene Tip: Make your IAM program an integral part of all application onboarding/major change discussions.
    Description: Considering the IAM implications in these discussions allows for a comprehensive assessment and reduces the risk of delays or violation of security policies.
  • 12. SECURITY CONTROLS
    Security control: Risk-based authentication
    Description: Authentication based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
    Capabilities:
      • Must have the ability to query F&R at application for risk posture
      • Must have the ability to query CASB for risk posture
      • Must have the ability to provide MFA based on response of user anomaly
      • Must have the ability to return anomaly status
      • Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)
    Security control: Risk-based governance
    Description: Access enforcement based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
    Capabilities:
      • Must have the ability to initiate attestation campaign
      • Must have the ability to call out to F&R to update user status
      • Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)
    Security control: Compliance access enforcement
    Description: Actions initiated by governance compliance reviews that indicate that action is needed pertaining to user access and entitlements.
    Capabilities:
      • Must have the ability to initiate IA workflow for disable/delete
      • Must have the ability to accept disable workflow events and act upon them
      • Must have the ability to send password reset notifications
      • Must have the ability to perform self service password functions
    Security control: Securing private web-enabled applications
    Description: Providing a seamless authentication experience and platform for users to access both public and private cloud web-enabled applications.
    Capabilities:
      • Must have the ability to provide cloud and on-prem applications in the SSO portal
      • Must have the ability to provide authorization to application via portal regardless of location
      • Must have the ability to relay/convert SAML protocol to supported application protocol (e.g. Kerberos)
  • 13. SECURITY CONTROLS (CONT’D)
    Security control: Risk-based privileged access management
    Description: Step-up authentication based on risk posture.
    Capabilities:
      • Must have the ability to query F&R for risk posture
      • Must have the ability to provide step-up auth for high risk postures
      • Must have the ability to identify sensitive applications
      • Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)
    Security control: Multiple authentication session device management
    Description: Detection of multiple authentication sessions from different mobile devices.
    Capabilities:
      • Must have the ability to determine the user has another session
      • Must have the ability to provide MFA based on response of user anomaly
      • Must have the ability to send data to F&R based on multiple sessions
      • Must have the ability to provide managed device status
      • Must have the ability to query EMM for device status
    Security control: Risk-based EMM management
    Description: EMM device management based on risk posture derived from at least one risk engine (CASB, F&R, UEBA, SIEM).
    Capabilities:
      • Must have the ability to query CASB for anomaly
      • Must have the ability to return anomaly status
      • Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)
      • Must have the ability to define / apply data classifications to identified file types
    Security control: Data protection via data security policies
    Description: Web application and data access is secured utilizing CASB or DAG enforcement policies.
    Capabilities:
      • Must have the ability to work with CASB and send authN for reverse proxy
      • Must have the ability to work with access management to provide access to web based applications
      • Must have the ability to detect policy violations and terminate access
      • Must have the ability to consume file and event data to determine policy violations
      • Must have the ability to notify manager of policy violations
  • 14. SECURITY CONTROLS (CONT’D)
    Security control: Profile-based authentication
    Description: Authentication based on identity profile attribute to determine a higher level of identity assurance.
    Capabilities:
      • Must have the ability to determine if MFA is required based on user profile data
      • Must have the ability to provide user data
    Security control: Profile-based data security
    Description: Data access based on an identity profile attribute.
    Capabilities:
      • Must have the ability to get user profile data from identity administration
      • Must have the ability to provide access to attribute data based on profile data and AuthN
      • Must have the ability to provide user data
    Security control: Data security through classification policies
    Description: Controlling data encryption via security policy enforcement and / or risk posture.
    Capabilities:
      • Must have the ability to encrypt documents for administrative analysis
      • Must have the ability to identify data classifications within a DLP product
      • Must have the ability to get user profile data from identity administration
      • Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)
    Security control: Privileged access management governance
    Description: Provide compliance overview of accounts designated as privileged.
    Capabilities:
      • Must have the ability to provide account status information to PAM app
      • Must have the ability to initiate IA workflow for disable/delete
      • Must have the ability to provide account information to identity governance app
  • 15. DEMO
  • 16. ADAPTIVE ACCESS MANAGEMENT FOR ENTERPRISES • Problem – Access Management systems also need to be able to respond to changing threats, while working more closely with other security layers, to prevent data loss.
  • 17. ADAPTIVE ACCESS MANAGEMENT FOR ENTERPRISES
    Security Control: Risk-based authentication
    Capabilities:
      • Must have the ability to query F&R at application for risk posture
      • Must have the ability to query CASB for risk posture
      • Must have the ability to provide MFA based on response of user anomaly
      • Must have the ability to return anomaly status
      • Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)
    Security Control: Risk-based governance
    Capabilities:
      • Must have the ability to initiate attestation campaign
      • Must have the ability to call out to F&R to update user status
      • Must have the ability to send risk status to requesting tool as a defined value (Low, Moderate, High, Extreme)
    Security Control: Data Protection via Data Security Policies
    Capabilities:
      • Must have the ability to work with CASB and send authN for reverse proxy
      • Must have the ability to work with access management to provide access to web based applications
      • Must have the ability to detect policy violations and terminate access
      • Must have the ability to consume file and event data to determine policy violations
      • Must have the ability to notify manager of policy violations
  • 18. ADAPTIVE ACCESS MANAGEMENT FOR ENTERPRISES
    Hygiene tips:
      • Implement a directory group structure that fits the scope of your IAM program
      • For certifications, when using entitlements only, consider direct manager capability such that a manager reviews all of his/her subordinates at once, for the period of the cert. Highly restricted apps, privileged access, etc. may require 90 day reviews, whereas all other access could be yearly.
      • For provisioning of access, start with building workflows based on your most critical applications, such as SOX, PCI, HIPAA, money moving, etc.
      • A role model framework should be implemented to support assignment and revocation of access for users to receive core (birthright), enterprise and job-based entitlements and applications.
      • Deprovisioning of access should be tied to HR events (term, transfer)
      • Authorization run-time capabilities should be used to control fine-grained access at the data level.
      • Business process review should be performed at the beginning of each phase for the in-scope applications.
  • 20. ARCHITECTURE – INFRASTRUCTURE
    Diagram elements: On-Premise (AD Connector, Managed Devices), SecureAuth, Netskope Cloud Tenant, LogRhythm, Sanctioned Cloud Apps, Non-Sanctioned Cloud Apps, SecureAuth Risk Data
    1. Netskope consumes AD group info for RBAC
    2. SecureAuth consumes AD users and groups for AAA
    3. LogRhythm consumes Netskope log data for analytics
    4. SecureAuth consumes and creates risk data
    5. LogRhythm API call to update risk and user groups with SecureAuth
    6. Managed devices have Netskope client installed for traffic steering
    7. SecureAuth provides SSO for sanctioned cloud applications
  • 21. ARCHITECTURE – USER TRAFFIC
    Diagram elements: On-Premise (AD Connector, Managed Devices), SecureAuth, Netskope Cloud Tenant, Sanctioned Cloud Apps, Non-Sanctioned Cloud Apps
    1. User logs into SecureAuth
    2. SecureAuth authorizes access based on risk criteria
    3. Netskope enforces role based access controls
    4. Allowed traffic is sent to sanctioned or unsanctioned apps
  • 23. GET INVOLVED! Become a part of our community https://forum.idsalliance.org/
  • 25. WHAT DRIVES US
    • Traditional security investments are providing solutions to specific problems
    • And yet, identity has become the context for becoming more secure
    • Enterprises are still struggling with IAM best practices and maturity is inconsistent
    • Practitioners are hungry for independent guidance on leveraging existing investments to reduce risk of a breach
  • 26. IDSA Resources
    • IAM Good Hygiene Tips
    • IDSA Security Controls
    • Use Case Blueprints
    • IDS Framework for Business Initiative
    • Maturity Journey
    • IDSA Validated Integrations
    • Customer Success Stories
    • Collaboration Forum for vendors, solution providers, practitioners
    • More…
    New Revenue Sources for Technology Vendor and Solution Providers
    Confidence in Vendor Integrations through Peer Reviews and References
    Community Developed Best Practices and Implementation Approaches
    From thought leadership to practical guidance
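The risk-based authentication, risk-based privileged access management and risk-based governance controls above (slides 12, 13 and 17) are stated as capability requirements; the following added example, which is not IDSA code and not any vendor's API, shows how an access-management policy point could combine the postures returned by several risk engines into the defined values (Low, Moderate, High, Extreme), return an anomaly status, and choose MFA, step-up or denial. The engine normalisers, their input scales, the sample logins and the policy thresholds are all constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Set


class Risk(IntEnum):
    """The defined risk values the controls pass between tools."""
    LOW = 0
    MODERATE = 1
    HIGH = 2
    EXTREME = 3

    def label(self) -> str:
        # "Low", "Moderate", "High" or "Extreme", as a requesting tool expects
        return self.name.capitalize()


# Hypothetical normalisers: each engine reports on its own scale, so the
# access-management layer maps every response onto the shared Risk values.
def fr_posture(fraud_score: float) -> Risk:
    """Fraud & Risk engine (assumed 0.0 to 1.0 score)."""
    if fraud_score >= 0.9:
        return Risk.EXTREME
    if fraud_score >= 0.7:
        return Risk.HIGH
    if fraud_score >= 0.4:
        return Risk.MODERATE
    return Risk.LOW


def casb_posture(alerts: List[str]) -> Risk:
    """CASB (assumed list of alert names on the user's cloud sessions)."""
    severe = {"impossible_travel", "compromised_account"}
    if any(alert in severe for alert in alerts):
        return Risk.HIGH
    return Risk.MODERATE if alerts else Risk.LOW


def ueba_posture(deviation: float) -> Risk:
    """UEBA (assumed behaviour deviation in standard deviations)."""
    if deviation >= 4.0:
        return Risk.HIGH
    if deviation >= 2.0:
        return Risk.MODERATE
    return Risk.LOW


@dataclass
class Decision:
    risk: Risk
    anomaly: bool
    action: str                       # "allow", "mfa", "step_up" or "deny"
    governance: List[str] = field(default_factory=list)

    def status_for_tool(self) -> str:
        """Risk status sent to the requesting tool as a defined value."""
        return self.risk.label()


def evaluate(postures: Dict[str, Risk], app: str, sensitive_apps: Set[str]) -> Decision:
    """Combine engine postures and pick the authentication action.

    Assumed policy: the highest posture wins; anything above Low is an
    anomaly and forces MFA; High on a sensitive application forces step-up
    authentication; Extreme is denied. High or worse also triggers the
    governance actions (attestation campaign, F&R user status update).
    """
    risk = max(postures.values(), default=Risk.LOW)
    anomaly = risk > Risk.LOW
    if risk == Risk.EXTREME:
        action = "deny"
    elif risk == Risk.HIGH and app in sensitive_apps:
        action = "step_up"
    elif anomaly:
        action = "mfa"
    else:
        action = "allow"
    governance: List[str] = []
    if risk >= Risk.HIGH:
        governance.append("initiate_attestation_campaign")
        governance.append("fr_update_user_status:" + risk.label())
    return Decision(risk, anomaly, action, governance)


def evaluate_login(fraud_score: float, casb_alerts: List[str], ueba_deviation: float,
                   app: str, sensitive_apps: Set[str]) -> Decision:
    """Query each engine (here: the stub normalisers) and decide."""
    postures = {
        "F&R": fr_posture(fraud_score),
        "CASB": casb_posture(casb_alerts),
        "UEBA": ueba_posture(ueba_deviation),
    }
    return evaluate(postures, app, sensitive_apps)


if __name__ == "__main__":
    sensitive = {"payroll", "pam-console"}        # constructed sensitive apps
    for args in ((0.1, [], 0.5, "wiki"),          # clean login
                 (0.2, ["impossible_travel"], 1.0, "payroll"),
                 (0.95, [], 0.0, "wiki")):
        d = evaluate_login(*args, sensitive)
        print(args[3], d.action, d.status_for_tool(), d.anomaly, d.governance)
```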

Editor's Notes

  1. Everyone recognizes that enterprise identities are under attack. In 2016, 81% of breaches were related to compromised credentials – lost, stolen or compromised. Further evidence that enterprise identities are under attack: breaches increased 45% from 2016 – 2107, and the majority are still tied back to credentials that have been compromised. What’s going on in your organizations – are you concerned about a breach?
  2. What are the key drivers for us – Security spending is increasing. Worldwide spending on information security products and services will reach more than $114 billion in 2018, an increase of 12.4 percent from last year, according to the latest forecast from Gartner, Inc. In 2019, the market is forecast to grow 8.7 percent to $124 billion. Organizations are feeling under attack, so they continue to spend, but is it effective? In most organizations – in yours? – identity has been considered an operational control, a user experience requirement vs a security foundation. Given the recent threat environment, identity has finally transitioned from operational and user experience driven to being understood as core to security.
  3. Who we are…. We are 18 vendors across IAM AND cybersecurity. If not listed, encourage your vendor partners to engage. We also have 4 customers who are members of the customer advisory board. These vendors and CAB members are essentially kick starting the IDSA, but ultimately we want to become end user driven – our success is measured by the number of organizations who have been successful implementing an identity centric approach to security.
  4. How we are doing it… Develop best practices and practical guidance – community developed, but practitioner approved. Will talk about the specific deliverables we are creating and get your feedback. Foster vendor collaboration - vendors come together organically, but also a place for customers to go to advocate for collaboration amongst the vendors and provide some guidelines for how vendors integrate – what are best practices for the vendors, that give enterprises a sense of security/confidence. Community validation of technology integrations – working toward providing an online community that can share vendor integration experiences, best practices, scoring, on-line Q&A. Practice, discuss and evolve as a community – work together to continue to share best practices/expertise, provide case studies – see the adobe ZEN story (webcast) on our website. Work for the community, on behalf of the community – at the end let’s talk about what else we can do?
  5. This intersection of identity and security is why we exist. We believe that organizations can reduce their risk by l We believe that leveraging identity context throughout a security infrastructure makes you more secure. It’s not a new concept – identity organizations have been talking about the role of IAM (and identity) in a security strategy for a few years. As a community, we’ve taken the next step and have collaborated with security companies to start driving that message at a higher level and as a community, as well as provide organizations with resources to be successful – with IAM as a foundation and extending it to security infrastructures. Nirvana for an identity centric approach to security is to have every one of these components implemented.
  6. More specifics in what we are creating… Back to the graphic – We’ve categorized technology across identity and security into discrete components – and defined the minimum capabilities we think an organization should have. We’ve defined security controls – which are the intersection of components and capabilities to address a specific requirement, for example, risk-based authentication, which we will see in action during the demo. Mapped integrations to those security controls and capabilities: what vendors (most likely vendors you have) support integrations for that particular control. If you have that requirement and your vendors don’t integrate, come to the IDSA and we can help bring them together. Over time, we will certify those integrations and provide a place to share best practices and recommendations, as described before. This gives you confidence in the integration and a place to ask questions of other practitioners. All of these are elements that contribute to the framework.
  7. The IDSA framework provides the building blocks needed to implement an identity-centric approach to security. It starts with hygiene tips – these are foundational best practices, capabilities and security controls that the IDSA recommends and that will provide a solid foundation to build upon. Identity Defined security controls – which we talked about before – are the intersection of components to address a specific requirement, for example, risk-based authentication (Denver) or privileged access governance (Charlotte), which we will see in action during the demo. Use cases are an interim building block of security controls – combine security controls to achieve a specific goal – 16 of them are defined on our website today. Reference architectures combine all of these things and provide guidance on implementing an identity centric approach to security for a specific business initiative. We’ll start with Office365, but what are others that should be included? Now let’s look at examples of hygiene tips and security controls, specific to the demo we will see. We’ll come back and brainstorm, too.
  8. Stephen set stage, intro others. IDSA Security Controls Risk-based authentication Risk-based governance Data Protection via Data Security Policies
  9. Join us in our mission. We are vendors today, but we want to make sure that we incorporate the voice of the customer and help building tools, resources and best practices that help you stay secure and reduce risk in your organizations.
  11. Get validation that all of these assumptions are true – if not, then why would we exist? Engage the audience, ideally practitioners, but vendors, as well… Identity is core to security: Yes? No, why not? There is overwhelming evidence of identity’s role in security – identity is the leading cause of breaches, vendors are introducing “identity aware” solutions, but what is happening in the customer community? Majority of organizations are not leading with this premise: We don’t believe that organizations are there – does anyone in the audience have evidence to the contrary? Organizations are across the spectrum of maturity for implementing this approach: We believe that even still, organizations are all across the board in terms of implementing an IAM strategy – tactical/project based, implemented solutions but not tied in to all aspects of people, process and technology, and few are at a mature level (see last bullet) Organizations are hungry for guidance on how to approach implementing an identity centric approach to security: We believe that there is a gap in guidance – vendors, peers, analysts – no one is looking at it holistically. We want to be the 4th pillar in your places to go for help. Those on the far end of the spectrum (20%) can help educate those that are just getting started (80%): If we make a group of organizations successful, we can then use those organizations as advocates and educators for the rest of the customer community.
  12. IDSA Maturity Journey (working title) that provides best practices for good IAM hygiene and the processes and security controls that support them. Security and identity leaders and implementers – IDSA Security Controls are identity centric security patterns which combine identity and security capabilities that help organizations improve their security posture by leveraging an identity context. Implementers – implementation best practices that provide blueprints for combining Security Controls to meet the common security challenges organizations are facing (revamp of use cases).