20120510 università
DESCRIPTION
Presentation given during the visit of students from the University of Trento - IT Department - as part of the exchange within the "Master Students School".
TRANSCRIPT
Digital Identities Management: Protect your information from zombies
Pierluigi Sartori, CISSP – CISM – CRISC – CGEIT - MBCI
Erise 2012
Trento 09 May 2012
About me
Pierluigi Sartori, email: [email protected]
9 years in Italian Air Force (Intelligence and Operations)
10+ years in Security Architecture & Management
ISACA Venice Chapter Leader, CISM Coordinator & Research Director
ISC2 CISSP
ISACA CISM, CRISC & CGEIT
Business Continuity Institute MBCI
CompTIA Security+
About me
Strengths: TCP/IP and networking technologies
Technical and Logical Security
Physical Security
Security Management
Business Continuity
Forensics
Privacy
Processes and Procedures
Weaknesses: Too many to list them all in an hour
About Informatica Trentina
Informatica Trentina was founded in 1983 on the initiative of the Autonomous Province of Trento and other Trentino entities.
Shareholders:
• Provincia autonoma di Trento: 47.7683%
• Tecnofin Trentina Spa: 39.7101%
• Regione Autonoma Trentino-Alto Adige: 1.7199%
• Comune di Trento: 1.2433%
• Camera di Commercio Industria Artigianato e Agricoltura: 1.2433%
• Comune di Rovereto: 0.7063%
• 11 Comunità di Valle altogether: 4.8519%
• 1 Comprensorio: 0.3931%
• Other 170 Comuni: 2.3639%
Company Data (31/12/2011):
• Turnover: Euro 59 million
• Human Resources: 312
Mission
The company operates more and more as an “instrument of economic policy” for the development and the growth of the local economic system in the context of Information and Communication Technologies:
an internal instrument to modernize Trentino's Public Administration and to encourage development in the local socio-economic context, in compliance with provincial directives;
a collaborative partner for ICT companies, allowing the various actors to take part in the realization of the projects concerning the modernization and digitization of Trentino’s Public Administration;
a driver for innovation, to promote innovation in Trentino's Public Administration while supporting the innovation role of public entities through innovative projects that have to be put in place working in synergy and cooperating with local ICT businesses with the support of the advanced training and research institutes established in the region.
Services
Customer Service Desk
More than 181.000 contacts managed
Desktop/Fleet Management
about 12.500 workstations managed
Data Center
The company's Data Center owns 730 servers in order to provide support for advanced management and application solutions in the web world
Training department prepares tailored training programs
In 2011 the company provided 3.600 person/days in training activities with 1.500 participants
Services for the integration of systems and technologies – in 2011 equipped:
21 premises with advanced videoconferencing equipment
65 premises with unified cooperation and communication services
22 multimedia rooms
Definitions (from wikipedia)
Digital Identity: a psychological identity that prevails in the domains of cyberspace, and is defined as a set of data that uniquely describes a person or a thing (sometimes referred to as subject or entity) and contains information about the subject's relationships to other entities.
(Digital) Identity Management (IdM): describes the management of individual identities, their authentication, authorization, and privileges/permissions within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime, and repetitive tasks. "Identity Management" and "Access and Identity Management" (or AIM) are terms that are used interchangeably under the title of Identity management, while Identity management itself falls under the umbrella of IT Security.
A (Simplified) Definition of IAM
A set of processes and technologies to manage:
• Users' digital identities
• The relationship to civil identity
• Users' access to systems and the information they contain
Identity Management Has Many Questions to Answer
Who are your users?
Who has access to what? (Why do they need it?)
Who approved that access?
Who reviewed that access?
Who did what?
How can you answer all these questions without IAM?
User provisioning
Identity Audit & Reporting provides "who has access to what" and "who approved and reviewed what" reports for compliance and regulatory purposes.
Identity Administration provides delegation and self-service capabilities for password, credential, resource access and role management.
User Provisioning plays a key role in delivering the identity process in enterprises through a functional model of administration and auditing.
(Diagram labels: Identities, Roles, Policies, Workflow, Resource Access Administration, Role Management, User Provisioning, Identity Monitor, Report; identity lifecycle: Create Identity, Change Identity, Retire Identity.)
Digital Identities and Zombies?
Zombie Accounts
Employees can accumulate an average of 15 to 20 user accounts over the course of employment.
It typically takes an enterprise three to five minutes to manually turn off each account upon termination.
Organizations faced with having to terminate hundreds of thousands, or even millions of accounts, may think that simply terminating an employee's network access is sufficient protection.
(Source: “Companies open to "Zombie attacks" following mass layoffs” by Dave Porter)
A Zombie Account, also known as orphan account, is a former employee's account, a Digital Identity, not disabled and/or deleted after he’s gone.
Security Threat
How we managed this challenge
1. Determined the categories of standard user
2. Identified the features of each category
3. Developed a process for each category
4. Established controls
5. Continuous process review
Informatica Trentina “Standard Users”
1. Employees
   a. Managed entirely by HR
   b. Standard authorization based on organizational chart
   c. Termination date unknown
   d. Trust relationship with the company
2. Outsourcer
   a. Managed by different business roles
   b. Authorization defined on a contractual basis
   c. Termination date known (contract)
   d. Contract (no trust) with the company
3. Nomadic
   a. Managed by any employee
   b. Limited authorization (just Internet access)
   c. Termination date known (just one business day)
   d. Potentially no formal relationship
“Employees” – Assignment process
(Flowchart; swimlanes/actors: HR, Employee Owner, Information Security Department, Company IDM System, Company Ticketing System, Operator.)
Start -> Prepare new DI request -> Check and approve request -> Check request: Compliant with Policy? NO -> Send it back; Yes -> Approve -> Assign Role
-> Company IDM System: Records user’s authorization
-> Company Ticketing System: Generates and sends tickets to operators
-> Operator: Configure new DI -> Communicate DI to user -> End
Internal Control: two checkpoints along the flow.
“Employees” – Revocation process
(Flowchart; swimlanes/actors: HR, Information Security Department, Company IDM System, Company Ticketing System, Operator.)
Start (Employee leave) -> Prepare DI deletion request -> Check Request
-> Company IDM System: List user’s authorization
-> Company Ticketing System: Generates and sends tickets to operators
-> Operator: Delete DI -> Notify deletion -> End
Internal Control: one checkpoint along the flow.
“Outsourcer” - Assignment process
(Flowchart; swimlanes/actors: Contract Owner, Information Security Department, Company IDM System, Company Ticketing System, Operator.)
Start -> Prepare new DI request -> Set “end of contract” date -> Check request: Compliant with Policy? NO -> Send it back; Yes -> Approve
-> Company IDM System: Records user’s authorization and termination date
-> Company Ticketing System: Generates and sends tickets to operators
-> Operator: Configure new DI -> Communicate DI to user -> End
Internal Control: one checkpoint along the flow.
“Outsourcer” – Revocation process
(Flowchart; swimlanes/actors: Contract Internal Referent, Company IDM System, Company Ticketing System, Operator.)
Two triggers lead into the same deletion flow:
(a) Contract Internal Referent: Start (Employee leave) -> Prepare DI deletion request
(b) Company IDM System: Start -> Check “end of contract” date -> Expired contract? NO -> (no deletion); Yes -> proceed
Then:
-> Company IDM System: List user’s authorization
-> Company Ticketing System: Generates and sends tickets to operators
-> Operator: Delete DI -> Notify deletion -> End
Internal Control: one checkpoint along the flow.
“Nomadic” users process
(Flowchart; swimlanes/actors: Contract Owner, Information Security Department, Company IDM System, Company Ticketing System, Operator.)
Assignment flow:
Start -> Prepare new Internet access request -> Formal check and approval
-> Company IDM System: Records termination date
-> Company Ticketing System: Generates and sends tickets to operators
-> Operator: Configure new DI -> Communicate DI to user -> End
Internal Control (formal).
Revocation flow (Company IDM System):
Start -> Check expiration date -> Expired? NO -> (no action); Yes -> Disable access -> End
Internal Control.
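The three revocation triggers described in the process slides (an HR leave event for employees, the “end of contract” date recorded in the IdM system for outsourcers, and the one-business-day expiry for nomadic users) can be turned into a periodic zombie-account check. The Python script below is an added illustration written for this transcript; it is not Informatica Trentina's code or material from the talk. The Account record layout, the category names, the HR leavers list, the sample accounts and the ticket format are all assumptions. It also flags an enabled outsourcer account that has no end-of-contract date recorded, since the assignment process requires that date and its absence would otherwise leave the account with no expiry at all.

```python
"""Periodic zombie (orphan) account check modelled on the three standard user
categories.  Added example, not Informatica Trentina's code; record layout,
category names and all sample data are constructed assumptions."""

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Account:
    user_id: str
    category: str                 # "employee", "outsourcer" or "nomadic" (assumed names)
    enabled: bool
    created: date
    termination_date: Optional[date] = None   # set at creation for outsourcers (assumed field)


# Operator ticket action per category, following the process slides:
# "Delete DI" for employees and outsourcers, "Disable access" for nomadic users
TICKET_ACTION = {"employee": "Delete DI", "outsourcer": "Delete DI", "nomadic": "Disable access"}


def expected_end(acct: Account, hr_leavers: Dict[str, date]) -> Optional[date]:
    """Last day the digital identity may stay enabled, or None if not yet known."""
    if acct.category == "employee":
        # Termination date unknown at creation: HR's leave event is the only trigger
        return hr_leavers.get(acct.user_id)
    if acct.category == "outsourcer":
        # The "end of contract" date recorded in the IdM system at assignment time
        return acct.termination_date
    if acct.category == "nomadic":
        # Internet access is valid for that one business day only
        return acct.created
    raise ValueError(f"unknown category: {acct.category!r}")


def revocation_tickets(accounts: List[Account], hr_leavers: Dict[str, date], today: date) -> List[dict]:
    """Return one operator ticket per enabled account whose access should have ended.

    An enabled outsourcer account with no end-of-contract date is reported too:
    the assignment process requires that date, so its absence is a control failure.
    """
    tickets = []
    for acct in accounts:
        if not acct.enabled:
            continue                                   # already disabled/deleted: not a zombie
        end = expected_end(acct, hr_leavers)
        if end is None:
            if acct.category == "outsourcer":
                tickets.append({"user_id": acct.user_id, "category": acct.category,
                                "action": "Set end-of-contract date",
                                "reason": "enabled outsourcer account without termination date"})
            continue                                   # employee still in service: nothing to do
        if end < today:
            tickets.append({"user_id": acct.user_id, "category": acct.category,
                            "action": TICKET_ACTION[acct.category],
                            "reason": f"access ended {end.isoformat()}, still enabled on {today.isoformat()}"})
    return sorted(tickets, key=lambda t: t["user_id"])


# Constructed sample data: an IdM export and HR's list of leavers, as of 9 May 2012
TODAY = date(2012, 5, 9)
HR_LEAVERS = {"e.rossi": date(2012, 4, 30)}           # employee who left on 30 April
SAMPLE_ACCOUNTS = [
    Account("e.rossi", "employee", True, date(2005, 1, 10)),                      # left, still enabled
    Account("m.bianchi", "employee", True, date(2010, 3, 1)),                     # still employed
    Account("o.verdi", "outsourcer", True, date(2011, 4, 1), date(2012, 3, 31)),  # contract expired
    Account("o.neri", "outsourcer", True, date(2012, 1, 9), date(2012, 12, 31)),  # contract running
    Account("o.missing", "outsourcer", True, date(2012, 2, 1)),                   # no end date recorded
    Account("n.guest1", "nomadic", True, date(2012, 5, 8)),                       # yesterday's visitor
    Account("n.guest2", "nomadic", True, date(2012, 5, 9)),                       # today's visitor
    Account("x.old", "outsourcer", False, date(2009, 6, 1), date(2011, 1, 1)),    # already disabled
]

if __name__ == "__main__":
    for ticket in revocation_tickets(SAMPLE_ACCOUNTS, HR_LEAVERS, TODAY):
        print(f"{ticket['user_id']:<10} {ticket['category']:<11} {ticket['action']:<26} {ticket['reason']}")
```

Run against the constructed data, the check produces four tickets: e.rossi and o.verdi for deletion, n.guest1 for disabling, and o.missing for the missing end-of-contract date; the still-valid and already-disabled accounts produce nothing. In a real deployment the ticket list would be handed to the ticketing system the process slides show, and the "Internal Control" step would reconcile the tickets against what the operators actually closed.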
Informatica Trentina Spa, Via G. Gilli, 2 - 38121 Trento
www.infotn.it
Vrae? (Afrikaans)
Questions? (English)
¿Preguntas? (Spanish)
Domande? (Italian)
Вопросы? (Russian)
Ερωτήσεις; (Greek)
tupoQghachmey? (Klingon)
質問? (Japanese)
(Arabic)
問題呢? (Chinese)
(Jewish)
Questions? (French)
Fragen? (German)
(Hindi)
Quaestio? (Latin)