cis14: identity therapy: surviving the explosion of users, access and identities
DESCRIPTION
Kurt Johnson, Courion
A discussion of how identity management needs to move to the next generation of intelligent IAM, combining traditional elements of provisioning and governance with continuous monitoring and rich analytics to identify risk, threats, and vulnerabilities to access.
TRANSCRIPT
Identity Therapy: Surviving the Explosion of Users, Access, and Identities
Kurt Johnson, VP Strategy & Corporate Development
Courion Corporation @kurtvjohnson
Courion Mission
Help customers succeed in a world of open access and increasing threats.
Customer Need
Mobile Apps, Cloud Systems & Apps, Data, Resources, Assets, Systems & Apps
ACCESS: Ensure the Right People have the Right Access to the Right Resources and are doing the Right Things
Reputation Risk
Financial Risk
[Chart: Number of breaches per threat action category. Source: 2014 Verizon Data Breach Investigations Report]
[Chart: Hacking breaches by type, 2009 to 2013, share of breaches (y axis 0% to 60%); series: Use of stolen credentials, Brute force, Backdoor or C2, SQL, Footprinting. Source: 2014 Verizon Data Breach Investigations Report]
Identity and Access Management Controls
Provisioning
Governance
“2013 may be remembered as the ‘year of the retailer breach’, but a comprehensive assessment suggests it was a year of transition from geopolitical attacks to large-scale attacks on payment card systems.”
Verizon 2014 PCI Compliance Report
PCI DSS Requirement 8: Identify and authenticate access to system components
“Only 24.2% of organizations that suffered a security breach were compliant with Requirement 8 at the time of the breach”
“64.4% of organizations failed to restrict each account with access to cardholder data to just one user”
“More than half of insiders committing IT sabotage were former employees who regained access via backdoors or corporate accounts that were never disabled”
Source: Verizon 2014 PCI Compliance Report
[Chart: Top Audit Findings, percent of respondents by survey year (2009, 2010, 2012), x axis 0% to 40%; findings: Lack of sufficient segregation of duties; Removal of access following a transfer or termination; Excessive developers' access to production systems and data; Excessive access rights. Source: Deloitte Global Financial Services Security Survey]
Identity and Access Management Controls
Provisioning
Governance
Identity of the Internet of Things (ID) (IoT)
ID IoT
Source: PWC Global State of Information Security Survey, 2014
[Chart: Percent of breaches where time was days or less. Source: 2014 Verizon Data Breach Investigations Report]
POS Intrusions Discovery Method: External 99%, Internal 1%
Source: 2014 Verizon Data Breach Investigations Report
“Shift your security mindset from incident response to continuous response, wherein systems are assumed to be compromised and require continuous monitoring and remediation.”
“Designing an Adaptive Security Architecture for Protection From Advanced Attacks”, Peter Firstbrook and Neil MacDonald, 2014.
Multi-dimensional analysis
Trillions of access relationships
• POLICIES: 100’s of policies & regulations
• RESOURCES: 1000’s of applications, file shares & resources
• ACTIVITY: Millions of actions
• RIGHTS: 100’s of thousands of access rights & roles
• IDENTITY: 100,000’s of people, millions of identities
Intelligent Governance
• New account created outside provisioning system
• High risk application
• High risk set of entitlements
• Employee not in HR system
…another
…and another
Provisioning Today
Provisioning Request → Policy Evaluation → Approval → Fulfillment (or Reject Request)
Intelligent Provisioning
Provisioning Request → Policy Evaluation (with Risk Scoring) → Fulfillment
Intelligent Provisioning
Provisioning Request → Policy Evaluation (with Risk Scoring) → Approval → Fulfillment (or Reject Request)
Intelligent Provisioning
Provisioning Request → Policy Evaluation (with Risk Scoring) → Approval / Additional Approval → Fulfillment (or Reject Request)
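The risk-scored provisioning flow on the slides above (Policy Evaluation, Risk Scoring, then Fulfillment, Approval, Additional Approval or Reject Request) and the Intelligent Governance triggers (account created outside the provisioning system, high-risk application, high-risk set of entitlements, employee not in the HR system), modelled as an added Python example. This is illustration code, not Courion's product; the application inventory, entitlement sets, weights and score thresholds are constructed assumptions.

```python
# Added example (not Courion's code): intelligent provisioning with risk scoring
# plus the governance triggers; inventories, weights, thresholds are assumptions.
from dataclasses import dataclass

HIGH_RISK_APPS = {"payment-gateway", "hr-payroll"}            # constructed inventory
HIGH_RISK_ENTITLEMENT_SETS = [{"db_admin", "backup_operator"}, {"wire_approver"}]
WEIGHTS = {"not_in_hr": 60, "high_risk_app": 30, "high_risk_entitlements": 30}

@dataclass
class Request:
    user: str
    app: str
    entitlements: frozenset
    in_hr: bool          # is the requesting identity known to the HR system?
    policy_ok: bool      # outcome of the preceding policy evaluation step

def risk_score(req):
    """Return (score, reasons): each governance trigger present adds its weight."""
    reasons = []
    if not req.in_hr:
        reasons.append("not_in_hr")
    if req.app in HIGH_RISK_APPS:
        reasons.append("high_risk_app")
    if any(s <= req.entitlements for s in HIGH_RISK_ENTITLEMENT_SETS):
        reasons.append("high_risk_entitlements")
    return sum(WEIGHTS[r] for r in reasons), reasons

def route(req):
    """Policy evaluation first; the risk score then selects the approval path."""
    if not req.policy_ok:
        return "Reject Request"
    score, _ = risk_score(req)
    if score == 0:
        return "Fulfillment"           # low risk: fulfil without manual approval
    if score < 60:
        return "Approval"              # one approver for moderate risk
    if score < 100:
        return "Additional Approval"   # a second approver for high risk
    return "Reject Request"            # assumed policy: unknown identity + high-risk access

def accounts_outside_provisioning(target_accounts, provisioned, hr_roster):
    """Governance sweep: accounts the provisioning system never created, or whose owner HR does not know."""
    findings = []
    for acct, owner in sorted(target_accounts.items()):   # {account: owner} from target system
        if acct not in provisioned:
            findings.append((acct, "created outside provisioning system"))
        if owner not in hr_roster:
            findings.append((acct, "employee not in HR system"))
    return findings
```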
“By year-end 2020, identity analytics and intelligence (IAI) tools will deliver direct business value in 60% of enterprises, up from <5% today.”
Intelligent IAM
Continuous Monitoring & Analytics
Governance, Provisioning
Intelligent IAM
Policy