Identity access management
TRANSCRIPT
CONTRACT LAW IN IT: Identity & access management
Jacques Folon, www.folon.com
Partner, Edge Consulting
Senior lecturer, Université de Liège; Lecturer, ICHEC Brussels Management School; Visiting professor, Université de Lorraine (Metz) and ESC Rennes
http://www.nyls.edu/institute_for_information_law_and_policy/conferences/visualizing_law_in_the_digital_age/
IAM
1. IAM?
2. Present context?
3. IAM & cloud computing
4. Why is it useful and mandatory?
5. To-do list
6. IAM & privacy
7. IAM & control
8. e-discovery
9. Conclusion
1. IAM?
• Provisioning
• Single Sign On
• PKI
• Strong Authentication
• Federation
• Directories
• Authorization
• Secure Remote Access
• Password Management
• Web Services Security
• Auditing & Reporting
• Role based Management
• DRM
Source: Identity and Access Management: Overview, Rafal Lukawiecki, Strategic Consultant, [email protected]
5 Questions to ask your CISO
Q: What’s posted on this monitor?
a – password to financial application b – phone messages c – to-do’s
Q: What determines your employee’s access?
a – give Alice whatever Wally has b – roles, attributes, and requests c – whatever her manager says
Q: Who is the most privileged user in your enterprise?
a – security administrator b – CFO c – the summer intern who is now working for your competitor
Q: How secure is your identity data?
a – It is in 18 different secured stores b – We protect the admin passwords c – Privacy? We don’t hold credit card numbers
Q: How much are manual compliance controls costing your organization?
a – nothing, no new headcount b – don’t ask c – don’t know
Today’s IT Challenges
More Agile Business • More accessibility for employees, customers and partners • Higher level of B2B integrations • Faster reaction to changing requirements
More Secured Business • Organized crime • Identity theft • Intellectual property theft • Constant global threats
More Compliant Business • Increasing regulatory demands • Increasing privacy concerns • Business viability concerns
State Of Security In Enterprise
• Incomplete • Multiple point solutions from many vendors • Disparate technologies that don’t work together
• Complex • Repeated point-to-point integrations • Mostly manual operations
• ‘Non-compliant’ • Difficult to enforce consistent set of policies • Difficult to measure compliance with those policies
Identity Management Values
• Trusted and reliable security
• Efficient regulatory compliance
• Lower administrative and development costs
• Enable online business networks
• Better end-user experience
IAM MEANS MANAGING THE EMPLOYEE'S LIFECYCLE (HIRING, RECRUITING, PROMOTION, CHANGE, LEAVING) AND THE IMPACTS ON THE INFORMATION MANAGEMENT SYSTEM
Source: CLUSIF
IAM is a legal obligation!
• IAM IS DEFINED BY THE BUSINESS (HR, SCM, ETC.)
• AND FOLLOWING THE LEGAL FRAMEWORK
• AND TECHNICALLY IMPLEMENTED
IAM IS BUSINESS & ICT + LEGAL
Source: CLUSIF
IAM INCLUDES
• DATABASE OF ALL AND EVERY USER
• DATABASE OF ALL TYPES OF PROFILES & ROLES
• DEFINITION BEFOREHAND
• DEFINE WHICH ROLE FOR WHICH EMPLOYEE
• DEFINITION OF LOGINS & PASSWORDS
• AUDIT
• REPORTING
• ACCESS CONTROL
Source: CLUSIF
• What is Identity Management? “Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” The Burton Group (a research firm specializing in IT infrastructure for the enterprise)
• Identity Management in this sense is sometimes called “Identity and Access Management” (IAM)
Definition
Identity and Access Management is the process for managing the lifecycle of digital identities and access for people, systems and services. This includes:
User Management – management of large, changing user populations along with delegated- and self-service administration.
Access Management – allows applications to authenticate users and allow access to resources based upon policy.
Provisioning and De-Provisioning – automates account propagation across applications and systems.
Audit and Reporting – review access privileges, validate changes, and manage accountability.
Source: IAM, J. Tony Goulding CISSP, ITIL, CA, [email protected]
IAM IN ESC…
• “MY NAME IS JULIE AND I AM A STUDENT.” (Identity)
• “This is my password.” (Authentication)
• “I want access to my account.” (Authorization OK)
• “I want to adapt my grade.” (Authorization rejected)
What are the questions?
• Is this person the one she said she is?
• Is she a member of our group?
• Did she receive the necessary authorization?
• Is data privacy OK?
Type of questions for a newcomer
– Which kind of password?
– Which activities are accepted?
– Which are forbidden?
– To which category does this person belong?
– When do we have to give the authorization?
– What control do we need?
– Could we demonstrate our procedure in court?
IAM triple A
Authentication: WHO ARE YOU?
Authorization / Access Control: WHAT CAN YOU DO?
Audit: WHAT HAVE YOU DONE?
Components of IAM
• Administration
– User Management
– Password Management
– Workflow
– Delegation
• Access Management
– Authentication
– Authorization
• Identity Management
– Account Provisioning
– Account Deprovisioning
– Synchronisation
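The three A's and the "Julie the student" scenario above, worked through in code: provisioning, authentication, role-based authorization (account access allowed, grade change rejected), de-provisioning when she leaves, and an audit trail of every decision. This is an added example, not from the slides or from Folon, Lukawiecki or CLUSIF; the roles, the permitted actions, the password and the in-memory stores are all constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    roles: set
    active: bool = True  # False after de-provisioning (employee leaves)

def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked identity store does not hand out passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class IAM:
    # Role-based management: role -> permitted actions (constructed policy).
    POLICY = {"student": {"view_account"},
              "registrar": {"view_account", "adapt_grade"}}

    def __init__(self):
        self.accounts = {}
        self.audit = []  # Audit: WHAT HAVE YOU DONE?
    def provision(self, username, password, roles):
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash(password, salt), set(roles))
        self.audit.append(("provision", username, sorted(roles)))
    def deprovision(self, username):
        self.accounts[username].active = False
        self.audit.append(("deprovision", username))
    def authenticate(self, username, password):
        # Authentication: WHO ARE YOU?  Constant-time compare against the stored hash.
        acct = self.accounts.get(username)
        ok = (acct is not None and acct.active
              and hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash))
        self.audit.append(("authn", username, ok))
        return ok
    def authorize(self, username, action):
        # Authorization: WHAT CAN YOU DO?  Deny by default; roles grant actions.
        acct = self.accounts.get(username)
        allowed = (acct is not None and acct.active
                   and any(action in self.POLICY.get(r, set()) for r in acct.roles))
        self.audit.append(("authz", username, action, allowed))
        return allowed

def julie_scenario():
    """Walk 'Julie the student' from the slides through the three A's."""
    iam = IAM()
    iam.provision("julie", "correct horse battery", ["student"])
    r = {"identity_ok": iam.authenticate("julie", "correct horse battery"),
         "wrong_password": iam.authenticate("julie", "guess"),
         "view_account": iam.authorize("julie", "view_account"),  # authorization OK
         "adapt_grade": iam.authorize("julie", "adapt_grade")}    # authorization rejected
    iam.deprovision("julie")  # Julie leaves: her account must stop working
    r["after_leaving"] = iam.authenticate("julie", "correct horse battery")
    r["audit_events"] = len(iam.audit)
    return r
```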
[Diagram: Reliable Identity Data at the centre, surrounded by Administration, Authorization and Authentication.]
2. Context in 2016
Various identities co-exist
IRL & virtual identity
• Internet is based on IP identification
• Everybody has different profiles
• Each platform has a different authentication system
• Users are the weakest link
• Cybercrime increases
• Control means identification
• Data privacy imposes controls & security
• e-discovery imposes ECM
Welcome to a digital world
Explosion of IDs
[Chart: number of Digital IDs over Time (pre-1980’s, 1980’s, 1990’s, 2000’s), growing with each wave of applications: Mainframe, Client Server, Internet, Business Automation, Company (B2E), Partners (B2B), Customers (B2C), Mobility.]
The Disconnected Reality
• “Identity Chaos”
– Many users
– Many IDs
– Many logins & passwords
– Multiple repositories of identity information
– Multiple user IDs, multiple passwords
[Diagram: an Enterprise Directory alongside separate stores for HR, an infrastructure application, Office, an in-house application, an external app, Finance and an employee application, each holding its own authentication, authorization and identity data.]
Multiple Contexts
[Diagram: your COMPANY and your EMPLOYEES at the centre, linked to your SUPPLIERS, your PARTNERS, your REMOTE and VIRTUAL EMPLOYEES and your CUSTOMERS. Drivers shown: customer satisfaction & customer intimacy, cost competitiveness, reach, personalization; collaboration, outsourcing, faster business cycles, process automation, value chain; M&A, mobile/global workforce, flexible/temp workforce.]
Trends Impacting Identity
• Increasing threat landscape: identity theft costs banks and credit card issuers $1.2 billion in 1 yr; $250 billion lost from exposure of confidential info
• Maintenance costs dominate IT budget: on average employees need access to 16 apps and systems; companies spend $20-30 per user per year for PW resets
• Deeper line of business automation and integration: one half of all enterprises have SOA under development; web services spending growing 45%
• Rising tide of regulation and compliance: SOX, HIPAA, GLB, Basel II, 21 CFR Part 11, …; $15.5 billion spend on compliance (analyst estimate)
Data sources: Gartner, AMR Research, IDC, eMarketer, U.S. Department of Justice
Pain Points
• Business Owner: too expensive to reach new partners, channels; need for control
• End User: too many passwords; long waits for access to apps, resources
• IT Admin: too many user stores and account admin requests; unsafe sync scripts
• Developer: redundant code in each app; rework code too often
• Security/Compliance: too many orphaned accounts; limited auditing ability
3. IAM & Cloud computing
First, what the heck is Cloud Computing? …in simple, plain English please!
Andy Harjanto, “I’m cloud confused”, http://www.andyharjanto.com
Let’s use a simple analogy. Say you just moved to a city, and you’re looking for a nice place to live.
You can either build a house or rent an apartment.
If you build a house, there are a few important decisions you have to make…
How big is the house? Are you planning to grow a large family?
Remodelling or additions typically cost a lot more once the house is built.
But you get a chance to customize it.
Once the house is built, you’re responsible for maintenance:
• hire a landscaper, electrician, plumber
• pay property tax, electricity, water
• gutter cleaning, heating and cooling, housekeeping
How about renting?
Consider a builder in your city who builds a huge number of apartment units.
A unit can easily be converted into 2, 3, 4 or more units.
You make fewer, simpler decisions.
You can start with one unit and grow later, or downsize.
But… you do not have a lot of options to customize your unit.
However, builders provide you with very high quality infrastructure:
• high speed Internet
• high capacity electricity
• triple pane windows
• green materials
No need to worry about maintenance.
Just pay your rent and utilities. Pay as you go.
Let’s translate to Cloud Computing.
As an end-consumer, believe it or not, you’ve been using the Cloud for a long time.
Most of these services are free. In return, you’re willing to give away your information for ads and other purposes.
But you’ve been enjoying a high reliability service, limited storage, connecting and sharing.
OK, now tell that to the business owner: give up your data, then you can use this infrastructure for free.
“Are you crazy?” will answer the CEO.
My business needs… security, privacy, reliability, high availability.
Building enterprise software is like… building a medieval castle: stone wall, fire-proof, moat, army, death hole.
Let’s hire an army of IT engineers: software upgrade support, backup/restore, service packs, development, network issues.
Let’s build a huge data center: capacity planning, disaster plan, cooling management, server crashes.
Your data is replicated 3 or 4 times in their data center: high availability.
Adding “servers” is a click away, running in just minutes, not days.
High traffic? It can even load balance your server traffic.
Expect your Cloud network to always be up.
Yes, you can even pick where your data and “servers” reside.
Don’t forget data privacy issues.
So we know what Cloud is and the choice we have.
Cloud Computing: Definition
• No unique definition or general consensus about what Cloud Computing is…
• Different perspectives & focuses (platform, SW, service levels…)
• Flavours:
– Computing and IT resources accessible online
– Dynamically scalable computing power
– Virtualization of resources
– Access to (potentially) composable & interchangeable services
– Abstraction of IT infrastructure → no need to understand its implementation: use services & their APIs
– Some current players, at the infrastructure & service level: Salesforce.com, Google Apps, Amazon, Yahoo, Microsoft, IBM, HP, etc.
Source: The Future of Identity in the Cloud: Requirements, Risks & Opportunities, Marco Casassa Mont, [email protected], HP Labs Systems Security Lab, Bristol, UK, EEMA e-Identity Conference, 2009
Cloud Computing: Implications
• Enterprise: paradigm shift from “closed & controlled” IT infrastructures and services to externally provided services and IT infrastructures
• Private user: paradigm shift from accessing a static set of services to dynamic & composable services
• General issues:
– Potential loss of control (on data, infrastructure, processes, etc.)
– Data & confidential information stored in the clouds
– Management of identities and access (IAM) in the cloud
– Compliance to security practice and legislation
– Privacy management (control, consent, revocation, etc.)
– New threat environments
– Reliability and longevity of cloud & service providers
Identity in the Cloud: Enterprise Case
[Diagram: an Enterprise (employees, business apps/services, internal cloud) connected over the Internet to Cloud Provider #1 and Cloud Provider #2, which offer a data storage service, office apps, on-demand CPUs, a printing service, a CRM service, a backup service, ILM and further services. Each link carries identity & credentials, authentication/authorization/audit, user account provisioning/de-provisioning, and data & confidential information.]
IAM capabilities and services can be outsourced in the cloud…
Identity in the Cloud: Enterprise Case
Issues and Risks [1/2]
• Potential proliferation of required identities & credentials to access services → misbehaviours when handling credentials (writing down, reusing, sharing, etc.)
• Complexity in correctly “enabling” information flows across boundaries → security threats (Enterprise → Cloud & Service Providers, Service Provider → Service Provider, …)
• Propagation of identity and personal information across multiple clouds/services → privacy issues (e.g. compliance to multiple legislations, importance of location, etc.) → exposure of business sensitive information (employees’ identities, roles, organisational structures, enterprise apps/services, etc.) → how to effectively control this data?
• Delegation of IAM and data management processes to cloud and service providers → how to get assurance that these processes and security practice are consistent with enterprise policies? Recurrent problem for all stakeholders: enterprise, cloud and service providers… → consistency and integrity of user accounts & information across various clouds/services → how to deal with overall compliance and governance issues?
Identity in the Cloud: Enterprise Case
Issues and Risks [2/2]
• Migration of services between cloud and service providers → management of data lifecycle
• Threats and attacks in the clouds and cloud services → cloud and service providers can be the “weakest links” in security & privacy → reliance on good security practice of third parties
4. Why do we need IAM?
• Security
• Compliance
• Cost control
• Audit support
• Access control
Source: ftp://ftp.boulder.ibm.com/software/uk/productnews/tv/vh_-_access_and_identity_management.pdf
Cost reduction
• Directory Synchronization: “Improved updating of user data: $185 per user/year”, “Improved list management: $800 per list” (Giga Information Group)
• Password Management: “Password reset costs range from $51 (best case) to $147 (worst case) for labor alone.” (Gartner)
• User Provisioning: “Improved IT efficiency: $70,000 per year per 1,000 managed users”, “Reduced help desk costs: $75 per user per year” (Giga Information Group)
Can We Just Ignore It All?
• Today, the average corporate user spends 16 minutes a day logging on
• A typical home user maintains 12-18 identities
• Number of phishing sites grew over 1600% over the past year
• Corporate IT Ops manage an average of 73 applications and 46 suppliers, often with individual directories
• Regulators are becoming stricter about compliance and auditing
• Orphaned accounts and identities lead to security problems
Source: Microsoft’s internal research and Anti-phishing Working Group
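How the orphaned accounts mentioned above arise from the “Identity Chaos” of one directory per application, and how a reconciliation driven by the HR roster (the authoritative record of hiring and leaving) finds them, plus the opposite failure where a joiner was never provisioned. This is an added example, not from the slides or their cited sources; the roster, the account lists and the per-department requirements are constructed sample data.

```python
# Constructed sample data (not from the slides). HR is the authoritative
# source for the employee lifecycle; each application keeps its own accounts.
HR_ROSTER = {
    "alice": {"status": "active", "department": "finance"},
    "bob":   {"status": "left",   "department": "it"},     # has left the company
    "carol": {"status": "active", "department": "sales"},
}
APP_ACCOUNTS = {
    "enterprise_directory": {"alice", "bob", "carol"},
    "finance":              {"alice", "bob"},       # bob's account was never removed
    "external_app":         {"carol", "intern42"},  # no HR record at all
}
# Which applications each department's active employees must have (constructed).
REQUIRED = {"finance": {"enterprise_directory", "finance"},
            "sales":   {"enterprise_directory", "external_app", "crm"}}

def find_orphans(roster, app_accounts):
    """Map app -> sorted orphaned usernames: accounts whose owner is not an
    active employee (left the company, or never existed in HR)."""
    active = {u for u, rec in roster.items() if rec["status"] == "active"}
    return {app: sorted(accts - active)
            for app, accts in app_accounts.items() if accts - active}

def find_gaps(roster, app_accounts, required):
    """Provisioning gaps: (user, app) pairs where an active employee lacks an
    account their department requires, i.e. the joiner/mover step never ran."""
    gaps = []
    for user, rec in roster.items():
        if rec["status"] != "active":
            continue
        for app in sorted(required.get(rec["department"], ())):
            if user not in app_accounts.get(app, set()):
                gaps.append((user, app))
    return gaps

def reconcile(roster=HR_ROSTER, app_accounts=APP_ACCOUNTS, required=REQUIRED):
    """Run both checks; every orphan is a candidate for de-provisioning and
    every gap a provisioning request, each to be recorded for audit."""
    return {"orphans": find_orphans(roster, app_accounts),
            "gaps": find_gaps(roster, app_accounts, required)}
```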
IAM Benefits
Benefits today (Tactical):
• Save money and improve operational efficiency
• Improved time to deliver applications and service
• Enhance security
• Regulatory compliance and audit
Benefits to take you forward (Strategic):
• New ways of working
• Improved time to market
• Closer supplier, customer, partner and employee relationships
5. IAM to-do list
• Automatic account management
• Archiving
• Data privacy
• Compliance
• Security vs. risks
• User identification
• E-business
• M2M
6. Data protection
Source: https://www.britestream.com/difference.html
Need to check:
• legal limits
• data controller responsibility
• teleworking
• data theft
7. IAM & control
• Data transfer
• Limitation of control
• Private email
• Penalties
• Who controls?
• Security is mandatory!
• Technical security
– Risk analysis
– Back-up
– Disaster recovery
– Identity management
– Strong logins & passwords
• Legal security
– Information in the employment contracts
– Contracts with subcontractors
– Code of conduct
– Compliance
– Control of the employees
Control?
8. E-discovery
Definition of e-discovery
• Electronic discovery (or e-discovery) refers to discovery in civil litigation which deals with information in electronic format, also referred to as Electronically Stored Information (ESI).
• It means the collection, preparation, review and production of electronic documents in litigation discovery.
• Any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.
• This includes e-mail, attachments, and other data stored on a computer, network, backup or other storage media. e-Discovery includes metadata.
Recommendations
Organizations should update and/or create information management policies and procedures that include:
– e-mail retention policies. On an individual level, employees tend to keep information on their hard drives “just in case” they might need it.
– Work with users to rationalize their storage requirements and decrease their storage budget.
– off-line and off-site data storage retention policies,
– controls defining which users have access to which systems and under what circumstances,
– instructions for how and where users can store data, and
– backup and recovery procedures.
– Assessments or surveys should be done to identify business functions, data repositories, and the systems that support them.
– Legal must be consulted. Organizations and their legal teams should work together to create and/or update their data retention policies and procedures for managing litigation holds.
9. Conclusion
• IAM is a legal question, not only business & IT
• Compliance is important
• More security due to
– Cloud computing
– Virtualisation
– Data privacy
– Archiving
• Transparency
• E-discovery
IAM could be an opportunity
• Rethink security
• Risk reduction
• Cost reduction
• Precise roles & responsibilities
Any questions?
Jacques [email protected]