Integration of Security Information and Event Management (SIEM) and Identity and Access Management (IAM).
Reed Harrison, CTO, Security & Compliance, [email protected]
© Novell Inc. All rights reserved
Compliance Defined
Compliance: “In management, the act of adhering to, and demonstrating adherence to laws, regulations or policies”
source: www.wikipedia.org
Sarbanes Oxley Act (SOX)
• Section 404:
• Annual Reports are required to contain an internal control report, which shall—
• (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
• (2) contain an assessment ... of the effectiveness of the internal control structure and procedures.
PCI-DSS: Payment Card Industry – Data Security Standard
– PCI Executive Committee: Amex, Visa, Mastercard, JCB, Discover
– A set of comprehensive requirements for enhancing payment account data security
The Organizational Problem: Multitude of Regulations (Extract)
Privacy Act
HIPAA
FERC
SEC Regulation SP
Network Advising Initiative
European Data Protection Directive
Family Educational Rights and Privacy Act
Cyber Security Research and Development Act
Gramm-Leach-Bliley
Children's Internet Protection Act
Government Information Security Reform Act
Insurance Information and Privacy Protection Model Act
Homeland Security Act
Constant changes, new regulations, high overlap and/or contradictions.
The Organizational Relief
Pareto Principle: 80% Overlaps, 20% Specific
SOX
European Data Protection Directive
PCI-DSS
EURO-SOX
BASEL II
...
IT General Controls and Identity & Security Management
IT general controls typically address the following domains, which relate to Identity and Access Management:
• program development
• program change
• IT control environment
• access to programs and data
• computer operations
Related control activities:
• access to productive system by authorized staff only
• user provisioning, security administration
• monitoring and reporting
• data processing, backup, problem management
PCI-DSS and Identity & Security Management
1. Install and maintain a firewall configuration to protect card-holder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict Access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors
The Technology Problem
Silos of Data, Manual Processes, So Little Insight
Automation is Key: Automate IT Controls Monitoring and Reporting
• RACF
• ACF2
• Top Secret
Aggregation increases Manageability
Data: Collection, Filtering, Normalization
Information: Correlation, Consolidation, Pattern Discovery
Knowledge: Threat Assessment, Situation Assessment
Action: Incident (Alerting, Remediation, Reporting)
Bringing it All Together
Organisational Framework: ISMS (ISO 27001)
Plan: Security Policy
Do: IT-Security Control Points
Check: Monitor Control Points
Check: Remediation
Check: Compliance Reporting
Act: Continuous Improvement
Centre of the cycle: IT Policy & Controls
Enabling Compliance Through Common Policy
1. User accesses a resource.
2. Relevant events are collected by Sentinel.
3. Policy engine determines if the access was in compliance with policy.
4. If the access was out of compliance with policy, an incident is generated and the remediation process begins.
5. Remediation process is triggered in Identity Management System, which consults the policy engine.
6. Identity Manager modifies the user's access to systems to bring the system into compliance with policy.
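The two slides above, "Aggregation increases Manageability" and "Enabling Compliance Through Common Policy", describe a pipeline (collection, filtering, normalization, correlation) and a closed loop (policy engine, incident, remediation by the identity management system) but contain no code. The following Python program is an added example written for this page; it is not Novell, Sentinel or Identity Manager code. Everything in it is constructed and hypothetical: the two raw log formats, the identity directory, the segregation-of-duties pair in TOXIC_PAIRS, the rule names and the remediation action names.

```python
"""Added example (not Novell code): a SIEM event pipeline that feeds IAM remediation.
All inputs are constructed; the log formats, directory, SoD policy and action names are hypothetical."""
import json
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed raw events from two silos in different formats (key=value and JSON).
RAW_EVENTS = [
    "app=payroll user=alice action=read object=salary_table result=success",
    "app=payroll user=carol action=read object=salary_table result=success",
    "app=payroll user=dave action=update object=salary_table result=success",
    "app=payroll user=erin action=read object=salary_table result=denied",
    "app=payroll user=bob action=update object=salary_table result=success",
    '{"source": "erp", "login": "bob", "op": "approve", "target": "vendor_invoice", "ok": true}',
]
# Constructed identity store: the IdM system's view of account status and granted entitlements.
DIRECTORY: Dict[str, Dict] = {
    "alice": {"status": "active", "entitlements": {"payroll:salary_table:read"}},
    "bob": {"status": "active", "entitlements": {"payroll:salary_table:update", "erp:vendor_invoice:approve"}},
    "carol": {"status": "terminated", "entitlements": {"payroll:salary_table:read"}},
    "dave": {"status": "active", "entitlements": {"payroll:salary_table:read"}},
}
# Constructed policy: entitlement pairs one person must never exercise together (segregation of duties).
TOXIC_PAIRS: Set[Tuple[str, str]] = {("payroll:salary_table:update", "erp:vendor_invoice:approve")}

@dataclass(frozen=True)
class Event:
    user: str
    app: str
    action: str
    obj: str
    success: bool

    @property
    def entitlement(self) -> str:
        return f"{self.app}:{self.obj}:{self.action}"

@dataclass
class Incident:
    user: str
    rule: str
    remediation: Dict[str, str]  # the request handed to the identity management system

def normalize(raw: str) -> Event:
    """Normalization: map both raw formats onto one event schema."""
    if raw.startswith("{"):
        d = json.loads(raw)
        return Event(d["login"], d["source"], d["op"], d["target"], bool(d["ok"]))
    kv = dict(re.findall(r"(\w+)=(\S+)", raw))
    return Event(kv["user"], kv["app"], kv["action"], kv["object"], kv["result"] == "success")

def check_event(ev: Event, directory: Dict[str, Dict]) -> Optional[Incident]:
    """Policy engine, per event: was the access backed by an active, entitled identity?"""
    ident = directory.get(ev.user, {"status": "unknown", "entitlements": set()})
    if ident["status"] != "active":
        return Incident(ev.user, "inactive-identity", {"action": "disable_account", "user": ev.user})
    if ev.entitlement not in ident["entitlements"]:
        return Incident(ev.user, "no-entitlement",
                        {"action": "remove_access", "user": ev.user, "entitlement": ev.entitlement})
    return None

def correlate_sod(events: List[Event], toxic: Set[Tuple[str, str]]) -> List[Incident]:
    """Correlation across silos: one person exercising both halves of a toxic pair."""
    used: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        used[ev.user].add(ev.entitlement)
    return [Incident(user, "segregation-of-duties", {"action": "suspend_entitlement", "user": user, "entitlement": b})
            for user, ents in sorted(used.items()) for a, b in sorted(toxic) if a in ents and b in ents]

def run_pipeline(raw_events: List[str], directory: Dict[str, Dict], toxic: Set[Tuple[str, str]]) -> List[Incident]:
    """Collection -> normalization -> filtering -> per-event policy check -> correlation -> incidents."""
    granted = [e for e in map(normalize, raw_events) if e.success]  # filtering: denied attempts never became access
    incidents = [inc for inc in (check_event(e, directory) for e in granted) if inc]
    return incidents + correlate_sod(granted, toxic)

def apply_remediation(incidents: List[Incident], directory: Dict[str, Dict]):
    """Stand-in for Identity Manager: carry out each request, return (change log, updated directory)."""
    updated = {u: {"status": d["status"], "entitlements": set(d["entitlements"])} for u, d in directory.items()}
    changes = []
    for inc in incidents:
        r = inc.remediation
        acct = updated.setdefault(r["user"], {"status": "unknown", "entitlements": set()})
        if r["action"] == "disable_account":
            acct["status"], acct["entitlements"] = "disabled", set()
        elif r["action"] == "suspend_entitlement":
            acct["entitlements"].discard(r["entitlement"])
        # remove_access is a change on the application itself; the IdM connector would reconcile it there
        changes.append(" ".join(v for v in (r["action"], r["user"], r.get("entitlement")) if v))
    return changes, updated

if __name__ == "__main__":
    found = run_pipeline(RAW_EVENTS, DIRECTORY, TOXIC_PAIRS)
    for inc in found:
        print(f"INCIDENT {inc.rule:22} user={inc.user} -> {inc.remediation}")
    print("IdM changes:", apply_remediation(found, DIRECTORY)[0])
    print("report (incidents per rule):", dict(Counter(i.rule for i in found)))
```

Run as a script it lists three incidents: a terminated user (carol) whose account still works, a user (dave) exercising an entitlement the directory never granted, and a segregation-of-duties conflict that only becomes visible once the payroll and ERP events are correlated per user, which is the point of breaking down the data silos. The denied attempt is filtered out before policy evaluation, and the directory passed in is never mutated; the remediated copy is returned so the two states can be compared.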
Compliance Benefits
Drivers for Compliance Initiatives* (*source: University of Erlangen-Nuremberg)
[Diagram labels: External Requirements; Internal Requirements; Consultants / Auditors; Cost of Compliance; Centralisation; Processes; Tools; Automation; Achievement of Compliance Drivers; Compliance]
Compliance generates Business Benefits
[Chart: x-axis Implementation Complexity, y-axis Business Benefit]
Sarbanes-Oxley
– Section 302: CEO and CFO must personally certify their financial statements
– Section 404: Auditors must certify internal controls and processes
– Section 409: Real-time disclosure of material business events
New Capital Accord (Basel II)
– Basel II (Standardized Approach): Enforces Basel I guidelines
– Capital Accord (Basel I): Sets Standards For Credit Risk Management
– Basel II (Foundation IRB): Provides Capital Relief for Advanced Risk Management
– Basel II (Advanced IRB): Maximum Capital Relief for Advanced Risk Management
Driver: Insufficient Risk Controls
Driver: Insufficient Business Controls
Benefit: Reduced Capital Allocations
Benefit: Improved Business Processes
Unpublished Work of Novell, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of
Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer: This document is not to be construed as a promise by any participating company to develop, deliver, or
market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.