Integration of Security Information and Event Management (SIEM) and Identity and Access Management (IAM)

Reed Harrison, CTO, Security & Compliance Solutions


© Novell Inc. All rights reserved


Compliance Defined

Compliance:

“In management, the act of adhering to, and demonstrating adherence to laws, regulations or policies”

source: www.wikipedia.org


Sarbanes Oxley Act (SOX)

• Section 404:

• Annual Reports are required to contain an internal control report, which shall—

• (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

• (2) contain an assessment ... of the effectiveness of the internal control structure and procedures.


PCI-DSS: Payment Card Industry – Data Security Standard

– PCI Executive Committee: Amex, Visa, Mastercard, JCB, Discover

– A set of comprehensive requirements for enhancing payment account data security


The Organizational Problem: Multitude of Regulations (Extract)

• Privacy Act

• HIPAA

• FERC

• SEC Regulation SP

• Network Advising Initiative

• European Data Protection Directive

• Family Educational Rights and Privacy Act

• Cyber Security Research and Development Act

• Gramm-Leach-Bliley

• Children's Internet Protection Act

• Government Information Security Reform Act

• Insurance Information and Privacy Protection Model Act

• Homeland Security Act

Constant changes, new regulations, high overlap and/or contradictions.


The Organizational Relief


Pareto Principle: 80% Overlaps, 20% Specific

SOX

European Data Protection Directive

PCI-DSS

EURO-SOX

BASEL II

...


IT General Controls and Identity & Security Management

IT general controls typically address the following domains, which relate to Identity and Access Management:

• program development

• program change

• IT control environment

• access to programs and data

• computer operations

access to productive system

by authorized staff only

monitoring and reporting

user provisioning, security administration

data processing, backup problem management


PCI-DSS and Identity & Security Management

1. Install and maintain a firewall configuration to protect card-holder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

7. Restrict Access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

12. Maintain a policy that addresses information security for employees and contractors


The Technology Problem


Silos of Data, Manual Processes, So Little Insight


Automation is Key

Automate IT Controls Monitoring and Reporting

• RACF

• ACF 2

• Top Secret


Aggregation increases Manageability

• Data: Collection, Filtering, Normalization

• Information: Correlation, Consolidation, Pattern Discovery

• Knowledge: Threat Assessment, Situation Assessment

• Action: Incident, Alerting, Remediation, Reporting


Bringing it All Together


Organisational Framework ISMS (ISO 27001)

IT Policy & Controls

• Plan: Security Policy

• Do: IT-Security Control Points

• Check: Monitor Control Points

• Check: Remediation

• Check: Compliance-Reporting

• Act: Continuous Improvement


Enabling Compliance Through Common Policy

1. User accesses a resource

2. Relevant events are collected by Sentinel

3. Policy engine determines if the access was in compliance with policy

4. If the access was out of compliance with policy, an incident is generated and the remediation process begins

5. Remediation process is triggered in Identity Management System, which consults the policy engine

6. Identity Manager modifies the user's access to systems to bring the system into compliance with policy
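The closed loop described on this slide, sketched as an added example (not Novell's code and not the Sentinel or Identity Manager API): a toy policy engine flags an access event that no role justifies, and the remediation step revokes the excess entitlement. The role names, resource names, event fields and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed policy: role -> resources that role may use (hypothetical names).
POLICY = {"ap_clerk": {"erp:invoices"}, "dba": {"db:cardholder"}}

@dataclass
class Identity:
    user: str
    roles: set
    entitlements: set  # access actually provisioned on the target systems

def permitted(identity):
    """Policy engine: union of the resources the identity's roles allow."""
    return set().union(*(POLICY.get(r, set()) for r in identity.roles))

def evaluate(event, directory):
    """Check one collected event against policy; return an incident or None."""
    identity = directory.get(event["user"])
    if identity is None:
        return {"event": event, "reason": "unknown identity"}
    if event["resource"] not in permitted(identity):
        return {"event": event, "reason": "access not granted by any role"}
    return None

def remediate(incident, directory):
    """Consult the policy engine again and revoke unjustified entitlements."""
    identity = directory.get(incident["event"]["user"])
    if identity is None:
        return set()  # nothing provisioned to revoke; needs manual follow-up
    excess = identity.entitlements - permitted(identity)
    identity.entitlements -= excess
    return excess

def process(events, directory):
    """Run the loop over collected events; return (incident, revoked) pairs."""
    incidents = (evaluate(e, directory) for e in events)
    return [(i, remediate(i, directory)) for i in incidents if i is not None]

# Constructed sample data: jdoe kept a database grant from an earlier job.
DIRECTORY = {
    "jdoe": Identity("jdoe", {"ap_clerk"}, {"erp:invoices", "db:cardholder"}),
    "asmith": Identity("asmith", {"dba"}, {"db:cardholder"}),
}
EVENTS = [{"user": u, "resource": r} for u, r in [
    ("jdoe", "erp:invoices"), ("jdoe", "db:cardholder"),
    ("asmith", "db:cardholder"), ("svc_tmp", "db:cardholder")]]

if __name__ == "__main__":
    for incident, revoked in process(EVENTS, DIRECTORY):
        print(incident["event"]["user"], incident["reason"], sorted(revoked))
```

The event from the unknown account still produces an incident even though there is nothing to deprovision, so it stays visible for reporting and manual follow-up.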


Compliance Benefits


Drivers for Compliance Initiatives*

[Figure labels: Centralisation; Processes; Tools; Automation Cost of Compliance; External Requirements; Achievement of Compliance Drivers; Compliance; Consultants / Auditors; Internal Requirements]

*University of Erlangen-Nuremberg


Compliance generates Business Benefits

[Figure axes: Implementation Complexity; Business Benefit]

Sarbanes-Oxley

• Section 302: CEO and CFO must personally certify their financial statements

• Section 404: Auditors must certify internal controls and processes

• Section 409: Real-time disclosure of material business events

Driver: Insufficient Risk Controls

Driver: Insufficient Business Controls

• Basel II (Standardized Approach): Enforces Basel I guidelines

• Capital Accord (Basel I): Sets Standards For Credit Risk Management

• Basel II (Foundation IRB): Provides Capital Relief for Advanced Risk Management

• Basel II (Advanced IRB): Maximum Capital Relief for Advanced Risk Management

New Capital Accord (Basel II)

Benefit: Reduced Capital Allocations

Benefit: Improved Business Processes


Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.