8/16/2019 Presentations Access Control for IT Assets NEO Chapter November 2012
1/33
ACCESS CONTROL FOR IT ASSETS
Mike Thomas
Erie Insurance
CONTENTS
Identity Management
Foundations and basics
What needs to be protected
IT Risk perspective
WHAT’S ACCESS CONTROL?
Well, it’s pretty obvious. But the more important IT becomes, as we continue to put our most trusted assets into an IT context, as we rely more and more on IT to do critical work and services for us, and as the RISK of loss or interruption of our IT assets becomes more critical, Access Control is part of the foundation of a viable IT infrastructure. Without it you might lose your time, money, and identity.
ACCESS CONTROL BASIC COMPONENTS
Asset Target – Data or Application
User – Person or System Object
Policy – Sets ‘Need to Know’ Principle
Reference Monitor –
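The four components above, put together in a small added example (not code from the presentation): a reference monitor that mediates every request from a user (person or system object) to an asset (data or application) against a need-to-know policy expressed as role grants, denies by default and records every decision. The users, assets and roles are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset          # roles assigned by the identity master
    is_person: bool = True    # False for a system object such as a batch job

@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                 # "data" or "application"
    classification: str       # "public" or "non-public"

# Policy: each role gets only the (asset, action) pairs it needs.
# Anything not listed is denied; that is the 'need to know' principle.
ROLE_GRANTS = {
    "claims_adjuster": {("claims_db", "read"), ("claims_db", "write")},
    "auditor":         {("claims_db", "read"), ("billing_app", "read")},
    "nightly_batch":   {("billing_app", "execute")},
}

class ReferenceMonitor:
    """Sits between every user and every asset; default deny; audits all decisions."""
    def __init__(self, grants):
        self.grants = grants
        self.audit_log = []   # (user, asset, action, decision)

    def decide(self, user: User, asset: Asset, action: str) -> bool:
        # Public data may be read by any authenticated identity; everything
        # else needs an explicit grant through one of the user's roles.
        if asset.classification == "public" and action == "read":
            allowed = True
        else:
            allowed = any((asset.name, action) in self.grants.get(r, set())
                          for r in user.roles)
        self.audit_log.append((user.name, asset.name, action,
                               "ALLOW" if allowed else "DENY"))
        return allowed

CLAIMS_DB   = Asset("claims_db", "data", "non-public")        # constructed
RATE_SHEET  = Asset("rate_sheet", "data", "public")           # constructed

def demo():
    rm = ReferenceMonitor(ROLE_GRANTS)
    ann = User("ann", frozenset({"claims_adjuster"}))
    bob = User("bob", frozenset({"auditor"}))
    job = User("nightly_batch_svc", frozenset({"nightly_batch"}), is_person=False)
    results = {"ann_writes_claims":   rm.decide(ann, CLAIMS_DB, "write"),
               "bob_writes_claims":   rm.decide(bob, CLAIMS_DB, "write"),
               "job_reads_claims":    rm.decide(job, CLAIMS_DB, "read"),
               "job_reads_ratesheet": rm.decide(job, RATE_SHEET, "read")}
    return results, len(rm.audit_log)
```

Every request, allowed or denied, lands in the audit log, which is what makes the monitor reviewable by management or a third party.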
DETERMINE WHAT NEEDS TO BE PROTECTED
An inventory of IT assets would be a good place to start
ITIL based inventories are very good if you have them
I like to break them down using Westerman’s Risk Pyramid:
Business Requirements
Applications
Data
Infrastructure
THE IT RISK PYRAMID (WESTERMAN HUNTER MIT 2007)
BUSINESS STRATEGY (AGILITY)
This is where Policies, Standards, and Guidelines come from
Laws and Regulations, Public and Private – GLBA, SOX, PCI
Access controls have to ‘Fit’ what the organization wants and support its mission
APPLICATIONS
Business and organization processes – programs that sell something, manufacture something, offer a service, do something useful
The really important programs that don’t monitor or manage processes deal with making and managing data.
Programs often reflect the mission, activities, and major purposes of an organization.
People need programs to get things done
Programs need to be secured
DATA
Data is the second biggest problem for security professionals today. Complexity is the biggest.
Electronic data is growing faster than any other aspect of the IT universe. We are making data at a ridiculous pace.
It needs to be managed and secured.
People need access to data, usually through programs and applications
‘Need to Know’ is more important than ever.
Data should be able to stand on its own regardless of what application needs or uses it (James Martin)
In the Pyramid context, Data should be a prerequisite to the application.
INFRASTRUCTURE
Infrastructure is at the bottom of the Pyramid
All other things run on it
If it is not done well or not secured and controlled properly things will not go well
Poor implementation at the infrastructure level will ripple through all other layers
Access Control applies to infrastructure targets as well
THE HUMAN TARGETS
At the end of the day the majority of the access control purpose is focused on people.
People make and use data to do their work.
This is the hardest part of access controls
IT RISK
THE 4A FRAMEWORK FOR MANAGING IT RISK
Availability – Keep the systems running and recover from interruptions.
Access – Ensure appropriate access to data and systems so the right people have the access they need and the wrong people don’t.
Accuracy – Provide correct, timely, and complete information.
Agility – The capability to change with managed cost and speed.
IT RISK MECHANICS
[Diagram: IT risk mechanics. Labels recoverable from the figure: 4A Framework (Availability, Access, Accuracy, Agility); Assess Strategic IT Risks (External Forces, Strategic Initiatives, Executive Team Knowledge); IT Risk Management Strategies; Assess IT Risk Management Program (IT and Business Manager Knowledge); Risk Governance Plans, Foundation Plans, Awareness Plans; Risk Disciplines: Foundation, Process, Awareness.]
IT RISK DRIVES ACCESS CONTROL
Access control is needed for business assets that are at the highest risk of loss, misuse, or exposure
Risk analysis allows you to prioritize the need for access control: what needs to be protected and controlled
Resources are always limited so prioritization is a good idea (biggest bang for the buck)
THE ACCESS CONTROL PROGRAM
THE IT SECURITY PROGRAM
This is the development, implementation, and maintenance of all of the components that comprise IT Security at an organization. It organizes these components into Tactical, Operational, and Strategic activities.
The IT Security Program document details all of the IT Security related activities. It shows management or a trusted third party how the organization conducts its IT Security programs and activities.
The IT Security Program will operate a life cycle that includes planning and organization, implementation, operations and maintenance, and monitoring and evaluation.
It includes Access Control and IT Risk
IT PROGRAM OBJECTIVES
The Information Security Program (ISP) is designed to:
Ensure the security and confidentiality of confidential information and IT resources;
Protect against any anticipated threats or hazards to the security or integrity of the information or IT infrastructure; and
Protect against unauthorized access to or use of the information or IT infrastructure that could result in substantial harm or inconvenience to any customer.
ACCESS CONTROL ARCHITECTURE
IT ARCHITECTURE
If you are going to build an IT organization that fits the business mission and all of the associated complexities you will need architecture
Plan and design before you build
IT Security is an integral component of IT Architecture
THE ARCHITECTURE PROCESS
[Diagram: Architecture Principle – Organization and Process. Labels recoverable from the figure: Business Platform Architects; Enterprise Architecture Business Model; IT Governance; Technical Standards; Process Standards; Bricks & Patterns; Business Drivers; EA Project Approval Process; Guidelines and Checklists; Enterprise Architects; Infrastructure Architects; IT Guiding Principles; Technical Feedback; Architecture Fit Based on Principles; Architecture Principles; Approved Projects; Architecture Patterns; Architecture Standards; New Technology Approval Process; Business Architecture; Application Architecture; Data Architecture; Technology Architecture; Architectural Fit Assessment; New System Infrastructure Implementation.]
Business formulates its needs. Engages EA for fit and feasibility.
EA ensures that IT Architecture requirements will be applied. If changes are in order due to project requirements EA will manage any modifications to the Architecture.
IT SECURITY ARCHITECTURE
[Diagram: Enterprise IT Security Architecture Program. Labels recoverable from the figure: Security Service Map; IT Security Roadmap; EA Risk Program; IT Risk Program; IT Security Governance; IT Security Program; Risk Position; Total Security Cost; Current State Security Effectiveness; Risk Measure; Risk Assessment; Total Risk Cost; Annual Loss Rate; Annual Risk Forecast; EA Principle; IT Risk Principles; IT Security Processes; IT Security Life Cycle; IT Security Architecture; Business Drivers; Policy; Standards; Procedures; Security Strategy.]
ACCESS CONTROL ARCHITECTURE
[Diagram: Access Control Architecture of the case-study company. Components recoverable from the figure: Security Administration; Windows, Unix / Linux, ZOS; Programming Interfaces; eTrust SiteMinder; High Level Programming; Project / Supplier / SubProject Cycle; LDAP Meta Directory; Security Models; Model Admin; Security DATA; Role Based Security; Other Security Project; Company / Customers; User Provisioning; Smart Cards; Public CA; Private CA; CA-RCM; SSO; People Soft; Kerberos; Sign; Data Classification; Security Dictionary; Governance / Compliance; Privacy; SOX, PCI, States; Audit; Quarterly Tests; Annual Compliance; Secure Code; Non-Public Info; Application Scan; Prod Isolation; Secure E-Mail; Key Management; Secure Network; Account Mgmt; Firewall Mgmt; 3rd Party Audits; Vendor Access; Field Crypto; HIPS; Wireless; Two Factor; Physical Access; User Models; Security Policy; Automated Provisioning; ID Request WEB; Centrify; Control. Each component is owned by either Company or IT Security.]
IAM CASE STUDY
IAM CASE STUDY POINTS
This shows the complexity of the problem
There are a lot of components in this case study
The components cover all layers from the network up
This is a large organization with tens of thousands of users and millions of customers
It is dispersed over a continent
You must have an architecture to get a handle on this
This also applies to smaller companies and less complex infrastructures
Some of the technology components shown help organize and implement Access Control
Some of these components such as operating systems (ZOS ACF2 Top Secret) and AD have to be managed whether you like it or not
I like LDAP
I like one copy of the Identity Master that all Access Control components use
I like federated Identity and authorization claims
I like Roles
HOW TO DO ACCESS CONTROL
A process and plan to implement Access Control (IREC 2007)
Getting the business partners and even customers involved
ASSESSING RISKS AND ROLES
DEFINING ACCESS RIGHTS
ACCESS CONTROL – BIGGER PICTURE
Do we really have to do this? (outsource it)
The dating game case study
http://www.datehookup.com/
http://www.cupid.com/
http://www.christianmingle.com/
http://www.true.com/
http://www.okcupid.com/
http://www.singlesnet.com/
http://www.eharmony.com/
http://www.zoosk.com/
http://www.plentyoffish.com/
http://www.match.com/
DATING AND SINGLES SITES ARE HAVING BIG PROBLEMS
Social media and sites for singles and dating have grown dramatically in the last ten years
There are over 14,000 singles dating sites in the US alone
The top European site has over 17 million active users
‘SCAMS’ is the name given to con artist scenarios where site customers are subjected to a staged ploy on their interests, up to and including marriage
These are elaborate deceptions designed to elicit money and information out of unsuspecting targets
The CONs are far more likely to originate in Eastern Europe, where most of the complaints have been lodged.
The targets are worldwide, many of them in North and South America.
Complaints from unhappy customers and the theft of PI data including cash are causing credit card companies to shut down many site operators’ ability to take a credit or debit card
They have to solve the Identity and Access Control problem to stay successful
DATING GAME IDENTITY AND ACCESS CONTROL
We approached the problem by looking for a way to assign a trusted value unique to an individual to their account and access control into a site’s services
Account creation was necessary and post validation was required independent of the account set up
But things like fingerprints, voiceprints, and social security numbers were not practical to use as an access control mechanism
We hit on using the cell phone
People are more attached to their cell phones than to any other thing they carry
Most people under 40 will go home from work to get their cell phones but not their wallets
The cell phone number is not a bad way to assist in identifying a person
The call back validation, or an email or a text, can be used to confirm the identity, and the security management process can be tailored for monitoring the owners of the numbers
Cooperation with the service providers is essential
It must be in conjunction with additional factors like E-Mail addresses and other publicly available information
It is not perfect but considering the scale of numbers of users it was deemed viable and several solutions using this venue are in the works
The real trick though is wrapping an Access Control process around this particular problem
Mobile devices are becoming very personal to people, especially cell phones
Digital certificates and private key systems like PGP are starting to appear for the mobile devices
Certificates are not easy to use on mobile devices and the manufacturers have a long way to go
I think it is inevitable
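The call back / text validation described above, as an added example that is not code from the presentation or the case-study company: the server side of a texted one-time code that is bound to the phone number, expires, is single use and tolerates only a limited number of wrong guesses before it must be re-issued. The secret, phone number and limits are constructed placeholders; sending the code over the carrier channel is outside the snippet.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a texted code is only good for five minutes (constructed limit)
MAX_ATTEMPTS = 5         # after this many wrong guesses the code is discarded

class PhoneVerifier:
    """Issues one-time codes for a phone number and checks what the user types back."""

    def __init__(self, server_secret: bytes, now=time.time):
        self._secret = server_secret
        self._now = now            # injectable clock so expiry can be tested offline
        self._pending = {}         # phone -> [code_digest, expires_at, attempts_left]

    def _digest(self, phone: str, code: str) -> bytes:
        # Only an HMAC of (phone, code) is stored, so a leaked table cannot be replayed
        # and a code issued for one number cannot be used for another.
        return hmac.new(self._secret, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, phone: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"          # six digits, zero padded
        self._pending[phone] = [self._digest(phone, code),
                                self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code   # goes out over the SMS/callback channel, never into logs

    def verify(self, phone: str, submitted: str) -> bool:
        entry = self._pending.get(phone)
        if entry is None:
            return False                 # nothing issued, or already used up
        digest, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[phone]     # expired codes cannot be retried
            return False
        if hmac.compare_digest(digest, self._digest(phone, submitted)):
            del self._pending[phone]     # success consumes the code
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[phone]     # too many guesses: force a fresh code
        return False
```

The phone check is one factor; as the slide says, it is meant to sit alongside e-mail and other registration data rather than stand alone.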
SOLUTIONS
There are a lot of Identity Management and Access Control solutions available on the market today. A lot of the operating security systems vendors, IBM and SUN/Oracle and others, have decent products that complement their core security products.
I know that a lot of research and study should go into looking at a solution before you buy.
Getting a solution that works for you is half the work. The other half is good security governance and user provisioning. Without that it is not going to sustain itself over time.
It is a big job and your identity and data depend on it being done well
QUESTIONS?