Jacques Folon
www.folon.com, Partner, Edge Consulting
Professor at ICHEC; Lecturer (Maître de conférences) at the Université de Liège; Visiting Professor at Université Saint-Louis (Brussels), Université de Lorraine and ESC Rennes School of Business
Digital strategy Information security
Identity Access Management
Table of contents
1. Introduction
2. Information security definition
3. Risk analysis
4. Myth of cybersecurity
5. Identity access management
6. Cloud computing
7. The weakest link: the employee
8. E-Discovery
9. Conclusion
The value of information goes beyond the written words, numbers and images: knowledge, concepts, ideas and brands are examples of intangible forms of information.
In an interconnected world, information and related processes, systems, networks and personnel involved in their operation, handling and protection are assets that, like other important business assets, are valuable to an organization’s business and consequently deserve or require protection against various hazards.
ISO/IEC 27002:2013
2. DEFINITION
www.intertek.com
Information Security Overview
Issue 2 © Intertek QATAR www.intertek.com
WHAT IS
OF INFORMATION ?
Availability – the property of being accessible and usable upon demand by an authorised entity
The elements of information security
act of informing –
✓ what is conveyed or represented by a particular arrangement or sequence of things.
✓ data as processed, stored, or transmitted by a computer.
✓ facts provided or learned about something or someone.
Where is information residing?
Information – is of value to the organization, consequently requires adequate protection!
Information needs to be protected !
ISO 27001:2013 OVERVIEW
Provisioning
Single Sign-On
PKI / Strong Authentication
Federation
Directories
Authorization
Secure Remote Access
Password Management
Web Services Security
Auditing & Reporting
Role-based Management
DRM
Source: Identity and Access Management: Overview, Rafal Lukawiecki - Strategic Consultant, [email protected]
Q: What’s posted on this monitor?
a – password to financial application
b – phone messages
c – to-do’s
Q: What determines your employee’s access?
a – give Alice whatever Wally has
b – roles, attributes, and requests
c – whatever her manager says
Q: Who is the most privileged user in your enterprise?
a – security administrator
b – CFO
c – the summer intern who is now working for your competitor
Q: How secure is your identity data?
a – It is in 18 different secured stores
b – We protect the admin passwords
c – Privacy? We don’t hold credit card numbers
Q: How much are manual compliance controls costing your organization?
a – nothing, no new headcount
b – don’t ask
c – don’t know
Today’s IT Challenges
More Agile Business
• More accessibility for employees, customers and partners
• Higher level of B2B integrations
• Faster reaction to changing requirements
More Secured Business
• Organized crime
• Identity theft
• Intellectual property theft
• Constant global threats
More Compliant Business
• Increasing regulatory demands
• Increasing privacy concerns
• Business viability concerns
State Of Security In Enterprise
• Incomplete
– Multiple point solutions from many vendors
– Disparate technologies that don’t work together
• Complex
– Repeated point-to-point integrations
– Mostly manual operations
• ‘Non-compliant’
– Difficult to enforce consistent set of policies
– Difficult to measure compliance with those policies
Identity Management Values
• Trusted and reliable security
• Efficient regulatory compliance
• Lower administrative and development costs
• Enable online business networks
• Better end-user experience
IAM MEANS MANAGING THE EMPLOYEE’S LIFECYCLE (HIRING, RECRUITING, PROMOTION, CHANGE, LEAVING) AND THE IMPACTS ON THE INFORMATION MANAGEMENT SYSTEM
Source: CLUSIF
IAM is a legal obligation!
• IAM IS DEFINED BY THE BUSINESS (HR, SCM, ETC.)
• AND FOLLOWING THE LEGAL FRAMEWORK
• AND TECHNICALLY IMPLEMENTED
IAM IS BUSINESS & ICT + LEGAL
Source: CLUSIF
IAM INCLUDES
• DATABASE OF ALL AND EVERY USER
• DATABASE OF ALL TYPES OF PROFILES & ROLES
• DEFINITION BEFOREHAND
• DEFINE WHICH ROLE FOR WHICH EMPLOYEE
• DEFINITION OF LOGINS & PASSWORDS
• AUDIT
• REPORTING
• ACCESS CONTROL
Source: CLUSIF
Definition
• What is Identity Management? “Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” The Burton Group (a research firm specializing in IT infrastructure for the enterprise)
• Identity Management in this sense is sometimes called “Identity and Access Management” (IAM)
I AM AT ICHEC…
• “MY NAME IS JULIE AND I AM A STUDENT.” (Identity)
• “This is my password.” (Authentication)
• “I want access to my account.” (Authorization OK)
• “I want to adapt my grade.” (Authorization rejected)
What are the questions?
• Is this person the one she said she is?
• Is she a member of our group?
• Did she receive the necessary authorization?
• Is data privacy OK?
Types of questions for a newcomer
– Which kind of password?
– Which activities are accepted?
– Which are forbidden?
– To which category does this person belong?
– When do we have to give the authorization?
– What control do we need?
– Could we demonstrate our procedure in court?
IAM triple A
Authentication – WHO ARE YOU?
Authorization / Access Control – WHAT CAN YOU DO?
Audit – WHAT HAVE YOU DONE?
Components of IAM
• Administration
– User Management
– Password Management
– Workflow
– Delegation
• Access Management
– Authentication
– Authorization
• Identity Management
– Account Provisioning
– Account Deprovisioning
– Synchronisation
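The triple A and the IAM components above, worked through on the Julie example from the earlier slide, as an added Python example that is not part of this deck or of Lukawiecki's presentation. The in-memory identity store, the role and permission names and the password are constructed for illustration; every authentication and authorization decision is written to an audit log, and deprovisioning disables the account rather than deleting it so the audit trail survives the student's departure.

```python
"""Minimal IAM 'triple A' model: authentication, authorization, audit.

Added example, not from the slides. The store, roles, permissions and
the user 'julie' are all constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Role -> permissions. Authorization is decided against roles, not against
# individual users, so changing someone's role re-scopes their access at once.
ROLE_PERMISSIONS = {
    "student": {"view_own_grades", "view_timetable"},
    "lecturer": {"view_own_grades", "view_timetable", "edit_grade"},
}

PBKDF2_ITERATIONS = 100_000  # slow hash so a stolen store is hard to crack offline


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password; never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    roles: set
    salt: bytes
    pw_hash: bytes
    active: bool = True


@dataclass
class IdentityStore:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    # --- Administration: provisioning / deprovisioning (the employee lifecycle) ---
    def provision(self, username: str, password: str, roles) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, set(roles), salt, _derive(password, salt))
        self._audit("provision", username, True)

    def deprovision(self, username: str) -> None:
        # A leaver is disabled, not deleted: the account can no longer be used,
        # but the audit history of what it did stays intact.
        self.accounts[username].active = False
        self._audit("deprovision", username, True)

    # --- Authentication: WHO ARE YOU? ---
    def authenticate(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        ok = (acct is not None and acct.active
              and hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash))
        self._audit("authenticate", username, ok)
        return ok

    # --- Authorization / access control: WHAT CAN YOU DO? ---
    def authorize(self, username: str, permission: str) -> bool:
        acct = self.accounts.get(username)
        ok = (acct is not None and acct.active
              and any(permission in ROLE_PERMISSIONS.get(r, set()) for r in acct.roles))
        self._audit("authorize:" + permission, username, ok)
        return ok

    # --- Audit: WHAT HAVE YOU DONE? ---
    def _audit(self, action: str, username: str, ok: bool) -> None:
        # Append-only record of every decision, successful or not.
        self.audit_log.append((action, username, "ALLOW" if ok else "DENY"))


def julie_scenario() -> list:
    """Replays the slide: identity, password, allowed request, rejected request, leaving."""
    store = IdentityStore()
    store.provision("julie", "correct horse battery staple", ["student"])  # hiring
    store.authenticate("julie", "correct horse battery staple")  # "this is my password"
    store.authorize("julie", "view_own_grades")                  # "access to my account": OK
    store.authorize("julie", "edit_grade")                       # "adapt my grade": rejected
    store.deprovision("julie")                                   # leaving
    store.authenticate("julie", "correct horse battery staple")  # denied once deprovisioned
    return store.audit_log


if __name__ == "__main__":
    for entry in julie_scenario():
        print(*entry)
```

The audit log is what answers the newcomer question "could we demonstrate our procedure in court?": each line ties an identity to an action and a decision, including the rejected grade change and the failed login after deprovisioning.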
[Figure: Reliable Identity Data at the centre, surrounded by Administration, Authorization and Authentication]
Source: Identity and Access Management: Overview, Rafal Lukawiecki - Strategic Consultant, [email protected]
Welcome to a digital world
• Internet is based on IP identification
• Everybody has different profiles
• Each platform has a different authentication system
• Users are the weakest link
• Cybercrime increases
• Controls mean identification
• Data privacy imposes controls & security
• e-discovery imposes ECM
Explosion of IDs
[Chart: number of digital IDs over time (pre-1980s, 1980s, 1990s, 2000s), growing with each wave: mainframe applications, client/server, Internet, business automation, company (B2E), partners (B2B), customers (B2C), mobility]
Source: Identity and Access Management: Overview, Rafal Lukawiecki - Strategic Consultant, [email protected]
The Disconnected Reality
• “Identity Chaos”
– Many users
– Many IDs
– Many logins & passwords
– Multiple repositories of identity information
– Multiple user IDs, multiple passwords
[Figure: Enterprise Directory alongside HR, infrastructure application, Office, in-house application, external app, Finance and employee application, each holding its own authentication, authorization and identity data]
Source: Identity and Access Management: Overview, Rafal Lukawiecki - Strategic Consultant, [email protected]
Multiple Contexts
[Figure: your COMPANY and your EMPLOYEES at the centre, connected to your SUPPLIERS, your PARTNERS, your REMOTE and VIRTUAL EMPLOYEES, and your CUSTOMERS]
• Customer satisfaction & customer intimacy; cost competitiveness; reach, personalization
• Collaboration; outsourcing; faster business cycles; process automation; value chain
• M&A; mobile/global workforce; flexible/temp workforce
Source: Identity and Access Management: Overview, Rafal Lukawiecki - Strategic Consultant, [email protected]
Trends Impacting Identity
Increasing Threat Landscape
• Identity theft costs banks and credit card issuers $1.2 billion in 1 yr
• $250 billion lost from exposure of confidential info
Maintenance Costs Dominate IT Budget
• On average employees need access to 16 apps and systems
• Companies spend $20-30 per user per year for PW resets
Deeper Line of Business Automation and Integration
• One half of all enterprises have SOA under development
• Web services spending growing 45%
Rising Tide of Regulation and Compliance
• SOX, HIPAA, GLB, Basel II, 21 CFR Part 11, …
• $15.5 billion spend on compliance (analyst estimate)
Data Sources: Gartner, AMR Research, IDC, eMarketer, U.S. Department of Justice
Pain Points
Business Owner: too expensive to reach new partners, channels; need for control
End User: too many passwords; long waits for access to apps, resources
IT Admin: too many user stores and account admin requests; unsafe sync scripts
Developer: redundant code in each app; rework code too often
Security/Compliance: too many orphaned accounts; limited auditing ability
Source: Identity and Access Management: Overview, Rafal Lukawiecki - Strategic Consultant, [email protected]
Cost reduction
• Directory Synchronization: “Improved updating of user data: $185 per user/year”; “Improved list management: $800 per list” - Giga Information Group
• Password Management: “Password reset costs range from $51 (best case) to $147 (worst case) for labor alone.” – Gartner
• User Provisioning: “Improved IT efficiency: $70,000 per year per 1,000 managed users”; “Reduced helpdesk costs: $75 per user per year” - Giga Information Group
Can We Just Ignore It All?
• Today, the average corporate user spends 16 minutes a day logging on
• A typical home user maintains 12-18 identities
• Number of phishing sites grew over 1600% over the past year
• Corporate IT Ops manage an average of 73 applications and 46 suppliers, often with individual directories
• Regulators are becoming stricter about compliance and auditing
• Orphaned accounts and identities lead to security problems
Source: Microsoft’s internal research and Anti-Phishing Working Group
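The orphaned-account problem named above, and the "unsafe sync scripts" and directory-synchronization items on the pain-point and cost-reduction slides, come down to one control: reconciling the HR system of record against every identity store. The following added Python example (not from the deck, and not any vendor's tool) shows that reconciliation as a read-only report. The HR feed and the directory export are constructed CSV samples; the column names, the service account and the employee IDs are assumptions for illustration. It flags accounts to disable (present in the directory but absent or marked as left in HR), accounts still to create, and accounts whose department no longer matches HR (role drift), leaving the actual deprovisioning to a reviewed workflow rather than to a script that writes straight into the directory.

```python
"""Reconcile an HR feed against a directory export to find orphaned accounts.

Added example, not from the slides. Sample data below is constructed.
"""
import csv
import io

# Constructed HR system-of-record extract (the business defines who exists).
HR_FEED = """employee_id,name,department,status
1001,Alice Martin,finance,active
1002,Bob Dupont,sales,left
1003,Carla Rossi,it,active
1004,Dan Lee,hr,active
"""

# Constructed directory export (what can actually log in today).
DIRECTORY_EXPORT = """employee_id,username,department,enabled
1001,amartin,finance,true
1002,bdupont,sales,true
1003,crossi,sales,true
9999,svc-backup,,true
"""


def parse_csv(text: str) -> list:
    """Parse a CSV extract into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_rows: list, dir_rows: list) -> dict:
    """Compare HR (source of truth) with the directory and report the differences.

    Returns a dict with three lists:
      disable    - enabled directory accounts with no active HR owner (orphans)
      create     - active HR people who have no directory account yet
      role_drift - (username, directory department, HR department) mismatches
    The function only reports; nothing is changed in either system.
    """
    hr = {row["employee_id"]: row for row in hr_rows}
    directory = {row["employee_id"]: row for row in dir_rows}
    report = {"disable": [], "create": [], "role_drift": []}

    for emp_id, acct in directory.items():
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing to do
        person = hr.get(emp_id)
        if person is None or person["status"] != "active":
            # Leaver, or an account (e.g. a service account) that HR never owned.
            report["disable"].append(acct["username"])
        elif person["department"] != acct["department"]:
            # The person moved; their entitlements may no longer match their job.
            report["role_drift"].append((acct["username"], acct["department"], person["department"]))

    for emp_id, person in hr.items():
        if person["status"] == "active" and emp_id not in directory:
            report["create"].append(emp_id)  # joiner waiting for provisioning

    return report


if __name__ == "__main__":
    result = reconcile(parse_csv(HR_FEED), parse_csv(DIRECTORY_EXPORT))
    for action, items in result.items():
        print(f"{action}: {items}")
```

Run against the sample data, the report asks for bdupont (left) and svc-backup (no HR owner) to be disabled, for employee 1004 to be provisioned, and for crossi's department to be reviewed. In practice the same comparison is run on a schedule, and the "disable" list is the input to the deprovisioning step of the employee lifecycle rather than something applied automatically without review.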
IAM Benefits
Benefits today (Tactical) / Benefits to take you forward (Strategic)
• Save money and improve operational efficiency
• Improved time to deliver applications and service
• Enhance Security
• Regulatory Compliance and Audit
• New ways of working
• Improved time to market
• Closer Supplier, Customer, Partner and Employee relationships
Source: Identity and Access Management: Overview, Rafal Lukawiecki - Strategic Consultant, [email protected]
IAM to-do list
• Automatic account management
• Archiving
• Data privacy
• Compliance
• Security vs. risks
• User identification
• E-business
• M2M
First, what the heck is Cloud Computing? …in simple, plain English please!
Andy Harjanto I’m cloud confused http://www.andyharjanto.com
Let’s use a simple analogy. Say you just moved to a city, and you’re looking for a nice place to live.
You can either build a house or rent an apartment.
If you build a house, there are a few important decisions you have to make…
How big is the house? Are you planning to grow a large family?
Remodel, addition typically cost a lot more once the house is built.
But, you get a chance to customize it
Roof
Once the house is built, you’re responsible for maintenance:
Hire Landscaper, Electrician, Plumber; Pay property tax, Electricity, Water; Gutter Cleaning, Heating and Cooling, House Keeping
Consider a builder in your city builds a huge number of apartment units.
A unit can easily be converted into 2, 3, 4 or more units.
You make fewer, simpler decisions.
You can start with one unit and grow later, or downsize.
But… You do not have a lot of options to customize your unit.
However, builders provide you with very high quality infrastructure: high speed Internet, high capacity electricity, triple pane windows, green materials.
Just pay your rent and utilities.
Pay as You Go
As an end-consumer, believe it or not, you’ve been using Cloud for long times.
OK, Now tell that to the business owner.
Give up your data, then you can use this infrastructure for free.
Building Enterprise Software is like…. Medieval Castle
Stone Wall, Fire-proof, Moat, Army, Death Hole
Let’s Hire an Army of IT Engineers
Software Upgrade Support, Backup/Restore, Service Pack, Development, Network issues
Let’s Build Huge Data Center
Capacity Planning, Disaster Plan, Cooling Management, Server Crashes
Cloud Computing: Definition
• No Unique Definition or General Consensus about what Cloud Computing is…
• Different Perspectives & Focuses (Platform, SW, Service Levels…)
• Flavours:
✦ Computing and IT Resources Accessible Online
✦ Dynamically Scalable Computing Power
✦ Virtualization of Resources
✦ Abstraction of IT Infrastructure: No need to understand its implementation: use Services & their APIs
✦ Some current players, at the Infrastructure & Service Level: Salesforce.com, Google Apps, Amazon, Yahoo, Microsoft, IBM, HP, etc.
The Future of Identity in the Cloud: Requirements, Risks & Opportunities – Marco Casassa Mont, [email protected], HP Labs Systems Security Lab, Bristol, UK - EEMA e-Identity Conference, 2009
Cloud Computing: Implications
• Enterprise: Paradigm Shift from “Close & Controlled” IT Infrastructures and Services to Externally Provided Services and IT Infrastructures
• Private User: Paradigm Shift from Accessing Static Set of Services to Dynamic & Composable Services
• General Issues:
– Potential Loss of Control (on Data, Infrastructure, Processes, etc.)
– Data & Confidential Information Stored in The Clouds
– Management of Identities and Access (IAM) in the Cloud
– Compliance to Security Practice and Legislation
– Privacy Management (Control, Consent, Revocation, etc.)
– New Threat Environments
– Reliability and Longevity of Cloud & Service Providers
Identity in the Cloud: Enterprise Case – Issues and Risks [1/2]
• Potential Proliferation of Required Identities & Credentials to Access Services
– Misbehaviours when handling credentials (writing down, reusing, sharing, etc.)
• Propagation of Identity and Personal Information across Multiple Clouds/Services
– Privacy issues (e.g. compliance to multiple Legislations, Importance of Location, etc.)
– Exposure of business sensitive information (employees’ identities, roles, organisational structures, enterprise apps/services, etc.)
– How to effectively Control this Data?
• Delegation of IAM and Data Management Processes to Cloud and Service Providers
– How to get Assurance that these Processes and Security Practice are Consistent with Enterprise Policies?
– How to deal with overall Compliance and Governance issues?
Identity in the Cloud: Enterprise Case – Issues and Risks [2/2]
• Migration of Services between Cloud and Service Providers
– Management of Data Lifecycle
• Threats and Attacks in the Clouds and Cloud Services
– Cloud and Service Providers can be the “weakest links” in Security & Privacy
– Reliance on good security practice of Third Parties
• Technical security
– Risk analysis
– Back-up
– Disaster recovery
– Identity management
– Strong logins & passwords
• Legal security
– Information in the employment contracts
– Contracts with subcontractors
– Code of conduct
– Compliance
– Control of the employees
Definition of e-discovery
• Electronic discovery (or e-discovery) refers to discovery in civil litigation which deals with information in electronic format, also referred to as Electronically Stored Information (ESI).
• It means the collection, preparation, review and production of electronic documents in litigation discovery.
• Any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.
• This includes e-mail, attachments, and other data stored on a computer, network, backup or other storage media. e-Discovery includes metadata.
Recommendations
Organizations should update and/or create information management policies and procedures that include:
– e-mail retention policies. On an individual level, employees tend to keep information on their hard drives “just in case” they might need it.
– Work with users to rationalize their storage requirements and decrease their storage budget.
– off-line and off-site data storage retention policies,
– controls defining which users have access to which systems and under what circumstances,
– instructions for how and where users can store data, and
– backup and recovery procedures.
– Assessments or surveys should be done to identify business functions, data repositories, and the systems that support them.
– Legal must be consulted. Organizations and their legal teams should work together to create and/or update their data retention policies and procedures for managing litigation holds.
• Information security is a legal question, not only business & IT
• Compliance is important
• More security due to
– Cloud computing
– Virtualisation
– Data privacy
– Archiving
• Transparency
• E-discovery
IAM could be an opportunity
• Rethink security
• Risk reduction
• Cost reduction
• Precise roles & responsibilities
Jacques [email protected]
Credits
M. Martins: https://fr.slideshare.net/MarceloMartinsCISSPC/information-security-strategic-management?qid=17d48b57-2499-4fc4-9801-b6e96a036ddc&v=&b=&from_search=2
Business Continuity Institute: https://fr.slideshare.net/TheBCEye/risk-based-cyber-security?qid=8057ce87-091d-4364-a0f3-ff24e44bb913&v=&b=&from_search=4
W. Brown: https://fr.slideshare.net/whbrown5/how-secure-is-your-business-fraud-risk-analysis-and-security-management?qid=59280de3-32f9-4260-94e4-38989615b7f4&v=&b=&from_search=8
PECB: https://fr.slideshare.net/PECBCERTIFICATION/check-if-you-are-ready-for-isms-implementation?qid=cfac8544-a584-4fe4-b752-0d5cacabd8ea&v=&b=&from_search=14
N. Rao: https://fr.slideshare.net/NareshRao3/iso-27001-2013-isms-final-overview?qid=7c622233-05ea-489b-88e5-30751c3ee08b&v=&b=&from_search=8
VERIZON: https://fr.slideshare.net/VerizonEnterpriseSolutions/2016-data-breach-investigations-report-dbir-cybersecurity-on-slideshare?qid=1f9f7d1a-7a0e-431e-b7fb-98bcb94c935b&v=&b=&from_search=2
ACCENTURE: https://fr.slideshare.net/AccentureOperations/the-state-of-cybersecurity-and-digital-trust-2016?qid=1f9a736f-882d-4b3b-82b1-87b447f9b2ea&v=&b=&from_search=11