Jacques Folon, www.folon.com, Partner, Edge Consulting. Professor at ICHEC; Lecturer (maître de conférences) at Université de Liège; Visiting professor at Université Saint Louis (BXL), Université de Lorraine and ESC Rennes School of Business. Digital strategy, information security, Identity Access Management.

digital strategy and information security



Table of contents
1. Introduction
2. Information security definition
3. Risk analysis
4. Myth of cybersecurity
5. Identity access management
6. Cloud computing
7. The weakest link: the employee
8. E-Discovery
9. Conclusion

1. Introduction

"The value of information goes beyond the written words, numbers and images: knowledge, concepts, ideas and brands are examples of intangible forms of information. In an interconnected world, information and related processes, systems, networks and personnel involved in their operation, handling and protection are assets that, like other important business assets, are valuable to an organization's business and consequently deserve or require protection against various hazards."

(ISO/IEC 27002:2013)

2. Definition

Source: https://www.britestream.com/difference.html

Source: Intertek QATAR, Information Security Overview, Issue 2 (www.intertek.com)

What is ... of information?

Availability – the property of being accessible and usable upon demand by an authorised entity.

The elements of information security

Information – the act of informing:
✓ what is conveyed or represented by a particular arrangement or sequence of things;
✓ data as processed, stored, or transmitted by a computer;
✓ facts provided or learned about something or someone.

Where does information reside?

Information is of value to the organization and consequently requires adequate protection!

Information needs to be protected!

ISO 27001:2013 overview

3. Risk analysis

Example of a cyber attack

4. Myths and cybersecurity

5. Identity Access Management (IAM)

IAM covers:
• Provisioning
• Single Sign-On
• PKI / Strong Authentication
• Federation
• Directories
• Authorization
• Secure Remote Access
• Password Management
• Web Services Security
• Auditing & Reporting
• Role-based Management
• DRM

Source: Identity and Access Management: Overview, Rafal Lukawiecki, Strategic Consultant, [email protected]

5 Questions to ask your CISO

Q: What's posted on this monitor?
a – password to financial application; b – phone messages; c – to-do's

Q: What determines your employee's access?
a – give Alice whatever Wally has; b – roles, attributes, and requests; c – whatever her manager says

Q: Who is the most privileged user in your enterprise?
a – security administrator; b – CFO; c – the summer intern who is now working for your competitor

Q: How secure is your identity data?
a – it is in 18 different secured stores; b – we protect the admin passwords; c – privacy? We don't hold credit card numbers

Q: How much are manual compliance controls costing your organization?
a – nothing, no new headcount; b – don't ask; c – don't know

Today's IT challenges

• More agile business: more accessibility for employees, customers and partners; higher level of B2B integrations; faster reaction to changing requirements
• More secured business: organized crime; identity theft; intellectual property theft; constant global threats
• More compliant business: increasing regulatory demands; increasing privacy concerns; business viability concerns

State of security in the enterprise

• Incomplete: multiple point solutions from many vendors; disparate technologies that don't work together
• Complex: repeated point-to-point integrations; mostly manual operations
• "Non-compliant": difficult to enforce a consistent set of policies; difficult to measure compliance with those policies

Identity Management values

• Trusted and reliable security
• Efficient regulatory compliance
• Lower administrative and development costs
• Enable online business networks
• Better end-user experience

IAM means managing the employee's lifecycle (hiring, recruiting, promotion, change, leaving) and the impacts on the information management system.

Source: CLUSIF

IAM is a legal obligation!

• IAM is defined by the business (HR, SCM, etc.)
• and follows the legal framework
• and is technically implemented

IAM is business & ICT + legal

Source: CLUSIF

IAM includes

• a database of all and every user
• a database of all types of profiles & roles
• definition beforehand
• defining which role for which employee
• definition of logins & passwords
• audit
• reporting
• access control

Source: CLUSIF

Definition

• What is Identity Management? "Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities." The Burton Group (a research firm specializing in IT infrastructure for the enterprise)
• Identity Management in this sense is sometimes called "Identity and Access Management" (IAM)

IAM at ICHEC…

• "My name is Julie and I am a student." (Identity)
• "This is my password." (Authentication)
• "I want access to my account." (Authorization OK)
• "I want to adapt my grade." (Authorization rejected)

What are the questions?

• Is this person the one she says she is?
• Is she a member of our group?
• Did she receive the necessary authorization?
• Is data privacy OK?

Types of questions for a newcomer

– Which kind of password?
– Which activities are accepted?
– Which are forbidden?
– To which category does this person belong?
– When do we have to give the authorization?
– What control do we need?
– Could we demonstrate our procedure in court?

IAM: triple A

Authentication – WHO ARE YOU?
Authorization / Access Control – WHAT CAN YOU DO?
Audit – WHAT HAVE YOU DONE?

Components of IAM

• Administration – user management – password management – workflow – delegation
• Access Management – authentication – authorization
• Identity Management – account provisioning – account deprovisioning – synchronisation
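The triple A, the lifecycle described under "IAM means managing the employee's lifecycle" and the Julie example can be put together in one small model. The Python below is an added example, not code from this deck or from the sources it cites; the roles, permissions, the login "julie" and the password are constructed for illustration, and storing passwords as salted PBKDF2 hashes is this example's choice, not a requirement stated on the page.

```python
"""Added example: a minimal IAM model covering the employee lifecycle
(joiner / mover / leaver) and the triple A: authentication (who are you?),
authorization (what can you do?) and audit (what have you done?).
Roles, permissions, logins and passwords below are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Role -> permissions (constructed): a student can read her grades, only a
# lecturer or the registrar can change them.
ROLE_PERMISSIONS = {
    "student": {"grades:read"},
    "lecturer": {"grades:read", "grades:write"},
    "registrar": {"grades:read", "grades:write", "account:create"},
}


@dataclass
class Identity:
    login: str
    role: str
    salt: bytes
    pw_hash: bytes
    active: bool = True


class IAM:
    def __init__(self):
        self.directory = {}   # login -> Identity: the single identity store
        self.audit_log = []   # (login, action, outcome): the audit trail

    @staticmethod
    def _hash(password, salt):
        # Salted PBKDF2-HMAC-SHA256; the password itself is never stored.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def _audit(self, login, action, outcome):
        self.audit_log.append((login, action, outcome))

    # Joiner: provisioning creates the account with exactly one role.
    def provision(self, login, role, password):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        salt = os.urandom(16)
        self.directory[login] = Identity(login, role, salt, self._hash(password, salt))
        self._audit(login, f"provision:{role}", "ok")

    # Mover: a promotion or change replaces the role; rights do not accumulate.
    def change_role(self, login, new_role):
        if new_role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {new_role!r}")
        ident = self.directory[login]
        self._audit(login, f"change_role:{ident.role}->{new_role}", "ok")
        ident.role = new_role

    # Leaver: deprovisioning disables the account but keeps the record, so
    # the audit trail still points at a known identity.
    def deprovision(self, login):
        self.directory[login].active = False
        self._audit(login, "deprovision", "ok")

    # Authentication: WHO ARE YOU?
    def authenticate(self, login, password):
        ident = self.directory.get(login)
        if ident is None or not ident.active:
            self._audit(login, "authenticate", "denied")
            return False
        ok = hmac.compare_digest(ident.pw_hash, self._hash(password, ident.salt))
        self._audit(login, "authenticate", "ok" if ok else "denied")
        return ok

    # Authorization: WHAT CAN YOU DO? Decided by the role, not by who asks.
    def authorize(self, login, permission):
        ident = self.directory.get(login)
        allowed = (ident is not None and ident.active
                   and permission in ROLE_PERMISSIONS[ident.role])
        self._audit(login, f"authorize:{permission}", "ok" if allowed else "denied")
        return allowed


def demo():
    """Walk Julie through hiring, promotion and leaving; return what happened."""
    iam = IAM()
    iam.provision("julie", "student", "correct horse battery staple")       # joiner
    results = {
        "julie_authn": iam.authenticate("julie", "correct horse battery staple"),
        "julie_wrong_pw": iam.authenticate("julie", "guess"),
        "julie_read": iam.authorize("julie", "grades:read"),    # "I want access to my account"
        "julie_write": iam.authorize("julie", "grades:write"),  # "I want to adapt my grade"
    }
    iam.change_role("julie", "lecturer")                                    # mover
    results["julie_write_after_promotion"] = iam.authorize("julie", "grades:write")
    iam.deprovision("julie")                                                # leaver
    results["julie_after_leaving"] = iam.authenticate("julie", "correct horse battery staple")
    results["audit_log"] = list(iam.audit_log)                             # WHAT HAVE YOU DONE?
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Deprovisioning disables rather than deletes, so every audit entry stays attributable to a known identity; an account that is still enabled after its owner has left is exactly the orphaned account the later slides warn about.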

Figure: reliable identity data at the centre of Administration, Authorization and Authentication.

Source: Identity and Access Management: Overview, Rafal Lukawiecki, Strategic Consultant, [email protected]

Context in 2017

Various identities co-exist

IRL & virtual identity

• Internet is based on IP identification
• everybody has different profiles
• each platform has a different authentication system
• users are the weakest link
• cybercrime increases
• controls mean identification
• data privacy imposes controls & security
• e-discovery imposes ECM

Welcome to a digital world

Explosion of IDs (chart): number of digital IDs over time, pre-1980s through the 2000s, growing with each application wave (mainframe, client/server, Internet, business automation) and with each population (company / B2E, partners / B2B, customers / B2C, mobility).

Source: Identity and Access Management: Overview, Rafal Lukawiecki, Strategic Consultant, [email protected]

The disconnected reality

• "Identity chaos" – many users – many IDs – many logins & passwords – multiple repositories of identity information – multiple user IDs, multiple passwords

Figure: the enterprise directory alongside HR, infrastructure application, Office, in-house application, external app, finance and employee application, each holding its own authentication, authorization and identity data.

Source: Identity and Access Management: Overview, Rafal Lukawiecki, Strategic Consultant, [email protected]

Multiple contexts (figure): your company and your employees; your suppliers; your partners; your remote and virtual employees; your customers. Drivers: customer satisfaction & customer intimacy, cost competitiveness, reach, personalization; collaboration, outsourcing, faster business cycles, process automation, value chain; M&A, mobile/global workforce, flexible/temp workforce.

Source: Identity and Access Management: Overview, Rafal Lukawiecki, Strategic Consultant, [email protected]

Trends impacting identity

• Increasing threat landscape: identity theft costs banks and credit card issuers $1.2 billion in 1 yr; $250 billion lost from exposure of confidential info
• Maintenance costs dominate IT budget: on average employees need access to 16 apps and systems; companies spend $20-30 per user per year for PW resets
• Deeper line of business automation and integration: one half of all enterprises have SOA under development; web services spending growing 45%
• Rising tide of regulation and compliance: SOX, HIPAA, GLB, Basel II, 21 CFR Part 11, …; $15.5 billion spend on compliance (analyst estimate)

Data sources: Gartner, AMR Research, IDC, eMarketer, U.S. Department of Justice

Pain points

• Business owner: too expensive to reach new partners, channels; need for control
• End user: too many passwords; long waits for access to apps, resources
• IT admin: too many user stores and account admin requests; unsafe sync scripts
• Developer: redundant code in each app; rework code too often
• Security/compliance: too many orphaned accounts; limited auditing ability

Source: Identity and Access Management: Overview, Rafal Lukawiecki, Strategic Consultant, [email protected]

Why do we need IAM?

• Security
• Compliance
• Cost control
• Audit support
• Access control

Source: ftp://ftp.boulder.ibm.com/software/uk/productnews/tv/vh_-_access_and_identity_management.pdf

Cost reduction

• Directory synchronization: "Improved updating of user data: $185 per user/year"; "Improved list management: $800 per list" (Giga Information Group)
• Password management: "Password reset costs range from $51 (best case) to $147 (worst case) for labor alone." (Gartner)
• User provisioning: "Improved IT efficiency: $70,000 per year per 1,000 managed users"; "Reduced help desk costs: $75 per user per year" (Giga Information Group)

Can we just ignore it all?

• Today, the average corporate user spends 16 minutes a day logging on
• A typical home user maintains 12-18 identities
• The number of phishing sites grew over 1600% over the past year
• Corporate IT ops manage an average of 73 applications and 46 suppliers, often with individual directories
• Regulators are becoming stricter about compliance and auditing
• Orphaned accounts and identities lead to security problems

Source: Microsoft's internal research and Anti-Phishing Working Group
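The "identity chaos" of the disconnected-reality figure, the orphaned accounts and unsafe sync scripts in the pain points, and the last bullet above all come down to the same check: compare every account repository against the authoritative HR record. The Python below is an added example, not the deck's code nor Microsoft's; the employees, logins, e-mail addresses and repositories are constructed, and treating the HR feed as the source of truth for employment status is an assumption of the example.

```python
"""Added example: reconcile an authoritative HR feed against the enterprise
directory and per-application account lists. Reports, without changing
anything, the "identity chaos" symptoms: orphaned accounts, active employees
without a directory account, and people holding several different logins.
All employees, logins and repositories below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    employee_id: str
    email: str
    status: str  # "active" or "left"


# Constructed HR feed: the authoritative source for who is still employed.
HR_FEED = [
    Employee("E100", "alice@example.test", "active"),
    Employee("E101", "bob@example.test", "active"),
    Employee("E102", "carol@example.test", "left"),
    Employee("E103", "dave@example.test", "active"),
]

# Constructed repositories: each maps login -> owner's e-mail as that system
# recorded it (None = no recorded owner, e.g. a shared service account).
REPOSITORIES = {
    "enterprise_directory": {
        "alice": "alice@example.test",
        "bob": "bob@example.test",
        "carol": "carol@example.test",   # still enabled after Carol left
    },
    "finance_app": {
        "alice.f": "alice@example.test",
        "carol": "carol@example.test",
        "svc_batch": None,
    },
    "in_house_app": {"a.smith": "alice@example.test"},
}


def reconcile(hr_feed, repositories, authoritative_repo="enterprise_directory"):
    """Compare every repository with the HR feed and return the findings."""
    active = {e.email for e in hr_feed if e.status == "active"}
    orphaned = []            # (repo, login) with no active employee behind it
    logins_by_person = {}    # email -> set of logins seen across repositories
    for repo, accounts in repositories.items():
        for login, owner in accounts.items():
            if owner not in active:          # covers leavers and ownerless accounts
                orphaned.append((repo, login))
            else:
                logins_by_person.setdefault(owner, set()).add(login)
    # Active employees who never got an account in the central directory.
    directory_owners = set(repositories[authoritative_repo].values())
    missing = [(authoritative_repo, email) for email in sorted(active - directory_owners)]
    # One person, several logins: the "multiple user IDs, multiple passwords" symptom.
    multiple = {email: sorted(logins) for email, logins in logins_by_person.items()
                if len(logins) > 1}
    return {"orphaned": sorted(orphaned), "missing": missing, "multiple_logins": multiple}


if __name__ == "__main__":
    for finding, items in reconcile(HR_FEED, REPOSITORIES).items():
        print(finding, items)
```

The script only reports. Acting on a finding (disable first, delete after a retention period, with an approval step) belongs in the provisioning workflow; a sync script that deletes on its own is the "unsafe sync script" of the pain-points slide.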

IAM benefits

Benefits to take you forward (strategic) and benefits today (tactical):
• Save money and improve operational efficiency
• Improved time to deliver applications and services
• Enhanced security
• Regulatory compliance and audit
• New ways of working
• Improved time to market
• Closer supplier, customer, partner and employee relationships

Source: Identity and Access Management: Overview, Rafal Lukawiecki, Strategic Consultant, [email protected]

IAM to-do list

• Automatic account management
• Archiving
• Data privacy
• Compliance
• Security vs risks
• User identification
• E-business
• M2M

6. Cloud computing

First, what the heck is Cloud Computing? …in simple, plain English please!

Source: Andy Harjanto, "I'm cloud confused", http://www.andyharjanto.com

Let's use a simple analogy. Say you just moved to a city, and you're looking for a nice place to live. You can either build a house or rent an apartment.

If you build a house, there are a few important decisions you have to make. How big is the house? Are you planning to grow a large family? Remodelling and additions typically cost a lot more once the house is built. But you get a chance to customize it (the roof, for instance). Once the house is built, you're responsible for maintenance: hire a landscaper, an electrician, a plumber; pay property tax, electricity, water; gutter cleaning, heating and cooling, housekeeping.

How about renting? Consider a builder in your city who builds a huge number of apartment units. A unit can easily be converted into 2, 3, 4 or more units. You make fewer, simpler decisions: you can start with one unit and grow later, or downsize. But you do not have a lot of options to customize your unit. However, builders provide you with very high quality infrastructure: high speed Internet, high capacity electricity, triple pane windows, green materials. No need to worry about maintenance. Just pay your rent and utilities: pay as you go.

Let's translate to Cloud Computing. As an end-consumer, believe it or not, you've been using the Cloud for a long time. Most of these services are free; in return, you're willing to give away your information for ads and other purposes. But you've been enjoying a high reliability service, (limited) storage, connecting and sharing.

OK, now tell that to the business owner: "Give up your data, then you can use this infrastructure for free." "Are you crazy?" will answer the CEO. My business needs security, privacy, reliability, high availability.

Building enterprise software is like a medieval castle: stone wall, fire-proof, moat, army, death hole.

Let's hire an army of IT engineers: software upgrade support, backup/restore, service packs, development, network issues. Let's build a huge data center: capacity planning, disaster plan, cooling management, server crashes.

In the Cloud, your data is replicated 3 or 4 times in their data center (high availability). Adding "servers" is a click away, running in just minutes, not days. High traffic? It can even load balance your server traffic. Expect your Cloud network to always be up. Yes, you can even pick where your data and "servers" reside. Don't forget data privacy issues.

So we know what Cloud is and the choice we have.

Cloud Computing: definition

• No unique definition or general consensus about what Cloud Computing is…
• Different perspectives & focuses (platform, SW, service levels…)
• Flavours:
✦ Computing and IT resources accessible online
✦ Dynamically scalable computing power
✦ Virtualization of resources
✦ Abstraction of IT infrastructure: no need to understand its implementation, use services & their APIs
✦ Some current players, at the infrastructure & service level: Salesforce.com, Google Apps, Amazon, Yahoo, Microsoft, IBM, HP, etc.

Source: The Future of Identity in the Cloud: Requirements, Risks & Opportunities, Marco Casassa Mont ([email protected]), HP Labs Systems Security Lab, Bristol, UK, EEMA e-Identity Conference, 2009

Cloud Computing: implications

• Enterprise: paradigm shift from "closed & controlled" IT infrastructures and services to externally provided services and IT infrastructures
• Private user: paradigm shift from accessing a static set of services to dynamic & composable services
• General issues: – potential loss of control (on data, infrastructure, processes, etc.) – data & confidential information stored in the clouds – management of identities and access (IAM) in the cloud – compliance to security practice and legislation – privacy management (control, consent, revocation, etc.) – new threat environments – reliability and longevity of cloud & service providers

Identity in the Cloud: enterprise case, issues and risks [1/2]

• Potential proliferation of required identities & credentials to access services → misbehaviours when handling credentials (writing down, reusing, sharing, etc.)
• Propagation of identity and personal information across multiple clouds/services → privacy issues (e.g. compliance to multiple legislations, importance of location, etc.); exposure of business-sensitive information (employees' identities, roles, organisational structures, enterprise apps/services, etc.); how to effectively control this data?
• Delegation of IAM and data management processes to cloud and service providers → how to get assurance that these processes and security practices are consistent with enterprise policies? How to deal with overall compliance and governance issues?

Identity in the Cloud: enterprise case, issues and risks [2/2]

• Migration of services between cloud and service providers → management of the data lifecycle
• Threats and attacks in the clouds and cloud services → cloud and service providers can be the "weakest links" in security & privacy; reliance on the good security practice of third parties

7. The weakest link: the employee

Need to check: legal limits, data controller responsibility, teleworking, data theft, data transfer.

• limitation of control
• private email
• penalties
• who controls
• security is mandatory!
• technical security – risk analysis – back-up – disaster recovery – identity management – strong logins & passwords
• legal security – information in the employment contracts – contracts with subcontractors – code of conduct – compliance – control of the employees

Control?

8. E-discovery

Definition of e-discovery

• Electronic discovery (or e-discovery) refers to discovery in civil litigation which deals with information in electronic format, also referred to as Electronically Stored Information (ESI).
• It means the collection, preparation, review and production of electronic documents in litigation discovery.
• Any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.
• This includes e-mail, attachments, and other data stored on a computer, network, backup or other storage media. E-discovery includes metadata.

Recommendations

Organizations should update and/or create information management policies and procedures that include:

– e-mail retention policies. On an individual level, employees tend to keep information on their hard drives "just in case" they might need it. Work with users to rationalize their storage requirements and decrease their storage budget.
– off-line and off-site data storage retention policies,
– controls defining which users have access to which systems and under what circumstances,
– instructions for how and where users can store data, and
– backup and recovery procedures.
– Assessments or surveys should be done to identify business functions, data repositories, and the systems that support them.
– Legal must be consulted. Organizations and their legal teams should work together to create and/or update their data retention policies and procedures for managing litigation holds.

9. Conclusion

• Information security is a legal question, not only business & IT
• Compliance is important
• More security due to – cloud computing – virtualisation – data privacy – archiving
• Transparency
• E-discovery

IAM could be an opportunity

• Rethink security
• Risk reduction
• Cost reduction
• Precise roles & responsibilities

Any questions?

Jacques [email protected]

Credits

• M. Martins: https://fr.slideshare.net/MarceloMartinsCISSPC/information-security-strategic-management?qid=17d48b57-2499-4fc4-9801-b6e96a036ddc&v=&b=&from_search=2
• Business Continuity Institute: https://fr.slideshare.net/TheBCEye/risk-based-cyber-security?qid=8057ce87-091d-4364-a0f3-ff24e44bb913&v=&b=&from_search=4
• W. Brown: https://fr.slideshare.net/whbrown5/how-secure-is-your-business-fraud-risk-analysis-and-security-management?qid=59280de3-32f9-4260-94e4-38989615b7f4&v=&b=&from_search=8
• PECB: https://fr.slideshare.net/PECBCERTIFICATION/check-if-you-are-ready-for-isms-implementation?qid=cfac8544-a584-4fe4-b752-0d5cacabd8ea&v=&b=&from_search=14
• N. Rao: https://fr.slideshare.net/NareshRao3/iso-27001-2013-isms-final-overview?qid=7c622233-05ea-489b-88e5-30751c3ee08b&v=&b=&from_search=8
• Verizon: https://fr.slideshare.net/VerizonEnterpriseSolutions/2016-data-breach-investigations-report-dbir-cybersecurity-on-slideshare?qid=1f9f7d1a-7a0e-431e-b7fb-98bcb94c935b&v=&b=&from_search=2
• Accenture: https://fr.slideshare.net/AccentureOperations/the-state-of-cybersecurity-and-digital-trust-2016?qid=1f9a736f-882d-4b3b-82b1-87b447f9b2ea&v=&b=&from_search=11