Author: ibm-security-systems
Recent security breaches by trusted insiders have propelled Identity and Access Management (IAM) to the top security priority of many organizations. After all, it’s clear security is only as strong as its weakest link – people – and the press is full of articles documenting the damage people can do. So it’s natural for security managers to want to shore up their IAM infrastructure to avoid similar embarrassment. But IAM needs to be approached with an eye towards the full extended environment and by taking associated risks into account. In other words, whether you are starting from scratch or taking on new IAM challenges such as cloud security, there are certain IAM tenets you should follow to build a successful, effective IAM solution. Don’t join the Hall of Shame by having a security breach at your organization. Attend this webcast to learn five ways a typical IAM solution can fail, so you don’t make the same mistakes. View the full on-demand webcast: https://www2.gotomeeting.com/register/410951466
5 Reasons your IAM Solution Will Fail
Chris Poulin, IBM Security Systems
July 2014
© 2013 IBM Corporation
In this era of Mobile, Cloud, & Social, security is a major concern
Mobile: 50% of employers will require BYOD for work by 2017; 90% of the top mobile apps have been hacked
Cloud: 55% of CIOs to source all their critical applications in Cloud by 2020; 72% of organizations saw unauthorized access to cloud in the past 12 months
Social: 54% of CIOs cited social media as one of the most disruptive technologies; 75% of enterprises cited social media as the top information security risk
Source: 1. Gartner – May 2013
More than half a billion records of personally identifiable information (PII) were leaked in 2013
Enterprise Security is only as strong as its weakest link – Identity
55% of scam and phishing incidents are campaigns enticing users to click on malicious links
Criminals are selling stolen or fabricated accounts
Social media is fertile ground for pre-attack intelligence gathering
Source: IBM X-Force® Research 2013 Trend and Risk Report
Mobile and Cloud are breaking down the traditional perimeter
IAM becomes the first line of defense with threat and context awareness
Reason #1: Human Factors—User Behavior
Users will try to get around strict policies:
• Invest minimum effort in creating passwords: lack of strength and variety, reused across multiple authentication domains
• Do not enable out-of-band / multi-factor authentication
• Use third-party cloud services over enterprise-provided ones
• Store passwords in Evernote
…plus strong password requirements can themselves sometimes jeopardize safety
Reason #2: Identity Sprawl
Multiple internal authentication sources: Microsoft Active Directory, legacy systems and directories, custom applications
…and external directories: cloud services, social media networks
Directories, databases, files, SAP, web services, applications
Reason #3: Losing Control
The device ownership model is changing: mobile devices (smartphones & tablets), BYOD including employee-owned laptops
Not all devices have the concept of identity: the holder is the owner
Reason #4: Rogue Privileged Insiders
Those with administrative privileges can abuse that trust for profit, revenge or convenience
“$348B a year in corporate losses can be tied directly to privileged user fraud.” – Raytheon, “Privileged Users” whitepaper, 2014
Reason #5: Lack of Visibility—If You Can’t See It...
...is it really a threat?
What are your users up to? How do you know? How do you prove it?
When you turn on the lights, the cockroaches skitter under the fridge
=> Visibility, monitoring, auditing
Avoiding the 5 pitfalls of identity and access management
User Behavior: single sign-on; context-based authentication; risk-based transaction context
Identity Sprawl: directory integration; federated identity (incl. SCIM)
Control / BYOD: one-time registration; device fingerprinting
Privileged ID: eliminate shared passwords; audit super users; record sessions
Visibility: security intelligence; follow user activity; detect & report anomalous behavior
How to enable security through IAM
User behavior: simplify their experience through context-based authentication
Identity sprawl: connect your directory stores, in-house, in the cloud, on the web
Mobile & BYOD: trust the device, trust the application, trust the transaction
Privileged users: inventory, control, and track administrative users & credentials
Lack of visibility: security intelligence
Single Sign-On to web based applications on mobile devices
Single sign-on and elimination of password entry using ESSO
Results: users don’t need to remember multiple passwords, improving access security
Context-based authentication & access, based on risk (IBM Security Access Manager)
1. User accesses data from inside the corporate network
2. User is only asked for user ID and password to authenticate
3. User accesses confidential data from outside the corporate network
4. User is asked for user ID/password and an OTP, based on risk score
(Diagram: SSO in front of enterprise applications/data, with strong authentication and an audit log; inside vs. outside the corporate network)
• Security gateway for user access based on risk level (e.g. permit, deny, step-up authenticate)
• Risk scoring using user attributes and real-time context (e.g. device registration, geolocation, IP reputation, etc.)
• Supports built-in One-Time Password (OTP) and the ability to integrate with third-party strong authentication vendors
• Software Development Kit (SDK) for third-party integration and extensibility
Secure access and protect content against targeted attacks (IBM Security Access Manager)
Access operation → Grant/Deny
• An authorized user requests access to the portal and SSO → Grant
• Password is stolen, session is hijacked and HTTP content is compromised → Deny
• HTTP content contains common vulnerabilities such as SQL injection, cross-site scripting, cross-site request forgery → Deny
• IP address has a low IP reputation score and geolocation is allowed → Deny
• Enforce step-up authentication or context-based access to restore authorized user access → Grant
Protects portals and web applications (e.g. Java, .NET, more) for B2B partners, citizens, mobile users and the supply chain
Identity-aware application access on mobile devices (IBM Security Access Manager with the application server)
Before: name/password for every app launch
After: one-time registration code, then identity-aware application launch
• Eliminate user ID and password based login on mobile apps
• Assurance through a one-time registration code to link device with application and user identity
• Identity and device “fingerprinting”: silent and consent-based device registration
• Self-service user interface for device registration and access revocation
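To make the one-time registration flow above concrete, here is an added example (hypothetical server-side logic, not IBM Security Access Manager code; the class, the five-minute code lifetime and the fingerprint attributes are assumptions): a short-lived, single-use registration code issued after an interactive login binds a hashed device fingerprint to the user, after which the app presents a device-bound token instead of a password, and the user can revoke the device themselves.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

CODE_TTL_SECONDS = 300  # assumption: a registration code is valid for five minutes


def fingerprint_hash(attrs: dict) -> str:
    """Stable hash of the device attributes the app reports (model, OS, app id, install id)."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class DeviceRegistry:
    """Hypothetical server-side device registry backing an identity-aware app launch."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key          # HMAC key, kept server-side only
        self._clock = clock             # injectable so expiry can be tested
        self._pending = {}              # registration code -> (user, expiry)
        self._devices = {}              # device_id -> {"user", "fp", "revoked"}

    def issue_registration_code(self, user: str) -> str:
        """Called once the user has authenticated interactively (ID/password, MFA)."""
        code = f"{secrets.randbelow(10**8):08d}"   # 8 digits, easy to type on a phone
        self._pending[code] = (user, self._clock() + CODE_TTL_SECONDS)
        return code

    def register_device(self, code: str, attrs: dict) -> Optional[Tuple[str, str]]:
        """Consume the code and bind this device to the user. Returns (device_id, token)."""
        entry = self._pending.pop(code, None)   # pop: the code is single-use
        if entry is None:
            return None
        user, expiry = entry
        if self._clock() > expiry:
            return None
        fp = fingerprint_hash(attrs)
        device_id = secrets.token_hex(16)
        self._devices[device_id] = {"user": user, "fp": fp, "revoked": False}
        return device_id, self._token(device_id, fp)

    def authenticate_device(self, device_id: str, token: str, attrs: dict) -> Optional[str]:
        """Later launches: no password, just the device-bound token plus the live fingerprint."""
        rec = self._devices.get(device_id)
        if rec is None or rec["revoked"]:
            return None
        fp = fingerprint_hash(attrs)
        if fp != rec["fp"]:
            return None   # fingerprint drift (e.g. reinstall): force re-registration
        if not hmac.compare_digest(token, self._token(device_id, fp)):
            return None
        return rec["user"]

    def revoke(self, user: str, device_id: str) -> bool:
        """Self-service revocation: a user may only revoke devices bound to them."""
        rec = self._devices.get(device_id)
        if rec is None or rec["user"] != user:
            return False
        rec["revoked"] = True
        return True

    def _token(self, device_id: str, fp: str) -> str:
        # The token is derived, not stored, so a leaked device table alone does not leak tokens.
        msg = f"{device_id}:{fp}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()
```

The fingerprint is hashed so the server keeps no raw device attributes; the trade-off is that any attribute change invalidates the binding, so the attributes chosen should be ones that survive OS updates.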
Risk-based access and stronger authentication for transactions
User attempts high-value transaction → strong authentication challenge → transaction completes
Reduce risk associated with mobile user and service transactions. Example: transactions of less than $100 are allowed with no additional authentication; a transfer of more than $100 requires an OTP for strong authentication.
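As an added example covering the inside/outside flow and the grant/deny table on the earlier slides as well as the transaction rule here (a hypothetical policy, not ISAM's risk engine; the signal weights, thresholds, allowed-country list and reputation scale are all assumptions): a small risk engine turns request context into a permit / step-up / deny decision, treats hostile request content as a hard deny, and requires an OTP for transfers over $100 even when the context is otherwise clean.

```python
from dataclasses import dataclass


@dataclass
class AccessContext:
    """Attributes the gateway knows at request time (constructed; the fields are assumptions)."""
    user: str
    inside_corporate_network: bool
    device_registered: bool
    country: str
    ip_reputation: int               # assumed scale: 0 = known bad ... 100 = clean
    resource_confidential: bool
    transaction_amount: float = 0.0  # 0 for plain page access
    otp_verified: bool = False       # set once a step-up challenge has succeeded
    hostile_content: bool = False    # upstream inspection flagged SQLi/XSS/CSRF in the request


# policy knobs (assumptions)
ALLOWED_COUNTRIES = {"US", "CA", "GB"}
LOW_REPUTATION = 30
STEP_UP_THRESHOLD = 40
DENY_THRESHOLD = 80
HIGH_VALUE_AMOUNT = 100.0   # from the slide: transfers above $100 need an OTP


def risk_score(ctx: AccessContext) -> int:
    """Additive score; each signal is independent so the decision stays explainable."""
    score = 0
    if not ctx.inside_corporate_network:
        score += 20
    if not ctx.device_registered:
        score += 20
    if ctx.country not in ALLOWED_COUNTRIES:
        score += 30
    if ctx.ip_reputation < LOW_REPUTATION:
        score += 40
    if ctx.resource_confidential:
        score += 20
    return score


def decide(ctx: AccessContext) -> str:
    """Return 'permit', 'step-up' or 'deny' for one request."""
    if ctx.hostile_content:
        return "deny"        # attack traffic is denied regardless of who sent it
    score = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        return "deny"        # e.g. low-reputation IP from outside, even from an allowed country
    high_value = ctx.transaction_amount > HIGH_VALUE_AMOUNT
    if (score >= STEP_UP_THRESHOLD or high_value) and not ctx.otp_verified:
        return "step-up"     # challenge for an OTP, then re-evaluate with otp_verified=True
    return "permit"
```

Note that a verified OTP lifts a step-up but never a deny: step-up is for doubt about who the user is, deny is for contexts (or request content) the policy will not accept from anyone.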
“Untangle” identity silos with directory integration and federation
• Migrate or co-exist
• Join multiple directories
• Enrich with data from other sources
• Federate authentication back to the original source
• Selective “writes” of changes to the original source
• Create a single source of truth for identity information using Federated Directory Services
• SCIM REST interface for the LDAP server
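The SCIM REST interface mentioned above exposes LDAP users in the SCIM 2.0 User representation (RFC 7643). As an added example (not IBM's Federated Directory Services code; the inetOrgPerson-to-SCIM attribute mapping, the sample entry, the lock-status attribute and the base URL are assumptions), here is that translation, including the ListResponse envelope a GET /Users returns.

```python
import json
from typing import Dict, List, Optional

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed entry in the shape python-ldap returns (attribute -> list of bytes).
SAMPLE_ENTRY = {
    "dn": "uid=jdoe,ou=people,dc=example,dc=com",
    "entryUUID": [b"6a2d8e4c-1f9b-4c7e-9d3a-0b1c2d3e4f50"],
    "uid": [b"jdoe"],
    "cn": [b"Jane Doe"],
    "givenName": [b"Jane"],
    "sn": [b"Doe"],
    "mail": [b"jdoe@example.com", b"jane.doe@example.com"],
    "telephoneNumber": [b"+1 555 0100"],
    "memberOf": [b"cn=admins,ou=groups,dc=example,dc=com",
                 b"cn=staff,ou=groups,dc=example,dc=com"],
}


def _values(entry: dict, attr: str) -> List[str]:
    return [v.decode("utf-8") for v in entry.get(attr, [])]


def _first(entry: dict, attr: str) -> Optional[str]:
    vals = _values(entry, attr)
    return vals[0] if vals else None


def _rdn_value(dn: str) -> str:
    """'cn=admins,ou=groups,...' -> 'admins' (sufficient for DNs without escaped commas)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def ldap_to_scim(entry: dict, base_url: str) -> Dict:
    """Translate one inetOrgPerson entry into a SCIM 2.0 User resource."""
    uid = _first(entry, "uid")
    user_id = _first(entry, "entryUUID") or uid   # a stable operational id is preferred over uid
    emails = _values(entry, "mail")
    return {
        "schemas": [SCIM_USER],
        "id": user_id,
        "externalId": entry["dn"],
        "userName": uid,
        "name": {"formatted": _first(entry, "cn"),
                 "givenName": _first(entry, "givenName"),
                 "familyName": _first(entry, "sn")},
        "displayName": _first(entry, "cn"),
        "emails": [{"value": m, "primary": i == 0} for i, m in enumerate(emails)],
        "phoneNumbers": [{"value": p, "type": "work"} for p in _values(entry, "telephoneNumber")],
        "groups": [{"value": g, "display": _rdn_value(g)} for g in _values(entry, "memberOf")],
        # assumption about the source: OpenLDAP ppolicy sets pwdAccountLockedTime on locked accounts
        "active": "pwdAccountLockedTime" not in entry,
        "meta": {"resourceType": "User", "location": f"{base_url}/Users/{user_id}"},
    }


def scim_list_response(users: List[Dict], start_index: int = 1) -> Dict:
    """Envelope for GET /Users (RFC 7644 ListResponse)."""
    return {
        "schemas": [SCIM_LIST],
        "totalResults": len(users),
        "startIndex": start_index,
        "itemsPerPage": len(users),
        "Resources": users,
    }


def to_json(resource: Dict) -> str:
    return json.dumps(resource, indent=2)
```

The `active` flag is the attribute a cloud consumer of this interface most needs to get right: if the mapping cannot see the directory's lock status, a disabled LDAP account keeps working in every federated SaaS application.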
Find, control, and track privileged & shared identity activity
Privileged User Activity Monitoring:
• Recording and logging of user activity in sessions accessed through a shared ID
• Discourage users with privilege from abusing their rights
Full visibility and accountability with closed-loop IAM analytics
(Diagram: IAM Analytics & Security Intelligence in a loop with Identity Management and Risk-Based Access; identity change, access policy, access certification, accounts updated, and detect-and-correct of local privilege settings, across HR systems/identity stores, data, applications, on/off-premise resources, cloud and mobile)
Real-time insider fraud detection with integrated IAM Analytics and Security Intelligence
Detect threats, monitor user activity and detect anomalies
• Identity and Access Manager event logs offer rich insights into actual users and their roles
• IAM integration with QRadar SIEM provides detection of break-ins tied to actual users & roles
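An added example (constructed events and thresholds, not QRadar rules or a real product log format) of the user-centric detection this kind of integration enables, run over a few constructed IAM events: a login from a country the user has never used before, a privileged session under a shared ID that nobody checked out (so no named user can be held accountable for the recorded session), and a burst of failed logins followed by a success.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed IAM events, one JSON object per line (not a real product format).
SAMPLE_LOG = """\
{"ts":"2014-07-01T09:00:00Z","event":"login_success","user":"alice","country":"US"}
{"ts":"2014-07-01T17:30:00Z","event":"login_success","user":"alice","country":"US"}
{"ts":"2014-07-02T03:10:00Z","event":"login_success","user":"alice","country":"RO"}
{"ts":"2014-07-02T10:00:00Z","event":"checkout","user":"bob","shared_id":"oracle"}
{"ts":"2014-07-02T10:01:00Z","event":"priv_session","shared_id":"oracle","host":"db01"}
{"ts":"2014-07-02T11:30:00Z","event":"priv_session","shared_id":"root","host":"db01"}
{"ts":"2014-07-02T12:00:00Z","event":"login_failure","user":"carol","country":"US"}
{"ts":"2014-07-02T12:01:00Z","event":"login_failure","user":"carol","country":"US"}
{"ts":"2014-07-02T12:02:00Z","event":"login_failure","user":"carol","country":"US"}
{"ts":"2014-07-02T12:03:00Z","event":"login_failure","user":"carol","country":"US"}
{"ts":"2014-07-02T12:04:00Z","event":"login_failure","user":"carol","country":"US"}
{"ts":"2014-07-02T12:05:00Z","event":"login_success","user":"carol","country":"US"}
"""

CHECKOUT_TTL = timedelta(hours=4)       # assumption: a checkout covers sessions for 4 hours
FAILURE_THRESHOLD = 5                   # assumption
FAILURE_WINDOW = timedelta(minutes=10)  # assumption


def parse_events(text: str):
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield e


def detect(text: str) -> List[Dict]:
    """Run three user-centric rules over the event stream; return findings in time order."""
    findings = []
    seen_countries = defaultdict(set)   # user -> countries with a prior successful login
    checkouts = {}                      # shared_id -> (named user, valid until)
    failures = defaultdict(deque)       # user -> timestamps of recent failed logins

    for e in parse_events(text):
        kind = e["event"]
        if kind in ("login_failure", "login_success"):
            q = failures[e["user"]]
            while q and e["ts"] - q[0] > FAILURE_WINDOW:
                q.popleft()             # age out failures older than the window
        if kind == "login_failure":
            q.append(e["ts"])
        elif kind == "login_success":
            user = e["user"]
            if len(q) >= FAILURE_THRESHOLD:
                findings.append({"rule": "failures_then_success", "user": user,
                                 "ts": e["ts"], "failures": len(q)})
            q.clear()
            known = seen_countries[user]
            if known and e["country"] not in known:
                findings.append({"rule": "new_country", "user": user,
                                 "ts": e["ts"], "country": e["country"]})
            known.add(e["country"])
        elif kind == "checkout":
            checkouts[e["shared_id"]] = (e["user"], e["ts"] + CHECKOUT_TTL)
        elif kind == "priv_session":
            owner = checkouts.get(e["shared_id"])
            if owner is None or e["ts"] > owner[1]:
                findings.append({"rule": "unattributed_shared_id", "shared_id": e["shared_id"],
                                 "host": e["host"], "ts": e["ts"]})
    return findings
```

Every finding carries a named user or the shared ID, which is what lets a SIEM tie it to a role; the unattributed shared-ID rule is what makes "record sessions" worth doing, since a recording nobody can attribute is only half an audit trail.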
Manage Enterprise Identity Context Across All Security Domains
Complete Threat-aware Identity and Access Management
Identity is a key security control for a multi-perimeter world
Today: Administration
• Operational management
• Compliance driven
• Static, trust-based
Tomorrow: Assurance
• Security risk management
• Business driven
• Dynamic, context-based
Today IAM is centralized and internal: Enterprise IAM
Tomorrow IAM is decentralized and external: Enterprise IAM, Cloud IAM, BYO-IDs, SaaS, Device-IDs, App IDs, IaaS, PaaS
Organizations use a maturity model for IAM to support security
Domains: Compliance, Mobile Security, Cloud Security, IAM Governance, Privileged IdM
Optimized: security intelligence (user activity monitoring, anomaly detection, identity analytics & reporting); IAM integration with GRC; fine-grained entitlements; integrated web & mobile access gateway; risk/context-based access; governance of SaaS applications; IAM as a SaaS; risk/context-based IAM governance; risk/context-based privileged identity management
Proficient: closed-loop identity & access management; strong authentication (e.g. device based); web application protection; bring your own ID; integrated IAM for IaaS, PaaS & SaaS (enterprise); access certification & fulfillment (enterprise); closed-loop privileged identity management
Basic: request-based identity management; web access management; federated SSO; mobile user access management; federated access to SaaS (LoB); user provisioning for cloud/SaaS; access certification (LoB); shared access and password management
Landscape of Identity & Access Management market is evolving
By 2020, 70% of enterprises will use attribute-based access control as the dominant mechanism to protect critical assets, and 80% of user access will be shaped by new mobile and non-PC architectures that service all identity types regardless of origin.[1]
With the growing adoption of mobile, adaptive authentication and fine-grained authorization, traditional Web Access Management is being replaced by a broader “access management.”[1]
A clear need exists in the market for a converged solution[2] that is able to provide or integrate with MDM, authentication, federation, and fraud detection solutions.[3]
1. Gartner, Predicts 2014: Identity and Access Management, November 26, 2013
2. Gartner, MarketScope for Web Access Management, November 15, 2013
3. Forrester, Predictions 2014: Identity and Access Management, January 7, 2014
Deliver actionable identity intelligence; safeguard mobile, cloud and social access; simplify cloud integrations and identity silos; prevent advanced insider threats
• Validate “who is who”, especially when users connect from outside the enterprise
• Proactively enforce access policies on web, social and mobile collaboration channels
• Manage and audit privileged access across the enterprise
• Defend applications and data against unauthorized access
• Provide federated access to enable secure online business collaboration
• Unify the “Universe of Identities” for efficient directory management
• Streamline identity management across all security domains
• Manage and monitor user entitlements and activities with security intelligence
Threat-aware Identity and Access Management becomes the first line of defense for securing a multi-perimeter world
Connect with IBM Security
IBM Security Insights blog at www.SecurityIntelligence.com
IBM Identity & Access Management at www.ibm.com
Follow us at @ibmsecurity
www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.