IBM Security Systems
Threat-aware Identity and Access Management
© 2014 IBM Corporation
Sridhar Muppidi, PhD
IBM Distinguished Engineer
CTO, Identity and Access Management
[email protected]
More than half a billion records of PII were leaked in 2013
Information Security is only as strong as its weakest link – Identity
• 55% of scam and phishing incidents are campaigns enticing users to click on malicious links
• Criminals are selling stolen or fabricated accounts
• Social media is fertile ground for pre-attack intelligence gathering
Source: IBM X-Force® Research 2013 Trend and Risk Report
Mobile and Cloud are breaking down the traditional perimeter
IAM becomes the first line of defense with Threat and Context awareness
Information Security will require focus on Identity and Interactions
Diagram: the four dimensions of interaction
• People: employees, attackers, outsourcers, suppliers, consultants, partners, consumers
• Data: structured, unstructured, at rest, in motion
• Infrastructure: datacenters, PCs, laptops, mobile, cloud, non-traditional
• Applications: systems applications, web applications, Web 2.0, mobile applications
…and that is driving a new approach
1. Identity is a key security control for a multi-perimeter world
Today: Administration
• Operational management
• Compliance driven
• Static, trust-based
Tomorrow: Assurance
• Security risk management
• Business driven
• Dynamic, context-based
2. Cloud & Mobile will center around Identity + Protection + Insights
Diagram: trusted intranet, DMZ and untrusted Internet; an Online Banking application and an Employee application inside the enterprise, Investment API services, and three cloud scenarios: consume apps and services (SaaS), build and deliver apps and services (PaaS), leverage public clouds (IaaS), with apps, APIs and services spanning all of them
3. IAM Analytics will help control the risks across all security domains
Wave 1: Administration
• Cost savings
• Automation
• User lifecycle
Wave 2: Governance
• Role management
• Access certification
• Extended enterprise –
Wave 3: Analytics
• Application usage
• Privileged activity
• Risk-based control
IAM Analytics – Collect and Analyze Identity Data
Wave 1
• User lifecycle
• Key on-premise apps & employees
Wave 2
• Extended enterprise – business partners
• On and off-premise apps
Wave 3
• Risk-based control
• Baseline normal behavior
• Employees, partners, consumers – anywhere
• Improved visibility into how access is being utilized
• Risk-based insights for prioritized compliance actions
• Clear, actionable dashboards for better business decision making
IBM is executing to Threat-aware Identity and Access Management
Manage Enterprise Identity Context Across All Security Domains
IBM Threat-aware Identity and Access Management
Safeguard mobile, cloud and social access
• Validate “who is who”, especially when users connect from outside the enterprise
• Proactively enforce access policies on cloud, social and mobile collaboration channels
Prevent advanced insider threats
• Manage and monitor privileged access across the enterprise
• Defend applications and data against unauthorized access
Simplify cloud integrations and identity silos
• Provide federated access to enable secure online business collaboration
• Unify the “Universe of Identities” for efficient directory management
Deliver actionable identity intelligence
• Streamline identity management across all security domains
• Manage and monitor user entitlements and activities with security intelligence
Key focus areas to address security’s weakest links
Safeguard mobile, cloud and social access
Access Management: helping achieve secure transactions and risk-based enforcement
• Identity-aware application access on the mobile device
• Strong authentication, mobile SSO and session management for secure user interactions
• Context-based access and stronger assurance for transactions
• Transparently enforce security policies for mobile applications
• Enforce security policies without modifying the applications
Diagram: Access Management sits between the Internet (cloud, mobile) and on/off-premise resources (data, applications)
Safeguard mobile, cloud and social access
Cloud scenarios for managing identities and governing user access
SaaS: Secure usage of business applications
Enable employees to connect securely to SaaS
• Identity federation
• SaaS access governance
PaaS (Bluemix): Secure service composition and apps
Integrate identity into services and applications
• DevOps access management
• Authentication and authorization APIs
IaaS: Securing infrastructure and workloads
Manage cloud administration and workload access
• Privileged admin management
• Access management of web workloads
Prevent advanced insider threats
Address insider risks with Privileged Identity Management
• Strong authentication controls and SSO for high-risk account access
• Audit privileged user activity and sensitive data access
• Address compliance, regulatory and privacy requirements
• Secure user access and content against targeted attacks
• Eliminate the need to share passwords for privileged users and shared accounts with automated privileged identity management
• Ensure compliance and audit support with session recording and replay support
• Leverage common identity management and support for applications and resources
Diagram: administrative IDs are checked out of a credential vault, sessions are recorded, and access reaches target systems; governance and IAM Analytics & Security Intelligence span the flow
Simplify identity silos and cloud integrations
“Untangle” identity silos to support secure business expansion
• Universal directory to transform identity silos and to support disparate identity sources
• Scalable directory backbone leveraging existing infrastructure for enterprise-wide Identity and Access Management
• Sourcing of identities and attributes for enterprise applications and Cloud/SaaS integrations, leveraging open standards
• In-depth user insight with reporting and SIEM integration
Diagram: Directory Services and Directory Integration provide search and access across directories, databases, files, SAP, web services and applications
Deliver intelligent identity management
Driving business-driven compliance with Identity Management
• Empower Lines of Business to manage and define user access for governance, risk and compliance
• Reduce the cost of enterprise identity management with centralized policy and integrated role and identity lifecycle management
• Improve user assurance with strong authentication integration and closed-loop user activity monitoring
• Effective and actionable compliance with centralized identity and access management across the enterprise
Diagram: Identity Management is fed by HR systems and identity stores and applies access policy, access certification and risk-based access to accounts on on/off-premise resources (data, applications, cloud, mobile, devices); identity changes update accounts, and local privilege settings are detected and corrected
Organizations are using a maturity model to apply IAM in support of security
Domains: Compliance, Mobile Security, Cloud Security, IAM Governance, Privileged IdM
Basic
• Request-based Identity Mgmt
• Web Access Management
• Federated SSO
• Mobile User Access Management
• Federated access to SaaS (LoB)
• User Provisioning for Cloud/SaaS
• Access Certification (LoB)
• Shared Access and Password Management
Proficient
• Closed-loop Identity & Access Mgmt
• Strong Authentication
• Strong Authentication (e.g. device-based)
• Web Application Protection
• Bring your own ID
• Integrated IAM for IaaS, PaaS & SaaS (Enterprise)
• Access Certification & fulfillment (Enterprise)
• Closed-loop Privileged Identity Mgmt
Optimized
• Security Intelligence: user activity monitoring, anomaly detection, identity analytics & reporting
• IAM integration with GRC
• Fine-grained entitlements
• Integrated Web & Mobile Access Gateway
• Risk/context-based Access
• Governance of SaaS applications
• IAM as a SaaS
• Risk/context-based IAM Governance
• Risk/context-based Privileged Identity Mgmt
New from IBM
Launched IBM Threat-aware Identity and Access Management
• Prevent advanced insider threats
• Simplify cloud integrations and identity silos
• Safeguard mobile, cloud and social access
• Deliver actionable identity intelligence
Products: Access Manager for Mobile, Access Manager for ESSO, Access Manager for Web, Privileged Identity Manager, Federated Identity Manager, Directory Integrator & Server, Identity Manager, Identity and Access Assurance
• Integrated capabilities to secure identity as a new perimeter
IBM Security Access Manager 8.0: “All-in-one” access management powered by X-Force, Trusteer and QRadar
Safeguarding mobile, cloud, and social access (NEW)
Capabilities: Web Access Management, Web Application Protection, Mobile Identity Assurance
• Enable secure access to web and mobile applications with SSO, session management and built-in support for IBM Worklight
• Protect web and mobile applications against common attack vectors, including the OWASP Top 10 web application risks, with integrated X-Force threat protection
• Enforce context-aware access with mobile device fingerprinting, geo-location awareness, IP reputation and integration with the Trusteer Mobile SDK
• Enhance security intelligence and compliance through integration with QRadar Security Intelligence
• Reduce TCO and time to value with an “all-in-one” access appliance that allows flexible deployment of web and mobile capabilities as needed
IBM Security Access Manager
Application Security: Centralized Policy Enforcement for Context-Aware Access, Threat Protection, and Fraud Detection
Out-of-the-box and seamless integration delivers unmatched end-to-end security
1. Enforce identity- and context-aware application access on the mobile device
2. Protect web-facing apps from risks associated with the OWASP Top 10
3. Create risk-based access policies to protect the enterprise from fraud & malware without modifying apps
New Cloud SSO Service on the IBM Bluemix Cloud Platform (BETA)
Safeguarding mobile, cloud, and social access
Easily add user authentication and single sign-on to applications
• Allows developers to add access security for web and mobile apps using “SSO with IBM ID”
• Policy-based authentication service provides easy-to-use SSO capability
• Lightweight identity proofing adds identity assurance for IBM ID
• Flexible SSO options based on industry standards such as OpenID and OAuth
Diagram: the Cloud SSO Service federates IBM ID (ibm.com) and Social ID
IBM Security Privileged Identity Manager and Enterprise SSO
Prevent insider threat and identity fraud (NEW)
• Eliminate the need to share passwords for privileged users and shared accounts with automated privileged identity management
• Ensure compliance and audit support with session recording and replay support
• Improve ROI using common identity management and support for applications and resources
• Strong authentication controls and SSO for high-risk account access
• Reduce TCO and time to value with a scalable virtual appliance deployment
Detect Anomalies – Privileged User Activity and Threat Intelligence
• Consolidated view of user/system activities of a typical privileged user logon via Privileged Identity Management
IBM Security Directory Server and Integrator
Simplify identity silos and cloud integrations (NEW)
• Universal directory to transform identity silos and to support “virtual directory”-like deployments
• Scalable directory backbone leveraging existing infrastructure for enterprise-wide Identity and Access Management
• Simplified sourcing of identities and attributes for enterprise applications and Cloud/SaaS integrations
• Intelligent White Pages search with social networking features to enable intuitive identity store browsing
• In-depth user insight with out-of-the-box reports and IBM QRadar SIEM integration
Diagram: White Pages search, user management in the cloud, Federated Directory Services*, and federate / cache / virtualize integration modes
IBM Security Identity Manager
Deliver intelligent identity and access assurance (NEW)
• Empower Lines of Business to manage and define user access for governance, risk and compliance
• Reduce the cost of enterprise identity management with centralized policy and integrated role and identity lifecycle management
• Improve user assurance with strong authentication integration and closed-loop user activity monitoring
• Effective and actionable compliance with centralized identity and access management across the enterprise
• Real-time insider fraud detection with integrated IAM and Security Intelligence
Highlights: re-designed, business-friendly user interface; identity analytics; IAM integration with Security Intelligence; lifecycle management
New ISIM UI (Identity Service Center): Ability to select users and request access
Leading industry analysts recognized IBM IAM vision and strategy
• Recognizes IBM as market share leader in 2013
– WW Identity and Access Management
– Federated Identity Management and SSO MarketScape leader in 2014
• Recognizes IBM as a Leader in Mobile Identity and Access Management Solutions in 2014
• Recognizes IBM as a strong performer in its 2013 Wave report
– WW Identity and Access Management
• Recognizes IBM as a visionary in the new 2013 IAG MQ
– New ISIM 6.0 Service Center UI
– 2014 roadmap focus on IAM Analytics, beyond today’s Governance solutions
• Recognizes IBM as a leader in key Leadership Compass reports
– Identity Provisioning, Privileged Identity Management
– Access Management & Federation, Enterprise SSO
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.