e-ID: are you (proven) in control?

Information Risk Management, Dennis van Ham

Posted on 11-Feb-2016

TRANSCRIPT

Page 1: e-ID: are you (proven) in control?

e-ID: are you (proven) in control?

INFORMATION RISK MANAGEMENT

DENNIS VAN HAM

Page 2

© 2006 KPMG EDP Auditors N.V., member of KPMG International, a Swiss cooperative. All rights reserved.

Introduction and setting the scene

Identity: who are you? And how can we be sure it’s you?

Access: what are you allowed to do?

Business: protection of information is important but please don’t bother me;

Technology: lots of it available but how reliable is it really?

Audit and compliance management: proven in control?

Page 3

Impact on people – changing threats and fast

Threat timeline (figure residue; only the labels and the year axis 2003–2006 survive):

- Man-in-the-Middle Attacks
- Pharming
- Trojan Horses
- Botnets
- Spyware
- Malware
- Keylogging
- “Classic” Phishing
- And more …

Page 4

People are different and have many e-IDs

Hip, 20-something male
- Thinks he’s immune to online fraud
- Freely gives away his personal information
- Has a firewall and antivirus
- Clicks on any link
- His motto: I grew up with the Internet. I’m not afraid of it.

Tentative mother of grown children
- Learning to navigate the Net
- Considering banking online, but hasn’t taken the leap yet
- Afraid of hackers from news story about ID theft victims
- Her motto: The Web is complicated! Better to be safe than sorry.

Young, traveling businessman with a family
- Juggles 30 passwords
- Uses two-factor authentication at work
- Wonders if it’s available for his personal accounts
- His motto: Internet security is key, but I can’t carry one more thing

Source: RSA Security

Page 5

Impact on business

Compliance
- SOX, HIPAA, Privacy, BASEL II, FDIC, etc.

Corporate or IT Governance
- Lack of clear strategy;
- Timely implementation of policies or resolutions;
- Policy enforcement and reporting;

Security
- Protection of intellectual property;
- Rising administration and helpdesk costs;
- Complex technologies and application infrastructure.

Page 6

IT-security survey: six important signals

Technology remains very dynamic; proper risk analysis is key but not applied on a large scale;

Insufficient expertise most important motive for outsourcing IT-security;

Hacking, viruses and worms significant threats, companies have little insight into the quality of their protection;

Authorisation management is structured ineffectively and inefficiently;

Continuity management is often organised on paper but it is usually not certain whether it also works well in practice;

The growing use of mobile devices requires attention.

Page 7

Compliance – but not a goal in itself

Page 8

Complex and getting management attention is difficult

Page 9

Reality bites – ‘identity and access’ information everywhere

Page 10

How does an auditor think?

Page 11

Identity & Access Management – in a nutshell

Significant Integration Effort Required

(Diagram; only the labels survive.) Three platform columns – J2SE/J2EE, Windows/.NET, UNIX/LAMP – each with the same layers:
- APIs and protocols
- Frameworks
- OS and infrastructure
- Processing, Networking, Storage, Security

Labels spanning the platform columns:
- Authentication, Authorization, Provisioning
- Audit Management
- Meta-Directory
- Cross Platform
- Federation

Page 12

More information?

Dennis van Ham, Consultant
KPMG Information Risk Management
Burgemeester Rijnderslaan 20, 1185 MC Amstelveen
Postbus 74105, 1070 BC Amsterdam
Telephone +31 (0)20 6568103, Fax +31 (0)20 6568388
E-mail: [email protected]
Internet: www.kpmg.nl/irm