identity & access management - securing your data in the 21st century enterprise

Identity & Access Management (IAM): Securing Your Data in the 21st Century Enterprise
Lance Peterman

Post on 12-Aug-2015


Identity & Access Management (IAM): Securing Your Data in the 21st Century Enterprise

Lance Peterman

A little about me…
In & around Identity & Access Management for 22 years
Currently IAM (insert hat here) at Merck & Co.
Volunteer High School Speech & Debate Coach
Opinions are my own
Twitter: @lpeterman


Agenda
Why Identity? Center of Everything; Identity is the New Perimeter
In the News: Recent Data Loss / Breaches
IAM Programs to Reduce Risk
Help is On the Way…Eventually: A word on federal initiatives & standards
Adoption Approach / Keys to Success
A Note on Security vs. Opportunity…

Why Identity?

Does this look familiar?

Identity is not the New Perimeter (hint: the perimeter is gone)

Identity is still a top security control today that can determine what you are authorized to do, regardless of your location

Old Model New Reality

Breaches, old and new…

Inherent weakness in Knowledge Based Authentication (KBA) led to theft of over 100,000 taxpayer filings

1 complete tax filing = easy identity theft

Irony…Best way to prevent was to create an account at launch. Race condition?

Anthem
Largest PII breach in history (78.8M insured records), or 1 in 4 adult Americans
Phished into front door
Exfiltrated records using compromised database administrator credentials
There is good news…attack info shared with HITRUST & NH-ISAC

OPM…WTF
Largest employer in the US had their personnel records breached (4.1 million current & former employees)
PII not encrypted at rest…WHY?
SF-86 database breached…for the SECOND TIME
OPM didn’t have a security department until 2013
No MFA for VPN…AYFKM?
Wired article on breach is a must read
Breach discovered during a vendor demo…(ka-ching)

What does that tell us?
The threat landscape is changing…DAILY
“The compromise of privileged access is a key stage in 100% of all advanced attacks.” – CyberSheath Report 4/13

This is the critical attack vector for internal and external threats

Verizon DBIR – 100% of data breaches involve the use of compromised credentials

A few definitions – IdM and IAM
Gartner defines IdM as “Identity management is the set of business processes, and a supporting infrastructure for the creation, maintenance, and use of digital identities.”
Access Management leverages IdM and attributes surrounding those digital identities to control access to resources*
Identity is about context: User, Time, Device, Location**
*Deliberately broad
**List not exhaustive

IAM Programs to Reduce Risk
User management / Provisioning
Entitlement Management
Privileged Access Management
Federation
A note about authentication

Provisioning
Most common to what people think IdM is
Involves CRUD operations to identity store(s)
Data/Attribute sources are many: HRIS, Contract Management Systems, Policy Management, Directory Systems (Active Directory, LDAP, DB, etc.), Other providers (Cloud, IoT, Credit Bureaus, DMV, etc.)
Processes drive events (technology is the lowest factor)
Key protocols & standards – LDAP, SPML, SCIM (emerging), WS-*
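The slide's point that processes drive the CRUD events, with the HR system as the authoritative source, is easiest to see in a reconciliation loop. The example below is added here and is not from the deck or any vendor product: it diffs a constructed HR feed against a constructed directory and emits the joiner, mover, leaver and orphan-account events an IdM system would then push to the store over LDAP or SCIM. All names, identifiers and the 30-day retention window are constructed.

```python
"""Reconcile an authoritative HR feed against an identity store.

Added example, not from the slides or any vendor product: the HR records and
directory entries below are constructed sample data. It emits the CRUD-style
provisioning events (joiner / mover / leaver / orphan) that a process-driven
IdM system would push to a directory over LDAP or SCIM.
"""
from dataclasses import dataclass
from typing import Dict, List

# Attributes the HR system is authoritative for; anything else in the
# directory entry is left alone.
MANAGED_ATTRS = ("givenName", "sn", "department", "manager")


@dataclass(frozen=True)
class Event:
    op: str        # "create", "update", "disable" or "delete"
    user_id: str
    detail: str


def reconcile(hr_feed: Dict[str, dict], directory: Dict[str, dict],
              delete_after_days: int = 30) -> List[Event]:
    """Return the events needed to bring `directory` in line with `hr_feed`.

    hr_feed:   id -> HR record with "status" ("active"/"terminated"), the
               managed attributes and, for leavers, "days_since_term".
    directory: id -> directory entry with the same attributes plus "enabled".
    """
    events: List[Event] = []

    for uid, hr in sorted(hr_feed.items()):
        entry = directory.get(uid)
        if hr["status"] == "active":
            if entry is None:
                # Joiner: no account yet.
                events.append(Event("create", uid,
                                    f"new account for {hr['givenName']} {hr['sn']}"))
                continue
            if not entry.get("enabled", True):
                # Rehire: account exists but was disabled.
                events.append(Event("update", uid, "re-enable account"))
            # Mover: an authoritative attribute drifted (e.g. department change).
            drifted = [a for a in MANAGED_ATTRS if entry.get(a) != hr.get(a)]
            if drifted:
                events.append(Event("update", uid, "sync " + ", ".join(drifted)))
        else:
            # Leaver: disable at once; delete only after the retention window.
            if entry is None:
                continue
            if entry.get("enabled", True):
                events.append(Event("disable", uid, "HR status terminated"))
            elif hr.get("days_since_term", 0) >= delete_after_days:
                events.append(Event("delete", uid,
                                    f"disabled for >= {delete_after_days} days"))

    # Orphans: enabled accounts with no authoritative source record at all.
    # These are the accounts that outlive their owners, so they get disabled, not ignored.
    for uid in sorted(set(directory) - set(hr_feed)):
        if directory[uid].get("enabled", True):
            events.append(Event("disable", uid, "no HR record (orphan account)"))
    return events


# Constructed sample data (hypothetical people and identifiers).
HR_FEED = {
    "e100": {"status": "active", "givenName": "Ada", "sn": "Lovelace",
             "department": "Eng", "manager": "e001"},
    "e101": {"status": "active", "givenName": "Alan", "sn": "Turing",
             "department": "Research", "manager": "e001"},
    "e102": {"status": "terminated", "days_since_term": 3, "givenName": "Grace",
             "sn": "Hopper", "department": "Eng", "manager": "e001"},
    "e103": {"status": "terminated", "days_since_term": 45, "givenName": "Edsger",
             "sn": "Dijkstra", "department": "Eng", "manager": "e001"},
}
DIRECTORY = {
    "e101": {"givenName": "Alan", "sn": "Turing", "department": "Eng",
             "manager": "e001", "enabled": True},          # moved departments
    "e102": {"givenName": "Grace", "sn": "Hopper", "department": "Eng",
             "manager": "e001", "enabled": True},          # left, still enabled
    "e103": {"givenName": "Edsger", "sn": "Dijkstra", "department": "Eng",
             "manager": "e001", "enabled": False},         # disabled 45 days ago
    "svc-legacy": {"enabled": True},                       # no HR owner
}


def demo() -> List[Event]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(HR_FEED, DIRECTORY)


if __name__ == "__main__":
    for ev in demo():
        print(f"{ev.op:8s} {ev.user_id:10s} {ev.detail}")
```

Disabling comes before deleting on purpose: the access removal is the control that matters on the day someone leaves, while deletion waits for a retention window so mailboxes and audit trails survive. Orphan accounts with no source record at all are treated as leavers rather than ignored.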

Entitlement Management
Sometimes referred to as access control or access management
Often the ‘next phase’ of maturity for IdM installations in the Enterprise
Focus is on tying digital identities and related attributes to a resource target*
Key Protocols & Standards – SAML (JIT profile), SPML, WS-*, XACML, LDAP
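The two ideas above, "identity is about context: user, time, device, location" and entitlement management as tying identity attributes to a resource target, combine into one attribute-based decision. The example below is added here and is not from the deck or any product (it is a plain-Python sketch of the kind of policy XACML expresses): the resource, group names, hours and requests are constructed. It shows that the decision is made on attributes of the identity and the request, not on the network the request came from, and that a high-sensitivity target adds device and MFA requirements on top of the entitlement itself.

```python
"""Context-aware access decision: user, time, device and location.

Added example, not from the slides or any product. The resource definitions,
group names and requests below are constructed. The decision keys off identity
attributes and request context, not off which network the request came from.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Context:
    """What the policy decision point knows about the request."""
    user: str
    groups: FrozenSet[str]       # entitlements resolved from the identity store
    country: str                 # geolocation of the request
    device_managed: bool         # enrolled / compliant device?
    mfa: bool                    # did this session pass a second factor?
    when: datetime               # timezone-aware request time


@dataclass(frozen=True)
class Resource:
    """The resource target and the rules tied to it."""
    name: str
    required_group: str
    sensitivity: str                    # "low" or "high"
    allowed_countries: FrozenSet[str]   # empty set = no restriction
    business_hours_only: bool


def decide(ctx: Context, res: Resource) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons); reasons lists every rule that failed."""
    reasons: List[str] = []

    # 1. Entitlement: the identity must be tied to the resource target.
    if res.required_group not in ctx.groups:
        reasons.append(f"missing entitlement {res.required_group}")

    # 2. Location: evaluated as an attribute, whether on or off the LAN.
    if res.allowed_countries and ctx.country not in res.allowed_countries:
        reasons.append(f"location {ctx.country} not permitted")

    # 3. Time: weekday 08:00-18:00 UTC in this constructed policy.
    if res.business_hours_only:
        utc = ctx.when.astimezone(timezone.utc)
        if utc.weekday() >= 5 or not 8 <= utc.hour < 18:
            reasons.append("outside business hours")

    # 4. Device and authentication strength scale with sensitivity.
    if res.sensitivity == "high":
        if not ctx.device_managed:
            reasons.append("unmanaged device")
        if not ctx.mfa:
            reasons.append("MFA required for high-sensitivity resource")

    return (not reasons, reasons)


# Constructed sample resource and requests.
PAYROLL_DB = Resource("payroll-db", "payroll-admins", "high",
                      frozenset({"US"}), business_hours_only=True)

ADMIN_ON_MANAGED_LAPTOP = Context(
    user="alice", groups=frozenset({"staff", "payroll-admins"}), country="US",
    device_managed=True, mfa=True,
    when=datetime(2015, 8, 12, 14, 0, tzinfo=timezone.utc))   # Wednesday 14:00

ADMIN_FROM_HOTEL = Context(
    user="alice", groups=frozenset({"staff", "payroll-admins"}), country="BR",
    device_managed=False, mfa=False,
    when=datetime(2015, 8, 15, 23, 0, tzinfo=timezone.utc))   # Saturday 23:00

INSIDER_ON_CORP_NETWORK = Context(
    user="bob", groups=frozenset({"staff"}), country="US",
    device_managed=True, mfa=True,
    when=datetime(2015, 8, 12, 14, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    for ctx in (ADMIN_ON_MANAGED_LAPTOP, ADMIN_FROM_HOTEL, INSIDER_ON_CORP_NETWORK):
        allowed, why = decide(ctx, PAYROLL_DB)
        print(ctx.user, "ALLOW" if allowed else "DENY", why)
```

The third request is the one the "perimeter is gone" slides are about: a user sitting on the corporate network, on a managed device, with MFA, is still denied because the identity carries no entitlement to the target. Returning every failed rule rather than the first one gives the audit trail something to explain the denial with.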

Privileged Access Management
Name kinda says most of it
Focuses on identities that have elevated privileges within a given system or resource
Focus is on auditing, compliance, and controls to ensure (ideally) that the principle of least privilege is enforced
Key use cases are password vaulting & session management/recording
Critical area for modern enterprises. Nearly all breaches involved compromise of privileged identities (Verizon DBIR)
Most mature vendors still struggling with cloud management
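The controls this slide names (least privilege, vaulting, session management, auditing) fit into a small checkout broker. The example below is added here and is not from the deck or any PAM product: only users entitled to a privileged account may check it out, every checkout carries a justification and an expiry, one session holds an account at a time, and every decision lands in an audit log. Users, accounts, entitlements and the clock are constructed; the vault and session recorder are stood in for by in-memory structures.

```python
"""Time-bounded checkout of a vaulted privileged account.

Added example, not from the slides or any PAM product. Users, accounts and
entitlements are constructed sample data; the password vault and session
recorder are stood in for by in-memory structures.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


def _digest(token: str) -> str:
    # Store only a hash of the session token, never the token itself.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Session:
    user: str
    account: str
    expires: datetime
    token_digest: str


class PrivilegedAccessBroker:
    def __init__(self, entitlements: Dict[str, Set[str]],
                 max_ttl: timedelta = timedelta(hours=1)) -> None:
        self.entitlements = entitlements          # user -> privileged accounts
        self.max_ttl = max_ttl
        self.sessions: Dict[str, Session] = {}    # account -> active session
        self.audit: List[dict] = []

    def _log(self, event: str, user: str, account: str, now: datetime, **extra) -> None:
        self.audit.append({"at": now.isoformat(), "event": event,
                           "user": user, "account": account, **extra})

    def checkout(self, user: str, account: str, reason: str, now: datetime,
                 ttl: timedelta = timedelta(minutes=30)) -> Optional[str]:
        """Grant a time-bounded session token, or None (with an audit record) if denied."""
        if account not in self.entitlements.get(user, set()):
            self._log("checkout_denied", user, account, now, why="not entitled")
            return None
        if not reason.strip():
            self._log("checkout_denied", user, account, now, why="no justification")
            return None
        active = self.sessions.get(account)
        if active is not None and active.expires > now:
            self._log("checkout_denied", user, account, now,
                      why=f"already checked out by {active.user}")
            return None
        ttl = min(ttl, self.max_ttl)              # cap standing access
        token = secrets.token_urlsafe(32)
        self.sessions[account] = Session(user, account, now + ttl, _digest(token))
        self._log("checkout", user, account, now, reason=reason,
                  expires=(now + ttl).isoformat())
        return token

    def authorize(self, account: str, token: str, now: datetime) -> bool:
        """Gate every privileged operation on a live, matching session."""
        s = self.sessions.get(account)
        if s is None or now >= s.expires:
            return False
        return hmac.compare_digest(s.token_digest, _digest(token))

    def checkin(self, account: str, now: datetime) -> None:
        """End the session; a real vault would rotate the password here."""
        s = self.sessions.pop(account, None)
        if s is not None:
            self._log("checkin", s.user, account, now, rotate_password=True)


def demo() -> List[dict]:
    """Walk a denied, a granted and an expired checkout; return the audit log."""
    t0 = datetime(2015, 8, 12, 9, 0, tzinfo=timezone.utc)   # constructed clock
    broker = PrivilegedAccessBroker({"alice": {"db-admin"}, "bob": set()})

    assert broker.checkout("bob", "db-admin", "curious", t0) is None
    token = broker.checkout("alice", "db-admin", "INC-0001 restore table", t0)
    assert token is not None
    assert broker.authorize("db-admin", token, t0 + timedelta(minutes=10))
    assert not broker.authorize("db-admin", "guessed-token", t0 + timedelta(minutes=10))
    # A second operator cannot take the same account while the session lives.
    broker.entitlements["bob"] = {"db-admin"}
    assert broker.checkout("bob", "db-admin", "also needs it", t0 + timedelta(minutes=5)) is None
    # After expiry the token is dead even though nobody checked in.
    assert not broker.authorize("db-admin", token, t0 + timedelta(minutes=31))
    broker.checkin("db-admin", t0 + timedelta(minutes=31))
    return broker.audit


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The expiry is the least-privilege piece: a privileged identity is usable for the duration of a justified task, not permanently, and the audit log ties each use to a named person and a reason even though the underlying account is shared.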

Federation
Broad term, not related to Star Trek in this context
Common use simply means creation of contracts with external parties surrounding IAM and IdM transactions
Use cases: Single or Simplified Sign On – SaaS, Office365, Partner Software; Provisioning (push, pull, JIT, cruD is hard); Access or Entitlement Management; PAM
Cloud emergence has made this both harder and easier
Using old protocols & standards = hard
Emerging protocols & standards may help (OAuth 2.0, SCIM, OpenID Connect)


A note about authentication…
As long as passwords are the primary authentication factor, we are at risk
Look at other factors; mobile is a huge resource in this space
If MFA is available to you, USE IT

Help is on the way! Eventually…

OAuth 2
“Auth” stands for Authorization, NOT Authentication
Gained maturity with 2.0 release
More a framework than a protocol
Has its own threat model; challenge developers & vendors to implement securely
This is THE vector for leveraging API security
Great development still ongoing
http://oauth.net/2/

SCIM – System for Cross-Domain Identity Management
Simplified provisioning/management of federated identities
Answer to the pain of SPML
Emerging standard, still low adoption rate
Adoption will be key to success, press your vendors on this!
2.0 specification in particular will aid enterprises, ratified soon
http://www.simplecloud.info/

OpenID Connect
Profile of OAuth 2.0
Provides an Identity Layer
Replacement for SAML
Better Mobile Use Cases
Now has a certification model for vendors and implementers!
Get this on your internal development roadmap
Vendors…you get the idea
http://openid.net/connect/
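The OAuth 2 slide ("Auth" is Authorization, NOT Authentication) and the OpenID Connect slide (the identity layer on top of it) are two halves of one point, and the authentication slide's "USE MFA" shows up in the same place. The example below is added here and is not from the deck or from any OAuth/OIDC library: a client verifies an OIDC ID token per the ID Token validation rules of OpenID Connect Core section 3.1.3.7 (signature, issuer, audience, expiry, nonce) and optionally requires that the session used MFA via the `amr` claim (values per RFC 8176). To run offline it uses a constructed HS256 shared key; real providers sign ID tokens with asymmetric keys published at their JWKS endpoint. Issuer, client id, nonce and all claim values are constructed.

```python
"""Why "OAuth is authorization, not authentication": validating an OIDC ID token.

Added example, not from the slides or any OAuth/OIDC library. Uses a constructed
HS256 key so it runs offline; real providers use RS256/ES256 keys from a JWKS
endpoint. Checks follow OpenID Connect Core section 3.1.3.7.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Union


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, key: bytes) -> str:
    """Mint an HS256-signed JWT the way the (constructed) provider would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class IdTokenError(ValueError):
    pass


def verify_id_token(token: str, key: bytes, issuer: str, client_id: str,
                    nonce: str, now: int, require_mfa: bool = False) -> dict:
    """Return the claims if the ID token is acceptable, else raise IdTokenError."""
    parts = token.split(".")
    if len(parts) != 3:
        # An opaque OAuth access token has no structure the client can verify:
        # holding it authorizes API calls, it does not identify the user.
        raise IdTokenError("not a JWT; an access token is not proof of identity")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        # Pin the algorithm; never let the token choose how it is verified.
        raise IdTokenError("algorithm pinned to HS256; token says %r" % header.get("alg"))
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise IdTokenError("signature mismatch")

    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    aud: Union[str, List[str]] = claims.get("aud", [])
    if client_id not in ([aud] if isinstance(aud, str) else aud):
        raise IdTokenError("token was not issued to this client")   # token substitution
    if int(claims.get("exp", 0)) <= now:
        raise IdTokenError("expired")
    if claims.get("nonce") != nonce:
        raise IdTokenError("nonce mismatch (replay or mix-up)")
    if require_mfa and "mfa" not in claims.get("amr", []):
        raise IdTokenError("session did not use MFA")            # amr per RFC 8176
    return claims


# Constructed sample values.
KEY = b"constructed-shared-secret-do-not-reuse"
ISSUER = "https://idp.example.test"
CLIENT_ID = "payroll-portal"
NOW = 1_439_424_000   # 2015-08-13T00:00:00Z


def demo() -> Dict[str, object]:
    """Exercise the validator on a good token and several bad ones."""
    good = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "exp": NOW + 300,
            "iat": NOW, "nonce": "n-1", "amr": ["pwd", "otp", "mfa"]}
    results: Dict[str, object] = {}
    results["subject"] = verify_id_token(sign_id_token(good, KEY), KEY, ISSUER,
                                         CLIENT_ID, "n-1", NOW, require_mfa=True)["sub"]

    def rejected(token: str, **kw) -> bool:
        try:
            verify_id_token(token, KEY, ISSUER, CLIENT_ID, "n-1", NOW, **kw)
            return False
        except IdTokenError:
            return True

    results["opaque_access_token_rejected"] = rejected("constructed-opaque-token")
    results["other_client_rejected"] = rejected(sign_id_token({**good, "aud": "other-app"}, KEY))
    results["expired_rejected"] = rejected(sign_id_token({**good, "exp": NOW - 1}, KEY))
    results["forged_rejected"] = rejected(sign_id_token(good, b"wrong-key"))
    results["password_only_rejected"] = rejected(sign_id_token({**good, "amr": ["pwd"]}, KEY),
                                                 require_mfa=True)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audience check is the one that separates "authorization" from "authentication" in practice: an access token minted for some other app is still a perfectly good OAuth token, and a client that treats it as a login accepts any user that other app has seen. OIDC adds the ID token precisely so the client has something addressed to it, signed by the issuer, bound to its nonce, that names the user.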

Federal Help
National Strategy for Trusted Identities in Cyberspace (NSTIC)
IDESG = Identity Ecosystem Steering Group
NOT a National ID Program; Public/Private Partnership, 501c3
Some really amazing pilots (ex. NC SNAP Enrollment)
Needs volunteers…see me if you want to learn more
https://www.idecosystem.org/

Keys to Success
Adoption MUST have senior leadership support & be driven by policy
People & Process First approach, THEN focus on tooling
Be creative, one size does not fit all
When selecting a vendor, strongly consider cloud implications & capabilities, be picky!
Eat your own dog food first
Don’t think you’re too small for this…


A Note on Security vs. Opportunity
The value proposition of IAM has changed
Yes, protection & risk management are still primary drivers
But…identity can now be disruptive
Enable your customers
Enable your employees
Enable your partners

Questions?

Contact
Twitter: @lpeterman
LinkedIn: Lance Peterman
Slides will be available on SlideShare