Jacoba Sieders - Head of IAM ABNAMRO Identity- & Access Management Trends & innovation

Post on 10-Oct-2020

TRANSCRIPT

Page 1: Identity-& Access Management Trends & innovation · Identity-& Access Management Trends & innovation. ... to Rabobank Account of Facebook friend Netherlands Daan Koning Client at

Jacoba Sieders - Head of IAM ABNAMRO

Identity- & Access Management: Trends & innovation

Page 2:

http://map.norsecorp.com/#/

Page 3:

IAM challenges are growing in complexity and volume

• “7 Any”
• De-perimeterisation
• Web 2 App consistency
• “API economy”
• Cloud, Shadow IT
• 24/7 cybercrime profs
• Growing privacy concerns
• Increasing regulatory pressure (GDPR, PSD II)
• IAM becomes relevant for almost all aspects of life

IAM trends

Page 4:

IAM awareness grows as digitisation reaches boardrooms of ancient institutions

IAM trends

• Chief Digital Officer
• Chief Innovation Officer
• Experiments lab
• Hackathons
• Start-up partners
• Innovation Boards
• Startup Friday
• Design Thinking
• Tribes and clans

Page 5:

Page 6:

Identity of Things, CIAM. “Branded identities”: user accounts expand into full user profiles

• Smart dust
• Networked sensors
• Drone delivery
• Smart cities
• Mobility
• Chaining across domains
• Big data

Identity

Page 7:

Flexible real time entitlement granting: ABAC (Attribute Based Access Control)

• Resource attributes: Type: Financial; Department Z; Author X; Not yet approved; Obsolete; Public; Etcetera
• Subject attributes: Name x; Role Y; Department Z; Cost Centre 123; Manager A; Etcetera
• Action attributes: Check out; Review; Edit; Alter contents; Check in; Physical actions; Etcetera
• Environment attributes: Night time; Location; Home network; Office wifi; Registered device; Etcetera

Authorisation

Page 8:

Authorisation: RBAC versus ABAC

ABAC example 1 (Subject / Object / Environment):
• Subject: Daan Koning, Retail client, Preferred, Netherlands, logged on via PIN5
• Action: can transfer
• Object: 50 euro from current account to Rabobank account of Facebook friend
• Environment: at 3:00 am, at a bar in Utrecht / at home, via an iPhone iOS 7.1

ABAC example 2 (Subject / Object / Environment):
• Subject: Alex Prins, Private Banking manager, region Utrecht
• Action: can update
• Object: Private Banking customer data, region Utrecht
• Environment: on new year’s day, while using a tablet, Nieuwegein
• …..

RBAC (Subject / Object):
• Private Banking Manager can update customer data
• Alex Prins can view …..
• ….. …..

ABAC

RBAC

Page 9:

Object approach / attributes

Content-Based Approach:
• Content Classes (client data, employee data, payment data, etc.)
• Sensitivity (customer critical, business operation, near-public, etc.)
• Confidentiality & Integrity rating
• Time (creation, last access)
• Data Ownership (e.g. BU)
• Creator
• Type (spreadsheet, Powerpoint, text document, e-mail, etc.)

Query-Based Approach:
• Content Classes (client data, employee data, payment data, etc.)
• Sensitivity (customer critical, business operation, near-public, etc.)
• Confidentiality & Integrity rating
• Time (creation, last access)
• Data Ownership
• Is Golden Source or Copy?
• Limit (Number of query results)

Analytics-Based Approach:
• Content Classes (client data, employee data, payment data, etc.)
• Sensitivity (customer critical, business operation, near-public, etc.)
• Confidentiality & Integrity rating
• Maximum Usage Period (how long is it allowed to use the data)
• Sources (from which systems does the data originate)
• From Golden Source or Copy? (quality)
• Inherited attributes (from sources)

Authorisation

Page 10:

Fine-grained context aware access management - building blocks

• Framework for interaction and governance of rulesets
• Identity federation
• Profile repository
• Trust level framework
• Rulesets in rule engines

Page 11:

ABAC building blocks

• PDP: Policy Decision Points
• PAP: Policy Administration Points
• PIP: Policy Information Points
• PEP: Policy Enforcement Points
• XACML

Attributes: data quality, data management
Rules: ownership in the business

• Session integrator
• Connectors, interfaces
• Token management
• Data classifier
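The PDP/PAP/PIP/PEP building blocks of this slide, played through the Daan Koning and Alex Prins scenarios of the RBAC versus ABAC slide, as an added Python example; this is not code from the talk or from ABN AMRO. The class names follow the XACML roles named above; the profile data, attribute names, rule texts and thresholds (the 100 euro PIN limit, the night-time window, the segment/region match) are constructed assumptions. The PDP denies by default and returns the names of the rules that failed, so the PEP can log why a request was refused; the `rbac_decide` function at the end shows the contrast: a role check is one attribute rule with no object or environment in it.

```python
"""ABAC laid out as the slide's building blocks: PIP, PAP, PDP and PEP.

Added example, not code from the talk. Subjects, attribute names, rules and
thresholds are constructed assumptions playing through the slide's
Daan Koning / Alex Prins scenarios.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    subject: dict       # who: name plus any attributes the PEP already knows
    action: str         # what: "transfer", "update", ...
    resource: dict      # on what: object attributes (amount, segment, region, ...)
    environment: dict   # where/when/how: hour, device, auth method, ...


# A rule governs one action and is a predicate over the enriched request.
Rule = Tuple[str, str, Callable[[Request], bool]]


class PIP:
    """Policy Information Point: resolves subject attributes the PEP did not
    send, from a profile repository (constructed sample profiles)."""

    def __init__(self, profiles: Dict[str, dict]):
        self.profiles = profiles

    def enrich(self, req: Request) -> Request:
        profile = self.profiles.get(req.subject.get("name"), {})
        # Attributes supplied by the PEP take precedence over stored ones.
        return replace(req, subject={**profile, **req.subject})


class PAP:
    """Policy Administration Point: where the business-owned ruleset lives."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, name: str, action: str, predicate: Callable[[Request], bool]) -> None:
        self.rules.append((name, action, predicate))


class PDP:
    """Policy Decision Point: deny by default; every rule for the requested
    action must hold, and the names of failed rules come back for audit."""

    def __init__(self, pap: PAP, pip: PIP):
        self.pap, self.pip = pap, pip

    def decide(self, req: Request) -> Tuple[str, List[str]]:
        req = self.pip.enrich(req)
        applicable = [r for r in self.pap.rules if r[1] == req.action]
        if not applicable:
            return "DENY", ["no rule covers action " + req.action]
        failed = [name for name, _, pred in applicable if not pred(req)]
        return ("PERMIT", []) if not failed else ("DENY", failed)


class PEP:
    """Policy Enforcement Point: the application boundary that asks the PDP."""

    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def allowed(self, req: Request) -> bool:
        return self.pdp.decide(req)[0] == "PERMIT"


def night_time(env: dict) -> bool:
    return env["hour"] < 6 or env["hour"] >= 23


def build_pdp() -> PDP:
    pip = PIP({
        "Daan Koning": {"type": "client", "segment": "Retail", "country": "NL"},
        "Alex Prins": {"type": "employee", "role": "Private Banking manager",
                       "segment": "Private Banking", "region": "Utrecht"},
    })
    pap = PAP()
    # Payment rules (constructed): the environment decides what a PIN may do.
    pap.add("subject is a client", "transfer",
            lambda r: r.subject.get("type") == "client")
    pap.add("amount within PIN limit", "transfer",
            lambda r: r.resource["amount"] <= 100 or r.environment["auth"] == "MFA")
    pap.add("night-time transfer needs registered device and known beneficiary", "transfer",
            lambda r: not night_time(r.environment)
            or (r.environment["registered_device"] and r.resource["beneficiary_known"]))
    # Customer-data rules (constructed): the RBAC check is one rule among several.
    pap.add("role may update customer data", "update",
            lambda r: r.subject.get("role") == "Private Banking manager")
    pap.add("segment and region match", "update",
            lambda r: r.resource["segment"] == r.subject.get("segment")
            and r.resource["region"] == r.subject.get("region"))
    pap.add("registered device outside working days", "update",
            lambda r: r.environment["working_day"] or r.environment["registered_device"])
    return PDP(pap, pip)


def rbac_decide(subject_roles: Dict[str, set], role_permissions: Dict[str, set],
                subject: str, action: str, resource_class: str) -> bool:
    """RBAC for contrast: object and environment attributes play no part."""
    return any((action, resource_class) in role_permissions.get(role, set())
               for role in subject_roles.get(subject, set()))


# Constructed requests mirroring the slide's two ABAC examples.
DAAN_AT_THE_BAR = Request(
    {"name": "Daan Koning"}, "transfer",
    {"amount": 50, "from": "current account", "beneficiary_known": True},
    {"hour": 3, "location": "bar, Utrecht", "device": "iPhone iOS 7.1",
     "auth": "PIN", "registered_device": True, "working_day": True})

ALEX_ON_NEW_YEARS_DAY = Request(
    {"name": "Alex Prins"}, "update",
    {"kind": "customer data", "segment": "Private Banking", "region": "Utrecht"},
    {"hour": 10, "device": "tablet", "auth": "MFA",
     "registered_device": True, "working_day": False})

if __name__ == "__main__":
    pdp = build_pdp()
    for req in (DAAN_AT_THE_BAR, ALEX_ON_NEW_YEARS_DAY):
        print(req.subject["name"], req.action, pdp.decide(req))
```

A role is also a rule: the "role may update customer data" rule is the RBAC check, and migrating from RBAC to ABAC means adding the segment, region and device rules beside it in the PAP rather than coding them into each application.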

Page 12:

Attribute Based Access Control - Summary

• Context Based, Rule Based
• Step-up authentication
• Adjusted trust-level per context, per transaction
• Trust level on dataset or transaction, fine-grained, data-centric
• More flexible than Role Based Access Control (RBAC)
• Configuration within IAM tools instead of coding within applications
• Trust level on transaction request context
• Trust level framework enables immediate intervention when compromised
• Migrate from RBAC to ABAC as a strategy (a role is also a rule!)

Focus on governance and business involvement

Authorisation

Page 13:

Authentication @ work

• Identity + properties
• Authentication: Password, Token, PIN, Multifactor, Biometrics
• Authentication claim pre-linked to the ID
• Authorisation: entitlements for the ID
• Access to data & transactions
• Transaction request

Authentication

Page 14:

“New” methods of authentication

• Biometrics, voice, fingerprint, facial
• Behaviour patterns
• From “knowing” to “being”
• Rule based authentication
• Artificial Intelligence & data analysis recognize you
• Out-of-Band technologies across registered devices
• Challenge: How to use non-PII data and still ensure the right trust level?
• “Undentification”

Continuous enrolment, Continuous authentication, Continuous identity proofing

Authentication

Page 15:

Authentication & Identity converging

• Transaction request
• Identity + properties
• Authentication: Password, Token, PIN, Multifactor, Out Of Band (OOB)
• Device typing, Context, Endpoint info
• Network, Meta data, Navigation, Use patterns, Biometrics
• Continuous ID proofing, Authentication, Enrollment
• Machine learning, Fraud blacklist, SOC data
• Authorisation: entitlements for the ID, pre-linked to data & transactions
• Access to data & transactions

Authentication
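The trust-level framework and step-up authentication from the summary slide, fed by the signals this slide lists (endpoint info, network, navigation and use patterns scored by machine learning, fraud blacklist, SOC data), as an added Python example; this is not code from the talk or from ABN AMRO. The authenticator strength table, the required level per transaction type, the scoring weights and the anomaly thresholds are constructed assumptions. Trust is recomputed for every transaction request from the current context rather than fixed at login, so a session that was fine at the start is blocked the moment a compromise indicator arrives ("immediate intervention when compromised"), and a step-up is only offered when it can actually reach the level the transaction requires.

```python
"""Trust level per transaction with step-up authentication.

Added example, not code from the talk. The strength table, required levels,
scoring weights and thresholds are constructed assumptions.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class Context:
    auth_methods: FrozenSet[str]   # authenticators completed so far in this session
    registered_device: bool        # endpoint info: known, enrolled device
    network: str                   # "home", "office", "public" or "unknown"
    ml_anomaly: float              # 0.0 = usual navigation/use pattern, 1.0 = alien
    fraud_blacklisted: bool        # device or beneficiary on the fraud blacklist
    soc_compromised: bool          # SOC has flagged this identity as compromised


# Constructed: how much each completed authenticator is worth.
METHOD_STRENGTH = {"password": 1, "PIN": 1, "MFA": 2, "OOB": 2, "biometric": 2}
STEP_UP_METHODS = ("MFA", "OOB", "biometric")

# Constructed: trust level (0..4) each transaction type requires.
REQUIRED_LEVEL = {"view_balance": 1, "transfer_small": 2,
                  "transfer_large": 3, "change_contact_details": 3}


def trust_level(ctx: Context) -> int:
    """Recomputed from the current context on every request, not once at login."""
    base = max((METHOD_STRENGTH.get(m, 0) for m in ctx.auth_methods), default=0)
    bonus = int(ctx.registered_device) + int(ctx.network in ("home", "office"))
    penalty = 2 if ctx.ml_anomaly >= 0.7 else 1 if ctx.ml_anomaly >= 0.4 else 0
    return max(0, min(4, base + bonus - penalty))


def decide(transaction: str, ctx: Context) -> Tuple[str, Union[str, List[str]]]:
    """Returns ("allow" | "step-up" | "block", detail)."""
    required = REQUIRED_LEVEL[transaction]
    # Compromise indicators override the score: intervene immediately.
    if ctx.soc_compromised or ctx.fraud_blacklisted:
        return "block", "compromise indicator from SOC/fraud data"
    level = trust_level(ctx)
    if level >= required:
        return "allow", f"trust {level} >= required {required}"
    # Which additional authenticators could still be asked for?
    options = [m for m in STEP_UP_METHODS if m not in ctx.auth_methods]
    best = trust_level(replace(ctx, auth_methods=ctx.auth_methods | frozenset(STEP_UP_METHODS)))
    if not options or best < required:
        # Even a full step-up would not reach the required level in this context.
        return "block", f"required {required} unreachable here (max {best})"
    return "step-up", options


# Constructed sample contexts for one customer's session.
PIN_ON_OWN_PHONE_IN_A_BAR = Context(frozenset({"PIN"}), True, "public", 0.1, False, False)
SAME_SESSION_AFTER_SOC_FLAG = replace(PIN_ON_OWN_PHONE_IN_A_BAR, soc_compromised=True)
MFA_AT_HOME_ODD_BEHAVIOUR = Context(frozenset({"password", "MFA"}), True, "home", 0.9, False, False)

if __name__ == "__main__":
    for name, ctx in (("PIN in a bar", PIN_ON_OWN_PHONE_IN_A_BAR),
                      ("after SOC flag", SAME_SESSION_AFTER_SOC_FLAG),
                      ("MFA at home, odd behaviour", MFA_AT_HOME_ODD_BEHAVIOUR)):
        for tx in REQUIRED_LEVEL:
            print(f"{name:28} {tx:24} -> {decide(tx, ctx)}")
```

The third context shows the edge case the slide's "right trust level" challenge implies: a strong authenticator on a known device at home still does not reach level 3 when the behavioural score is far off the customer's pattern, so the framework blocks instead of offering a step-up that could not succeed.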

Page 16:

“Un”dentification

Page 17:

Preventative, Detective, Reactive controls converging

Flow: start -> Wish -> Instruction / Request -> Transaction (Payment settlement)

• Security Operations Centre
• IAM
• Fraud Detection
• Infra: Device, network, etc.
• ..
• BCM