IDENTITY ACCESS MANAGEMENT

CONTRACT LAW IN IT Identity & access management

JacquesFolonwww.folon.com

PartnerEdgeConsulting

MaîtredeconférencesUniversitédeLiègeChargédecoursICHECBrusselsManagementSchoolProfesseurinvitéUniversitédeLorraine(Metz)ESCRennes

http://www.nyls.edu/institute_for_information_law_and_policy/conferences/visualizing_law_in_the_digital_age/

IAM

1. IAM?2. Presetcontext?3. IAM&cloudcomputing4. Whyisitusefuland

mandatory?5. Todolist6. IAM&privacy7. IAM&control8. e-discovery9. Conclusion

1.IAM????

Provisioning

SingleSignOn

PKIStrong

Authentication

Federation

Directories

Authorization

SecureRemoteAccess

PasswordManagement

WebServicesSecurity

Auditing&

Reporting

RolebasedManagement

DRM

Source:IdentityandAccessManagement:OverviewRafalLukawiecki-StrategicConsultant,[email protected]

5 Questions to ask your CISO

Q: What’s posted on this monitor?

a – password to financial application b – phone messages c – to-do’s

Q: What determines your employee’s access?

a – give Alice whatever Wally has b – roles, attributes, and requests c – whatever her manager says

Q: Who is the most privileged user in your enterprise?

a – security administrator b – CFO c – the summer intern who is now working

for your competitor

Q: How secure is youridentity data?

a – It is in 18 different secured stores b – We protect the admin passwords c – Privacy? We don’t hold credit card

numbers

Q: How much are manual compliance controls costing your organization?

a – nothing, no new headcount b – don’t ask c – don’t know

Today’s IT Challenges

More Agile Business • More accessibility for employees, customers and partners • Higher level of B2B integrations • Faster reaction to changing requirements

More Secured Business • Organized crime • Identity theft • Intellectual property theft • Constant global threats

More Compliant Business • Increasing regulatory demands • Increasing privacy concerns • Business viability concerns

State Of Security In Enterprise

• Incomplete • Multiple point solutions from many vendors • Disparate technologies that don’t work together

• Complex • Repeated point-to-point integrations • Mostly manual operations

• ‘Non-compliant’ • Difficult to enforce consistent set of policies • Difficult to measure compliance with those policies

Identity Management Values

• Trusted and reliable security

• Efficient regulatory compliance

• Lower administrative and development costs

• Enable online business networks

• Better end-user experience

15

IAMMEANSMANAGINGTHEEMPLOYEESLIFECYCLE(HIRING,RECRUITING,PROMOTION,CHANGE,LEAVING)ANDTHE

IMPACTSONTHEINFORMATIONMANAGEMENTSYSTEM

sourceclusif

IAMisalegalobligation!

• IAMISDEFINEDBYTHEBUSINESS(RH,SCM,ETC.)

• AND • FOLLOWING THE LEGAL

FRAMEWORK • AND • TECHNICALLY IMPLEMENTED

16

IAMISBUSINESS&ICT+LEGAL

sourceclusif

17

IAM INCLUDES

• DATABASE OF ALL AND EVERY USER •DATABASE OF ALL TYPE OF PROFILES & ROLES •DEFINITION BEFOREHAND •DEFINE WICH ROLE FOR WICH EMPLOYEE •DEFINITION OF LOGIN & PASSWORDS •AUDIT •REPORTING •ACCESS CONTROL

sourceclusif

• WhatisIdentityManagement? “Identitymanagementisthesetofbusinessprocesses,andasupportinginfrastructure,forthecreation,maintenance,anduseofdigitalidentities.”TheBurtonGroup(aresearchfirmspecializinginITinfrastructurefortheenterprise)

• IdentityManagementinthissenseissometimescalled“IdentityandAccessManagement”(IAM)

Définition

19

Identity and Access Management is the process for managing the lifecycle of digital identities and access for people, systems and services. This includes:

User Management – management of large, changing user populations along with delegated- and self-service administration.

Access Management – allows applications to authenticate users and allow access to resources based upon policy.

Provisioning and De-Provisioning – automates account propagation across applications and systems.

Audit and Reporting – review access privileges, validate changes, and manage accountability.

CA

IAM : J. Tony Goulding CISSP, ITIL CA t [email protected]

IAMINESC…

• “MYNAMEISJULIEANDIAMASTUDENT.”(Identity)

• “thisismypassword.” (Authentification)• “Iwantanaccesstomyaccount” (Authorizationok)• “Iwanttoadaptmygrade.” (Autorizationrejected)

Whatarethequestions?

• isthispersontheoneshesaidsheis?

• Issheamemberofourgroup?• Didshereceivethenecessaryauthorization?

• IsdataprivacyOK?

Typeofquestionsforanewcomer

– Whichkindofpassword?– Whichactivitiesareaccepted?– Whichareforbidden?– Towhichcategorythispersonbelongs?– Whendowehavetogivetheauthorization??– Whatcontroldoweneed?– Couldwedemonstrateincourtourprocedure?

24

IAMtripleA

AuthenticationWHO ARE YOU? Authorization / Access ControlWHAT CAN YOU DO? AuditWHAT HAVE YOU DONE?

24

ComponentsofIAM

• Administration– UserManagement– PasswordManagement– Workflow– Delegation

• AccessManagement– Authentication– Authorization

• IdentityManagement– AccountProvisioning– AccountDeprovisioning– Synchronisation

Reliable Identity Data

Adm

inistr

ation

Aut

horiza

tion

Aut

hent

icat

ion


2.Contextin2016

28

variousidentityco-exists

29

IRL&virtualidentity

• InternetisbasedonIPidentification• everybodyhasdifferentprofiles• Eachplatformhasadifferentauthentificationsystem

• Usersaretheweakestlink• Cybercrimeincreases• Controlsmeansidentification• Dataprivacyimposescontrols&security• e-discoveryimposesECM

Welcometoadigitalworld

ExplosionofIDs

Pre1980’s 1980’s 1990’s 2000’s

#ofDigitalIDs

Time

Applications

Mainframe

ClientServer

Internet

BusinessAutomation

Company(B2E)

Partners(B2B)

Customers(B2C)

Mobility


TheDisconnectedReality

• “IdentityChaos”– Manyusers– ManyID– Manylogin&passwords– Multiplerepositoriesofidentityinformation– MultipleuserIDs,multiplepasswords

Enterprise Directory

HR

InfraApplication

Office

In-HouseApplication

External app

Finance

employeeApplication

•Authentication•Authorization•Identity Data




•Authorization•Identity Data

•Authentication




YourCOMPANYand yourEMPLOYEES

YourSUPPLIERS

YourPARTNERSYourREMOTEand VIRTUALEMPLOYEES

YourCUSTOMERS

Customersatisfaction&customerintimacyCostcompetitivenessReach,personalization

CollaborationOutsourcingFasterbusinesscycles;processautomationValuechain

M&AMobile/globalworkforceFlexible/tempworkforce

MultipleContexts


TrendsImpactingIdentity

Increasing Threat LandscapeIdentitytheftcostsbanksandcreditcardissuers$1.2billionin1yr

•$250 billion lost from exposure of confidential info

Maintenance Costs Dominate IT BudgetOn average employees need access to 16 apps and systems

•Companies spend $20-30 per user per year for PW resets

Deeper Line of Business Automation and IntegrationOne half of all enterprises have SOA under development

•Web services spending growing 45%

Rising Tide of Regulation and ComplianceSOX, HIPAA, GLB, Basel II, 21 CFR Part 11, …

•$15.5 billion spend on compliance (analyst estimate)

DataSources:Gartner,AMRResearch,IDC,eMarketer,U.S.Department.ofJustice

Business OwnerEndUserITAdmin Developer Security/Compliance

Tooexpensivetoreachnewpartners,channelsNeedforcontrol

ToomanypasswordsLongwaitsforaccesstoapps,resources

ToomanyuserstoresandaccountadminrequestsUnsafesyncscripts

PainPoints

RedundantcodeineachappReworkcodetoooften

ToomanyorphanedaccountsLimitedauditingability


3.IAM&Cloudcomputing

First, What the heck is Cloud Computing

First, what the heck is Cloud Computing?…in simple, plain English please!

Andy Harjanto I’m cloud confused http://www.andyharjanto.com

Let’s use a simple analogy Say you just moved to a city, and you’re looking for a nice

place to live


You can either

Build a house or Rent an apartment


If you build a house, there are a fewimportant decisions you have to make…


How big is the house? are you planning to grow a large

family? Andy Harjanto I’m cloud confused http://www.andyharjanto.com

Remodel, addition typically cost a lot more once the house is built


But, you get a chance to

customize itRoof


Once the house is built, you’re responsible for maintenance

Hire Landscaper

ElectricianPlumberPay property tax

ElectricityWater

Gutter CleaningHeating and Cooling House Keeping


How about renting?

Consider a builder in your city builds a Huge

number of apartment units Andy Harjanto I’m cloud confused http://www.andyharjanto.com

A unit can easily be converted into a 2,3,4 or more units


You make a fewer,

simpler decisions

You can start with one unit and grow later, or

downsize


But…You do not

havea lot of

options to customize your unit Andy Harjanto I’m cloud confuse

d http://www.andyharjanto.com

However, builders provide you with very high quality infrastructure

high speed Internet

high capacity electricity

triple pane windows

green materials

No need to worry about maintenance


Just pay your

rentand utilities

Pay as You Go


Let’s translate to Cloud Computing?

As an end-consumer, believe it or not

you’ve been using Cloud for long times


most of them are

Free

In return, you’re willing to give away

your information for ads and other purposes

But you’ve been enjoying High Reliability Service

Limited Storage

Connecting, Sharing

OK, Now tell that to the business owner

Give up your data, then

you can use this infrastructure for free

Are You crazy?will answer the CEO

My Business Needs…

SecurityPrivacy

ReliabilityHigh Availability

Building EnterpriseSoftware

Stone WallFire-proofMoatArmy Death Hole

is like…. Building Medieval

Castle


Let’s Hire an Army of IT Engineers

Software Upgrade Support

Backup/Restore

Service Pack

Development

Network issues


Let’s BuildHuge Data

Center

Capacity Planning

Disaster Plan

Cooling Management

Server Crashes


Your data is replicated3 or 4 times in their data

center

High Availability

Adding “servers” is a click away. Running in just minutes, not days

Hig

h Tr

affi

c?

It can even load balance your server traffic

Expect your Cloud

Networkis always up

Yes, you can even pick where your data

and “servers” reside

Don’t forget data privacy issues

So we know what Cloud is and the choice we have

CloudComputing:Definition

• NoUniqueDefinitionorGeneralConsensusaboutwhatCloudComputingis…

• DifferentPerspectives&Focuses(Platform,SW,ServiceLevels…)

• Flavours:– ComputingandITResourcesAccessibleOnline– DynamicallyScalableComputingPower– VirtualizationofResources– Accessto(potentially)Composable&InterchangeableServices– AbstractionofITInfrastructure!Noneedtounderstanditsimplementation:useServices&theirAPIs– Somecurrentplayers,attheInfrastructure&ServiceLevel:SalesfoRce.com,GoogleApps,Amazon,Yahoo,Microsoft,IBM,HP,etc.

TheFutureofIdentityintheCloud:Requirements,Risks&OpportunitiesMarco Casassa Mont [email protected] HP Labs Systems Security Lab Bristol, UK - EEMAe-IdentityConference,2009

CloudComputing:Implications

• Enterprise:ParadigmShiftfrom“Close&Controlled”ITInfrastructuresandServicesto

ExternallyProvidedServicesandITInfrastructures

• PrivateUser:ParadigmShiftfromAccessingStaticSetofServicestoDynamic&Composable

Services

• GeneralIssues:– PotentialLossofControl(onData,Infrastructure,Processes,etc.)– Data&ConfidentialInformationStoredinTheClouds– ManagementofIdentitiesandAccess(IAM)intheCloud– CompliancetoSecurityPracticeandLegislation– PrivacyManagement(Control,Consent,Revocation,etc.)– NewThreatEnvironments– ReliabilityandLongevityofCloud&ServiceProviders


IdentityintheCloud:EnterpriseCase

Enterprise

DataStorageService

OfficeApps

OnDemandCPUsPrinting

Service

CloudProvider#1

CloudProvider#2

InternalCloud

CRMService

…

Service3

BackupServiceILM

ServiceService

Service

Service

BusinessApps/Service

Employee

……

… TheInternet

Identity&Credentials







AuthenticationAuthorizationAudit




UserAccountProvisioning/De-provisioning




Data&ConfidentialInformation




IAMCapabilitiesandServicesCanbeOutsourcedinTheCloud…



IssuesandRisks[1/2]

•PotentialProliferationofRequiredIdentities&CredentialstoAccessServices!Misbehaviourswhenhandlingcredentials(writingdown,reusing,sharing,etc.)

•Complexityincorrectly“enabling”InformationFlowsacrossboundaries!SecurityThreats(Enterprise!Cloud&ServiceProviders,ServiceProvider!ServiceProvider,…_

•PropagationofIdentityandPersonalInformationacrossMultipleClouds/Services!Privacyissues(e.g.compliancetomultipleLegislations,ImportanceofLocation,etc.)!Exposureofbusinesssensitiveinformation(employees’identities,roles,organisationalstructures,enterpriseapps/services,etc.)!HowtoeffectivelyControlthisData?

•DelegationofIAMandDataManagementProcessestoCloudandServiceProviders!HowtogetAssurancethattheseProcessesandSecurityPracticeareConsistentwithEnterprisePolicies?-RecurrentproblemforallStakeholders:Enterprise,CloudandServiceProviders…!ConsistencyandIntegrityofUserAccounts&InformationacrossvariousClouds/Services!HowtodealwithoverallComplianceandGovernanceissues?



IssuesandRisks[2/2]

•MigrationofServicesbetweenCloudandServiceProviders

!ManagementofDataLifecycle

•ThreatsandAttacksintheCloudsandCloudServices!CloudandServiceProviderscanbethe“weakestlinks”inSecurity&Privacy!RelianceongoodsecuritypracticeofThirdParties


4.WhydoweneedIAM?

•Security

•Compliance

•Costcontrol•Auditsupport•Accesscontrol

Source:ftp://ftp.boulder.ibm.com/software/uk/productnews/tv/vh_-_access_and_identity_management.pdf

costreduction• DirectorySynchronization

“Improvedupdatingofuserdata:$185peruser/year”“Improvedlistmanagement:$800perlist”-GigaInformationGroup

• PasswordManagement“Passwordresetcostsrangefrom$51(bestcase)to$147(worstcase)forlaboralone.”–Gartner

• UserProvisioning“ImprovedITefficiency:$70,000peryearper1,000managedusers”“Reducedhelpdeskcosts:$75peruserperyear”-GigaInformationGroup

CanWeJustIgnoreItAll?

• Today,averagecorporateuserspends16minutesadayloggingon

• Atypicalhomeusermaintains12-18identities

• Numberofphishingsitesgrewover1600%overthepastyear

• CorporateITOpsmanageanaverageof73applicationsand46suppliers,oftenwithindividualdirectories

• Regulatorsarebecomingstricteraboutcomplianceandauditing

• Orphanedaccountsandidentitiesleadtosecurityproblems

Source:Microsoft’sinternalresearchandAnti-phishingWorkingGroup

IAMBenefits

Benefits to take you forward (Strategic)

Benefits today(Tactical)

Save money and improve operational efficiency

Improved time to deliver applications and service

Enhance Security

Regulatory Compliance and Audit

New ways of working

Improved time to market

Closer Supplier, Customer, Partner and Employee relationships


5.IAMtodolist

• Automaticaccountmanagement

• Archiving• Dataprivacy• Compliance• SecuriryVSRisks• useridentification• E-business• M2M

6.Dataprotection

Source:https://www.britestream.com/difference.html.

needtocheck

legallimits

datacontrollerresponsibility

teleworking

datatheft

7.IAM&control

datatransfer

• limitationofcontrol

• Privateemail

• penalties

• whocontrols

• securityismandatory!

• technicalsecurity– Riskanalysis– Back-up– desasterrecovery– identitymanagement– Stronglogin&passwords

• legalsecurity– informationintheemploymentcontracts

– Contractswithsubcontractors

– Codeofconduct

– Compliance

– Controloftheemployees

Control?

8.E-discovery

Definitionofe-discovery

• Electronicdiscovery(ore-discovery)referstodiscoveryincivillitigationwhichdealswithinformationinelectronicformatalsoreferredtoasElectronicallyStoredInformation(ESI).

• Itmeansthecollection,preparation,reviewandproductionofelectronicdocumentsinlitigationdiscovery.

• Anyprocessinwhichelectronicdataissought,located,secured,andsearchedwiththeintentofusingitasevidenceinacivilorcriminallegalcase

• Thisincludese-mail,attachments,andotherdatastoredonacomputer,network,backuporotherstoragemedia.e-Discoveryincludesmetadata.

Recommandations

Organizationsshouldupdateand/orcreateinformationmanagementpoliciesandproceduresthatinclude:– e-mailretentionpolicies,Onanindividuallevel,employeestendto

keepinformationontheirharddrives“justincase”theymightneedit.

– Workwithuserstorationalizetheirstoragerequirementsanddecreasetheirstoragebudget.

– off-lineandoff-sitedatastorageretentionpolicies,– controlsdefiningwhichusershaveaccesstowhichsystemsandunder

whatcircumstances,– instructionsforhowandwhereuserscanstoredata,and•backup

andrecoveryprocedures.– Assessmentsorsurveysshouldbedonetoidentifybusinessfunctions,

datarepositories,andthesystemsthatsupportthem.– Legalmustbeconsulted.Organizationsandtheirlegalteamsshould

worktogethertocreateand/orupdatetheirdataretentionpoliciesandproceduresformanaginglitigationholds.

9.Conclusion

• IAMisalegalquestion,notonlybusiness&IT

• complianceisimportant

• Moresecuritydueto

– Cloudcomputing

– Virtualisation

– Dataprivacy

– archiving

• Transparency

• E-discovery

IAMcouldbeanopportunity

• Rethinksecurity

• risksreduction

• costsreduction

• preciseroles&responsibilities

Any question?

Jacques [email protected]

IDENTITY ACCESS MANAGEMENT

Education

Transcript of IDENTITY ACCESS MANAGEMENT