Take Control of Identities & Data Loss. Vipul Kumra

Academic year: 2021

(1)

Take Control of Identities & Data Loss

(2)

Security Risks - Results

— Whom should you fear the most when it comes to securing your environment?

Ranked on the slide from 4 down to 1:

— Hackers / script kiddies
— Insiders
— Ex-employees / Disgruntled Employees
— Organized Targeted Crime

(3)

Example Insider Abuse

— Ram the insider gets fired and Shyam the administrator forgets to void Ram's (login) credentials.

— Ram goes home, logs into his work machine and takes some malicious action (introduces bugs into source, deletes files and backups, etc…).

— Alternatively, Shyam might void Ram's credentials, but forget that Ram also uses a shared group account (phew!!!).

(4)

Why do employees become disgruntled?

— Corporate layoffs/downsizing

− Ex-Rage is now a major concern for industrial psychologists

— Smaller annual raises than anticipated

— Passed over for promotion and advancement

— Racial/sexual discrimination and harassment

— … and many more

— What happens when they find new employment?

— What if the new employer is a competitor?

(5)

Statistics

— Insider attacks account for as much as 80% of all computer and Internet related crimes [1]

— Majority of insiders are privileged users and majority of attacks are launched from remote machines [2]

Sources:

[1] Jim Carr. Strategies and issues: Thwarting insider attacks, 2002.

(6)

Why Is This So Hard?

Figure: many roles, many processes, many applications, many users. Users shown: customers, employees, partners, contractors. Applications and processes shown: finance, email, sales, provisioning, help desk, certification, CRM, ERP, expenses, approval, administration, compliance.

Problems called out:

— Incorrect privilege assignment

— Too many roles

— Users with too many roles

(7)

Identity Lifecycle Management

Figure: identity management alongside role and compliance management.

Role Management
> Understand what roles exist in the enterprise
> Establish role model that fits organisation
> Analyse and maintain role model as business evolves

Identity Management
> Assign users to roles
> Apply role-based controls
> Provision users with approved accounts and privileges
> Manage change requests and approvals over time
> User self service – passwords & registration

Identity Compliance Management
> User and Role Entitlement Certification
> Real-time identity policy checking
> Detect segregation of duties or other security violations
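To make the Ram/Shyam scenario from the Example Insider Abuse slide and the segregation-of-duties check on this slide concrete, here is an added Python example; it is not from the slides and not any vendor's product code. The identity snapshot, the account and role names, the SoD rule pairs and the `offboard`, `orphaned_access` and `sod_violations` functions are all constructed for this illustration.

```python
"""Added example (not from the slides): checks over a constructed identity snapshot.

1. orphaned_access: leavers who still hold live credentials, directly or through a
   shared group account (the case Shyam forgets on the slide).
2. sod_violations: users holding two roles that a segregation-of-duties rule forbids.
3. offboard: the complete deprovisioning step that makes (1) come back empty.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    enabled: bool
    shared: bool = False                        # group account used by several people
    members: set = field(default_factory=set)   # uids allowed to use a shared account


@dataclass
class User:
    uid: str
    status: str       # "active" or "terminated"
    roles: set
    accounts: set     # names of the user's personal accounts


# Constructed sample data modelled on the slide's Ram/Shyam story (assumption).
ACCOUNTS = {
    "ram":        Account("ram", enabled=True),
    "shyam":      Account("shyam", enabled=True),
    "ops-shared": Account("ops-shared", enabled=True, shared=True, members={"ram", "shyam"}),
    "sita":       Account("sita", enabled=False),   # properly disabled leaver
}
USERS = {
    "ram":   User("ram", "terminated", roles={"developer"}, accounts={"ram"}),
    "shyam": User("shyam", "active", roles={"sysadmin", "security_auditor"}, accounts={"shyam"}),
    "sita":  User("sita", "terminated", roles=set(), accounts={"sita"}),
}
# Role pairs one person must not hold at the same time (constructed policy).
SOD_RULES = [
    ("sysadmin", "security_auditor"),       # an admin must not audit their own actions
    ("payment_creator", "payment_approver"),
]


def orphaned_access(users, accounts):
    """Return {uid: sorted account names} for terminated users with any usable access."""
    findings = {}
    for uid, user in users.items():
        if user.status != "terminated":
            continue
        live = [a for a in user.accounts if accounts[a].enabled]
        # Shared accounts are the part a personal-account-only check misses.
        live += [a.name for a in accounts.values()
                 if a.shared and a.enabled and uid in a.members]
        if live:
            findings[uid] = sorted(live)
    return findings


def sod_violations(users, rules):
    """Return sorted (uid, role_a, role_b) triples for every conflicting role pair held."""
    out = []
    for uid, user in users.items():
        for a, b in rules:
            if a in user.roles and b in user.roles:
                out.append((uid, a, b))
    return sorted(out)


def offboard(uid, users, accounts):
    """Complete deprovisioning: disable personal accounts AND revoke shared memberships."""
    user = users[uid]
    user.status = "terminated"
    for a in user.accounts:
        accounts[a].enabled = False
    for a in accounts.values():
        if a.shared:
            a.members.discard(uid)


if __name__ == "__main__":
    print("orphaned access:", orphaned_access(USERS, ACCOUNTS))
    print("SoD violations:", sod_violations(USERS, SOD_RULES))
    offboard("ram", USERS, ACCOUNTS)
    print("after offboarding ram:", orphaned_access(USERS, ACCOUNTS))
```

Run as-is, the first check reports Ram with both his personal account and the shared `ops-shared` account still usable, while Sita (disabled) is clean; the SoD check flags Shyam for combining the administrator and auditor roles. Running `offboard` before the check is what an entitlement certification process would confirm.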

(8)

The Application Security Silo Challenge

Figure: one person, John Doe, exists as separate identities (J_Doe, 121196, A23JJ4, John_D, Johnd, plus a mobile phone record) across the application layer, user store and operating system (SQL 2000, SunONE LDAP, Oracle OID, Oracle RDBMS, Active Directory, Oracle PKI Cert, LDAP) for CRM, ERP, HR, Extranet/Partner, SCM, Customer Self-Service and Commerce, serving employees, partners and customers; each application carries its own security layer.

— High security administration costs

— Expensive coding and maintenance

— Poor user experience

— No centralized security enforcement

— No standardized security process

(9)

The Solution

Centralized Web Access Management

Figure: the same application layer, user stores and operating systems (SQL 2000, SunONE LDAP, Oracle OID, Oracle RDBMS, Active Directory, Oracle LDAP) and applications (CRM, ERP, HR, Extranet/Partner, SCM, Customer Self-Service, Commerce) behind a single e-security layer, for employees, partners and customers.

— Reduced administrative costs

— Reduced development costs

— Single sign-on & sign-off for users

— Faster application deployment

— Reduced Risk/Increased security

— Eased regulatory compliance

(10)

Secure Web Business Enablement

Figure: federation and web access management.

Web Access Management
> Web SSO
> Authentication Management
> Policy-based Authorization
> Centralized Auditing/Reporting

Identity Federation
> Browser-based federation across domains
> Flexible options for partner enablement

SOA/Web Services Security
> Authentication of requester based on message content
> Policy-based authorization
> XML threat prevention
> WS Standards support

(11)

The Privileged User Challenge

— Normal User

− Is identified

− Access is controlled

— 'root' Administrator

− Is anonymous

− Can bypass application security

− Can see and alter application data

− Can change system files

− Can change system configuration

− Can alter logs and erase records

Figure: the privileged user sits beneath both application security and OS security, with direct reach to customer data and critical services.

(12)

OS Access Management

— Privileged Superuser Account

− "Root" on UNIX/Linux

− "Administrator" on Windows

— How is a Server Maintained?

− Administrators of different roles sharing access

— Issues

− Inability to segregate duties

− Lack of accountability

− Over-privileged users

− Outsider risk

Figure: "Before" state.

(13)

Access Control Without Data Loss Prevention

— Access to data is protected:

− OS Access Control

− Web Access Management

— No control over what can be done with data.

Figure: end user reaching a server application through OS access control and web access management.

(14)

Access Control With Data Loss Prevention

— Access to data is protected:

− OS Access Control

− Web Access Management

— Data Loss Prevention

− Controls what end users can do with data that they have legitimately accessed

Figure: as before, with a data loss prevention policy applied between the end user and the server application.

(15)

DLP: Protect Data Everywhere

Network: Email (SMTP), Files (FTP), IM, Web (HTTP), and others

Endpoint (desktops, laptops): Email, Web use, Saving Files, Printing Files, Launching Programs

Message Server: Message servers (Exchange, Domino)

Stored Data: Shared folders, file and document repositories, public folders and other

Figure: endpoint, network and message coverage.

(16)

Data & Resource Protection: Comprehensive Approach

Server Access Management

− Fine-grained access control

− Policy-based management

− Secure policy-based reporting

− Host protection against data loss

Data Loss Prevention

− Data at Rest (Stored Data)

− Data in Motion (Email, Web…)

− Data in Use (Saving, Printing…)

− Data to Supervise (Review, Tag…)

(17)

It is Mandatory! Why?

Why Log Management Matters to Compliance

— Logs show how critical data is used and who uses it

− Who created that user?

− When was privileged access granted?

− When was privileged access removed?

− Who has accessed this data?

− Did someone delete the security log?

— Logs help to investigate why performance is degraded or failed

− Did the configuration change?

− When was the configuration changed?

− Who changed the configuration?

− Why can't the app server connect to the db?

− When did the route change?

− What error is the web server giving?

ISO17799

10.10.1 …establish and maintain audit logs

10.10.3 …protect logging facilities and log data

NIST 800-53

AU-6 …regular audit review

AU-9 …protects audit info from unauthorized access, changes, deletion

PCI DSS

Requirement 10: Track and monitor all access to network resources and cardholder data

Cobit

Use logging and monitoring to detect abnormal activities

SOX

Section 404: Demands controls and consistent processes
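The five questions under "Logs show how critical data is used" can only be answered if the relevant events are recorded and searchable. The Python below is an added example, not material from the slides or any log management product: it parses a constructed key=value audit log (the record format, hostnames, user names and action names are all assumptions for the illustration) and answers each question, including whether anyone cleared a log.

```python
"""Added example (not from the slides): answering the slide's audit questions
from a constructed audit log. Real systems emit different records; the
key=value format and every event below are assumptions for this illustration."""
from datetime import datetime

# Groups whose membership counts as privileged access (assumption).
PRIVILEGED_GROUPS = {"wheel", "sudo", "Administrators"}

# Constructed sample log, echoing the Ram/Shyam scenario from earlier slides.
SAMPLE_LOG = """\
2021-03-01T08:00:12Z host=app01 actor=shyam action=user.create target=ram
2021-03-01T08:01:40Z host=app01 actor=shyam action=group.add target=ram group=wheel
2021-03-01T08:02:05Z host=app01 actor=shyam action=group.add target=ram group=developers
2021-03-04T17:30:00Z host=app01 actor=ram action=file.read target=/srv/customer.db
2021-03-05T09:12:33Z host=app01 actor=shyam action=group.remove target=ram group=wheel
2021-03-06T22:41:09Z host=app01 actor=ram action=log.clear target=/var/log/secure
"""


def parse_line(line):
    """'<ISO timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for f in fields:
        key, _, value = f.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def who_created(events, user):
    """'Who created that user?'"""
    for ev in events:
        if ev["action"] == "user.create" and ev["target"] == user:
            return ev["actor"]
    return None


def privileged_access_timeline(events, user):
    """'When was privileged access granted / removed?' as (when, what, group, by whom)."""
    out = []
    for ev in events:
        if ev["target"] != user or ev.get("group") not in PRIVILEGED_GROUPS:
            continue
        if ev["action"] == "group.add":
            out.append((ev["ts"].isoformat(), "granted", ev["group"], ev["actor"]))
        elif ev["action"] == "group.remove":
            out.append((ev["ts"].isoformat(), "removed", ev["group"], ev["actor"]))
    return out


def data_access_by(events, path):
    """'Who has accessed this data?'"""
    return sorted({ev["actor"] for ev in events
                   if ev["action"] == "file.read" and ev["target"] == path})


def log_tampering(events):
    """'Did someone delete the security log?' -> (when, who, which log)."""
    return [(ev["ts"].isoformat(), ev["actor"], ev["target"])
            for ev in events if ev["action"] == "log.clear"]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("created by:", who_created(events, "ram"))
    print("privileged access:", privileged_access_timeline(events, "ram"))
    print("readers of /srv/customer.db:", data_access_by(events, "/srv/customer.db"))
    print("log clearing:", log_tampering(events))
```

The last function is the one ISO 17799 10.10.3 and NIST AU-9 are concerned with: a log-clear record is only useful if it has already been shipped to a collector the actor cannot alter, which is the reason the next slide starts with "Collect Log Data".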

(18)

Enterprise Log Management

Security Information Management
> Collect Log Data
> Aggregate and Analyze Logs
> Visualize Compliance, Security and Risk Posture

Enterprise-wide IT Activity Visibility and Awareness
> Prove Compliance
> Deliver Rapid Time-to-Value
> Provide Lower Total Cost of Ownership

(19)

Content Aware Identity and Access Management

Content Aware IAM allows controlling identities, their access & how they can use the information they access.

Figure: three controls, control identities, control access, control information.

The control you need to confidently drive business forward

(20)

Content Aware adds additional checks based on the content within the application

Figure: Traditional Web Access Management: requests pass a user authorization check before reaching web content. Content Aware IAM: requests pass a user authorization check and then a content check.

Traditional WAM examines if the user is authorized for the application – Content Aware examines if the Content within the app is appropriate for this user.
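An added illustration, not code from the slides or any product, of the two-stage check this slide describes; it also serves the "controls what end users can do with data that they have legitimately accessed" point on the Access Control With Data Loss Prevention slide. A traditional WAM entitlement check runs first, then a content check classifies what the request would return and compares that class with the user's content entitlements. The user names, application names, the card-number classifier and the entitlement tables are assumptions constructed for the example.

```python
"""Added example (not from the slides): traditional WAM check plus a content check.
All names, tables and the classifier are assumptions for this illustration."""
import re

# Traditional WAM policy: which applications each user may reach (constructed).
APP_ENTITLEMENTS = {
    "alice": {"crm"},                 # sales rep
    "bob":   {"crm", "finance"},      # finance analyst
}
# Content policy: which content classes each user may be shown (constructed).
CONTENT_ENTITLEMENTS = {
    "alice": {"public"},
    "bob":   {"public", "pan"},       # cleared for primary account numbers
}

_CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """'pan' if the text carries a Luhn-valid 13-19 digit number, else 'public'."""
    for m in _CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "pan"
    return "public"


def wam_authorize(user: str, app: str) -> bool:
    """Stage 1, traditional WAM: is the user authorized for the application at all?"""
    return app in APP_ENTITLEMENTS.get(user, set())


def content_aware_authorize(user: str, app: str, content: str):
    """Stage 2, content aware: is the content the app would return appropriate for this user?

    Returns (allowed, reason); reason is the content class when allowed."""
    if not wam_authorize(user, app):
        return (False, "app_denied")
    cls = classify(content)
    if cls not in CONTENT_ENTITLEMENTS.get(user, set()):
        return (False, f"content_denied:{cls}")
    return (True, cls)


if __name__ == "__main__":
    record = "Card on file: 4111 1111 1111 1111"
    print("alice/crm :", content_aware_authorize("alice", "crm", record))
    print("bob/finance:", content_aware_authorize("bob", "finance", record))
```

Alice is authorized for the CRM application, so traditional WAM lets the request through; the content check still refuses to show her a record containing a card number she is not entitled to see. The classifier here is deliberately narrow so the example stays short; a real content check would apply the organisation's own classification policy.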

(21)

Cloud Adoption & Security

1. Extend Security To the Cloud

2. Security For the Cloud

3. Security From the Cloud

(22)

Extend enterprise security to the cloud

Enterprises want... to increasingly use more SaaS applications & cloud services

Figure: users on the enterprise LAN and remote users on the public network reach in-house applications through the corporate directory ("Identity Provider") and IAM directories; capabilities shown: provisioning, single sign-on, attestation, information control, auditing.

(23)

Security for the cloud

Figure: an on-premise private cloud (IAM over a hypervisor running App 1, App 2, App 3) beside a public cloud (IAM over a hypervisor running applications for Customer 1, Customer 2 … Customer n).

Organizations & Service Providers will build their own clouds leveraging virtualization

Security & management of virtualization will be critical

Manage complexity with automation and extended policy

(24)

Security from the cloud

Cloud-based Identity Management Services will emerge… as trust model changes & cloud relationships become more complex

Figure: the enterprise LAN (users, in-house applications, corporate directory "Identity Provider", IAM directories with provisioning, single sign-on, attestation, information control, auditing) alongside IAM as a Service with strong authentication for remote users on the public network.

(25)

Of course, this does not cover everything. Traditional security e.g. Backups, Business Continuity, Disaster Recovery, Antivirus, firewalls still exist.

Really it comes down to two aspects, TRUST & RISK, and finding the right balance.

In Summary

— Identity Management

— Data Protection

— Access Control

— Strong Authentication

— Governance

(26)

References
