CISO Insights to Access Security from Gemalto’s Access Management Survey

Jeremy Tomlin

Director Product Management, Identity and Access Management, Gemalto


www.thalesgroup.com


Demographics

Gemalto IAMI - research results

…respondent country …organization size …organization sector

1,050 IT decision makers were interviewed in January and February 2019

Figure D1: Analysis of respondent region, asked to all respondents (1,050 respondents)

• US: 200
• Brazil: 100
• UK: 100
• France: 100
• Germany: 100
• BeNe: 50
• India: 100
• Japan: 100
• Australia: 100
• Middle East: 50
• South Africa: 50

Figure D2: “How many employees does your organization have in the country you are based?”, asked to all respondents (1,050 respondents)

• 250-499 employees: 250
• 500-999 employees: 283
• 1,000 - 5,000 employees: 313
• More than 5,000 employees: 204

Figure D3: “In which of these sectors would your organization be categorized?”, asked to all respondents (1,050 respondents)

• IT/computer services: 183
• Manufacturing: 132
• Financial services: 118
• Retail: 113
• Telecoms: 94
• Government: 80
• Utilities: 65
• Healthcare (private): 61
• Construction/real estate: 59
• Healthcare (public): 43
• Insurance/legal: 43
• Other commercial sectors: 54
• Other public sectors: 5


Targets for cyber-attacks

In general which of the following do you think are the biggest targets for cyber-attacks?

> Unprotected infrastructure is one of the biggest targets for cyber-attacks

• Unprotected infrastructure (e.g. new IoT devices): 54%
• Web portals: 50%
• Cloud applications (SaaS, PaaS, IaaS): 49%
• Mobile applications: 45%
• Local network access: 37%
• Enterprise applications (including legacy systems): 37%
• Third party vendors: 30%
• Virtual desktop infrastructures (VDI): 28%
• VPN: 28%
• Supplier networks: 28%
• Outlook web access (OWA): 28%
• AI based applications: 25%
• Consultant networks: 18%
• There are no specific targets: 1%
• Don’t know: 0%


Cloud applications as a target

41% say that poor access management solutions for the cloud result in cloud being a target

Why do you feel that cloud applications are a target for cyber-attacks?

• The increasing volume of cloud applications in use: 63% (2018/19 total), 71% (2017 total)
• Lack of strong cyber security solutions to implement appropriate protection: 55% (2018/19 total), 55% (2017 total)
• Inconsistent security protection across cloud: 54% (2018/19 total), N/A (2017 total)
• Lack of in-house skills to secure cloud applications: 50% (2018/19 total), 51% (2017 total)
• Organizations have poor visibility over their applications in the cloud: 44% (2018/19 total), 35% (2017 total)
• Poor access management solutions in place for the cloud: 41% (2018/19 total), 42% (2017 total)
• Don’t know: 0% (2018/19 total), 0% (2017 total)


Drivers for access management solutions

> Security is a key driver for the implementation of access management solutions

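• The threat of large scale breaches: Not a consideration 4%, A small consideration 16%, One of the main considerations 55%, Most significant consideration 24%, Don’t know 2%
• Simplified cloud access for end users: Not a consideration 8%, A small consideration 22%, One of the main considerations 51%, Most significant consideration 18%, Don’t know 1%
• Security concerns: Not a consideration 3%, A small consideration 18%, One of the main considerations 59%, Most significant consideration 17%, Don’t know 2%
• Inefficient cloud identity management: Not a consideration 6%, A small consideration 26%, One of the main considerations 57%, Most significant consideration 7%, Don’t know 3%
• Current inability to scale cloud access controls in the enterprise: Not a consideration 8%, A small consideration 29%, One of the main considerations 55%, Most significant consideration 7%, Don’t know 2%
• Enable new ways of doing business e.g. employee mobility and digital…: Not a consideration 6%, A small consideration 26%, One of the main considerations 61%, Most significant consideration 4%, Don’t know 3%
• The volume of help desk tickets owing to lost and forgotten…: Not a consideration 9%, A small consideration 32%, One of the main considerations 54%, Most significant consideration 3%, Don’t know 2%
• Visibility and compliance concerns relating to cloud access events: Not a consideration 5%, A small consideration 27%, One of the main considerations 64%, Most significant consideration 2%, Don’t know 3%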


Cloud access management being conducive to cloud adoption

Do you see cloud access management for cloud and web applications as being conducive to facilitating cloud adoption?

> Cloud access management for cloud and web applications is conducive to facilitating cloud adoption

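• Yes, definitely: 56% (2018/19 total), 48% (2017 total)
• Yes, to some extent: 40% (2018/19 total), 43% (2017 total)
• No: 2% (2018/19 total), 5% (2017 total)
• My organization does not use cloud apps: 1% (2018/19 total), 4% (2017 total)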


Impact of ineffective cloud access management

> Ineffective cloud access management can be problematic

What impacts does/could your organization see to its cloud and web resources as a result of ineffective cloud access management?

• Cloud becoming a security issue: 48%
• IT staffs' time being used less efficiently: 44%
• Increase in operational overheads and IT costs: 43%
• Larger scale breaches due to a lack of visibility over cloud: 38%
• Shadow IT taking place: 29%
• Slower adoption of cloud: 28%
• Duplication of cloud applications: 26%
• Decreased user mobility: 26%
• There is/would be no impact: 3%
• Don’t know: 1%


Authentication policies

Authentication is important to many areas of the business

> Analysis of respondents who agree with these statements

• My organization's level of employee authentication needs to be able to support VPN and cloud access: 81%
• Policy-based access management is the future of access security: 78%
• Access management and identity governance administration is more effective when separated: 73%
• Authentication methods used in the consumer world can be applied to ensuring secure access to enterprise resources: 72%


Two-factor authentication facilitating cloud

> Do you see two-factor authentication for cloud applications as being conducive to facilitating cloud adoption?

> Two-factor authentication can be conducive to facilitating cloud deployment

94% see two-factor authentication for cloud applications as being conducive to facilitating cloud adoption


Data/information used in a smart SSO solution

Smart SSO is a sought after solution

Which of the following types of data/information would you like to see used in a smart SSO solution?

• Sensitivity of the data: 65%
• Sensitivity of the application: 57%
• Function/department of the user: 44%
• The network being used: 42%
• Seniority of the user: 36%
• Other data accessed in the previous 24 hours: 30%
• Length of service to the organization: 29%
• I would not like to see a smart SSO solution: 1%
• Don’t know: 2%


Benefits of smart SSO

> Smart SSO can bring vast benefits to organizations

What are/would be the benefits of your organization using smart SSO?

• Employees feel their data is secure: 54%
• Customers feel their data is secure: 52%
• Preventing breaches of data: 50%
• Security solutions becoming proactive rather than reactive: 42%
• More secure than regular SSO (the same credential is used across the board for all apps): 41%
• Speed of allowing access: 37%
• Better able to be compliant/meet regulations: 37%
• Cost effective: 32%
• There are/would be no benefits: 1%
• Don’t know: 2%


Typical Cloud Migration Scenarios


What does cloud adoption mean

> We wanted access from anywhere on any device

> We added applications

> We wanted partner access

> We wanted cloud applications

> The perimeter has changed


Before you know it…

[Diagram labels: IT Admins, Standard Users, C-Suite; DB, Network Storage, On-Prem Apps, File Servers, End Point, VPN, HR, Travel, Financial, PAM; "Password ?" repeated seven times; MFA, RADIUS, Agents, APIs]


Determine who, when and how users log in to cloud apps

1. ASSESS RISK

• Define where your sensitive data is located
• Identify cloud apps
• Define who should access what
• Define appropriate authentication method

2. MANAGE RISK

Define access policies taking into account

• Identities/profiles
• Type of resource being accessed
• Context (device, location, network…)

3. CONTAIN RISK

Detect, Monitor and Respond

• Detect unusual security events
• Respond: Block, allow, step-up, etc.
• Monitor: Report & adapt policies


Step up to MFA

Set policies that take into account role and context to apply the right level of security at the right time

[Diagram labels: IT Admins, Standard Users, C-Suite; Contextual attributes; Access Policies; SSO; SAML, OIDC, APIs; SaaS / IaaS]


Applying the right level of security for the right users

[Diagram labels: DB, Network Storage, On-Prem Apps, File Servers, End Point, VPN, HR, Travel, Financial, PAM]

• IT Admins: Access to admin consoles. Smart Card authentication needed every time
• Standard Users: O365 access from local network. Transparent authentication (context), once per session
• C-Suite: O365 access from outside network on known device. PUSH OTP, once per session


Step up to MFA

Now tie it into your existing access security and MFA framework

[Diagram labels: Contextual attributes; Access Policies; SSO; RADIUS, SAML, OIDC, Agents, APIs; SaaS / IaaS; On-prem Apps]


Example on how to set access policies with SafeNet Trusted Access

[Screenshot labels: Users/Groups (IT Admins, Standard Users, C-Suite); Target Apps]

Define Policies

• Scenario-driven
• Compliance-focused
• Based on context & risk
• Set Auth rules by policy

Monitor Risk

Adjust


Access Management and Authentication from Gemalto

Trusted by leading global brands

• 30 years in Identity & Access Management
• More than 25,000 customers and more than 30 million users
• Cloud security pioneer: First vendor to offer cloud-based authentication

Gemalto is the world leader in digital security with solutions that protect the entire digital service cycle

UK Government


Thank You