November 14, 2018. © 2018 DXC Technology Company. The underlying methodologies and information are confidential and proprietary information of DXC Technology Company.
Identity and Access Management Blueprint
Cyber Reference Architecture (CRA)
Version 2.1
DXC Security
For further information, please contact [email protected]
Table of contents
1. Identity and Access Management (IAM) blueprint
2. Work packages summary
3. Identity life-cycle layer work packages (extract)
4. Authentication layer work packages (extract)
5. Authorization layer work packages (extract)
6. Appendix
1. Identity and Access Management (IAM) blueprint
Identity & Access Management (IAM) Layers
[Figure: the five IAM layers and the related CRA layers. IAM layers: Strategic Layer; Cyber Defense & Orchestration Layer; Identity Lifecycle Layer (Provisioning, De-Provisioning); Authentication Layer; Authorization Layer. Related CRA layers: Strategy, Leadership & Governance (SLG); Risk & Compliance Management (RCM); Security Resilient Architecture (SRA); Physical Security (PS); Cyber Defense (CD); Infrastructure & Endpoint Security (IES); Applications Security (AS); Data Protection & Privacy (DPP); Converged Security (CS); Resilient Workforce (RW); Security Orchestration (SO). Flows drawn between the layers: Business drivers, Policy & Directions; Policy; HR Identity Records & Job Role Definition; Policy Enforcement; Actionable Sec & Threat Intelligence; Report & Evidence collection; Metrics & Events; Real Time Monitoring & Remediation.]
Identity & Access Management (IAM) Layers
[Figure: the same layer map, with the CRA subdomains placed on the IAM layers. Strategic Layer: Audit Management & Certification; Empowered Workforce; Legal, Regulatory & Privacy Compliance. Cyber Defense & Orchestration Layer: Security Monitoring; Security Analytics; Security Operations Management. Identity Lifecycle Layer: Identity & Account Management (Provisioning, De-Provisioning). Authentication Layer: Authentication Management. Authorization Layer: Access Management; Privileged Account Management. The related CRA layers and the inter-layer flows are as in the previous figure.]
Subdomains and capabilities

IAM.1 Identity & Account Management
• Identity Feed
• Identity Directories
• Account Removal
• Account Provisioning & De-provisioning
• Federated Identity Management
• Account Reconciliation & Consolidation
• Account Revalidation
• Account Monitoring & Auditing
• Account Reporting

IAM.2 Authentication Management
• Claims-based Authentication
• Credential-based Authentication
• Multi-Factor Authentication
• Credential Provisioning
• Single Sign-On
• Credential Reset & Renewal
• Strong Authentication
• Authentication Policy Enforcement

IAM.3 Access Management
• Object Access Control List
• Group-based Access Control
• Access Approval
• Role-based Access Control
• Access Provisioning & De-provisioning
• Attribute-based Access Control
• Adaptive Access Control
• Access Reconciliation
• Access Certification
• Access Policy Enforcement
• Access Removal
• Access Monitoring & Auditing
• Web and API Access Management
• Delegation
• Access Reporting

IAM.4 Privileged Account Management
• Non-Personal Account Lifecycle Management
• Privileged Session Management
• Password Vaulting
• Traceability & Accountability
• Privileged Account Reporting
• Privileged Account Reconciliation
• Privileged Account Revalidation
Layers: Summary

Strategic Layer
Description: Establishes the requisite security policy to manage and govern identity and access-based risk and compliance within the enterprise.
Examples of typical issues: Inability to view the “big picture” without assembling manual reports. No understanding of who has access to what, or ability to prove that access is controlled. Access requests are not immediately checked against security policies before they are approved.

Cyber Defense & Orchestration Layer
Description: Delivers an integrated Security Operations Center (SOC) environment that incorporates data feeds and operational controls from IAM solutions.
Examples of typical issues: Lack of monitoring and traceability of privileged accounts, which directly affects the enterprise's ability to take action in the event of a security incident. No user behavior analysis.

Identity Life-Cycle Layer
Description: Provides the ability to centrally manage, report and govern identities and provision their access into the environment.
Examples of typical issues: Manual IAM workflows and processes, such as access requests and provisioning. Lack of visibility and governance of identities and access, which results in risk.

Authentication Layer
Description: Provides the ability for resources to utilize the appropriate mechanisms to prove identity prior to accessing systems.
Examples of typical issues: Poor user or customer experience while authenticating to systems. Inadequate level of authentication for privileged identities or accounts.

Authorization Layer
Description: Provides the ability for resources to access systems based on role and entitlements, as well as to generate the security event data used to identify threats.
Examples of typical issues: Inconsistent access control and segregation of duties. Control of privileged access to systems.
Strategic layer

Objective: Map security objectives to the risk profile of the business to help direct and inform security investment and decision making.

Supporting background information
The purpose of the strategic layer is to align the IAM domain with organizational goals in support of business enablement. It should also define the roles and responsibilities of the key stakeholders. To achieve this you should:
• Ensure that objectives are achieved by:
– assessing the current policies, standards and procedures
– providing a strategy and roadmap to meet compliance requirements
– ensuring proper metrics, KPIs and reporting are developed and implemented
• Ensure proper leadership and alignment are in place to provide direction to, and ownership of, the IAM program and/or solution
• Ensure the standards and policies used to create, validate, update and communicate policies are applied when implementing an IAM program and/or solution
• Ensure processes and procedures align with the rules governing the various aspects of the IAM program and/or solution during development and operation
• Ensure that compliance with policy is assessed, gaps are identified and remediation efforts are detailed in order to comply with legal, regulatory, privacy and industry requirements
• Ensure employees get regular awareness training on identity and access best practices

Benefits of investing
• Proper deployment of an IAM solution, including the strategy and governance layer, will be in line with the corporate security strategy
• Control over who has access to what within the enterprise, when and why, so that people only have access to what is needed
• Proper reporting, control and auditability throughout the enterprise as it pertains to access and who can access what

Risks of NOT investing
• Lack of clear reporting and understanding across the enterprise of current access and of who has the ability to access restricted applications, systems and databases
• Without proper leadership and alignment there will be no control around who gets access to what, causing a “Material Weakness” finding during audit and compliance reviews
• Improper processes and procedures, along with improper implementation of an IAM program and/or solution, will cause unrestricted access to the enterprise
• Lack of unified metrics, KPIs and reporting can negatively influence key business objectives and key measures (revenue, profit, etc.) as well as brand reputation
Cyber defense and orchestration layer

Objective: Detect and respond to security incidents, operate security capabilities and manage vulnerabilities.

Supporting background information
• Integrate operational security management processes with service management processes and business processes for effective attack response. This covers the definition, ownership, deployment and execution of security delivery processes and of consolidated, architecturally well-designed SOC processes and procedures; the collection, reporting and review of security key performance indicators to support compliance and audit programs as well as to measure, communicate and improve security performance, maturity and the efficiency of security processes; the assignment of properly skilled resources to support operational security processes; and integration between security processes and the Incident & Change Management processes and ticketing system, to support requests for change and investigative or remediation activities.
• Establish a baseline of normal behavior, identify which CMDB information can be integrated, and align with the definition of critical assets. Integrated asset management and analytics support behavior analysis for prioritizing the response to threats and incidents.
• Identify, source and integrate internal and external threat intelligence. Threat sources vary greatly and the advanced nature of attacks increases the likelihood of exploitation; threat intelligence helps prioritize resources to address the most significant threats.
• Provide a digital investigation & forensics service, active hunting and threat actor profiling capabilities. The aim is to pull together the available data and translate it into actionable security intelligence, to provide an active hunting capability that proactively identifies advanced threat actors already in place, and to allow accurate threat actor profiling so that activities can be prioritized to respond efficiently to an incident and conduct the remediation exercise.

Benefits of investing
• Integrated SOC function across all localizations, providing the most efficient functional and cost model
• Awareness of all assets on the network, allowing for risk assessment and application of appropriate controls and monitoring, as well as better business continuity management
• Identification and understanding of threats and risks relevant to the enterprise
• Prioritization and proportional response to threats, vulnerabilities and incidents
• Threat intelligence driven pre-emptive actions and service support, reducing the impact of emerging threats
• Security data turned into actionable security intelligence that can be utilized to protect the business

Risks of NOT investing
• Security working in silos, with increased risk of inappropriate and/or incomplete security response to threats, vulnerabilities and incidents
• Inability to understand and respond to current and emerging threats, advanced threats and risks
• Unknown assets not being monitored or protected, providing weak points of entry into the network
• Lack of investment in intelligence-driven threat assessments and inability to closely observe emerging threats, reducing the ability to conduct business in new markets
Identity life-cycle layer

Objective: Establish a centralized system to manage and control identities and associated accounts.

Supporting background information
The purpose of the identity life-cycle layer is to provide and manage a corporate identity store for storing, structuring, organizing and managing the identity information that is used to manage accounts and authorizations. Common identity management issues include:
• Nonstandard identity life-cycle workflows across localizations, resulting in the creation of unauthorized accounts and of uncorrelated and orphaned user accounts provisioned on disparate endpoint systems throughout the enterprise. This practice impedes life-cycle management of user accounts in an efficient, consistent manner
• Decentralized, ad hoc, manual identity creation processes decrease accountability, auditability and compliance, and increase fulfillment time and human error, leading to a loss of confidence. In the worst case this can manifest itself in the creation of noncompliant accounts that could be used by malicious attackers
• Lack of centralized and controlled identity life-cycle management results in complex and expensive integration with third parties such as cloud providers
• Inability to view the “big picture” without assembling manual reports. No understanding of who has access to what, or ability to prove that access is controlled. Manual audit reporting processes require a significant number of resources and time to prepare, are fraught with errors and are highly scrutinized by auditors
• No consistent policy enforcement or business rules applied to users and access privileges. Manual processes are both time consuming and costly

Benefits of investing
Improved risk posture and user satisfaction through:
• Standardization of user account creation and of the approval process for employees, vendors, contractors (subcontractors) and service accounts, enabling user account correlation and end-to-end life-cycle management
• Automated enforcement of password policies across localizations, ensuring all accounts conform to policy
• Automation of onboarding/offboarding requests, completed in a timely manner and inclusive of set workflows and approval requirements
• Audit and reporting on the state of inactive/dormant accounts, frequently locked accounts and disabled accounts, demonstrating audit compliance
• Consistent policy enforcement and the ability to view the “big picture” without assembling manual reports

Risks of NOT investing
• Ad hoc and nonstandard identity creation processes simplify, and decrease the time needed for, a hacker to breach a single identity and gain undetected access to sensitive assets
• New hacking tools are developed and sold on the internet daily, enabling low-skilled hackers to infiltrate and steal sensitive information; each day the risk level climbs as exploitation methods and tools become inexpensive and more widely available
• Multiple orphaned accounts (particularly service accounts) that may still be active, resulting in fraudulent access
Authentication layer

Objective: Implement appropriate mechanisms to prove identity prior to accessing corporate information assets.

Supporting background information
Key issues driving the need for a strong authentication service:
• Inconsistent implementation and enforcement of password policy controls result in accounts that have weak passwords, allow password reuse, have non-expiring passwords, have no automated account expiration for inactive accounts, and do not lock or disable accounts after too many authentication attempts. Account passwords are targeted daily by hackers, and breaching one account can lead to unlimited rewards for the hacker
• The rapid growth of the mobile workforce and of cloud-based applications offers greater flexibility, but also creates new challenges for organizations
• The traditional challenges, such as enterprise integration, protecting against data breaches and complying with regulations, are now combined with new challenges such as providing users with simple yet secure access from anywhere to applications that could reside anywhere
• The changing working environment demands remote access to data and applications, which poses huge security risks to organizations
• Organizations need managed services that combine strong multi-factor authentication (MFA), industry-leading integration and a choice of authentication options to meet varied customer needs
• Authentication options, whether they conform to the traditional MFA model of dynamic security codes or to new models such as biometrics, must enable enterprises to select what is right for their users, devices and applications

Benefits of investing
• Robust authentication helps organizations comply with regulations mandating data privacy and protection, which effectively saves costs
• The authentication layer reduces security vulnerabilities, helping to gain a widespread digital presence, reputation and positive brand image
• Users can easily adopt strong and multi-factor authentication solutions. This helps organizations attract security-conscious customers and increase sales
• Strong authentication and MFA provide users with the needed access to business data and applications from anywhere, increasing productivity by significantly reducing the time spent on password administration and maintenance
• A single, consistent method of signing into corporate applications, simplifying access to cloud-based applications

Risks of NOT investing
• Ad hoc and nonstandard password controls simplify, and decrease the time needed for, a hacker to breach a single identity and gain undetected access to sensitive assets
• Lack of investment in strong authentication will cause brand value damage, dissatisfied customers and loss of market share
• Without robust authentication, organizations may not be able to comply with regulations mandating data privacy and user protection, which will significantly increase operating cost
• Increased number of help desk calls for password management
• Policy violations, e.g., shared passwords
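The password-policy gaps listed under the key issues (non-expiring passwords, inactive accounts that are never expired, password reuse, systems that never lock an account after repeated failures) can be checked mechanically against a directory export. The following is an added example, not part of the DXC blueprint; the record layout, the policy values, the system configurations and the sample accounts are all constructed.

```python
"""Audit account records against a password-policy baseline (authentication layer).

Added example, not part of the DXC blueprint. The record layout, policy values,
system configurations and sample accounts are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Policy:
    """Constructed baseline; the numbers are assumptions, not the blueprint's."""
    max_password_age_days: int = 90
    inactive_disable_days: int = 45
    history_depth: int = 5       # previous passwords that may not be reused
    lockout_threshold: int = 10  # failed attempts before the account locks


@dataclass(frozen=True)
class SystemConfig:
    name: str
    lockout_threshold: int  # as configured on the system; 0 means accounts never lock


@dataclass(frozen=True)
class AccountRecord:
    system: str
    name: str
    enabled: bool
    password_never_expires: bool
    password_last_set: date
    last_logon: date
    password_hash: str              # opaque token as exported; never a plaintext password
    previous_hashes: Tuple[str, ...]  # password history, most recent first


def audit(accounts: List[AccountRecord], systems: List[SystemConfig],
          policy: Policy, today: date) -> Dict[str, List[str]]:
    """Return policy violations keyed by control; an empty dict means compliant."""
    findings: Dict[str, List[str]] = {
        "non_expiring_password": [], "password_overdue": [],
        "inactive_not_disabled": [], "password_reused": [],
        "lockout_weaker_than_policy": [],
    }
    for cfg in systems:
        # A threshold of 0 (never lock) or one above the policy value both fail.
        if cfg.lockout_threshold == 0 or cfg.lockout_threshold > policy.lockout_threshold:
            findings["lockout_weaker_than_policy"].append(cfg.name)

    for a in accounts:
        label = f"{a.system}/{a.name}"
        if a.password_never_expires:
            findings["non_expiring_password"].append(label)
        elif today - a.password_last_set > timedelta(days=policy.max_password_age_days):
            findings["password_overdue"].append(label)
        if a.enabled and today - a.last_logon > timedelta(days=policy.inactive_disable_days):
            findings["inactive_not_disabled"].append(label)
        # Reuse can only be detected against the history that was kept, so a history
        # shallower than policy.history_depth cannot prove compliance on its own.
        if a.password_hash in a.previous_hashes[:policy.history_depth]:
            findings["password_reused"].append(label)
    return {k: v for k, v in findings.items() if v}


# Constructed sample export; the date matches the blueprint's publication date.
TODAY = date(2018, 11, 14)
SYSTEMS = [SystemConfig("ad", 10), SystemConfig("legacy-erp", 0)]
ACCOUNTS = [
    # compliant: recent password, recent logon, no reuse
    AccountRecord("ad", "alice", True, False, date(2018, 10, 1), date(2018, 11, 13), "h-a3", ("h-a2", "h-a1")),
    # service account flagged "password never expires"
    AccountRecord("ad", "svc_report", True, True, date(2016, 1, 1), date(2018, 11, 14), "h-s1", ()),
    # password 167 days old and identical to the previous one
    AccountRecord("legacy-erp", "bob", True, False, date(2018, 6, 1), date(2018, 11, 10), "h-b1", ("h-b1", "h-b0")),
    # no logon for 105 days but still enabled
    AccountRecord("ad", "carol", True, False, date(2018, 9, 20), date(2018, 8, 1), "h-c2", ("h-c1",)),
    # dormant but already disabled: not a finding
    AccountRecord("ad", "dave", False, False, date(2018, 9, 20), date(2018, 1, 1), "h-d1", ()),
]


def run_sample_audit() -> Dict[str, List[str]]:
    """Audit the constructed export with the default policy as of TODAY."""
    return audit(ACCOUNTS, SYSTEMS, Policy(), TODAY)


if __name__ == "__main__":
    for control, items in sorted(run_sample_audit().items()):
        print(f"{control}: {', '.join(items)}")
```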
Authorization layer

Objective: Access management strategies that meet enterprise security challenges and deliver appropriate levels of access.

Supporting background information
Access management is a control that can improve security by centralizing access decisions: subscribing to a common set of policies, and creating and enforcing standards and procedures for provisioning and managing users. Secondly, identifying the most critical applications and systems, and deploying the tools to discover what permissions exist for current and previous employees, enables most enterprises to utilize a risk-based approach to access management. Most government and industry-specific standards (e.g. SOX, HIPAA, GLBA, NIST, PCI, etc.) can be used to map processes and establish appropriate policy. Some organizations struggle in areas such as:
• Lack of documentation
• Visibility into orphaned accounts or unused accounts
• Audit and compliance issues: no reporting, or only ad hoc reporting, is used
• No scheduled attestation or periodic access reviews
• Third-party access policy not documented, or not enforced where it exists
• Privileged Access Management controls not in place, or not enforced where they exist
• Manual and legacy processes for granting access; lack of automation
• Inefficient workflows and approval process
• Onboarding: waiting for excessive periods to obtain baseline or “birthright” access

Benefits of investing
Improved risk posture and user satisfaction by:
• Automating onboarding/offboarding access requests, completed in a timely manner and inclusive of set workflows, role access and approval requirements
• Scheduling and performing access certifications, including ongoing periodic access reviews and account/asset clean-up, improving compliance
• Streamlining and documenting processes to demonstrate adherence to regulations and standards
• Improving maintenance and monitoring of privileged access, performing reviews to remediate issues
• Eliminating segregation of duties and “cloning” issues by implementing the RBAC life cycle of building, reviewing, correlating and maintaining access rights and entitlements

Risks of NOT investing
Lack of enforcement or weakly defined controls, resulting in overall security risks both internal and external:
• Noncompliance; limited auditing; limited accountability; too many privileged users
• Over-privileged accounts not tracked properly, resulting in data loss or theft; account access “creep”
• Access requests not immediately checked against security policies before they are approved
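The risk that access requests are not checked against security policy before approval, and the segregation-of-duties and “cloning” issues the RBAC life cycle is meant to eliminate, can be addressed by a policy check that runs before a request ever reaches an approver. The following is an added example, not DXC's code; the SoD rules, role model, entitlement names, approver roles and sample requests are constructed.

```python
"""Pre-approval policy check for access requests (IAM.3.a / IAM.3.c).

Added example, not part of the DXC blueprint. The segregation-of-duties rules,
role model, entitlement names, approver roles and sample requests are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed SoD rules: entitlement pairs one person must never hold together.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"erp:vendor_create", "erp:payment_release"}),
    frozenset({"erp:invoice_entry", "erp:payment_release"}),
}
# Constructed role model: "birthright" entitlements per role, approvable automatically.
ROLE_MODEL: Dict[str, Set[str]] = {
    "accounts_payable": {"erp:invoice_entry", "erp:vendor_view"},
    "treasury": {"erp:payment_release", "erp:vendor_view"},
}
PRIVILEGED: Set[str] = {"db:admin", "ad:domain_admin", "unix:root"}


@dataclass
class Request:
    user: str
    role: str
    requested: Set[str]
    current: Set[str] = field(default_factory=set)  # access the user already holds
    clone_of: str = ""  # "give me the same access as X": the cloning anti-pattern


@dataclass
class Decision:
    outcome: str  # "auto_approve", "requires_approval" or "deny"
    approvers: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def sod_violations(entitlements: Set[str]) -> List[Tuple[str, str]]:
    """Return every conflicting pair fully present in the combined entitlement set."""
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= entitlements)


def evaluate(req: Request) -> Decision:
    """Policy check that runs before any human approver sees the request."""
    if req.clone_of:
        # Cloning copies another user's accumulated access, including their creep.
        return Decision("deny", reasons=[
            f"clone-of-user request ({req.clone_of}); request role-based access instead"])
    if not req.requested:
        return Decision("deny", reasons=["empty request"])

    # SoD is evaluated on current + requested: the conflict is what the user would hold.
    conflicts = sod_violations(req.current | req.requested)
    if conflicts:
        return Decision("deny", reasons=[f"SoD conflict: {a} + {b}" for a, b in conflicts])

    approvers: List[str] = []
    reasons: List[str] = []
    outside_role = req.requested - ROLE_MODEL.get(req.role, set())
    if outside_role:
        approvers.append("line_manager")
        reasons.append("outside role model: " + ", ".join(sorted(outside_role)))
    privileged = req.requested & PRIVILEGED
    if privileged:
        approvers.extend(["resource_owner", "security"])
        reasons.append("privileged: " + ", ".join(sorted(privileged)))
    if not approvers:
        return Decision("auto_approve", reasons=[f"all entitlements are birthright for role {req.role}"])
    return Decision("requires_approval", approvers, reasons)


if __name__ == "__main__":
    for r in [
        Request("alice", "accounts_payable", {"erp:invoice_entry"}),
        Request("bob", "accounts_payable", {"erp:payment_release"}, {"erp:invoice_entry"}),
        Request("carol", "treasury", {"db:admin"}),
        Request("dave", "treasury", {"erp:vendor_view"}, clone_of="carol"),
    ]:
        d = evaluate(r)
        print(f"{r.user}: {d.outcome} {d.approvers} {d.reasons}")
```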
2. Work packages summary and capabilities mapping
Work packages per subdomain

Identity & Account Management
• IAM.1.a – Establish Corporate Identity Store
• IAM.1.b – Automated Identity Management
• IAM.1.c – Account Provisioning / De-provisioning
• IAM.1.d – Discovery of Accounts and Privileges
• IAM.1.e – Federated Identity Management
• IAM.1.f – Role model

Authentication Management
• IAM.2.a – Password Self Service
• IAM.2.b – Multi-Factor Authentication
• IAM.2.c – Single Sign-On
• IAM.2.d – Adaptive Authentication

Access Management
• IAM.3.a – Approval of Access
• IAM.3.b – Certification of Access
• IAM.3.c – Role Based Access
• IAM.3.d – Auditing and Reporting of Access
• IAM.3.e – Web Access Management
• IAM.3.f – API Access Management

Privileged Account Management
• IAM.4.a – Privileged Account Discovery & Assessment
• IAM.4.b – Privileged Account and Password Control
• IAM.4.c – Privileged Account Monitoring & Session Management

Security Analytics
• CD 6.c – User Behavior Analytics
• CD 6.e – Privileged Threat Analytics

The original slide colour-codes each work package as either available or planned for the next release.
Work packages (WP) summary (1/3)

IAM.1.a – Establish Corporate Identity Store
Subdomain: Identity & Account Management
WP description:
• Corporate repository for storing, structuring, organizing, and managing data within an LDAP structure or other proprietary directory structure
• Requirements, design, use case, implementation and operational documentation
WP outcomes:
• Centralized corporate directory to satisfy the secure storage of UIDs, credentials, and attributes
• Facilitated administration, and support for synchronization of data across domains
Objective: PRODUCTIVITY, INTEGRATION
Timescale: 2+ months

IAM.1.b – Automated Identity Management
Subdomain: Identity & Account Management
WP description:
• Configure a feed of user data into an identity management system
• Define appropriate policies and processes (joiners, movers and leavers process)
• Configuration of policies based on the data feed
WP outcomes:
• User access configured without administrator interaction
• Decreased administrator overhead
Objective: PRODUCTIVITY
Timescale: 2+ months

IAM.1.c – Account Provisioning/De-provisioning
Subdomain: Identity & Account Management
WP description:
• Connect to directories, systems or applications
• Develop an automated process for creating, modifying and removing accounts
WP outcomes:
• Decreased time for account changes
• Increased user productivity
• Accounts configured accurately
Objective: PRODUCTIVITY
Timescale: 6 months

IAM.1.d – Discovery of Accounts and Privileges
Subdomain: Identity & Account Management
WP description:
• Match users to current accounts to gather an accurate record of the access a user has
• Identify users with multiple accounts
• Identify users with privileged access
• Identify users with access from prior roles
• Identify accounts belonging to users no longer with the company
WP outcomes:
• Identified owners of accounts
• Complete visibility of a user's access
• Ability to mine applications to develop roles
• Reduced administrative overhead
Objective: ACCOUNTABILITY
Timescale: 1+ month

IAM.1.e – Federated Identity Management
Subdomain: Identity & Account Management
WP description:
• Establish authentication relationships with external partners
• Configure authorization controls on internal resources allowing external users access
WP outcomes:
• Partners are able to manage their users internally while accessing shared resources
• Ability to grant access to internal resources to an external user
• Third parties are able to independently verify identities of users
Objective: SIMPLIFICATION, INTEGRATION
Timescale: 3+ months
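IAM.1.b and IAM.1.d together amount to reconciling an authoritative HR feed against the accounts found on target systems: correlating each account to an identity and flagging orphans, leavers still enabled, multiple accounts per system, privileged access and entitlements left over from a prior role. The following is an added example, not DXC's code, that performs this reconciliation on constructed data; the record layouts, role model, entitlement names and sample identities are assumptions.

```python
"""Reconcile an HR identity feed against discovered accounts (IAM.1.b / IAM.1.d).

Added example, not part of the DXC blueprint. The record layouts, role model,
entitlement names and sample data are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    """One row of the HR feed: the authoritative source for joiners, movers and leavers."""
    emp_id: str
    role: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    """One account discovered on a target system, correlated to an HR identity (or not)."""
    system: str
    name: str
    owner: Optional[str]  # emp_id it was correlated to; None if nothing matched
    enabled: bool
    entitlements: FrozenSet[str] = field(default_factory=frozenset)


# Constructed role model: the "birthright" entitlements each job role should hold.
ROLE_MODEL: Dict[str, FrozenSet[str]] = {
    "accounts_payable": frozenset({"erp:invoice_entry", "erp:vendor_view"}),
    "treasury": frozenset({"erp:payment_release", "erp:vendor_view"}),
    "dba": frozenset({"db:admin"}),
}
PRIVILEGED = frozenset({"db:admin", "ad:domain_admin", "unix:root"})


def reconcile(identities: List[Identity], accounts: List[Account]) -> Dict[str, List[str]]:
    """Return the IAM.1.d findings keyed by type; an empty dict means a clean estate."""
    hr = {i.emp_id: i for i in identities}
    findings: Dict[str, List[str]] = defaultdict(list)
    per_system_owner: Dict[Tuple[str, str], List[str]] = defaultdict(list)

    for acct in accounts:
        label = f"{acct.system}/{acct.name}"
        if acct.entitlements & PRIVILEGED:
            findings["privileged"].append(label)
        if acct.owner is None or acct.owner not in hr:
            findings["orphaned"].append(label)  # uncorrelated: nobody in HR owns it
            continue
        ident = hr[acct.owner]
        per_system_owner[(acct.system, acct.owner)].append(label)
        if ident.status == "terminated" and acct.enabled:
            findings["leaver_still_enabled"].append(label)
        # Entitlements outside the current role's model are candidates for access
        # carried over from a prior role (the "mover" problem).
        for ent in sorted(acct.entitlements - ROLE_MODEL.get(ident.role, frozenset())):
            findings["outside_role"].append(f"{label}:{ent}")

    for (system, owner), labels in per_system_owner.items():
        if len(labels) > 1:
            findings["multiple_accounts"].append(f"{owner}@{system}:" + ",".join(sorted(labels)))
    return dict(findings)


# Constructed sample data: a three-person HR feed and five discovered accounts.
HR_FEED = [
    Identity("E100", "accounts_payable", "active"),
    Identity("E200", "treasury", "active"),
    Identity("E300", "dba", "terminated"),
]
ACCOUNTS = [
    Account("erp", "e100", "E100", True, frozenset({"erp:invoice_entry", "erp:vendor_view"})),
    # E200 moved from accounts payable to treasury but kept invoice entry
    Account("erp", "e200", "E200", True,
            frozenset({"erp:payment_release", "erp:vendor_view", "erp:invoice_entry"})),
    Account("erp", "e200-adm", "E200", True, frozenset({"erp:vendor_view"})),  # second account
    Account("db", "e300", "E300", True, frozenset({"db:admin"})),  # leaver, enabled, privileged
    Account("unix", "svc_backup", None, True, frozenset({"unix:root"})),  # uncorrelated service account
]

if __name__ == "__main__":
    for kind, items in sorted(reconcile(HR_FEED, ACCOUNTS).items()):
        print(f"{kind}: {items}")
```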
Work packages summary (2/3)

IAM.2.a – Password Self-Service
Subdomain: Authentication Management
WP description:
• Configure password self-service
• Configure password self-service registration
WP outcomes:
• Decreased help desk calls
• Increased user productivity
• Increased security
Objective: PRODUCTIVITY
Timescale: 3 months

IAM.2.b – Multi-Factor Authentication
Subdomain: Authentication Management
WP description:
• Setup of two or more distinct systems of authentication used together to grant access to systems
• Development of policies and procedures for controls
WP outcomes:
• Increased security
• Increased accountability
• Meeting compliance requirements
Objective: SECURITY, COMPLIANCE
Timescale: 1+ months

IAM.2.c – Single Sign-On
Subdomain: Authentication Management
WP description:
• Using a single authentication source to authorize access to multiple systems
WP outcomes:
• Reduced administrative overhead
• Centralization of user management
• Decreased effort to roll out new systems
Objective: SECURITY, SIMPLIFICATION
Timescale: 3+ months

IAM.3.a – Approval of Access
Subdomain: Access Management
WP description:
• Identify the parties responsible for any creation, modification or removal of access
• Configure or integrate with a request system
• Configuration of approval workflow
WP outcomes:
• Streamlined process for administrators
• Simplified fulfillment process
• Reduced administrative overhead
• Accountability for users and access
Objective: ACCOUNTABILITY
Timescale: 1+ months

IAM.3.b – Certification of Access
Subdomain: Access Management
WP description:
• Establish owners of users and applications
• Identify users' management hierarchy
• Development of automated and/or manual processes to review access
WP outcomes:
• Accountability for users and applications
• Ability to respond to internal and external auditors
Objective: ACCOUNTABILITY
Timescale: 1+ months

IAM.3.c – Role Based Access
Subdomain: Access Management
WP description:
• Data mine existing access to develop possible roles
• Work with user managers to manually develop roles
• Work with application owners to manually develop roles
• Configure the Identity Manager system to assign roles based on available user data
WP outcomes:
• Decreased administrative overhead
• Increased user productivity
• Increased compliance
• Increased account access accuracy
Objective: PRODUCTIVITY
Timescale: 5+ months
Work packages summary (3/3)

IAM.3.d – Auditing and Reporting of Access
Subdomain: Access Management
WP description:
• Generation of reports
• Review of access versus established policy or controls
• Review of account usage versus established policy or controls
WP outcomes:
• Data is available for compliance review
• Internal controls are evaluated for effectiveness
• Additional controls, policies, and/or procedures are developed
Objective: COMPLIANCE
Timescale: 1+ months

IAM.4.a – Privileged Account Discovery & Assessment
Subdomain: Privileged Account Management
WP description:
• Gain complete visibility of privileged user accounts; answers the question “who has privileged access to what?”
• Perform discovery on UNIX, Linux, and Windows endpoints to find where privileged accounts exist, and discover SSH key pairs and their geography
• Assess privileged account security risks, identify machines vulnerable to Pass-the-Hash attacks
WP outcomes:
• Better understanding of the privileged accounts
• Enforce granular privileged access controls with complete understanding of policies
Objective: ACCOUNTABILITY
Timescale: 1 month

IAM.4.b – Privileged Account and Password Control
Subdomain: Privileged Account Management
WP description:
• Gathering of existing privileged account passwords
• Creation of a password vault, including OTP and check-in/check-out
• Setup of approval workflows for password release
• Setup of password rotation
WP outcomes:
• Increased security
• Increased accountability
• Increased availability of passwords
• Increased compliance
Objective: ACCOUNTABILITY
Timescale: 7 months

IAM.4.c – Privileged Account Monitoring & Session Management
Subdomain: Privileged Account Management
WP description:
• Configure session monitoring and recording (flight recorder)
• Configure auditing and reporting
• Configure session proxying
WP outcomes:
• Increased accountability
• Ability to monitor sessions live and terminate them if needed
Objective: ACCOUNTABILITY
Timescale: 5 months
3. Identity life-cycle layer work packages (extract)
Work package mapping: IAM.1.a
[Figure: the IAM layer map from section 1 (layers, CRA subdomains and inter-layer flows), with the Identity Lifecycle Layer work packages highlighted.]
Identity Lifecycle Layer Work Packages
• Establish Corporate Identity Store (IAM.1.a): corporate repository for storing, structuring, organizing, and managing data within an LDAP structure or other proprietary directory structure
Work package mapping: IAM.1.b
Actionable Sec & Threat Intelligence
Report & Evidence collection
Provisioning De-Provisioning
Policy
Business drivers, Policy &
Directions
HR Identity Records & Job Role Definition
Policy Enforcement
Metrics & Events
Real Time Monitoring &Remediation
Strategic Layer
Cyber Defense & Orchestration Layer
Authentication Layer
Authorization LayerIdentity Lifecycle Layer
Audit Management &
Certification
Empowered Workforce
Legal, Regulatory &
Privacy Compliance
Identity & Account
Management
Security Monitoring
Security Analytics
Security Operations
Management
Authentication Management
Access Management
Privileged Account
Management
Identity Lifecycle Layer Work Packages
Automated Identity Management (IAM.1.b)
Configure a user data feed into the Identity Management System and define appropriate policies and processes (joiners, movers and leavers)
Work package mapping: IAM.1.c
Identity Lifecycle Layer Work Packages
Account Provisioning / De-provisioning (IAM.1.c)
Connect to directories, systems or applications and develop an automated process for creating, modifying, and removing accounts
Work package mapping: IAM.1.d
Identity Lifecycle Layer Work Packages
Discovery of Account and Privileges (IAM.1.d)
Gather accurate records of the access each user has. Identify users with multiple accounts, privileged access, access retained from prior roles, and accounts of users who have left the company
Work package mapping: IAM.1.e
Identity Lifecycle Layer Work Packages
Federated Identity Management (IAM.1.e)
Establish authentication relationships with external partners and configure appropriate authorization controls to internal resources for external users
Work package: IAM.1.b Automated identity management
Name: Automated Identity Management
Work Package ID: IAM.1.b
Purpose and High Level Description:
• Define authoritative source(s) (e.g. HR database/system) towards providing a consolidated identity management system
• Extract and analyze business and technical requirements of Identity Management
• Support identity requirements defined by the Business by providing processes, procedures and technologies
• Examine and update infrastructure topology to adapt to the requirements of the technical implementation
• Examine and update business policies and procedures to meet the requirements of automated Identity Management: joiners, movers and leavers (JML) process
• Implement and configure an automatic or (partly) manual feed from the authoritative source to the Identity Management System
• Define the attribute mapping of information from the data feed to the fields in the Identity Management System
• Define rules and policies for handling and processing the information from the feed
• Define account correlation rules for reconciling and validating the ownership of accounts
Staffing Requirements:
• DXC Roles:
  • 1 x Security Principal (5 days)
  • 1 x Security Consultant and IAM SME (50 days)
  • 1 x Project Manager (15 days)
  • 1 x IDM System Engineer (10 days)
  • 1 x Networking Engineer (5 days)
• Customer Roles:
  • 1 x Head of Security (2 days)
  • 1 x HR Application SME (10 days)
  • 1 x IAM SME (15 days)
  • 1 x Privacy Officer (3 days)
Key Activities:
• Analyze the existing identity life cycle and optimize the feed of identities into the Identity Management System
• Define and optimize processing policies based on the data of the feed
• Risk analysis on feed attribute updates
• Implement the designed solution
Deliverables:
• Authoritative System Interface specification
• Report of the feed update status
• Identity attributes mapping table
• Automated User Management, Use Cases for Joiner, Mover, Leaver
Workload estimation:
• Estimated project duration = 2-3 months (depending on the current maturity)
• Estimated number of man days effort for DXC = 80 man days
• Estimated number of man days effort for Customer = 30 man days
• Hardware and Software costs not included
Business Benefits and Outcomes:
• Improve efficiency and lower operating costs by limiting the (manual) interactions of internal/3rd party administrators
• One source of truth by having a single authoritative system
• The authoritative source drives the lifecycle events: e.g. a leaver in the HR system results in automatic de-provisioning of the identity and its accounts
• Specific attributes from the authoritative source(s) can facilitate Role Based Access Control (e.g. department and function roles)
Business Challenges and Problems Foregoing Commitment:
• External personnel are not usually included in the HR database
• The authoritative source might not be directly linked to the Identity Management System, limiting automation
• People with multiple roles or responsibilities
• Alignment of multiple data, process and system owners
• Privacy conflicts when using HR data as the authoritative source
• Conversion of the HR data format sometimes requires additional manual effort
• Lack of processes and procedures for the management of users and access rights in organizations
Duration: H
Business impact/disruption: M
Cost: M
Capabilities addressed: IAM.1.1
Work Package example ---
The CRA library of Work Packages is DXC Intellectual Property. For further information,
please contact [email protected]
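The following is an added worked example, not DXC code, that reconciles an HR authoritative feed against a directory export: it applies the attribute mapping and account correlation rules described for IAM.1.b and then runs the discovery checks of IAM.1.d (leavers with active accounts, multiple accounts per identity, privileged accounts, access retained from prior roles, accounts with no owner). All field names, group names and sample records are constructed for illustration.

```python
"""Reconcile an HR authoritative feed against a directory account export.

Added example, not DXC code. HR rows, directory entries, attribute names
and group names are constructed for illustration only.
"""
from collections import defaultdict

# IAM.1.b: attribute mapping table, HR feed field -> identity-store attribute.
ATTRIBUTE_MAP = {"emp_id": "employeeNumber", "mail": "mail",
                 "status": "hrStatus", "dept": "department", "job": "title"}

# Groups a department's job role is expected to carry, groups that count as
# privileged, and the naming convention for secondary admin accounts.
DEPARTMENT_GROUPS = {"Finance": {"Finance-Users"}, "IT": {"IT-Ops"},
                     "Sales": {"Sales-Users"}}
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators"}
ADMIN_SUFFIX = "-adm"

# Constructed HR feed (the authoritative source) and directory export.
HR_FEED = [
    {"emp_id": "100234", "mail": "a.jones@example.com", "status": "active",
     "dept": "Finance", "job": "Analyst"},
    {"emp_id": "100567", "mail": "b.khan@example.com", "status": "active",
     "dept": "IT", "job": "Sysadmin"},
    {"emp_id": "100890", "mail": "c.lee@example.com", "status": "terminated",
     "dept": "Sales", "job": "Rep", "end_date": "2018-10-31"},
]
DIRECTORY_ACCOUNTS = [
    {"sAMAccountName": "ajones", "employeeNumber": "100234",
     "mail": "a.jones@example.com", "enabled": True, "memberOf": ["Finance-Users"]},
    {"sAMAccountName": "ajones-adm", "employeeNumber": "", "mail": "",
     "enabled": True, "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "bkhan", "employeeNumber": "", "mail": "b.khan@example.com",
     "enabled": True, "memberOf": ["IT-Ops", "Finance-Users"]},
    {"sAMAccountName": "clee", "employeeNumber": "100890",
     "mail": "c.lee@example.com", "enabled": True, "memberOf": ["Sales-Users"]},
    {"sAMAccountName": "svc-backup", "employeeNumber": "", "mail": "",
     "enabled": True, "memberOf": ["Backup Operators"]},
]


def map_hr_record(record):
    """Translate one HR row into identity-store attributes via ATTRIBUTE_MAP."""
    return {ATTRIBUTE_MAP[k]: v for k, v in record.items() if k in ATTRIBUTE_MAP}


def correlate_accounts(identities, accounts):
    """Account correlation rules, most reliable first.

    1. employeeNumber on the account matches an identity.
    2. mail on the account matches an identity.
    3. naming convention: '<login>-adm' is owned by whoever owns '<login>'.
    Returns {login: (employeeNumber, rule)}; uncorrelated logins are absent.
    """
    by_mail = {i["mail"]: emp for emp, i in identities.items() if i.get("mail")}
    owner = {}
    for acct in accounts:
        login = acct["sAMAccountName"]
        if acct.get("employeeNumber") in identities:
            owner[login] = (acct["employeeNumber"], "employeeNumber")
        elif acct.get("mail") in by_mail:
            owner[login] = (by_mail[acct["mail"]], "mail")
    # Second pass so a primary account is resolved before its admin twin.
    for acct in accounts:
        login = acct["sAMAccountName"]
        primary = login[: -len(ADMIN_SUFFIX)]
        if login not in owner and login.endswith(ADMIN_SUFFIX) and primary in owner:
            owner[login] = (owner[primary][0], "admin-suffix")
    return owner


def discover(hr_feed, accounts):
    """IAM.1.d checks over the correlated accounts. Returns (owner, findings)."""
    identities = {r["emp_id"]: map_hr_record(r) for r in hr_feed}
    owner = correlate_accounts(identities, accounts)
    known_groups = set().union(*DEPARTMENT_GROUPS.values())
    findings = {"orphan_accounts": [], "leavers_with_active_accounts": [],
                "privileged_accounts": [], "prior_role_access": []}
    per_identity = defaultdict(list)
    for acct in accounts:
        login, groups = acct["sAMAccountName"], set(acct.get("memberOf", []))
        if groups & PRIVILEGED_GROUPS:
            findings["privileged_accounts"].append(login)
        if login not in owner:  # no identity in the HR feed owns this account
            findings["orphan_accounts"].append(login)
            continue
        emp = owner[login][0]
        ident = identities[emp]
        per_identity[emp].append(login)
        if ident["hrStatus"] != "active" and acct.get("enabled"):
            findings["leavers_with_active_accounts"].append(login)  # JML leaver
        # Role groups of another department are candidate leftovers from a
        # previous role (JML mover); privileged groups are reviewed separately.
        expected = DEPARTMENT_GROUPS.get(ident["department"], set())
        for group in sorted((groups & known_groups) - expected):
            findings["prior_role_access"].append((login, group))
    findings["multiple_accounts"] = {e: sorted(l) for e, l in per_identity.items()
                                     if len(l) > 1}
    return owner, findings


if __name__ == "__main__":
    for category, items in discover(HR_FEED, DIRECTORY_ACCOUNTS)[1].items():
        print(f"{category}: {items}")
```

Each finding category maps to a lifecycle action: disable and de-provision for leavers, remove the stale group for movers, and assign or retire ownership for orphan and privileged accounts.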
4. Authentication layer work packages (extract)
Work package mapping: IAM.2.a
Authentication Layer Work Packages
Password Self Service (IAM.2.a)
Configure password self service and registration
Work package mapping: IAM.2.b
Authentication Layer Work Packages
Multi-Factor Authentication (IAM.2.b)
Set up two or more distinct authentication systems that are used together to grant access to systems, and develop appropriate policies and procedures for the controls
Work package mapping: IAM.2.c
Authentication Layer Work Packages
Single Sign-On (IAM.2.c)
Use a single authentication source to authorize access to multiple systems
Work package: IAM.2.a Password self-service
Name: Password Self Service
Work Package ID: IAM.2.a
Purpose and High Level Description:
• Establish a single-entry web-based solution for end users to reset or recover forgotten passwords using configurable challenge/response questions
• Provide mobile support to reset passwords or unlock accounts from different devices
• Delegate password management actions to management and administrators
• Establish strong password policies
• Enforce strong password policies in existing account directory services
• Optional: Provide automatic synchronization of passwords to selected applications/systems using the underlying technology
Staffing Requirements:
• DXC Roles:
  • Security Principal (5 days)
  • 1 x Security Consultant, IAM SME (5 days)
  • 1 x IDM System Engineer (10 days)
• Customer Roles:
  • 1 x Head of Security (3 days)
  • 1 x Application Owner (5 days per application)
  • 1 x IAM SME (2 days)
Key Activities:
• Define use cases, password policies, challenge/response authentication
• Define corporate design (logo and colors only)
• Optional: Define integration of Password Self Service into the existing corporate portal and/or Windows logon screen (underlying technical limitations may apply)
• Optional: Define overall requirements regarding password synchronization to selected systems (underlying technical limitations may apply)
Deliverables:
• Complemented password management concept including Password Self Service
• Implemented technology
• Password Self Service adapted to corporate design (logo and colors only)
• Testing and documentation
• Client training if applicable
• System handover
• Optional: integration into the existing corporate portal and/or Windows logon screen
Workload estimation:
• Estimated project duration = 3 months (depending on the infrastructure complexity)
• Estimated number of man days effort for DXC = 20 man days
• Estimated number of man days effort for Customer = 10 man days
• Hardware and Software costs not included
Business Benefits and Outcomes:
• Reduce operational costs and Help Desk call volume by reducing the number of password resets
• Improve end-user productivity and satisfaction by providing an easy-to-use web portal for Password Self Service
• Strengthen security through consistent enforcement of the password policy
• Optional: Use of automated password synchronization to selected systems
Business Challenges and Problems Foregoing Commitment:
• High Help Desk call volume regarding password resets or recovery of forgotten passwords
• No single-entry solution for end users to reset or recover forgotten passwords
• No consistent enforcement of the password policy across different applications/systems
Duration: L
Business impact/disruption: L
Cost: L
Capabilities addressed: IAM.2.3; IAM.2.4; (IAM.2.8)
Work Package example ---
The CRA library of Work Packages is DXC Intellectual Property. For further information,
please contact [email protected]
5. Authorization layer work packages (extract)
Work package mapping: IAM.3.a
Authorization Layer Work Packages
Approval of Access (IAM.3.a)
Identify the parties responsible for granting, modifying, or removing access, and configure an approval workflow
Work package mapping: IAM.3.b
Authorization Layer Work Packages
Certification of Access (IAM.3.b)
Establish owners of users and applications and develop an automated or manual process to review access
Work package mapping: IAM.3.c
Authorization Layer Work Packages
Role Based Access (IAM.3.c)
Data-mine existing access, work with user managers and application owners to develop roles. Configure Identity Manager System to assign roles
Work package mapping: IAM.3.d
Authorization Layer Work Packages
Auditing and Reporting of Access (IAM.3.d)
Review and generate reports on access and account usage versus established policy or controls
Work package mapping: IAM.4.a
Authorization Layer Work Packages
Privileged Account Discovery & Assessment (IAM.4.a)
Gain complete visibility of privileged user accounts; answers the question “who has privileged access to what?”
Work package mapping: IAM.4.b
Authorization Layer Work Packages
Privileged Account and Password Control (IAM.4.b)
Management of privileged accounts and associated passwords including policies, reconciliation, password vaulting, OTP, check in/out, rotation
Work package mapping: IAM.4.c
Authorization Layer Work Packages
Privileged Account Monitoring & Session Management (IAM.4.c)
Session monitoring and recording (flight recorder); auditing and reporting; session proxying
Work package: IAM.3.b Certification of access
Name: Certification of Access
Work Package ID: IAM.3.b
Purpose and High Level Description:
• Provide periodic (on-demand and scheduled) evaluation of access throughout the identity's full life cycle and ensure that granted access is still appropriate as people's roles and relationships with the business change
• Enables a detective control mechanism to ensure that subsequent access changes are aligned with the user's current roles and responsibilities
• Review, assess and validate the appropriateness of user access to applications, systems and information
• Provides a process to determine the person responsible for periodically reviewing and certifying/recertifying/attesting the access, routing the access certification/recertification/attestation request to the appropriate person, conducting the review and certifying appropriate entitlements, and revoking any inappropriate access
• Generates auditable 'action items/events' that can be tracked through the system
Staffing Requirements:
• DXC Roles:
  • 1 x Security Principal (10 days)
  • 1 x IAM Consultant (30+ days)
  • 1 x IAM SME (30+ days)
  • 1 x Project Manager (15+ days)
  • 1 x Operations Support Rep (if applicable) (15+ days)
• Customer Roles:
  • 1 x Head of IT Security (3 days)
  • 1 x Chief Information Security Officer (2 days)
  • 1 x Security Architect (4+ days)
  • 1 x Project Coordinator (4+ days)
  • 3 x SMEs (i.e. DBA, IT Support, HR Rep) (30+ days)
Key Activities:
• Define access review scope and approach
• Communicate the approach to stakeholders
• Define the access review process, or review and optimize the current process
• Collect and maintain access and entitlement data
• Define and agree with relevant teams and stakeholders the different use cases for the process flow
• Configure and deploy the solution with customizations (if required)
• Monitor the outcomes of the entire process, document lessons learned and close the project with appropriate feedback
Deliverables:
• Documented use cases with identified actors (subjects and objects)
• Documented Access Certification process aligned with business requirements and best practices
• Built and integrated solution package
• End-user training and guidance for Production Support
• Access Review and Certification Tool Implementation Run Book
Workload estimation:
• Estimated project duration = 1+ months (depending on environment complexity)
• Estimated number of man days effort for DXC = 85 man days (may vary based on customization)
• Estimated number of man days effort for Customer = 43 man days (may vary based on customization)
• Hardware and Software costs not included
Business Benefits and Outcomes:
• Provide a well-managed and trackable medium for the Security Team, System and Account Owners, and Audit and Compliance Teams
• Managed according to business and operational requirements
• Systems, platforms and application owners are well equipped to control access to their respective environments
• Centralization of processes, procedures and policies
• Reduced manual processes that simplify User Access Review
• Improved auditing and sustainable compliance
• Improved security posture due to frequent review of accesses and entitlements
Business Challenges and Problems Foregoing Commitment:
• Lack of control and visibility on access and entitlements
• Low ROI on the entire IAM program, because an inappropriate access review process results in unmanaged and irrelevant access, which defeats the entire purpose of the IAM strategy and program
• Ineffective and inefficient audit and compliance, which can be a major business risk for regulated industries and sectors
Duration: L
Business impact/disruption: L
Cost: L
Capabilities addressed: IAM.3.8; IAM.3.9; IAM.3.10; IAM.3.14; IAM.3.15
Work Package example ---
The CRA library of Work Packages is DXC Intellectual Property. For further information,
please contact [email protected]
6. Appendix
Blueprint structure
Blueprint structure: Layers
Blueprint layering model: 1-page summarized description of all layers + 1 page per layer

Controls Layer
Description: Onboard new and existing feeds; identify and remediate gaps in feeds and controls
Examples of typical issues: Limited types of data feeds, limited coverage of feeds, etc.

Operations Layer
Description: Deliver a consolidated SOC environment with business-aligned use cases and a service provider model
Examples of typical issues: No SOC or multiple local SOCs working in silos, poor engagement and information sharing efficiency, etc.

Context & Behavior Layer
Description: Establish a baseline of normal behavior; identify which CMDB information can be integrated; align with the critical assets definition
Examples of typical issues: Inconsistent and incomplete asset and configuration awareness, little contextual information for decision making

Vulnerability Layer
Description: Identify, integrate and manage the vulnerability landscape
Examples of typical issues: Lack of knowledge of the vulnerability landscape to prioritize incident management activities

Intelligence Layer
Description: Provide a Digital Investigation & Forensics service; active hunting and threat actor profiling capabilities
Examples of typical issues: Lack of knowledge of the threat landscape, poor detection rate for advanced threats, inconsistent response, etc.

Strategic Layer
Description: Map security objectives to the business risk profile to help prioritize security investment and decision making
Examples of typical issues: No defined metrics/KPIs, limited engagement with customers, limited understanding of business impact, etc.
ControlsLayer
OperationsLayer
Context &Behavior Layer
VulnerabilityLayer
IntelligenceLayer
StrategicLayer
Controls Layer: Onboard new and existing feeds, identify and remediate gaps in feeds and controls

Supporting background information
Data feeds are absolutely essential to drive improved detection. They bring more events for analysis and provide the basis for more correlation of data. If the necessary feeds are not available there can be a significant impact to security operations, such as:
• The enterprise is dependent on only ‘noisy’ and lower value feeds such as firewalls and IPS
• The lack of required feeds can mean identified Critical Risk Use Cases cannot be created and acted upon. This results in a large information & security awareness gap
• Where feeds are available, in many cases they do not contain the needed information and require retuning
• A lack of feeds can mean that only relatively simplistic use cases can be created. To produce more complex, behavior-orientated and correlated use cases, more feeds are required
• Compliance programs need to be aligned with identified detection requirements, which are invariably supported by specific data feeds

Benefits of investing
• Creation of a centralized view of the current state of security of the enterprise network, enhancing situational awareness, correlation capability and security operational efficiency
• Ability to quickly and efficiently respond to threats, vulnerabilities and incidents
• Ability to respond as and when needed across all departments, business units and local markets
• Regulatory compliance in line with device control logging, monitoring and analysis

Risks of NOT investing
• Significantly increased risk of a successful attack/breach, with the possibility of the attack not being detected at all, resulting in potential financial loss/competitive loss (e.g. IP loss)/brand damage
• Risk of inappropriate and/or incomplete security response to a threat, vulnerability or incident, resulting in potential financial loss/competitive loss (e.g. IP loss)/brand damage
• Lack of regulatory and audit compliance
• One single picture is used to outline the blueprint
• Layers represent the key functional areas and are mapped to domains
• Relevant subdomains are mapped to layers, providing the end-to-end story
[Figure: the blueprint picture. CRA domains: Physical Security (PS), Cyber Defense (CD), Identity & Access Management (IAM), Infrastructure & Endpoint Security (IES), Applications Security (AS), Data Protection & Privacy (DPP), Converged Security (CS), Resilient Workforce (RW), Security Orchestration (SO), Strategy, Leadership & Governance (SLG), Risk & Compliance Management (RCM), Security Resilient Architecture (SRA). Cyber Defense layers with their mapped subdomains: Strategic Layer; Intelligence Layer (Threat Intelligence & Profiling, Digital Investigation & Forensics); Vulnerability Layer (Vulnerability Management); Context & Behavior Layer (Security Analytics); Operations Layer (Security Monitoring, Security Incident Response & Remediation Management, Forensic Analysis & Response); Controls Layer. Also shown: Asset Management; inputs of Physical events, IT events and OT events; flows of Actionable Security & Threat Intelligence, Correlated events, and Containment, Clean-up, Eradication, Disruption, Remediation.]
Blueprint structure: Work packages
• Each work package has the objective to deploy, set up or implement capabilities addressing one subdomain (sometimes with dependencies on other subdomains)
Work packages summary list
Work package detailed description
Name: Infrastructure Security Monitoring
Work Package ID: CD.1.a
Purpose and High Level Description:
• Define SIEM use cases to support SOC objectives or known threat actors targeting the organization. This has to be done based on the outcomes of several work packages helping to profile threat actors (CD.3.c, CD.3.d, CD.4.a, CD.4.b are examples, but others as well). This will allow the corresponding alerting to be automated
• Create a «use cases to log source mapping» to identify and justify onboarding of new log sources
• To support the deployment of identified use cases, define the requirements for log policy, log generation and log storage for critical IT security infrastructure for the SIEM Part 1 project (MS domain controllers, firewalls, VPN GW, DHCP, DNS, email GW, web proxies, NIPS, endpoint threat management solutions, sandboxing solutions, “touched” devices, etc.)
• Define logging setting changes to be made on targeted systems to allow proper logging
• Define, or revisit and update, SIEM architecture requirements to support additional onboarding of log sources
• Perform design and sizing impact analysis of the current solution, if any, and upgrade the existing SIEM solution or define a new solution, to support additional requirements and new use cases
• Review and update security incident management and incident response processes if necessary (dependency on Work Package CD.2.b)
• Define the transformation plan to deploy the log policy across the environment
• Define the transformation plan to upgrade the existing SIEM solution or to deploy a new solution, as well as use case implementation
• Execute the transformation plan
Ideally, if affordable during phase 1 (optional):
• Integrate the Asset Management system as an information source to optimize prioritization decision making (make sure to obtain asset name, host name, IP address, MAC address and asset classification as a minimum)
• Integrate IPAM information (IP subnets, start address, end address, classification)
• Integrate NetFlow information from core networks (could be filtered first with another tool before feeding into the SIEM) for at least 1 day of history
• Define the requirements for log protection (including separation of duty and compliance requirements)
Staffing Requirements:
• DXC Roles:
– 1 x Security Principal (10 days)
– 1 x Program Director (5 days)
– N x Security Consultant & Security Architect (25 days)
– 2 x SIEM SMEs (100 days)
– 1 x Content SME (50 days)
– 1 x Account Security Officer (15 days)
– 1 x SME per o/s platform (Wintel, Linux/Unix, Mainframe, VMWare, network security infrastructure components, applications, etc.) (~30 days)
– 1 x Project Manager (45 days or 50% of time)
• Customer Roles:
– 1 x Head of IT Security (3 days)
– 1 x Chief Information Security Officer (2 days)
– 1 x Head of Security Operations (2 days)
– 1 x Head of Risk Management, Group Internal Auditor (2 days)
– 1 x Program Director (5 days)
– 1 x Project Coordinator (5 days)
Key Activities:
1) Perform project initiation and team briefings
2) Define use cases
3) Perform a current state assessment to establish critical infrastructure and asset feeds
4) Define both technical and service requirements
5) Create a detailed technical and service design
6) Build
7) Test
8) Deploy
Deliverables:
• Project plan & schedule, processes & plans including test plan and success criteria
• SIEM solution deployment, onboarding of feeds, implementation of use cases and fine tuning
• SIEM architecture and standard service documentation update, including use cases
• Existing security processes updated with corresponding use cases
Workload estimation:
• Estimated project duration = 9 months
• Estimated number of man days effort for DXC = 210 man days
• Estimated number of man days effort for Customer = 19 man days
• Hardware and software costs not included
Business Benefits and Outcomes:
• Ability to achieve faster identification of incidents and mitigation of threats by implementing the Cyber Defense Strategy and SIEM Phase I: a centralized log management and alerting solution
• A more complete view of security throughout the infrastructure
• A more accurate and integrated security incident & response process; less downtime through an integrated and experienced response process
• Reduced cyber risk by implementing key log policies and improved security incident handling processes
• 24x7x365 rapid response from a highly experienced and industry-certified global security incident response team
Business Challenges and Problems Foregoing Commitment:
• Breaches of information security (e.g. loss of confidentiality, integrity and availability); intellectual property theft (trade secrets, competitive information, IP theft, secured collaboration)
• Breaches of legal, regulatory or contractual requirements (legal exposure, data loss, privacy breaches, information leakage, etc.)
• Less visibility of events and hack attempts across the entire estate
• Lack of proactive monitoring and addressing of threats; reacting to security incidents
• Loss of business and financial value
• Damage to reputation
• Productivity loss, disruption of plans and deadlines, impaired operations (internal or third parties)
Evaluation criteria (Duration, Business impact/disruption, Cost): L, M, M
Capabilities addressed: CD.1.1 ; CD.1.2 ; CD.1.3 ; CD.1.4 ; CD.1.5 ; CD.1.7 ; CD.1.8
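The «use cases to log source mapping» that CD.1.a calls for, and the Controls Layer point that an onboarded feed may still lack the fields a use case needs, can be turned into a repeatable feed gap analysis. The following is an added example, not code from the DXC blueprint; the use cases, field names and onboarded-feed inventory in it are constructed sample data.

```python
"""Use case to log source gap analysis for SIEM feed onboarding.

Added example, not code from the DXC blueprint. It models the "use cases to
log source mapping" activity of work package CD.1.a: each detection use case
lists the log sources and fields its rule needs, and the analysis reports
whether the use case is deployable, blocked by a feed that is not onboarded,
or blocked by an onboarded feed that lacks fields and must be retuned.
Use cases, field names and the onboarded inventory are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass
class UseCase:
    name: str
    required: Dict[str, FrozenSet[str]]  # log source -> fields the rule reads


@dataclass
class GapReport:
    deployable: List[str] = field(default_factory=list)
    # use case -> log sources that are not onboarded at all
    missing_sources: Dict[str, Set[str]] = field(default_factory=dict)
    # use case -> (onboarded source -> fields that feed does not yet provide)
    retune_fields: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)

    def onboarding_justification(self) -> Dict[str, List[str]]:
        """Invert the gaps: log source -> use cases it would unblock."""
        by_source: Dict[str, List[str]] = {}
        for use_case, sources in self.missing_sources.items():
            for source in sources:
                by_source.setdefault(source, []).append(use_case)
        return {s: sorted(u) for s, u in sorted(by_source.items())}


def analyse_gaps(use_cases: List[UseCase],
                 onboarded: Dict[str, Set[str]]) -> GapReport:
    """onboarded maps each feed already in the SIEM to the fields it parses."""
    report = GapReport()
    for uc in use_cases:
        missing = {src for src in uc.required if src not in onboarded}
        retune: Dict[str, Set[str]] = {}
        for src, needed in uc.required.items():
            if src in onboarded:
                absent = set(needed) - onboarded[src]
                if absent:
                    retune[src] = absent
        if missing:
            report.missing_sources[uc.name] = missing
        if retune:
            report.retune_fields[uc.name] = retune
        if not missing and not retune:
            report.deployable.append(uc.name)
    return report


# Constructed sample: three detection use cases and the feeds already onboarded.
USE_CASES = [
    UseCase("Password spraying against domain accounts",
            {"domain controller": frozenset({"event_id", "account", "src_ip"})}),
    UseCase("Malware download via web proxy",
            {"web proxy": frozenset({"src_ip", "url", "user_agent", "bytes_in"}),
             "sandbox": frozenset({"file_hash", "verdict"})}),
    UseCase("VPN logon from an unexpected country",
            {"vpn gateway": frozenset({"user", "src_ip", "geo_country"})}),
]
ONBOARDED = {
    "domain controller": {"event_id", "account", "src_ip"},
    "web proxy": {"src_ip", "url", "bytes_in"},  # user_agent not parsed yet
    "firewall": {"src_ip", "dst_ip", "dst_port", "action"},
}

if __name__ == "__main__":
    report = analyse_gaps(USE_CASES, ONBOARDED)
    print("deployable:", report.deployable)
    print("feeds to onboard:", report.onboarding_justification())
    print("feeds to retune:", report.retune_fields)
```

The inverted view from onboarding_justification is the per-feed list of blocked use cases that justifies each new log source to the SIEM project.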
[Figure: Work packages mapping to subdomains. The layer diagram above, with the SOC Foundation key work packages placed on it: Infrastructure Security Monitoring (CD.1.a) on the Security Monitoring subdomain: centralized storage of normalized data; detect security incidents quickly based on use cases; comprehensive breadth & depth of collection of events across the infrastructure. Assess / define SOC processes (CD.2.a): monitor and analyze security events 24x7x365.]
Work package structure
• WP title
• Reference number
• Description of the WP’s scope and objective, along with some solution requirements
• Workload estimation summary and elapsed time to complete the work package
• Deliverables: what will be provided/delivered to the customer once the WP is completed
• Expected benefits from successful delivery of this project
• Key activities to be executed as part of this work package
• Staffing estimation provided for DXC and for the customer
• List of capabilities addressed by the WP
• Evaluation criteria
• Impacts to the customer by not implementing this WP
Subdomain, capability and work package ID assignment rules

Subdomains
An ID for a subdomain is made up of:
• The acronym for its parent domain (for example, “CD” for “Cyber Defense”)
• The position of the subdomain in the header of the matrix
Example: the ID of the “Security Monitoring” subdomain will be “CD.1”

Capabilities
An ID for a capability is defined by its position in the matrix and is made up of:
• The ID of the subdomain it belongs to
• Its row number in the matrix
Example: the ID of the “Big Data Security Analytics” capability will be “CD.6.1”

Work packages
An ID for a work package is made up of:
• The ID of the subdomain it is related to
• A lowercase letter (‘a’, ‘b’, ‘c’, etc.)
Example: the IDs of work packages related to the CD.1 subdomain can be CD.1.a, CD.1.b, CD.1.c, etc.
Work package evaluation criteria
Criteria Low if… Medium if… High if…
Cost < USD 100k USD 100-500k > USD 500k
Duration < 3 months 3-6 months > 6 months
Business Impact/Disruption Low Medium High
Cyber Defense capability matrix (subdomains CD.1 to CD.6 across the header; capabilities numbered by row, 1 to 13). Only the CD.1 and CD.6 columns are labelled in the extracted matrix.

Security Monitoring (CD.1)
1) Log Policy Definition
2) Log Management
3) Monitoring & Alerting Processes
4) Log Correlation
5) Event Query
6) Log Integrity
7) Use Case Management
8) Log Reporting
9) Shift-Handover Process
10) Daily Operations Meeting Procedure

Security Incident Response & Remediation Management
1) Incident & Defect Notification
2) CERT & Authority Information Request
3) Incident Analysis
4) Incident Triage
5) Root Cause Analysis
6) Incident Validation
7) Incident Classification
8) Incident Mitigation & Remediation
9) Incident Recovery
10) Crisis Communication
11) Incident Reporting
12) Crisis Leadership & Organization
13) Escalation Procedure

Threat Intelligence & Profiling
1) Threat Intelligence Platform
2) Cyber Threat Intelligence Sources
3) Threat Actor Profiling
4) Cyber Threat Intelligence Sharing
5) Malware Analysis
6) Security Trends
7) Technical Threat Modeling
8) Threat Intelligence Knowledge Management

Digital Investigation & Forensics
1) Digital Investigations
2) Digital Forensics
3) E-Discovery
4) Active Threat Hunting

Vulnerability Management
1) Static Code Analysis
2) Dynamic Code Analysis
3) Social Engineering
4) Penetration Testing
5) Vulnerability Remediation
6) Attack Simulation
7) Vulnerability Scanning
8) Patch Management
9) Vulnerability Notification
10) Vulnerability Monitoring
11) Vulnerability Validation & Criticality
12) Vulnerability Research

Security Analytics (CD.6)
1) Big Data Security Analytics
2) Baselining
3) Social Media Analysis
4) Data Anomaly Detection
5) Network Anomaly Detection
6) User Behavior Analysis
7) Privileged Threat Analytics
8) DNS Analytics
9) Technical Attack Reconstruction & Visualization