Identity and Access Management in the Commonwealth · 5/10/2016  · •Beware of Shadow IT –Dropbox, AWS, Next App. 3 Things you can do tomorrow KNOW your greatest risks –and

Page 1:

Identity and Access Management in the Commonwealth

Erik Avakian, CISSP, CISA, CISM, CGCIO
Chief Information Security Officer
Commonwealth of Pennsylvania
[email protected]

William (Bill) Harrod, CISSP
Cyber-Security Advisor, Public Sector
CA Technologies
[email protected]

Page 2:

What’s the Big Deal?

• 20% of all the malware ever created appeared

• 43% of all companies experienced a data breach

• Cyber security finally becomes “personal”

• 2014 and 15 were “epic years” for data breaches

Page 3:

Notable 2015 Cyber Events

Page 4:

Trending – Phishing Attacks

Phishing remains the top worldwide online threat and a big issue for state government

• Tricks users into revealing information that can be used against them

• Conducted over email, over phone, in person

• Key component of identity theft: worldwide losses more than $7 billion in 2015

• Spear phishing on the rise with data breaches and used to carry out extremely sophisticated attacks

Page 5:

Classic “Real” Phishing Example

Page 6:

Classic “Real” Phishing Example

Page 7:

Ramifications for the User

Page 8:

First Lines of Defense

End users are our first lines of defense. Every day, hackers attack our end users with phishing emails luring them to click. If users fall victim, passwords and data can be compromised or systems infected. While we have protection in place, some malicious emails make it through.

Page 9:

To the Insider Threat

59% of employees steal proprietary corporate data when they quit or are fired

End users continue to be the first layer of defense & weakness

Page 10:

Trending - Online Extortion

Ransomware & Online Extortion

• Code is delivered via phishing attacks or illegitimate downloads or compromised websites

• Malware locks screens, encrypts files and extorts a fee before giving users the key needed to get their data back.

• CryptoWall, CryptoLocker, CoinVault, Bitcryptor

Page 11:

Trending - Online Extortion

Ransomware & Online Extortion

Page 12:

Trending - Online Extortion

Page 13:

IAM Strategy

Strategy: Implement enterprise access services to enhance services and bolster security

Three Focus Areas

• Risk Based Authentication – Multi Factor Implementation

• Unified Directory Services (Single Face of Government)

• Privileged User Management

Page 14:

Build a culture of situational and risk awareness

Enhance enterprise security services and posture

Develop robust enterprise security situational awareness and response

Security Governance

Alignment with the Business

Page 15:

What is ‘Multi-Factor Authentication?’

Page 16:

Multi-Factor Authentication

Current Status: TBC by June 30th

Second Factor Authentication methods:

• Soft Token, with secondary authentication offering two choices:

  – Security Question & Answer

  – Security One-Time Password (OTP) over SMS

Page 17:

Multi-Factor Authentication

Page 18:

Unified Directory Services

Objectives

• Provide streamlined and efficient access to online services by using a single secure online credential across programs.

• Reduce fraud and false, stolen and outdated identities through identity verification and identity proofing of users.

Benefits:

• Enables seamless and secure access for citizens to government services online.

• Enables citizen interaction to increase trust and embrace transparency

• Building block for enabling a one-stop shopping experience for citizens

• One user credential across many apps

Page 19:

The Problem – a Silo’d Approach

Duplication of effort and cost:

• Agency applications developed with own custom-built security models

• Reinventing the same basic IAM service at agency or application level = paying for it over and over, leads to increased cost

Multiple userIDs and passwords:

• One set for one agency and a different set for another agency

• Registration of users to a given agency or to a given application

  – Maintaining multiple copies of same basic/common data over and over

Security implementations:

• Inconsistent levels depending on skill of developer

• Inconsistent application of enterprise policies and standards (userID, password, data protection, etc.)

Page 20:

Current State

Page 21:

Unified Directory Services

Current State:

• Silo’ed

• Hard to enforce security standards

• Multiple identities

• Duplication of data

• 67+ separate user repositories

Future:

• Unified and Manageable

• Single multi-agency use of digital identity

• Shared identity data across all agencies

• Identity is verified

Page 22:

The Solution – Enterprise Services

Consolidation of effort and lower cost:

• Agency applications developed with standardized security models

• Application development simplified by integrating with existing enterprise services, less custom development needed – lower cost

• Maintaining single instance of the basic IAM service resulting in lower cost

Shared userIDs and passwords:

• Single sign on

• Authentication controlled at enterprise for all applications; authorization controlled by the agency

• Registration of users once with sharing of same basic/common data

Security implementations:

• Enterprise-level security implementation

• Consistent application of enterprise policy and standards (userID, password, data protection, etc.)

Page 23:

Enterprise Strategy

Goals/Strategy:

• Shared Enterprise Directories (e.g. employees, business partners and citizens)

• Shared Enterprise Account Management (provisioning, password management, de-provisioning, verification, etc.)

• Shared Authentication Model with Multi-Factor Authentication

Page 24:

Directory Services (GOTIME Initiative) Phase 1

• New applications are to be developed with these

• Existing/Legacy applications will be required to integrate with at their next technology refresh cycle

• Provisioning/de-provisioning

• User management

• Password change/account recovery

• Identity verification

• Multi-factor authentication

[Diagram: CoE Managed Governance layer (SiteMinder, Risk Based MFA) serving three Agency (New App) and two Agency (Legacy) applications]

Page 25:

Directory Services (GOTIME Initiative) Phase 2

• New applications are to be developed with these

• Existing/Legacy applications will be required to integrate with at their next technology refresh cycle

• Provisioning/de-provisioning

• User management

• Password change/account recovery

• Identity verification

• Multi-factor authentication

[Diagram: CoE Managed Governance layer (SiteMinder, Risk Based MFA) serving three Agency (New App) and two Agency (Legacy) applications]

Page 26:

Unified Directory Services

Why is this important? Unified Directory Services streamlines citizen access to services and will help get Pennsylvania closer to the single checkout “Amazon-like” shopping experience

Page 27:

So again… From this…

Page 28:

Directory Services Phase 2

[Diagram: CoE Managed Governance layer (SiteMinder, Risk Based MFA) serving three Agency (New App) and two Agency (Legacy) applications]

Page 29:

Final Thoughts

What can we expect going forward?

• Much more cyber crime!

• Higher frequency of breaches due to the Internet of Things (IoT)

• Attacks will get much more sophisticated & targeted

State Governments are a target.

Page 30:

28

INAMOIBW

?

Page 31:

28 Months

Page 32:

28 Months is the Average Tenure for a Large Agency CISO

Page 33:

INAMOIBW

Page 34:

IT’S NOT A MATTER OF IF BUT WHEN

It’s not a matter of if but when that you will be attacked; NOT that the bad guys will succeed

Page 35:

How to Protect your Enterprise

KNOW who your users are and what they can access

• Stronger User Authentication – Passwords are dead

• Risk based Authentication – Risk Score

• Behavior Based Authentication – Is this typical?

• Stronger user Identity Governance – Limit scope and clean up “ghost” accounts

Move from “NO” to “KNOW”
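The “Risk Score” and “Is this typical?” bullets above describe a risk-based authentication decision; the following is an added example of one, not code from the presentation or from any product it names. The signals, weights and thresholds are assumptions chosen for illustration, and the profile and login attempts are constructed.

```python
# Added example, not from the presentation: a risk-based login decision.
# Signals, weights and thresholds are assumptions chosen for illustration.
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class UserProfile:
    known_devices: set[str]       # devices the user has authenticated from before
    usual_countries: set[str]     # countries seen in the user's normal history
    usual_hours: range            # e.g. range(7, 20) for a 07:00-19:59 pattern

@dataclass
class LoginAttempt:
    device_id: str
    country: str
    hour: int                     # local hour of day, 0-23
    recent_failures: int          # failed attempts shortly before this one

# Assumed weights: how much each anomaly raises the risk score.
WEIGHTS = {"new_device": 40, "unusual_country": 35, "odd_hour": 15, "failure": 10}
STEP_UP_AT, BLOCK_AT = 40, 80     # second factor required / attempt refused

def risk_score(attempt: LoginAttempt, profile: UserProfile) -> tuple[int, list[str]]:
    """Score how atypical this login is for this user; returns (score, reasons)."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += WEIGHTS["new_device"]; reasons.append("new_device")
    if attempt.country not in profile.usual_countries:
        score += WEIGHTS["unusual_country"]; reasons.append("unusual_country")
    if attempt.hour not in profile.usual_hours:
        score += WEIGHTS["odd_hour"]; reasons.append("odd_hour")
    if attempt.recent_failures:
        # Capped so that repeated failures alone never reach the block threshold.
        score += min(attempt.recent_failures, 3) * WEIGHTS["failure"]
        reasons.append("recent_failures")
    return score, reasons

def decide(attempt: LoginAttempt, profile: UserProfile) -> str:
    """Map the score to an action: 'allow', 'step_up' (demand MFA) or 'block'."""
    score, _ = risk_score(attempt, profile)
    if score >= BLOCK_AT:
        return "block"
    return "step_up" if score >= STEP_UP_AT else "allow"

# Constructed sample data: one user profile and three login attempts.
PROFILE = UserProfile({"laptop-01"}, {"US"}, range(7, 20))
TYPICAL = LoginAttempt("laptop-01", "US", hour=9, recent_failures=0)
NEW_PHONE = LoginAttempt("phone-77", "US", hour=9, recent_failures=0)
ANOMALOUS = LoginAttempt("kiosk-9", "DE", hour=3, recent_failures=2)
```

The reasons list is what a practitioner would log alongside the decision, so that a step-up or block can be reviewed later.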

Page 36:

Be Flexible, Nimble, and Adapt

• KNOW the Impact of Changing & Emerging Technologies – Cloud, Mobility, AaaS (anything as a service)

• Security Frameworks are good, but not enough – be compliant, but more dynamic – adaptive, adjusted controls are the new normal

• Beware of Shadow IT – Dropbox, AWS, Next App

Page 37:

3 Things you can do tomorrow

KNOW your greatest risks – and ACT

1. Email filter / block rules DMARC* – Reduces spam and phishing attacks by 80-90%

2. Set up an Inter-Agency ISAC – information sharing & analysis center – work together to share threat and vulnerability information

3. Adopt a risk management driven security posture

*https://dmarc.org
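Item 1 recommends DMARC filter and block rules; the following added example, not from the presentation, shows what a receiving mail server does with a domain’s published DMARC policy (RFC 7489): check that an SPF or DKIM result aligns with the visible From: domain and otherwise apply the requested p= action. The DMARC record, the domain example.gov and the message results are constructed, and the organizational-domain logic is simplified.

```python
# Added example, not from the presentation: how a receiving mail server applies
# a domain's published DMARC policy (RFC 7489) to one message. The record and
# the message authentication results below are constructed for illustration.
# Simplified: the pct, sp and reporting tags are parsed but not acted on.
from typing import Optional

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record such as "v=DMARC1; p=reject; adkim=s" into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: " + txt)
    tags.setdefault("adkim", "r")   # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (real receivers
    consult the Public Suffix List, which this simplification omits)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain under the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record: str, from_domain: str,
                      spf_domain: Optional[str], dkim_domain: Optional[str]) -> str:
    """Return 'pass' if either authenticated identifier aligns with the visible
    From: domain, else the action the domain owner requested (p= tag).
    spf_domain: MAIL FROM domain if SPF passed, else None.
    dkim_domain: d= of a DKIM signature that verified, else None."""
    tags = parse_dmarc(record)
    spf_ok = spf_domain is not None and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_domain is not None and aligned(dkim_domain, from_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

# Constructed record for a hypothetical state domain: reject unaligned mail,
# strict DKIM alignment, relaxed SPF alignment.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.gov"
```

The second case in the checks below is the one that matters for phishing: a message whose SPF passes for the sender’s own domain still fails DMARC because that domain does not align with the spoofed From: header.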

Page 38:

Q&A?