Identity is the new perimeter: Identity & Access Management in the age of Cybersecurity and Digital transformation
April 18, 2017. Andrea Rossi, Global Sales Leader, Identity Management ([email protected])
Organizations adopt innovations at an ever increasing rate… IT and security need to get on board and not derail this progress.
The extended enterprise adds a layer of complexity. Organizations need to adopt identity as their first security control!
Stakeholders: CISO / CRO, IT, LoB, Security.
User populations:
• Trusted users (admin, privileged, regular) and semi-trusted users (agents, contractors, partners): B2E & B2B
• Untrusted users (consumers): B2C
Key drivers for identity as the new perimeter
• Insider threat: reduce the risk of excessive user entitlements; alert on user behavior anomalies
• Digital transformation, B2E and B2B: secure BYOD adoption; enhance security with multi-factor authentication; federate enterprise users to cloud applications
• Digital transformation, B2C: reduce costs by moving consumer IAM to the cloud; embrace "bring your own social ID"
IBM's Identity and Access Management Portfolio: manage and control digital identities in the era of cloud and mobile
IBM Security Identity and Access Management Solutions and IBM Security Services:
• Identity Governance and Intelligence: Identity Lifecycle Management; Entitlement Analytics and Compliance; Privileged Identity Control
• Access Management: Adaptive Access Control and Federation; Application Content Protection; MFA and Single Sign-On
• Directory Services
Deployment options: on premise, appliances, cloud managed / hosted services, Software-as-a-Service, Platform-as-a-Service.
Channels covered: datacenter, web, social, mobile, cloud.
Managing insider threats: why and how Identity Governance and Intelligence is the brain behind it
~70% of users have unnecessary access, and 60% of data breaches are from insiders…
Privileged accounts give access:
• to applications (e.g. SAP, mainframe)
• to data (structured/unstructured)
• to platforms (e.g. on-premise, cloud)
IBM Identity Governance and Intelligence (IGI) is IBM's IGA product. It has three pillars:
• User lifecycle: simplify self-service user access management; automate user and identity lifecycle processes
• Access analytics: discover roles and patterns; visualize, score and trend access risk
• Access compliance: visualize and certify user entitlements; provide insight into user risks
IGI automates the user lifecycle (provision, recertify, deprovision) with a unique risk-based approach: business activity risk modeling drives risk-driven certification.
Use case: IGI enables GDPR controls on personal information. Users with 'GDPR' risks are highlighted during the certification process, and IGI provides in-depth details about the risk so that the business reviewer can take appropriate decisions.
IGI Adapters/Connectors set
IBM AND BUSINESS PARTNER INTERNAL USE ONLY
Infrastructure
• Azure Active Directory
• Command Line (CLIx)
• Desktop Password Reset Assistant
• IBM DB2
• IBM DB2 for z/OS
• IBM Security Access Manager
• IBM Security Privileged Identity Manager
• LDAP
• Lotus Notes
• Microsoft SQL Server
• Oracle Database
• RSA Authentication Manager
• SoftLayer
• Sybase
• UNIX (AIX/Solaris/HPUX)
• Linux (RedHat/SLES/Oracle)
• Windows Active Directory
• Windows Local Account
Application edition adapters
• Box Cloud
• Documentum Content Server
• Google applications
• Microsoft Office 365
• Microsoft SharePoint
• Oracle eBusiness Suite
• PeopleTools
• Remedy AR System
• Salesforce.com
• SAP HANA Database
• SAP Netweaver
• SAP UME
• ServiceNow
• Siebel JDB
• PeopleSoft
Mainframe adapters
• CA ACF2
• IBM iSeries (i5OS)
• RACF
Infrastructure
• Active Directory LDAP
• Active Directory Changelog
• Domino / Change Detection
• FTP Client Connector
• File System Connector
• IBM/SunONE/… LDAP
• IBM/SunONE/… Changelog
• In-Flight Data Transforms
• JDBC
• JMS Pub/Sub
• JNDI (Generic)
• LDAP Server
• RACF (z/OS LDAP)
• RACF password pickup
• IBM Security Identity Mgr
• IBM Security Access Mgr
• Memory Stream
• XML/XSL Handlers
Managing Insider Threats > Case study: UniCredit
• Market: Financial Services
• Customer profile: 100,000+ users, running on top of CA Identity Management
• Key drivers: high severity findings on 'provisioning policies' and (lack of) SoD controls on Treasury apps
• Solution: implemented IGI for a) reviews of provisioning rules and b) Segregation of Duty (SoD) controls on Treasury applications
(Diagram: the three IGI capability areas, access certification, segregation of duties, and user lifecycle management & access self service, numbered 1 to 3, with a "They started here" callout marking the customer's entry point.)
Managing Insider Threats > Case study: Ferrari
• Customer profile: 2,000 employees, 3,000+ contractors
• Key drivers: compliance, IP protection
• Solution: IGI manages user onboarding/off-boarding, access request self service and access review
(Diagram: the same three capability areas, access certification, segregation of duties, and user lifecycle management & access self service, numbered 1 to 3, with a "They started here" callout marking the customer's entry point.)
However… today's data protection regulations require way more than just IAM. Four controls are shown side by side:
• Identity Governance (users): govern who has access to what; ability to detect/prevent risks (e.g. SoD violations)
• Privileged Identity Management (sys admins): check-in/check-out controls on shared credentials; session recording & monitoring
• Data Security, structured and unstructured (DBAs/applications): data classification; data monitoring & alerting; behavioral analytics
• SIEM & Threat Response Management: correlates events; manages the threat response workflow
The integration use cases…
• Privileged Identity Management with Data Security: PIM enforces access controls on shared DBA admin accounts (people and applications).
• Privileged Identity Management with Identity Governance & Administration: privileged accounts are collected by the IGA platform and connected to identities, so access review and SoD controls can be applied to them.
• Data Security with Identity Governance & Administration: data classification is fed into the IGA platform so that it can understand who has access to what type of 'data risk'.
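The two flows into the IGA platform described here (privileged accounts attributed to the identities that use them, data classification attached to entitlements), together with the business-activity SoD model behind IGI's risk-driven certification described earlier, are illustrated by the following Python example. It is an added example, not IGI's code or data model: the identities, accounts, entitlements, activity mappings, SoD rules and data classes are constructed sample data, and the function names are my own.

```python
"""Added example: IGA-style SoD and data-risk review over an entitlement snapshot.
All data below is constructed sample data, not exported from any real system."""
from collections import defaultdict

# Accounts on target systems and the identity (person) that owns them. A shared
# privileged account checked out through a PIM vault is attributed to the identity
# that checked it out, so its entitlements are reviewed against that person.
ACCOUNT_OWNER = {
    "treasury\\alice": "alice",
    "treasury\\bob": "bob",
    "oracle\\dba_shared": "bob",      # shared DBA account, currently checked out by bob
    "hr\\carol": "carol",
    "oracle\\svc_legacy": None,       # orphan: no identity claims it
}

# Entitlements (roles/groups on the target) held by each account.
ACCOUNT_ENTITLEMENTS = {
    "treasury\\alice": {"TR_PAYMENT_CREATE", "TR_PAYMENT_APPROVE"},
    "treasury\\bob": {"TR_PAYMENT_CREATE"},
    "oracle\\dba_shared": {"DBA_FULL"},
    "hr\\carol": {"HR_VIEW_PERSONNEL"},
    "oracle\\svc_legacy": {"DBA_FULL"},
}

# Business-activity model: which business activities each entitlement enables.
ENTITLEMENT_ACTIVITIES = {
    "TR_PAYMENT_CREATE": {"create_payment"},
    "TR_PAYMENT_APPROVE": {"approve_payment"},
    "DBA_FULL": {"modify_payment_ledger", "read_personnel_data"},
    "HR_VIEW_PERSONNEL": {"read_personnel_data"},
}

# SoD rules: pairs of business activities one person must never hold together.
SOD_RULES = {
    frozenset({"create_payment", "approve_payment"}): "high",
    frozenset({"create_payment", "modify_payment_ledger"}): "high",
}

# Data classification attached to entitlements (fed in from the data-security tooling).
ENTITLEMENT_DATA_CLASS = {
    "DBA_FULL": {"personal_data", "financial"},
    "HR_VIEW_PERSONNEL": {"personal_data"},
}


def effective_access(account_owner, account_entitlements):
    """Collapse account-level entitlements onto identities; returns (access, orphan accounts)."""
    access = defaultdict(set)
    orphans = []
    for account, ents in account_entitlements.items():
        owner = account_owner.get(account)
        if owner is None:
            orphans.append(account)   # nobody to certify it against: a finding in itself
            continue
        access[owner] |= ents
    return dict(access), sorted(orphans)


def activities_for(entitlements, entitlement_activities):
    """Union of business activities enabled by a set of entitlements."""
    acts = set()
    for ent in entitlements:
        acts |= entitlement_activities.get(ent, set())
    return acts


def find_sod_violations(access, entitlement_activities, sod_rules):
    """Return {identity: [(activity_a, activity_b, severity), ...]} for every violated rule."""
    violations = {}
    for identity, ents in access.items():
        acts = activities_for(ents, entitlement_activities)
        hits = []
        for rule, severity in sod_rules.items():
            if rule <= acts:                       # both conflicting activities are held
                first, second = sorted(rule)
                hits.append((first, second, severity))
        if hits:
            violations[identity] = sorted(hits)
    return violations


def data_risk_exposure(access, entitlement_data_class, data_class="personal_data"):
    """Identities whose entitlements reach data of the given classification, with the path."""
    exposed = {}
    for identity, ents in access.items():
        via = sorted(e for e in ents if data_class in entitlement_data_class.get(e, set()))
        if via:
            exposed[identity] = via
    return exposed


if __name__ == "__main__":
    access, orphans = effective_access(ACCOUNT_OWNER, ACCOUNT_ENTITLEMENTS)
    print("orphan accounts:", orphans)
    for who, hits in find_sod_violations(access, ENTITLEMENT_ACTIVITIES, SOD_RULES).items():
        print("SoD violation:", who, hits)
    for who, via in data_risk_exposure(access, ENTITLEMENT_DATA_CLASS).items():
        print("personal-data exposure:", who, "via", via)
```

Running it flags alice (create and approve payment on her own account), bob (create payment on his own account plus ledger modification through the checked-out shared DBA account, a conflict that is invisible when the shared account is reviewed in isolation), the orphan service account, and the two identities whose entitlements reach personal data and therefore belong in a GDPR-focused certification campaign.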
Managing access: why and how IBM Access Management is the enabler for the frictionless enterprise
Password use is dropping rapidly
16 MARCH 2017: PEOPLE & Z SECURITY SALES BOOT CAMP: IBM AND BUSINESS PARTNER INTERNAL USE ONLY
55% drop in use of passwords and tokens by 2019 (in medium-risk use cases), due to the introduction of recognition technologies.
*Gartner strategic planning assumption, Ant Allan
The authentication challenge: demand for increased assurance versus usability expectations (and cost). 60% of known data breaches use weak or stolen passwords. Example of the kind of password users are asked for: xgGL$#!jjhh(*%!aAbc. Relying on passwords leaves one compromising on both assurance and usability.
Use multiple authentication types for stronger security
• Something you know (credentials): user names / passwords, knowledge questions. Active.
• Something you have (OTP, token): generating OTPs and tokens, social IDs. Active.
• Something you are (biometric): fingerprint, voice, face and signature biometric authentication. Active.
• Something you do (behavior-metric): collecting and analyzing behavioral risk and fraud indicators. Transparent, ongoing authentication.
The columns read left to right, from "something you know" to "something you do", under the arrow "Move towards stronger, easier authentication".
IBM Security Access Manager: risk-based access supports five main context domains for adaptive access control
• Identity: groups, roles, credential attributes, organization
• Endpoints: various unique attributes that make up a device fingerprint: screen depth/resolution, fonts, OS, browser, browser plug-ins, device model and UUID
• Environment: geographic location, network, local time, etc.
• Resource / Action: the application being requested and what is being done
• Behavior: analytics of the user's historical and current resource usage (user activity monitoring, specific business activity monitoring); this is the "something you do", behavior-metric factor
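As an added example, not ISAM's code or policy language, here is a small Python risk engine that scores a request across the five context domains above and maps the score to permit, step-up (demand another factor) or deny, which is the policy-driven behaviour the deck describes. The device fingerprint is a hash over the endpoint attributes listed above; the point values, thresholds, home countries, sample device and sample contexts are assumptions.

```python
"""Added example: risk-based access decision across five context domains
(identity, endpoint, environment, resource/action, behavior).
Point values, thresholds and sample data are assumptions, not ISAM's."""
import hashlib
import json
from dataclasses import dataclass, field

STEP_UP_THRESHOLD = 30   # at or above: demand an additional authentication factor
DENY_THRESHOLD = 60      # at or above: refuse the request outright

# Endpoint attributes combined into the device fingerprint.
FINGERPRINT_ATTRS = ("screen", "fonts", "os", "browser", "plugins", "model", "uuid")
HOME_COUNTRIES = {"IT", "DE"}   # assumed for the sample user population


def device_fingerprint(endpoint: dict) -> str:
    """Stable SHA-256 over the fingerprint attributes; only the hash needs storing server-side."""
    canon = json.dumps({k: endpoint.get(k) for k in FINGERPRINT_ATTRS}, sort_keys=True)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


# Constructed sample: the user's enrolled laptop.
KNOWN_LAPTOP = {"screen": "1920x1080x24", "fonts": "arial,calibri", "os": "Windows 10",
                "browser": "Chrome 57", "plugins": "pdf", "model": "X1", "uuid": "d3adb33f"}
REGISTERED_DEVICES = {device_fingerprint(KNOWN_LAPTOP)}


@dataclass
class Context:
    identity: dict      # groups, roles, organization
    endpoint: dict      # raw device attributes
    environment: dict   # country, network, local_hour
    resource: dict      # app, action, sensitivity
    behavior: dict      # requests_last_hour, typical_requests_per_hour


@dataclass
class RiskResult:
    score: int = 0
    reasons: list = field(default_factory=list)
    decision: str = "permit"


def score_risk(ctx: Context, registered_devices=REGISTERED_DEVICES,
               home_countries=HOME_COUNTRIES) -> RiskResult:
    """Additive risk score over the five domains, mapped to permit / step_up / deny."""
    result = RiskResult()

    def add(points, why):
        result.score += points
        result.reasons.append(why)

    # Identity domain: privileged group membership raises the stakes of every request.
    if "admins" in ctx.identity.get("groups", ()):
        add(15, "privileged identity")
    # Endpoint domain: device fingerprint not previously enrolled.
    if device_fingerprint(ctx.endpoint) not in registered_devices:
        add(25, "unregistered device")
    # Environment domain: geography, network, time of day.
    if ctx.environment.get("country") not in home_countries:
        add(20, "outside home countries")
    if ctx.environment.get("network") == "anonymizer":
        add(30, "anonymizing network")
    if not 6 <= ctx.environment.get("local_hour", 12) <= 22:
        add(10, "off-hours access")
    # Resource / action domain: what is requested and what would be done with it.
    sensitivity = ctx.resource.get("sensitivity", "low")
    sens_points = {"low": 0, "medium": 10, "high": 20}[sensitivity]
    if sens_points:
        add(sens_points, f"{sensitivity}-sensitivity resource")
    if ctx.resource.get("action") in {"delete", "transfer", "export"}:
        add(10, "destructive or exfiltrating action")
    # Behavior domain: current activity against the user's own baseline.
    typical = max(ctx.behavior.get("typical_requests_per_hour", 1), 1)
    if ctx.behavior.get("requests_last_hour", 0) > 5 * typical:
        add(25, "request rate far above baseline")

    if result.score >= DENY_THRESHOLD:
        result.decision = "deny"
    elif result.score >= STEP_UP_THRESHOLD:
        result.decision = "step_up"   # e.g. mobile push confirmation or OTP before proceeding
    return result


if __name__ == "__main__":
    ctx = Context(identity={"groups": ["staff"]}, endpoint=KNOWN_LAPTOP,
                  environment={"country": "IT", "network": "corp", "local_hour": 10},
                  resource={"app": "payroll", "action": "view", "sensitivity": "medium"},
                  behavior={"requests_last_hour": 4, "typical_requests_per_hour": 5})
    print(score_risk(ctx))                                  # low risk: permit
    ctx.endpoint = dict(KNOWN_LAPTOP, browser="Firefox 52")  # same user, new browser, abroad
    ctx.environment["country"] = "US"
    print(score_risk(ctx))                                  # medium risk: step_up
```

The same user on an enrolled laptop in a home country viewing a medium-sensitivity app scores 10 and is permitted silently; the moment the browser changes (new fingerprint) and the request comes from outside the home countries the score reaches 55, so the policy demands a second factor without denying outright. A real deployment would also persist the reasons alongside the decision so the step-up prompts can be explained during an access review.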
IBM Security Access Manager: mobile two-factor authentication
Flows shown (diagram): Enroll → Touch (fingerprint) → Confirm (Y/N) → Login; Transaction → Confirm (Y/N). Methods: face & voice recognition**, one-time password. Factors used: something you have (OTP, token) and something you are (biometric).
• Multi-modal: different types supported for different scenarios
• Integrated: easily integrate flexible, intelligent multi-factor authentication into applications
• Policy driven: permit access when risk is low and demand authentication challenges when risk is high
Industry analysts rank IBM Security (a collective view of top analyst rankings, compiled as of August 2016; version 2016-06-16)

Domain: Security Operations and Response
  Security Intelligence
    Security Information and Event Management (SIEM): LEADER
  Network and Endpoint Protection
    Intrusion Prevention Systems (IPS): LEADER
    Endpoint: Client Management Tools: LEADER
    Endpoint Protection Platforms (EPP): Strong Performer

Domain: Information Risk and Protection
  Identity Governance and Access Management
    Federated Identity Management and Single Sign-On: LEADER
    Identity and Access Governance: LEADER
    Identity and Access Management as a Service (IDaaS): LEADER
    Web Access Management (WAM): LEADER
    Mobile Access Management: LEADER
    Identity Provisioning Management: LEADER
  Data Security
    Data Masking: LEADER
  Application Security
    Application Security Testing (dynamic and static): LEADER
  Mobile Protection
    Enterprise Mobility Management (MaaS360): LEADER
  Fraud Protection
    Web Fraud Detection (Trusteer): LEADER

Domain: Security Transformation Services
  Consulting and Managed Services
    Managed Security Services (MSS): LEADER
    Information Security Consulting Services: LEADER
A Global Leader in Enterprise Security
• #1 in enterprise security software and services*
• 7,500+ people
• 12,000+ customers
• 133 countries
• 3,500+ security patents
• 19 acquisitions since 2002
*According to Technology Business Research, Inc. (TBR) 2016
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved.