Copyright © SailPoint Technologies, Inc. 2016. All rights reserved. 2
The Problem Space We Fix
Do you know WHERE your (sensitive) data is?
Do you know WHO has access?
Is it APPROPRIATE?
Can you PROVE it?
$158 is the average cost per lost or stolen record (2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute Research Report).
• 40% International Business
• 750+ Customers and Growing
• IAM Market Leader: Gartner IGA MQ 2017, Continued Leader; Forrester IMG Wave 2016, Continued Leader
• 95% Customer Satisfaction
• Founded in 2005 by IAM veterans
• World’s LARGEST Dedicated Identity & Access Management Vendor
What we have heard from CIOs & CISOs
1. Easy to use & effective User Access Certification / Review to meet internal & external compliance without wasting labour, i.e. Orphaned & Rogue Accounts! Top 5 internal audit issue!
2. A unified approach covering Applications & Unstructured sensitive data, which allows proactive detection & control against inappropriate activity
3. The need for a consolidated “Single Source of Truth”, to enable enforcement of access request & provisioning policies, to mitigate SoD violations & toxic combinations
4. Timely & Accurate granting, changing & removal of users & access. Manual processes introduce inefficiencies (duplicate effort) & human errors
Wanna what? – Some Facts
• The main exploit utilized by WannaCry was preemptively patched by Microsoft on March 14, 2017 (MS17-010)
• Uses strong encryption (RSA-2048) and simultaneously replicates itself onto as many systems as possible via the Windows network file sharing protocol (SMB)
• WannaCry ransomware is evolving rapidly, so a solution is needed that can detect ransomware in ways that are not specific to any particular malware variant.
SailPoint’s Identity Management
• Governance-based approach
• First open identity platform
• Optimized for hybrid environments
• Extends to structured & unstructured data
[Diagram: Cloud Apps, On-Premises Apps, Devices, Unstructured Data, Directories, Structured Data, Web Apps, Infrastructure]
SailPoint: The Open Identity Platform
Core Identity Platform for the entire IT environment – Now & Future Advancement
[Diagram: integration points SIEM & UBA; Firewalls, Anti-X, Threat Detection; Governance, Risk & Compliance; Data Governance; IT Service Management; Mobile Device Management; Privileged User Management; Applications & Infrastructure, grouped as Identity+Security, Identity+GRC, Identity+Access Management and Identity+Ops, over SQL, SCIM, XML and REST interfaces]
Integration Partnership
• Combines industry leading Microsoft Azure AD Premium Identity and Access Management with industry leading SailPoint Identity Governance
• Improves security and reduces risk
• Improves productivity over the user’s lifecycle
• Cloud and on-premises awareness eliminates access blindspots
[Diagram: SailPoint + Microsoft Azure Active Directory Premium]
Azure AD Access Management + SailPoint Identity Governance
• Access Certification
• Access Request
• Fine-grained & Life Cycle Provisioning
• Compliance & Audit Reporting
• Password Reset Extension
• Policy-based Workflow & Approvals
• Conditional Access and Multi-factor Authentication
• Self-Service Password Reset
• Single Sign-On
• User and Group Management and Provisioning
• B2B Collaboration
• Risk-based Identity Protection
SailPoint: The First Open Identity Platform
Users • Applications • Data
[Diagram: Compliance Controls, Access Request, Password Management, Data Access Governance, Single Sign-On, Automated Provisioning; an Integration Framework connecting Cloud apps, On-prem apps, Structured data, Unstructured data and 3rd Party Integrations]
Guaranteeing the Appropriateness of Access
[Diagram: Sustainable Identity Governance Process and Identity Lifecycle Management Process, with the stages REQUEST (Business Interface Management), VALIDATION (Policy and Risk Enforcement) and FULFILLMENT (Provisioning Management)]
Step 1: ‘Visibility’ of the Current State
[Diagram: Identity Warehouse holding Account, Entitlement & Permission Data and Account Classification (System & Service Accounts, Privileged Accounts, Orphan Accounts), fed by Legacy Applications, Unstructured Content, Provisioning Systems, Cloud Services, Security Systems and Directories, and by Authoritative Identity Data from HR Systems, Contractor Databases and External User Sources; outputs are Access Certification, Reporting, Analytics and Critical Remediation]
Step 2: ‘Planning’ the Desired State
[Diagram: the Identity Warehouse of Step 1, with an added layer of Ownership, Policy Model, Business Roles and Identity Risk]
Step 3: ‘Managing’ the Changing State
[Diagram: the Identity Warehouse of Step 1 with the Ownership, Policy Model, Business Roles and Identity Risk layer, plus Lifecycle Management, Single Sign-on and Enhanced Provisioning]
Wanna what? – Back to the $300 question …
• Live identification and monitoring of unstructured data access and use (anomalous or not) on network and cloud-based file shares
• Applying the principles of “least privilege” to minimize access rights and decrease the potential impact of any single infection
• Initiating actions to terminate any behavior deemed malicious, stopping ransomware in its tracks and limiting damage to sensitive systems before it builds momentum (e.g. disable the user’s AD account, force logout, shut down the workstation)
• Suspending the identity and its accounts and re-certifying all access for that specific identity immediately
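The monitoring-and-response steps above, as an added example that is not part of the SailPoint deck: a variant-agnostic detector that watches file-share rename activity per account, flags an account that changes the extension of many files across several directories within a short window (a behaviour, not a signature), and pairs each flagged account with the slide's containment and re-certification steps. The audit record format, thresholds and account names are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
# Constructed file-share audit lines (assumed format): "<ISO time> <account> <action> <path>[ -> <new path>]"
SAMPLE_LOG = r"""
2017-05-12T10:00:01 alice RENAME \\fs01\finance\q1.xlsx -> \\fs01\finance\q1.xlsx.LOCKED
2017-05-12T10:00:02 alice RENAME \\fs01\finance\q2.xlsx -> \\fs01\finance\q2.xlsx.LOCKED
2017-05-12T10:00:03 alice RENAME \\fs01\hr\payroll.docx -> \\fs01\hr\payroll.docx.LOCKED
2017-05-12T10:00:04 alice RENAME \\fs01\hr\reviews.docx -> \\fs01\hr\reviews.docx.LOCKED
2017-05-12T10:00:05 alice RENAME \\fs01\legal\nda.pdf -> \\fs01\legal\nda.pdf.LOCKED
2017-05-12T10:05:00 bob RENAME \\fs01\eng\draft.docx -> \\fs01\eng\final.docx
2017-05-12T10:09:00 bob RENAME \\fs01\eng\old.txt -> \\fs01\eng\notes.md
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")
RESPONSE_STEPS = ("disable_ad_account", "force_logout", "shutdown_workstation",  # slide's containment steps,
                  "suspend_identity", "recertify_access")                         # in execution order

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, account, action, rest = m.groups()
    old, _, new = rest.partition(" -> ")  # new path is empty for non-rename actions
    return datetime.fromisoformat(ts), account, action, old.strip(), new.strip()

def detect_mass_rename(lines, window=timedelta(seconds=60), min_events=5, min_dirs=2):
    """Flag accounts that rename >= min_events files to a different extension across >= min_dirs
    directories within `window`; no specific extension is matched, so new variants still trip it."""
    recent = defaultdict(deque)  # account -> (timestamp, directory) of extension-changing renames in window
    flagged = {}
    for line in lines:  # records are assumed to arrive in time order
        parsed = parse(line)
        if not parsed or parsed[2] != "RENAME":
            continue
        ts, account, _, old, new = parsed
        if PureWindowsPath(old).suffix == PureWindowsPath(new).suffix:
            continue  # ordinary rename: extension unchanged
        q = recent[account]
        q.append((ts, str(PureWindowsPath(old).parent)))
        while ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        dirs = {d for _, d in q}
        if len(q) >= min_events and len(dirs) >= min_dirs:
            flagged[account] = {"events": len(q), "dirs": len(dirs)}
    return flagged

def triage(lines):
    """Attach the response sequence to every flagged account; the identity, not just one account, is suspended."""
    return {a: dict(info, actions=list(RESPONSE_STEPS)) for a, info in detect_mass_rename(lines).items()}
```

Feeding the same records with a higher `min_events` shows how the threshold trades detection speed against false positives on bulk legitimate renames.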