© 2016 IBM Corporation

Identity & Access Management: Vision and Strategy
Mike Chung | Associate Partner, IBM Security
Slide 2: Table of contents (every slide carries a DRAFT watermark)
§ Common understanding of terms
§ Expectations and developments 2015 and beyond
  • Access governance 2.0
  • Federation
  • Post-password era
§ IBM's strategy
§ Contact details
Slide 3: Common understanding of terms

[Diagram 1, access governance model: Users are assigned a business role (function-based), which maps to IT roles (IT system group-based); attributes and entitlements derived from those roles resolve to permissions on Application/System A, B, C, ...]

[Diagram 2, access management model: a User presents a digital identity; authentication (verification of the identity claim) is followed by authorization (access to allowed resources), which yields permissions on Application/System A, B, C, ...; monitoring & audit span the whole chain]
Slide 4: Access governance 2.0: towards -as-a-service

[Diagram: the access governance model of slide 3 with partners and suppliers added alongside users; the callouts below are grouped on the slide as "Basic assumption" versus "2015 & beyond approach"]

Heterogeneous group of users:
• Internal employees
• Consultants
• Partners and suppliers
• Consumers

Entitlements based on risk-based controls:
• Rules and regulations
• Segregation-of-duties
• Security requirements
• Use of resources, including licensing

Dynamic set of attributes: from static business-function-based attributes to dynamic project/context/activity-based attributes

Access governance as a service:
• As a managed service performed by specialists
• Fetched as a standardized service from the cloud
• Pay-as-you-go model

Increasing level of deperimeterization:
• Move to SaaS
• Merging with partners' networks
• Bring your own devices & ID

Complex, "invisible" ecosystem of applications:
• Move to SaaS outside IT
• Merging of private/social and business applications
• Control of access as part of risk management
Slide 5: Federation: decentralized approach

[Diagram: the access management model of slide 3; callouts grouped on the slide as "Basic assumption" versus "2015 & beyond approach"]

Proliferation of digital identities:
• Organization-specific IDs
• Social networking IDs
• IDs provided by the government
• Aliases

Wide acceptance of open standards and protocols: OpenID, OpenID Connect, OAuth, SAML, SPML, SCIM

Exchange of authentication and authorization data for SSO:
• Federation using SAML 2.0
• Architecture of identity providers and service providers
• For web services and across the cloud

Delegated access: authorization based on delegated access using request and access tokens, without sharing credentials with the application

Decentralized identity provisioning: from static "centralized" identity stores to preferred OpenID providers serving multiple relying parties

Hybrid environment:
• Applications both on-premise and SaaS
• Managed services with vendor/cloud governance
• Corporate devices and BYOD
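The delegated-access and identity-provider/service-provider points above, as an added example that is not IBM code: the OAuth 2.0 authorization-code grant with PKCE (RFC 6749, RFC 7636), which is the current form of the request-token/access-token pattern the slide describes. The authorization server, the client and the resource server are modelled in one Python process so the whole exchange can be traced: the user's password is checked only by the authorization server, the code is single-use and bound to the client's PKCE verifier, and the client ends up holding a bearer token rather than a credential. The user "alice", the client ID, the redirect URI and the scope are constructed for the example.

```python
"""Added example (not IBM code): OAuth 2.0 authorization-code grant with PKCE,
modelled in-process. Users, client registration and scope are constructed."""
import base64
import hashlib
import hmac
import secrets
import time


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding PKCE uses for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class AuthorizationServer:
    """Identity-provider side: authenticates users, issues codes and tokens."""

    def __init__(self):
        salt = b"constructed-demo-salt"
        self._users = {"alice": (salt, hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 10_000))}
        self._clients = {"portal-app": "https://portal.example/cb"}  # registered redirect URIs
        self._codes = {}   # code -> (user, client_id, code_challenge, expiry)
        self._tokens = {}  # access token -> (user, scope, expiry)

    def authorize(self, request, username, password):
        """Front channel: the user authenticates here, never at the client."""
        if self._clients.get(request["client_id"]) != request["redirect_uri"]:
            raise PermissionError("unknown client or redirect_uri mismatch")
        salt, stored = self._users.get(username, (b"dummy", b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
        if not hmac.compare_digest(candidate, stored):
            raise PermissionError("authentication failed")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (username, request["client_id"], request["code_challenge"], time.time() + 60)
        return code  # delivered to the client by redirecting the browser to redirect_uri

    def token(self, client_id, code, code_verifier):
        """Back channel: the code is popped (single use) and checked against client and PKCE."""
        entry = self._codes.pop(code, None)
        if entry is None:
            raise PermissionError("invalid or already-used code")
        user, bound_client, challenge, expiry = entry
        if time.time() > expiry or bound_client != client_id:
            raise PermissionError("expired code or wrong client")
        if not hmac.compare_digest(b64url(hashlib.sha256(code_verifier.encode()).digest()), challenge):
            raise PermissionError("PKCE verification failed")
        access = secrets.token_urlsafe(32)
        self._tokens[access] = (user, "read:profile", time.time() + 3600)
        return {"access_token": access, "token_type": "Bearer", "expires_in": 3600}

    def introspect(self, access_token):
        """RFC 7662-style token check used by the resource server."""
        entry = self._tokens.get(access_token)
        if entry is None or time.time() > entry[2]:
            return {"active": False}
        return {"active": True, "sub": entry[0], "scope": entry[1]}


class ResourceServer:
    """Service-provider side: trusts the authorization server's verdict on the token."""

    def __init__(self, auth_server):
        self._as = auth_server
        self._profiles = {"alice": {"name": "Alice", "dept": "Finance"}}  # constructed data

    def get_profile(self, bearer):
        info = self._as.introspect(bearer)
        if not info["active"] or "read:profile" not in info["scope"].split():
            raise PermissionError("token rejected")
        return self._profiles[info["sub"]]


class Client:
    """Relying application: holds only client_id, the PKCE verifier and the token."""

    def __init__(self, client_id, redirect_uri):
        self.client_id, self.redirect_uri, self._verifier = client_id, redirect_uri, None

    def start_login(self):
        self._verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636 limits
        challenge = b64url(hashlib.sha256(self._verifier.encode()).digest())
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "code_challenge": challenge, "code_challenge_method": "S256"}

    def finish_login(self, auth_server, code):
        return auth_server.token(self.client_id, code, self._verifier)


def run_flow(username="alice", password="correct horse"):
    """Run the full exchange; report the resource obtained and whether a replayed code is refused."""
    auth = AuthorizationServer()
    client = Client("portal-app", "https://portal.example/cb")
    request = client.start_login()
    code = auth.authorize(request, username, password)  # user types the password at the AS
    token = client.finish_login(auth, code)
    profile = ResourceServer(auth).get_profile(token["access_token"])
    try:
        client.finish_login(auth, code)  # a leaked or intercepted code cannot be reused
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"profile": profile, "replay_rejected": replay_rejected}
```

The two checks worth carrying into a real deployment are the ones the toy makes explicit: the redirect URI must match the registration exactly before any code is issued, and the code must be consumed atomically (here `dict.pop`) so that a second presentation fails even if it arrives within the expiry window.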
Slide 6: Post-password era: embracing complexity

[Diagram: the access management model of slide 3; callouts grouped on the slide as "Basic assumption" versus "2015 & beyond approach"]

Ease of access required:
• Seamless access to services
• Privacy and security

High expectations raised on analytics:
• Security big data
• Integrated monitoring of multiple services

Cloud monitoring:
• Monitoring of the cloud
• Monitoring from the cloud
• Integration with SIEM, data analytics and threat intelligence

Biometrics combined with certificates:
• Strong authentication with non-intrusive biometrics and an additional code
• Digital certificates for secure, transparent access to various resources

Secure cloud gateway concepts:
• Single/limited point(s) towards the cloud
• Quality of service, including security

Compliance:
• Rules and regulations more stringent than ever
• Balancing act between privacy and security
• Dependency on third parties
Slide 7: IBM's strategy: access-governance-as-a-service

[Diagram: the access governance model of slide 3 with partners and suppliers; callouts grouped on the slide as "Current solutions" versus "Focus areas of roadmap"]

Exhaustive access governance functionality:
• Access request management
• Access certification
• Risk scoring
• SoD management
• Role discovery

Entitlements based on various variables:
• Static policy and rules
• Context (location, time, concurrent sessions, etc.)
• Ad hoc

Access governance as a service from IBM's cloud:
• Exhaustive range of access governance services
• Full identity life cycle managed by specialists
• Private or public cloud depending on the customer's situation

Integration with (third-party) SaaS:
• Access governance connectivity with SaaS based on open standards
• Provisioning and deprovisioning to/from SaaS

Access-as-a-service from multiple locations: more data center locations in Europe outside the UK

Specific and industry-unique features:
• Visual role mining
• Integration with SAP
• Integration with mainframes
Slide 8: IBM's strategy: federation including authorization

[Diagram: the access management model of slide 3; callouts grouped on the slide as "Current solutions" versus "Focus areas of roadmap"]

Enterprise-wide SSO:
• Federation with on-premise applications
• Federation with cloud applications
• Federation with mobile apps

Adoption of open standards:
• OpenID (Connect)
• OAuth
• SAML
• SPML
• SCIM

Cloud-based identity management:
• Identity life-cycle management supporting multiple authoritative sources of identity data
• Connected with cloud and on-premise applications
• Provisioning and deprovisioning

Seamless integration with strong authentication concepts:
• X.509 certificate-based federation
• Smartcard-based federation

Fine-grained authorization:
• Control over a wide array of cloud and mobile applications
• Based on dynamic attributes
• Coupled with (strong) authentication

Further integration of access governance capabilities with cloud and mobile applications:
• Detection of violations with automated actions
• Role mining
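Slides 4, 7 and 8 describe entitlements that are derived from roles and then constrained by segregation-of-duties rules and request context (location, time, concurrent sessions), with violations surfaced for certification. The following is an added example, not IBM product code: a small Python policy engine that resolves business role to IT role to permissions as in the slide-3 model, denies requests that exercise a toxic combination the user holds, applies context rules to high-risk actions, and lists the SoD findings an access review would pick up. The role names, the one SoD rule, the permitted countries, the session limit and the business-hours window are all assumptions made for illustration.

```python
"""Added example (not IBM product code): role-derived entitlements checked against
segregation-of-duties rules and request context. Role mappings, the SoD rule,
countries and thresholds are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Business role (function-based) -> IT roles (system group-based), as in the slide-3 model.
BUSINESS_TO_IT = {
    "accounts_payable_clerk": {"sap_fi_ap", "expense_tool_user"},
    "ap_approver": {"sap_fi_ap_approve"},
    "sales_rep": {"crm_user"},
}
# IT role -> permissions on the target applications.
IT_ROLE_PERMISSIONS = {
    "sap_fi_ap": {"sap:invoice:create", "sap:invoice:read"},
    "sap_fi_ap_approve": {"sap:invoice:approve", "sap:invoice:read"},
    "expense_tool_user": {"expense:claim:create"},
    "crm_user": {"crm:opportunity:read", "crm:opportunity:write"},
}
# Toxic combinations: one person holding every permission in a set violates SoD.
SOD_RULES = [
    (frozenset({"sap:invoice:create", "sap:invoice:approve"}), "AP invoice create/approve"),
]
# Context rules apply only to high-risk permissions; the rest need entitlement alone.
HIGH_RISK = {"sap:invoice:approve", "crm:opportunity:write"}
ALLOWED_COUNTRIES = {"NL", "DE", "KR"}
MAX_SESSIONS = 3
BUSINESS_HOURS = range(7, 20)  # hour of day, UTC


@dataclass(frozen=True)
class Context:
    """Dynamic attributes of one access request (slide 7: location, time, sessions)."""
    country: str
    now: datetime
    concurrent_sessions: int
    managed_device: bool


def effective_permissions(business_roles):
    """Resolve business roles -> IT roles -> permissions."""
    perms = set()
    for business_role in business_roles:
        for it_role in BUSINESS_TO_IT.get(business_role, ()):
            perms |= IT_ROLE_PERMISSIONS.get(it_role, set())
    return perms


def sod_violations(perms):
    """Names of SoD rules whose whole toxic set is held."""
    return [name for toxic, name in SOD_RULES if toxic <= perms]


def decide(business_roles, permission, ctx):
    """Return (allowed, reason) for one permission request."""
    perms = effective_permissions(business_roles)
    if permission not in perms:
        return False, "not entitled"
    # Static policy: refuse to exercise a toxic combination even though each half was granted.
    for toxic, name in SOD_RULES:
        if permission in toxic and toxic <= perms:
            return False, f"segregation-of-duties violation: {name}"
    # Context: the session cap applies to everything, the other checks only to high-risk actions.
    if ctx.concurrent_sessions > MAX_SESSIONS:
        return False, "too many concurrent sessions"
    if permission in HIGH_RISK:
        if ctx.country not in ALLOWED_COUNTRIES:
            return False, "location not allowed for high-risk action"
        if not ctx.managed_device:
            return False, "unmanaged device"
        if ctx.now.astimezone(timezone.utc).hour not in BUSINESS_HOURS:
            return False, "outside business hours"
    return True, "granted"


def certification_findings(assignments):
    """Input for an access review: users whose combined roles violate an SoD rule."""
    findings = {}
    for user, roles in assignments.items():
        violations = sod_violations(effective_permissions(roles))
        if violations:
            findings[user] = violations
    return findings
```

The ordering matters: SoD is evaluated on the user's full permission set, not on the single permission requested, so a clerk who was also (wrongly) given the approver role is stopped at approval time even though the request management step let both assignments through; the certification report then shows the reviewer which assignment to revoke.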
Slide 9: IBM's strategy: security integration

[Diagram: the access management model of slide 3; callouts grouped on the slide as "Current solutions" versus "Focus areas of roadmap"]

Detection and identification of cloud applications

Security data intelligence: security big data analysis from various sources

Integration of SIEM and threat intelligence:
• Monitoring of the cloud
• (Near) real-time alerts and instant response

Compliant with stringent standards:
• EU Privacy Directive
• ISO 27001/27002
• ISAE 3402
• PCI DSS
• HIPAA

Secure gateway service:
• Single/limited point(s) towards the cloud
• Quality of service, including security
• SSL offloading/DLP

Strong R&D investment in authentication technology:
• Encryption
• Biometrics
Slide 10: IBM's solutions

[Diagram: both models of slide 3 (access governance and access management) with two IBM offerings placed on them: Cloud Identity Service and Cloud Enforcer]
Slide 11: Also..
§ Preparing for the rise of non-corporate IDs for business services
§ Participating actively in new and innovative developments:
  • FIDO
  • XACML-ish concepts
  • Homomorphic encryption
  • FreeIPA
Slide 12: IBM Security: investing in best-of-breed technologies

IBM Security investment:
• 6,000+ IBM Security experts worldwide
• 1,700+ IBM security patents
• 4,000+ IBM managed security services clients worldwide
• 25 IBM Security labs worldwide

[Timeline figure with year markers 1976, 1999, 2002, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, showing capabilities added over time: security services and network security; enterprise single sign-on; mainframe and server security; identity management; directory integration; endpoint management and security; application security; data management; database monitoring and protection; access management; SOA management and security; incident forensics; secure mobile management; cloud-enabled identity management; identity governance; security intelligence; and the point at which "IBM Security is created"]
Slide 13: IBM Security: latest analyst report rankings

Table columns on the slide: Domain | Market segment / report | Gartner Magic Quadrant (MQ) and Market Share (MS) | Forrester Wave | IDC Market Share. Ratings are listed per row as they appear.

Identity and Access Management
• Federated Identity Management and Single Sign-On: Leader, 2014
• Identity and Access Governance: Leader, 2015 MQ / 2015 MS; Strong Contender, 2013
• Identity and Access Management as a Service (IDaaS): Visionary, 2015 MQ
• Web Access Management (WAM): Leader, '13 MarketScope, '15 MS
• Mobile Access Management: Leader, 2014 Customer Value, Frost & Sullivan
• Identity Provisioning Management: Leader, 2014 Leadership Compass, KuppingerCole

Security Intelligence
• Security Information and Event Management (SIEM): Leader, 2015 MQ / 2015 MS; Leader, 2015

Consulting and Managed Services
• Managed Security Services (MSS): Leader, 2014 MQ (NA, WW); Leader, 2014 (NA); Leader, 2014
• Information Security Consulting Services: Leader, 2013
Slide 14: IBM Security: exhaustive coverage of security domains

[Figure: product portfolio laid out by domain. Domains: Security Intelligence; Advanced Fraud; Data; Mobile; Applications; Endpoint; Identity and Access; Network; plus Consulting Services, Managed Services and IBM X-Force Research.]

Products shown: QRadar SIEM, QRadar Log Manager, QRadar Vulnerability Manager, QRadar Risk Manager, QRadar Incident Forensics; Trusteer Rapport, Trusteer Pinpoint, Trusteer Mobile, Trusteer Apex; Guardium, Key Lifecycle Manager; MobileFirst Protect (MaaS360); AppScan, DataPower Web Security Gateway; BigFix; Identity Manager, Access Manager, Identity Governance and Intelligence, Privileged Identity Manager, zSecure; SiteProtector, Network Protection XGS.
Slide 15: IBM Security: global reach

[Figure: "IBM Security by the Numbers", with counts of monitored countries (MSS), service delivery experts, endpoints protected and events managed per day; the numbers themselves are not present on the page]
Slide 16: Contact details
Drs. Mike Chung RE CISSP
Associate Partner, IBM Security
+31 6 2565 7593
+82 10 3521 7754 (South Korea)