
The Business Of Identity, Access And Security V1.0

Topics: identity management, access control, information security

Page 1: The Business Of Identity, Access And Security V1.0

The business of identity, access and security

Theo Nassiokas, Head of Risk & Compliance, Information Security

Westpac Banking Corporation

Identity Management Forum 2007 – November 28–30

What’s in it for me?

Page 2: The Business Of Identity, Access And Security V1.0

Overview

Executive summary

Identity Management (IDM) – What is it?

Regulatory focus – Access control or identity management?

Compliance, risk & governance and identity management

Objective of identity management

Identity management convergence

Aligning IT projects to business

Minimising project risk

Conclusion

Page 3: The Business Of Identity, Access And Security V1.0


Executive summary

Identity management (funny enough) is the management of identities – not the management of technology

The emerging global regulatory framework focuses on knowing your customer (KYC) and knowing your risk

Compliance, risk & governance all have a crucial role to play in the diligent management of identities

The objective of good identity management is to enable business – not to document processes and pass audits

Traditionally disparate identity databases (e.g. physical & logical access) are converging into one source of truth!

Aligning a proposed project to business objectives demonstrates its value proposition

Understanding your organisation’s culture and risk appetite will increase the chance of initial project funding approvals

Page 4: The Business Of Identity, Access And Security V1.0

Identity Management (IDM) – What is it?

Page 5: The Business Of Identity, Access And Security V1.0

Identity management defined

Identity management is the management of the Identity Life Cycle of Entities (ILCE), which consists of identities being:

− Established: a name (or number) is connected to the subject or object;

− Re-established: a new or additional name (or number) is connected to the subject or object;

− Described: one or more attributes which are applicable to this particular subject or object may be assigned to the identity;

− Newly described: one or more attributes which are applicable to this particular subject or object may be changed; and

− Destroyed.

Source: Wikipedia - http://en.wikipedia.org/wiki/Identity_management

Page 6: The Business Of Identity, Access And Security V1.0

Two perspectives of IDM

1. User Access paradigm: an integrated system of business processes, policies and technologies that facilitate and control a user's access to critical online applications and resources

2. Service paradigm: converged services, covering all the resources of the company that are used to deliver online services, including unified services and single customer view facilities

Source: Wikipedia - http://en.wikipedia.org/wiki/Identity_management

(Figure: the two paradigms overlap in the region labelled “IDM Convergence”)

Page 7: The Business Of Identity, Access And Security V1.0

Regulatory focus – Access control or identity management?

Page 8: The Business Of Identity, Access And Security V1.0

What comes 1st – The chicken or the egg?

Access control, as the name suggests, is a set of controls governing access to information systems, including:

− Technology
  − User IDs and passwords
  − Tokens
  − Biometrics

− Processes
  − Issuing user IDs, passwords and technologies
  − Periodic user access revalidation reporting
  − On-boarding and off-boarding

Identity management is a process that provides the required degree of assurance that the holder of an identity is its rightful owner. It is therefore no surprise that this is the common regulatory thread…
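The access-control processes listed on this slide (issuing credentials, periodic revalidation reporting, on-boarding and off-boarding) and the Identity Life Cycle of Entities defined on the earlier slide can be modelled together. The following Python is an added example, not code from the presentation or from Westpac: one identity registry acting as the single source of truth for both physical and logical access grants, the ILCE operations (establish, re-establish, describe, newly describe, destroy) recorded as an audit trail, and a revalidation report that flags grants not revalidated within a chosen window and grants that outlived a destroyed identity, which is the off-boarding gap. The employee numbers, resource names, dates and the 90-day window are assumptions constructed for the example.

```python
"""Identity lifecycle registry with a periodic access revalidation report.

Added example, not code from the presentation. It models the Identity Life
Cycle of Entities (established, re-established, described, newly described,
destroyed) over one identity store holding physical and logical grants, then
runs the periodic access revalidation check. All records are constructed.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Identity:
    primary_id: str                              # name/number connected to the subject
    aliases: set = field(default_factory=set)    # names/numbers added by re-establishment
    attributes: dict = field(default_factory=dict)
    grants: dict = field(default_factory=dict)   # resource -> date last (re)validated
    destroyed: bool = False
    history: list = field(default_factory=list)  # audit trail of lifecycle events


class IdentityRegistry:
    """One source of truth for identities and their physical and logical grants."""

    def __init__(self):
        self._by_id = {}

    def get(self, primary_id):
        return self._by_id[primary_id]

    def establish(self, primary_id, **attributes):
        ident = Identity(primary_id, attributes=dict(attributes))
        ident.history.append(("established", primary_id))
        self._by_id[primary_id] = ident
        return ident

    def re_establish(self, primary_id, alias):
        ident = self._live(primary_id)
        ident.aliases.add(alias)
        ident.history.append(("re-established", alias))

    def describe(self, primary_id, **attributes):
        ident = self._live(primary_id)
        for key, value in attributes.items():
            # first assignment is "described"; changing an existing one is "newly described"
            event = "newly described" if key in ident.attributes else "described"
            ident.attributes[key] = value
            ident.history.append((event, key))

    def grant(self, primary_id, resource, validated_on):
        ident = self._live(primary_id)
        ident.grants[resource] = validated_on
        ident.history.append(("granted", resource))

    def revoke(self, primary_id, resource):
        # allowed after destruction: off-boarding cleans up grants the identity left behind
        ident = self._by_id[primary_id]
        del ident.grants[resource]
        ident.history.append(("revoked", resource))

    def destroy(self, primary_id):
        ident = self._live(primary_id)
        ident.destroyed = True
        ident.history.append(("destroyed", primary_id))

    def _live(self, primary_id):
        ident = self._by_id[primary_id]
        if ident.destroyed:
            raise ValueError(f"{primary_id} has been destroyed")
        return ident

    def revalidation_report(self, today, max_age_days=90):
        """Periodic revalidation: flag stale grants and grants outliving their identity."""
        findings = []
        for ident in self._by_id.values():
            for resource, last in ident.grants.items():
                if ident.destroyed:
                    findings.append((ident.primary_id, resource, "orphaned grant"))
                elif (today - last).days > max_age_days:
                    findings.append((ident.primary_id, resource, "revalidation overdue"))
        return sorted(findings)


def build_sample_registry():
    """Constructed sample: one current staff member, one off-boarded without full revocation."""
    reg = IdentityRegistry()
    reg.establish("emp-1001", department="Retail", role="teller")
    reg.re_establish("emp-1001", "jsmith")                            # logon name added later
    reg.grant("emp-1001", "building:head-office", date(2007, 3, 1))   # physical access
    reg.grant("emp-1001", "app:core-banking", date(2007, 9, 20))      # logical access
    reg.describe("emp-1001", role="branch manager")                   # attribute changed
    reg.establish("emp-1002", department="Finance", role="analyst")
    reg.grant("emp-1002", "app:ledger", date(2007, 6, 1))
    reg.grant("emp-1002", "building:head-office", date(2007, 6, 1))
    reg.revoke("emp-1002", "app:ledger")
    reg.destroy("emp-1002")            # left the company; the building pass was never cancelled
    return reg


def sample_report(today=date(2007, 11, 28)):
    """Run the revalidation report over the constructed sample as at the forum date."""
    return build_sample_registry().revalidation_report(today)
```

Because physical and logical grants sit in the same store, the one report catches both the stale building pass and the pass that survived an off-boarding; with separate physical and logical databases each team would only see half of the picture.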

Page 9: The Business Of Identity, Access And Security V1.0

The common regulatory thread

Identity management is the focus of an emerging regulatory framework:

− Anti Money Laundering (AML) and Counter Terrorism Financing (CTF) Act 2006 (Commonwealth of Australia) (banks and insurance)

− Basel II Capital Adequacy Accord 2005 – Bank for International Settlements (Basel, Switzerland) (banks)

− Public Company Accounting Reform and Investor Protection (Sarbanes Oxley) Act 2002 (USA) (SEC registered/NYSE or NASDAQ listed)

− Crimes Act 1914 (Commonwealth of Australia)

− Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act 2001 (USA)

− Financial Modernization (Gramm-Leach-Bliley Act [GLB]) Act 1999 (USA) (US banking & finance)

− Data Protection Act 1998 (UK & USA)

− Privacy Act 1988 (as amended) (Commonwealth of Australia)

− Financial Transactions Reports Act 1988 (as amended) (Commonwealth of Australia)

The regulatory environment is the new DNA of identity management.

Page 10: The Business Of Identity, Access And Security V1.0

Compliance, risk & governance and identity management

Page 11: The Business Of Identity, Access And Security V1.0


Regulatory compliance

Common benchmarks are:

1. Regulatory

Basel II Capital Adequacy Accord 2005 – Bank for International Settlements – Basel, Switzerland

Public Company Accounting Reform and Investor Protection (Sarbanes Oxley) Act 2002 (USA)

Privacy laws (local and foreign)

Anti-cybercrime laws (local and foreign)

Page 12: The Business Of Identity, Access And Security V1.0


Policy compliance

Common benchmarks are:

2. Policy

Technology Code of Use

Information Security Policy

Standard Operating Environment (SOE)

Architecture and Strategy

Standards (internal and external)

Page 13: The Business Of Identity, Access And Security V1.0


Business risk

Areas according to the Basel Accord are:

1. Credit Risk

2. Market Risk

3. Operational Risk

4. Interest Rate Risk (optional)

Focus on operational risk re: identity management

− Likelihood and consequence
− Quantitative vs qualitative
− Scenario based

Ontology and Taxonomy

Page 14: The Business Of Identity, Access And Security V1.0


Risk is easy!?

Source: Dr Peter Tippett - ICSA Labs (Verizon Business), Mechanicsburg, Pennsylvania, USA

Page 15: The Business Of Identity, Access And Security V1.0


Governance

What is it?

It is the overall corporate oversight framework, consisting of:

i. Enterprise strategy & planning
ii. Service delivery capability requirements
iii. Management frameworks
iv. Management structures

Governance is required to give the Board:

i. Transparency of the enterprise capability and strategic risks across the enterprise
ii. Assurance that strategies are aligned to the business and that operational plans are aligned with strategic plans
iii. Assessment of future capabilities and innovations

Page 16: The Business Of Identity, Access And Security V1.0

Governance

Corporate governance consists of five main areas:

− Risk/Security Governance
− Administrative and Financial Governance
− Operational Governance
− Regulatory and Legal Governance
− IT Governance

Risk/Security and IT Governance are the main focus areas of IDM.

Page 17: The Business Of Identity, Access And Security V1.0


Objective of identity management

Page 18: The Business Of Identity, Access And Security V1.0


Conservative corporate culture

Why is this relevant to identity management?

1. Conservative culture

− ‘Realistic’ valuation methods, e.g. NPV, Cost Benefit, IRR, etc.
− Value perception limited to ‘passing audits’
− Scope of work limited to ‘minimum compliance requirements’
− Drivers are usually threats from the regulator or ‘near death experiences’

Page 19: The Business Of Identity, Access And Security V1.0


Innovative corporate culture

Why is this relevant to identity management?

2. Innovative culture

− ‘Perceived’ valuation methods, i.e. subjective SME valuations
− ‘Normative’ valuation methods, i.e. comparative ‘best practice’ data
− Value perception broadened to ‘enabling business’
− Scope of work broadened to ‘maximum value requirements’
− Driver is future growth through innovation, e.g. enhancing brand through greater ‘customer trust’

Page 20: The Business Of Identity, Access And Security V1.0


Research re: IDM as enabler

CMO Council “Secure the Trust of Your Brand” – Aug 2006

Page 21: The Business Of Identity, Access And Security V1.0


Research re: IDM as enabler

“Secure the Trust of Your Brand” – Aug 2006

Page 22: The Business Of Identity, Access And Security V1.0


Research re: IDM as enabler

“Secure the Trust of Your Brand” – Aug 2006

65% of European and U.S. respondents, on average, have experienced computer security problems

1 in 6 respondents have had their personal information lost or compromised

40% of respondents have actually stopped a transaction due to a security incident

Over one third would consider taking their business elsewhere if personal information were compromised

25% would definitely take their business elsewhere if their personal information were compromised

Page 23: The Business Of Identity, Access And Security V1.0


Identity management convergence

Page 24: The Business Of Identity, Access And Security V1.0


Physical and logical convergence

What is identity management convergence?

− Merger of disparate Identity Management capabilities
− It can be physical and/or intellectual
  − Physical: the sharing of office facilities & space; and
  − Intellectual: the sharing of knowledge
− It can be project driven
  − Implementation of staff smartcards for physical building and logical information systems access

Why are physical and logical capabilities converging?

− One holistic identity management strategy
  − Easier to align with CIO and business strategies
− One single point of contact (e.g. the CIO or the business)
− Increased information sharing between stakeholders
− Cross-train staff (comparative advantage)
− Lower total cost of ownership

Page 25: The Business Of Identity, Access And Security V1.0

Who are the stakeholders?

(Figure: stakeholder map with ‘IDM Governance’ at the centre and the stakeholder groups Physical, IT, and Legal, Regulatory & Industry codes. Labels on the map: IP; Data Protection Act (UK); Sarbanes Oxley S302, 404, 409; USA PATRIOT Act; ISO 27001; ISO 27002; California Senate Bill 1386; Basel II; Privacy laws; BCP failure; Phishing; Cyber crime; Virus incidents; Physical theft of info; Unauthorised software usage; License breach; Unauthorised physical access; Targeted attack – mass extinction event; System access control; Information access control; Network domain access; Staff screening checks; Outsourced service provider control.)

Page 26: The Business Of Identity, Access And Security V1.0

IDM convergence is innovative

Strategy is “how the mission will be achieved”, i.e. IDM convergence

Strategic Planning is “how the strategy will be achieved”, i.e. trajectory

Trajectory is “the time required to deliver the strategy”

Example – Convergence strategy (figure: Capability Today → Capability Tomorrow)

Strategic Planning achieves strategy through:

• Identification of stakeholders
• Identification of synergies between stakeholders
• Leveraging synergies

Page 27: The Business Of Identity, Access And Security V1.0


Is leading an innovation easy?

“Let it be noted that there is no more delicate matter to take in hand, nor more dangerous to conduct, nor more doubtful in its success, than to set up as a leader in the introduction of changes. For he who innovates will have for his enemies all those who are well off under the existing order, and only lukewarm supporters in those who might be better off under the new.”

− [Niccolò Machiavelli (1469-1527), The Prince, 1513, Chapter VI, para.5]

Page 28: The Business Of Identity, Access And Security V1.0


Aligning IT projects with business

Page 29: The Business Of Identity, Access And Security V1.0

Why is alignment to business important?

Example – Technology ‘line of sight’ to business (figure: three parallel planning chains)

Business: Assessment of the Business → Vision and mission for the Business → Business Strategy → Business Strategic Plan → Business Operational Plans and Budgets

Technology: Assessment of technology requirements → Vision and mission for technology → Technology Strategy → Technology Strategic Plan → Technology Operational Plans and Budgets

Identity Management: Assessment of Identity Management requirements → Vision and mission for Identity Management → Identity Management Strategy → Identity Management Strategic Plan → Identity Management Operational Plans and Budgets

Page 30: The Business Of Identity, Access And Security V1.0


Minimising project risk

Page 31: The Business Of Identity, Access And Security V1.0


The innovation effectiveness curve

Page 32: The Business Of Identity, Access And Security V1.0


The innovation value chain

Page 33: The Business Of Identity, Access And Security V1.0


Conclusion

“Identity management” isn’t a fancy term for “access control”. Get your processes right and then build the technology to support them.

The emerging global regulatory framework is the new DNA of identity management planning. Ignore this at your own peril!

Identity management processes should be designed within an effective compliance, risk & governance framework

To manage identities well is to ‘know your customer’ well and understand associated business risks – this enables business

Get to one source of truth, in terms of identity databases! It is far more effective and efficient and reduces total cost of ownership.

Get the business to ‘own’ a proposed project, so that it is promoted by the business. This makes ‘selling’ value straightforward!

Building the organisational culture and risk appetite into the project design will provide the right delivery trajectory and increase the likelihood of effective and timely execution and success.

Page 34: The Business Of Identity, Access And Security V1.0


Questions?

Contact details:

Theo Nassiokas, Head of Risk & Compliance, Information Security

Westpac Banking Corporation

[email protected]
+61 (0)2 8254 2064 office
+61 (0)419 885 930 mobile

Thank you for your time!

Page 35: The Business Of Identity, Access And Security V1.0

Appendix A – Security Convergence

Where is the evidence?

Actual ‘security convergence’ project budgets, based on surveying 60 end users from Canada, Europe and the United States:

Spending on Converged Security Projects (per year in millions)

                                                      2004   2005    2006    2007    2008
Public sector                                         $250   $500  $1,200  $2,600  $5,001
Physical/logical access control projects               $30    $90    $248    $542    $994
Large-scale convergence projects                       $10    $36     $93    $202    $453
Small projects                                         $10    $30     $81    $172    $277
Other projects performed jointly by IT and
physical security departments                          $10    $35     $92    $191    $315
Total                                                 $311   $691  $1,713  $3,707  $7,039

(Source: Forrester Research, “Trends 2005: Security Convergence Gets Real”)