GOVERNMENTWARE Identity Management in an Ever-Changing Environment

Transcription

1 GOVERNMENTWARE 2010 Strategic Security: Finding the Right Balance Identity Management in an Ever-Changing Environment Winston Chew CISM, CISSP, GCIH, OPST Page 1

2 About the Speaker Winston Chew Background 15 years in the industry Experience includes perimeter defence, security/risk assessment, consultancy, incident management, identity management, forensics investigation, security operations, security product and service evaluation, vendor management and regulatory compliance. Education / Certification National University of Singapore Master degree in Management of Technology Nanyang Technological University Bachelor degree Computer Engineering CISM, CISSP, GCIH and OPST Work History Barclays (Global Retail Bank) - Current Application Security Manager, responsible for global application security program Merrill Lynch (ML) - Bank of America Vice President, responsible for Information Security and Privacy in Singapore United Overseas Bank Head of IT Security Surveillance, responsible for monitoring external and insider threats Deutsche Bank Regional Head of Identity Management (Security Operations), looking after Asia Pacific Keppel-Tat Lee Bank OCBC Security Manager DSO National Laboratories research in Information Security for MINDEF Page 2

3 Identity Management Simple and yet Complicated Every information security technology revolves around protecting information from unauthorized access and providing access to authorized personal. Identity Management is vital to protecting data Simple Objective Giving the right people the right access at the right time! Not so simple solution An issue in almost every audit report! So simple and basic? How complicated can it be? Negligence? Overlooked? Unimportant? No value add to business? What are the challenges? Nobody trips over mountains, it is the small pebble that causes you to stumble Page 3

4 Ever-Changing Enterprise Environment Merger and Acquisition Part of corporate world How many thousand accounts do you want deleted? Outsourcing / Off-shoring Business / Non-core functions / Operations Managing external party access? Restructuring / Right sizing New Management / New Business Strategy Changes in roles? Service not required? Identity Life Cycle Staff Turnover - 10%-20% or more? Joiners/Leavers/Transfer/Extended Leave Local / Regional / Global offices Identity management of remote users Time difference challenge Giving the right people the right access at the right time! Right People How many people do you have? Who are the right people? Right Access How many system do you have? Are the access authorized? Who can authorize? What is the right access? Right Time Is the people inventory up-to-date? Is your system inventory up-to-date? Should the access be granted at this time? Timely disabling / deletion Page 4

5 Identity Management In the Real World Hypothetical Scenario Banking Environment 6,000 staff in region Acquire and sell business entity, restructuring, off-shoring, outsourcing, etc Spans across 15 countries, different time zones 400 business applications Operating System / Database / Network SLA/OLA Consideration Critical business apps immediate, 1 hr, 1-3 days User ID/Application ID/Support ID/System ID/ Admin ID/Certificates Creation / Deletion / Modify ACL / Password Reset / Enable 50,000 accounts 8,000 12,000 account admin operations monthly Still a simple Identity Management problem? What about your organization? How big is your Identity Management Challenge? Page 5

6 People Strategy Management Support Policy / Standard responsibility enforcement at different levels users, managers, information owners Accountability Carrot / Stick Management support to follow through Awareness Training Communicate Policy / Standards / Regulations Sharing of Password? Sticky Pads? Periodic basis Handling Different Parties Insider Threats / External Threats negligence/malice Internal ( Perm / Contractors ) Security briefing, employment letters, regulations Malicious Administrators External ( Vendors / Partners / Customers ) External Threat, Legal Contract Controlled vendor access, per approval, etc. Role Based Control Access Control Matrix Role Definition and Assignment Segregation of Duties Maker / Checker Dual Control Independent Monitoring Need to have basis Major Organization Changes Merger & Acquisition, etc. Taking over vendors Taking over systems Taking over new users Outsource / Internal / Automate Outsource You can t outsource responsibility Internal admin team - A substantial team size Managing human aspects Business Case Cost / Benefit business case Demonstrate return on investment Up-front and on-going cost Resource is limited, where to invest? Page 6

7 Process Strategy Leaver / Joiner / Transfer Process Network ID, how about other accounts? HR system feed? Transfer notification? Registration / Authorisation Process Key control function HR / Line Manager? System Owner / Data Owner? Tracking approver changes? Password / Certificate Refresh Admin/application/service/support account Certificate Recertification / Re-accreditation Role Change? Internal Transfers? Generate user access listing periodically for revalidation. Time / Resource involvement Identity Management Model Centralized Consistent Control, Economy of Scale Distributed - Know the system better, faster turnaround Country Regulatory / Privacy Laws Can you remotely administer Korea, Indonesia, Switzerland, Russia, etc. Effective SLA / OLA management Timely Tracking and reporting Resources to support SLA/OLA Privileged Access Admin/Application/Service/Support Developers access to production? How many administrators do you have? Limit exposure window Separate Account for administration Audit Readiness How many audits do you have a year? Almost every audit is an identity management audit Regulatory (x number of countries) Internal, External, Compliance Formalize account admin procedure Plan resource to manage audit Demonstrate compliance, be audit ready! Page 7

8 Technology Strategy Automation Don t automate a broken process Relook/Streamline Request workflow automation Automate account creation/removal Application/OS/ Password Self-Service reset / auto re-enable Recertification / Re-accreditation user listing and access control revalidation for system and applications major exercise Tracking how many accounts Influence a standardized naming convention? Stale account disable / remove Robust Simple and easy to maintain No single point of failure Have a backup plan and test it! Scalable Regional / Global / Remote site New Applications / Systems, Upgrades, etc Privileged Access Control Gateway Access - Access control / monitoring Privileged Password Repository Limit exposure window Lodge / Draw / Reset Directory Services Influence application development NIS+, AD, etc. Enterprise Single Sign On Benefit - One account, lower overhead, etc. Risk - Single point of failure, focal point of attack Client-side SSO, Server-side SSO Strong Authentication Upstream/Downstream Integration HR system, org chart, leavers / joiners Inventory system, new system / decommission SIEM, Fraud, CIRT Page 8

9 Finding the Right Balance Giving the right people the right access at the right time! Environment Ever Changing Merger and Acquisition Outsourcing / Off-shoring Restructuring / Right sizing Identity Life Cycle Local / Regional / Global offices People Management Support Awareness Training Handling Different Parties Role Based Control Segregation of Duties Major Organization Changes Outsource / Internal / Automate Business Case Process Leaver / Joiner / Transfer Process Registration / Authorisation Process Password / Certificate Refresh Recertification / Re-accreditation Identity Management Model Country Regulatory / Privacy Laws Effective SLA / OLA management Privileged Access Audit Readiness Technology Automation Robust Scalable Privileged Access Control Directory Services Enterprise Single Sign On Upstream/Downstream Integration Page 9