Identity & Access Management The Cloud Perspective. Andrea Themistou 08 October 2015

Size: px

Start display at page:

Download "Identity & Access Management The Cloud Perspective. Andrea Themistou 08 October 2015"

Ruby Banks
8 years ago
Views:

1 Identity & Management The Cloud Perspective Andrea Themistou 08 October 2015

2 Agenda Cloud Adoption Benefits & Risks Security Evolution for Cloud Adoption Securing Cloud Applications with IAM Securing Cloud Platforms with IAM IAM Deployment Models Deloitte MCS Limited. All rights reserved

Applications with IAM Securing Cloud Platforms with

Enterprise IT Evolution Cloud computing: a model for enabling ubiquitous, convenient, on-demand access to a shared pool of configurable computing resources.

3 Enterprise IT Evolution Cloud computing: a model for enabling ubiquitous, convenient, on-demand access to a shared pool of configurable computing resources. 3 Desktops Mobile from anywhere with any device Elasticity Datacentre apps Datacentre servers Cloud (SaaS) Cloud (PaaS, IaaS) Reduced development and administration cost Reduced Time-to value Reduced capital expenditure on IT hardware Low development and maintenance costs Deloitte MCS Limited. All rights reserved

3 Desktops Mobile from anywhere with any device Elasticity Datacentre apps Datacentre servers Cloud (SaaS) Cloud (PaaS,

4 Cloud Adoption Risks Architecture Lack of proper isolation for sensitive data due to multi-tenancy in cloud Data Management Unauthorized access or inappropriate use of sensitive data Compliance Limitations on ability to monitor compliance of cloud components Application Security Failure to secure interfaces between cloudbased and traditional applications Cloud Security Risks Management Inability to restrict access or implement segregation of duties for cloud provider Business Processes Malicious insiders with administrative access to cloud components Governance Failure to evaluate and monitor usage of cloud Encryption Lack of controls to prevent cloud provider from accessing encryption keys Deloitte MCS Limited. All rights reserved

Security Risks Management Inability to restrict access or implement segregation of duties for cloud provider Business Processes Malicious insiders with administrative access to cloud

Latest Security Breaches Top Data Breach Incidences By Source [1st Jan 30th Sep] Malicious outsider (60%) Accidental loss (23%) Malicious insider (13%) Hacktivist (2%) State sponsored (2%) Ebay

5 Latest Security Breaches Top Data Breach Incidences By Source [1st Jan 30th Sep] Malicious outsider (60%) Accidental loss (23%) Malicious insider (13%) Hacktivist (2%) State sponsored (2%) Ebay Identity Theft 145 million records stolen Ashleymadisson.com Identity Theft 37 million record stolen Gmail Account 5 million records stolen Facebook Account 6 million records stolen Hacking Team Existential Data 400GB data stolen Deloitte MCS Limited. All rights reserved

6 Agenda Cloud Adoption Benefits & Risks Security Evolution for Cloud Adoption Securing Cloud Applications with IAM Securing Cloud Platforms with IAM IAM Deployment Models Deloitte MCS Limited. All rights reserved

7 Security Architecture Evolution Security perimeter surrounds organisation Old Architecture Security based on identity and data, not on perimeter New Architecture - IAM Trusted Untrusted - Trusted Deloitte MCS Limited. All rights reserved

data, not on perimeter New Architecture - IAM Trusted

8 IAM Capabilities Identity & Management is the security discipline that enables the right people to access the right resources at the right time. User Lifecycle Management: Centralised administration of users, user account provisioning, role based access controls. Governance: Audit and regulatory compliance through access reviews and policy enforcement. Management: Authentication mechanisms, Single Sign-On, administration of access, password management. Federation: Enabling access to internal / external systems without creating identities (based on virtual trust model). Privileged Management: control and monitoring for privileged accounts Deloitte MCS Limited. All rights reserved

Governance: Audit and regulatory compliance through access reviews and policy enforcement.

9 Agenda Cloud Adoption Benefits & Risks Security Evolution for Cloud Adoption Securing Cloud Applications with IAM Securing Cloud Platforms with IAM IAM Deployment Models Deloitte MCS Limited. All rights reserved

10 Traditional IAM IAM solution example Requestor Approver System Admin. User Manager Business Apps Governance Identity Manager Certification Segregation of Duties Centralised User Administration User Account (De)Provisioning User Target Systems Automatic Revocation Reporting Request and Approval Role Based Provisioning User Identities Permissions for business Apps Identity Store Internal/ External users Deloitte MCS Limited. All rights reserved

Administration User Account (De)Provisioning User Target Systems Automatic Revocation Reporting Request and

11 Securing Cloud Applications with IAM IAM solution example Build level of trust with Cloud provider Audit log for cloud application access Governance Certification Segregation of Duties Automatic Revocation Reporting Requestor Approver Identity Manager Centralised User Administration User Account (De)Provisioning Request and Approval Role Based Provisioning System Admin. User Manager/Federation User Cloud User User Identities Secure data access with Business resource level Apps access control Reduce Cloud licence costs by automated deprovisioning Target Systems Permissions for business Apps Identity Store Internal/ External users Cloud Systems Permissions for SaaS Apps Deloitte MCS Limited. All rights reserved

User authentication Application Service Provider (e.g. Cloud SaaS) 2. Application Redirects user to IdP 4.

12 Federation Set of policies, processes and technologies that establish a level of trust between enterprises to allow users to access online applications & services 1. User accesses application URL 5. User is logged in the application 3. User authentication Application Service Provider (e.g. Cloud SaaS) 2. Application Redirects user to IdP 4. IdP sends federation message (includes user ID, name, etc.) Trust relationship Identity Provider (owner of identity and credentials) Deloitte MCS Limited. All rights reserved

13 Agenda Cloud Adoption Benefits & Risks Security Evolution for Cloud Adoption Securing Cloud Applications with IAM Securing Cloud Platforms with IAM IAM Deployment Models Deloitte MCS Limited. All rights reserved

14 Securing Cloud Platforms with IAM IAM solution example Use advanced authentication to prevent password breaches Use session recording to deter and detect malicious activities Developer / DBA MFA Auditor Privileged Identity Manager Policy Based Restriction Activity Monitoring IT Personnel Privileged SSO Biometrics One-time password Secure Storage - Password Vault Eliminating Hard-coded Passwords External Vendors Business Systems Privileged Accounts Eliminate Cloud provider shared accounts Eliminate Cloud provider default passwords Deloitte MCS Limited. All rights reserved

Privileged SSO Biometrics One-time password Secure Storage - Password Vault Eliminating Hard-coded Passwords External Vendors Business Systems

15 Agenda Cloud Adoption Benefits & Risks Security Evolution for Cloud Adoption Securing Cloud Applications with IAM Securing Cloud Platforms with IAM IAM Deployment Models Deloitte MCS Limited. All rights reserved

17 Conclusion 80% of data breaches would have been stopped or forced to change tactics if a "suitable password replacement (such as MFA) had been used. Verizon 48% of data breaches were caused by privileged misuse Cyberark 29% of data breaches caused by internal employees due to lack of internal controls Online Trust Alliance Deloitte MCS Limited. All rights reserved

Verizon 48% of data breaches were caused by privileged misuse Cyberark 29% of data breaches

Deloitte MCS Limited Stonecutter Court 1 Stonecutter Street London EC4A 4TR Andrea Themistou Consulting Cyber Risk Services Tel. +442079363000 Mob. +442075831198 www.deloitte.com athemistou@deloitte.

19 Deloitte MCS Limited Stonecutter Court 1 Stonecutter Street London EC4A 4TR Andrea Themistou Consulting Cyber Risk Services Tel Mob athemistou@deloitte.com Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited ( DTTL ), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of DTTL and its member firms. Deloitte MCS Limited is a subsidiary of Deloitte LLP, the United Kingdom member firm of DTTL. This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte MCS Limited would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte MCS Limited accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication Deloitte MCS Limited. All rights reserved. Registered office: Hill House, 1 Little New Street, London EC4A 3TR, United Kingdom. Registered in England No

independent entity. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.

Introductions. KPMG Presenters: Jay Schulman - Managing Director, Advisory - KPMG National Leader Identity and Access Management

Introductions. KPMG Presenters: Jay Schulman - Managing Director, Advisory - KPMG National Leader Identity and Access Management Introductions KPMG Presenters: Jay Schulman - Managing Director, Advisory - KPMG National Leader Identity and Access Management Agenda 1. Introduction 2. What is Cloud Computing? 3. The Identity Management