Identity and Access Management in the Commonwealth

Transcription

1 Identity and Access Management in the Commonwealth Erik Avakian, CISSP, CISA, CISM, CGCIO Chief Information Security Officer Commonwealth of Pennsylvania William (Bill) Harrod, CISSP Cyber-Security Advisor, Public Sector CA Technologies

2 What s the Big Deal? 20% of all the malware ever created appeared 43% of all companies experienced a data breach Cyber security finally becomes personal 2014 and 15 were epic years for data breaches

3 Notable 2015 Cyber Events

4 Trending Phishing Attacks Remains the top worldwide online threat and remains a big issue for state government Tricks users into revealing information that can be used against them Conducted over , over phone, in person Key component of identity theft: Worldwide losses more than $7 billion in 2015 Spear Phishing on the rise with data breaches and used to carry out extremely sophisticated attacks

5 Classic Real Phishing Example

6 Classic Real Phishing Example

7 Ramifications for the User

8 First Lines of Defense End users are our first lines of defense. Every day, hackers attack our end users with phishing s luring them to click. If users fall victim, passwords and data can be compromised or systems infected. While we have protection in place, some malicious s make it through.

9 To the Insider Threat 59% of employees steal proprietary corporate data when they quit or are fired End users continue to be the first layer of defense & weakness

10 Trending - Online Extortion Ransomware & Online Extortion Code is delivered via phishing attacks or illegitimate downloads or compromised websites Malware locks screens, encrypts files and extorts a fee before giving users the key needed to get their data back. CryptoWall, CryptoLocker, CoinVault, Bitcryptor

11 Trending - Online Extortion Ransomware & Online Extortion

12 Trending - Online Extortion

13 IAM Strategy Strategy: Implement enterprise access services to enhance services and bolster security Three Focus Areas Risk Based Authentication Multi Factor Implementation Unified Directory Services (Single Face of Government) Privileged User Management 13

14 Alignment with the Business Security Governance Build a culture of situational and risk awareness Enhance enterprise security services and posture Develop robust enterprise security situational awareness and response

15 What is Multi-Factor Authentication?

16 Multi-Factor Authentication Current Status: TBC by June 30th Second Factor Authentication methods: Soft Token with secondary authentication with two choices Security Question & Answer Security One-Time Password (OTP) Over SMS 16

17 Multi-Factor Authentication

18 Unified Directory Services Objectives Provide streamlined and efficient access to online services by using a single secure online credential across programs. Reduce fraud and false, stolen and outdated identities by identity verification and identity proofing users. Benefits: Enables seamless and secure access for citizens to access government services online. Enables citizen interaction to increase trust and embrace transparency Building block for enabling a one stop shopping experience for the citizens One user credential across many apps

19 The Problem a Silo d Approach Duplication of effort and cost: Agency applications developed with own custom-built security models Reinventing the same basic IAM service at agency or application level = paying for it over and over leads to increased cost Multiple userids and passwords: One set for one agency and a different set for another agency Registration of users to a given agency or to a given application Maintaining multiple copies of same basic/common data over and over Security implementations: Inconsistent levels depending on skill of developer Inconsistent application of enterprise policies and standards (userid, password, data protection, etc.) 19

20 Current State

21 Unified Directory Services Current State: Silo ed Hard to enforce security standards Multiple identities Duplication of data 67+ separate user repositories Future: Unified and Manageable Single multi-agency use of digital identity Shared identity data across all agencies Identity is verified

22 The Solution Enterprise Services Consolidation of effort and lower cost: Agency applications developed with standardized security models Application development simplified by integrating with existing enterprise services, less custom development needed lower cost Maintaining single instance of the basic IAM service resulting in lower cost Shared userids and passwords: Single sign on Authentication controlled at enterprise for all applications; authorization controlled by the agency Registration of users once with sharing of same basic/common data Security implementations: Enterprise-level security implementation Consistent application of enterprise policy and standards (userid, password, data protection, etc.)

23 Enterprise Strategy Goals/Strategy: Shared Enterprise Directories (e.g. employees, business partners and citizens) Shared Enterprise Account Management (provisioning, password management, deprovisioning, verification, etc.) Shared Authentication Model with Multi-Factor Authentication 23

24 CoE Managed SiteMinder, Risk Based MFA Governance Provisioning/de-provisioning User management Password change/account recovery Identity verification Multi-factor authentication Agency (NewApp ) New applications are to be developed with these Existing /Legacy applications will be required to integrate with at their next technology refresh cycle Agency (NewApp ) Agency (NewApp ) Agency (Legacy ) Agency (Legacy ) Directory Services (GOTIME Initiative) Phase 1

25 CoE Managed SiteMinder, Risk Based MFA Governance Provisioning/de-provisioning User management Password change/account recovery Identity verification Multi-factor authentication Agency (NewApp ) New applications are to be developed with these Existing /Legacy applications will be required to integrate with at their next technology refresh cycle Agency (NewApp ) Agency (NewApp ) Agency (Legacy ) Agency (Legacy ) Directory Services (GOTIME Initiative) Phase 2

26 Unified Directory Services Why is this important? Unified Directory Services streamlines citizen access to services and will help get Pennsylvania closer to the single checkout Amazon-like shopping experience

27 So again From this.

28 CoE Managed SiteMinder, Risk Based MFA Governance Agency (NewApp ) Agency (NewApp ) Agency (NewApp ) Agency (Legacy ) Agency (Legacy ) Directory Services Phase 2

29 Final Thoughts What can we expect going forward? Much more cyber crime! Higher frequency of breaches due to the Internet of Things (IoT) Attacks will get much more sophisticated & targeted State Governments are a target.

30 28 INAMOIBW?

31 28 Months

32 28 Months is the Average Tenure for a Large Agency CISO

33 I N A M O I B W

34 IT S NOT A MATTER OF IF BUT WHEN It s not a matter of if but when That you will be attacked NOT, that the bad guys will succeed

35 How to Protect your Enterprise Move from NO to KNOW KNOW who your users are and what they can access Stronger User Authentication Passwords are dead Risk based Authentication Risk Score Behavior Based Authentication Is this typical Stronger user Identity Governance Limit Scope and clean up ghost accounts

36 Be Flexible, Nimble, and Adapt KNOW the Impact of Changing & Emerging Technologies Cloud, Mobility, AaaS (anything as a service) Security Frameworks are good, but not enough be compliant, but more dynamic adaptive, adjusted controls are the new normal Beware of Shadow IT Dropbox, AWS, Next App

37 3 Things you can do tomorrow KNOW your greatest risks and ACT 1. filter / block rules DMARC* Reduces spam and phishing attacks by 80-90% 2. Set up an Inter-Agency ISAC information sharing & analysis center - work together to share threat and vulnerability information 3. Adopt a risk management driven security posture *

38 Q&A?