Take Control of Identities & Data Loss
Vipul Kumra
Security Risks: Results
Whom should you fear the most when it comes to securing your environment?
> Hackers / script kiddies
> Insiders
> Ex-employees / disgruntled employees
> Organized, targeted crime
Example: Insider Abuse
Ram, the insider, gets fired and Shyam, the administrator, forgets to void Ram's (login) credentials. Ram goes home, logs into his work machine and takes some malicious action (introduces bugs into source, deletes files and backups, etc.).
Alternatively, Shyam might void Ram's credentials but forget that Ram also uses a shared group account (phew!!!).
Why do employees become disgruntled?
> Corporate layoffs/downsizing ("ex-rage" is now a major concern for industrial psychologists)
> Smaller annual raises than anticipated
> Passed over for promotion and advancement
> Racial/sexual discrimination and harassment
> and many more
What happens when they find new employment? What if the new employer is a competitor?
All of these security issues must be dealt with proactively.
Statistics
> Insider attacks account for as much as 80% of all computer and Internet related crimes [1]
> The majority of insiders are privileged users, and the majority of attacks are launched from remote machines [2]
Sources:
[1] Jim Carr. Strategies and issues: Thwarting insider attacks, 2002.
[2] National Threat Assessment Center. Insider Threat Study, http://www.ustreas.gov/usss/ntac_its.shtml
Why Is This So Hard?
> Many users: customers, employees, partners, contractors
> Many applications: finance, email, sales, CRM, ERP, expenses
> Many roles: incorrect privilege assignment, too many roles, users with too many roles
> Many processes: provisioning, help desk, certification, approval, administration, compliance
Identity Lifecycle Management
Identity Management
> Assign users to roles
> Apply role-based controls
> Provision users with approved accounts and privileges
> Manage change requests and approvals over time
> User self-service for passwords and registration
Role Management
> Understand what roles exist in the enterprise
> Establish a role model that fits the organisation
> Analyse and maintain the role model as the business evolves
Identity Compliance Management
> User and role entitlement certification
> Real-time identity policy checking
> Detect segregation of duties or other security violations
> Compliance reporting and dashboards
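The deprovisioning gap in the Ram/Shyam example and the compliance checks listed above (leaver accounts, shared credentials, segregation of duties) as an added example; this is not code from the deck. The HR feed, accounts, role names and conflict pairs are all constructed, and the shared account deliberately reproduces the slide's scenario: a leaver who still knows a shared credential that has not been rotated since he left.

```python
"""Added example (not from the deck): leaver deprovisioning and
segregation-of-duties checks over a constructed directory snapshot."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Account:
    name: str
    owner: str                       # HR person ID, or "shared" for a group account
    enabled: bool
    roles: set = field(default_factory=set)
    members: set = field(default_factory=set)      # people who know a shared credential
    last_password_change: date = date(2000, 1, 1)


# Constructed HR feed: person -> termination date, None while still employed
HR_FEED = {"ram": date(2024, 5, 31), "shyam": None, "priya": None}

# Constructed directory snapshot; "ram" was not disabled and still knows build-svc
ACCOUNTS = [
    Account("ram", owner="ram", enabled=True, roles={"developer"}),
    Account("shyam", owner="shyam", enabled=True, roles={"sysadmin"}),
    Account("priya", owner="priya", enabled=True, roles={"ap_clerk", "ap_approver"}),
    Account("build-svc", owner="shared", enabled=True, roles={"developer", "release"},
            members={"ram", "shyam"}, last_password_change=date(2024, 1, 15)),
]

# Role pairs one identity must never hold together (constructed SoD policy)
SOD_CONFLICTS = {
    frozenset({"ap_clerk", "ap_approver"}),   # enter and approve payments
    frozenset({"developer", "release"}),      # write code and ship it to production
}


def leaver_findings(accounts, hr_feed, today):
    """Remediation actions for people whose termination date has passed:
    disable their personal accounts, and rotate every shared credential they
    knew that has not been changed since they left."""
    leavers = {p for p, term in hr_feed.items() if term is not None and term <= today}
    actions = []
    for acct in accounts:
        if acct.owner in leavers and acct.enabled:
            actions.append(f"disable:{acct.name}")
        known_by_leaver = acct.members & leavers
        if known_by_leaver:
            earliest_exit = min(hr_feed[p] for p in known_by_leaver)
            if acct.last_password_change <= earliest_exit:
                actions.append(f"rotate:{acct.name}")
    return actions


def sod_violations(accounts):
    """(account, conflicting role pair) for every account holding both roles of a
    conflict pair. Shared accounts show up here too: nobody can say which member
    performed which half of the conflicting duty."""
    return [(a.name, tuple(sorted(pair)))
            for a in accounts for pair in SOD_CONFLICTS if pair <= a.roles]


if __name__ == "__main__":
    print(leaver_findings(ACCOUNTS, HR_FEED, date(2024, 6, 3)))
    print(sod_violations(ACCOUNTS))
```

Run against a real HR feed and directory export, the same two functions become the certification evidence the compliance slide asks for: the leaver list proves deprovisioning happened on time, and the SoD list is what a reviewer signs off on.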
The Application Security Silo Challenge
> High security administration costs
> Expensive coding and maintenance
> Poor user experience
> No centralized security enforcement
> No standardized security process
> No central auditing capability
[Diagram: each application (customer self-service and e-commerce for customers; CRM, ERP and HR for employees; partner extranet and SCM for partners) has its own security layer and its own user store (SunONE LDAP, SQL 2000, LDAP, Oracle OID, Oracle RDBMS, Active Directory, Oracle, operating system), so the same person, John Doe, is known by a different identifier in each: J_Doe, 121196, John Doe, A23JJ4, a PKI certificate, John_D, Johnd, a mobile phone.]
The Solution: Centralized Web Access Management
> Reduced administrative costs
> Reduced development costs
> Single sign-on and sign-off for users
> Faster application deployment
> Reduced risk / increased security
> Eased regulatory compliance
[Diagram: the same applications (customer self-service, e-commerce, CRM, ERP, HR, partner extranet, SCM) and user stores (SunONE LDAP, SQL 2000, LDAP, Oracle OID, Oracle RDBMS, Active Directory, Oracle, operating system), but with a single Web Access Manager as the security layer in front of all of them.]
Secure Web Business Enablement
Web Access Management
> Web SSO
> Authentication management
> Policy-based authorization
> Centralized auditing/reporting
Identity Federation
> Browser-based federation across domains
> Flexible options for partner enablement
SOA/Web Services Security
> Authentication of the requester based on message content
> Policy-based authorization
> XML threat prevention
> WS-* standards support
The Privileged User Challenge
Normal user
> Is identified
> Access is controlled
Privileged user (root, Administrator)
> Is anonymous
> Can bypass application security
> Can see and alter application data
> Can change system files
> Can change system configuration
> Can alter logs and erase records
[Diagram: the privileged user sits beneath both OS security and application security, with direct reach to customer data, critical services, files and logs.]
OS Access Management
Privileged superuser account: root on UNIX/Linux, Administrator on Windows
How is a server maintained? Administrators of different roles sharing access.
Issues
> Inability to segregate duties
> Lack of accountability
> Over-privileged users
> Outsider risk
[Before/after diagram]
Access Control Without Data Loss Prevention
Access to data is protected by OS access control and web access management, but there is no control over what can be done with the data once it has been accessed.
[Diagram: end user -> web access management -> application -> OS access control -> server]
Access Control With Data Loss Prevention
Access to data is still protected by OS access control and web access management; data loss prevention adds control over what end users can do with data that they have legitimately accessed.
[Diagram: a single policy drives web access management, OS access control and data loss prevention across end user, application and server]
DLP: Protect Data Everywhere
> Network: email (SMTP), files (FTP), IM, web (HTTP) and others
> Endpoint (desktops, laptops): email, web use, saving files, printing files, launching programs
> Message server: message servers (Exchange, Domino)
> Stored data: shared folders, file and document repositories, public folders and other
Data & Resource Protection: Comprehensive Approach
Server Access Management
> Fine-grained access control
> Policy-based management
> Secure policy-based reporting
Data Loss Prevention
> Host protection against data loss
> Data at rest (stored data)
> Data in motion (email, web ...)
> Data in use (saving, printing ...)
> Data to supervise (review, tag ...)
Why Log Management Matters to Compliance
It is mandatory. Why?
> SOX Section 404: demands controls and consistent processes
> NIST 800-53: AU-6 regular audit review; AU-9 protects audit information from unauthorized access, modification and deletion
> COBIT: use logging and monitoring to detect abnormal activities
> PCI DSS Requirement 10: track and monitor all access to network resources and cardholder data
> ISO 17799: 10.10.1 establish and maintain audit logs; 10.10.3 protect logging facilities and log data
Logs show how critical data is used and who uses it:
> Who created that user?
> When was privileged access granted? When was it removed?
> Who has accessed this data?
> Did someone delete the security log?
Logs help to investigate why performance is degraded or a service failed:
> Did the configuration change? When was it changed, and by whom?
> Why can't the app server connect to the DB?
> When did the route change?
> What error is the web server giving?
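The slide's questions (who created the user, when privileged access was granted and removed, whether the security log was cleared) answered over a log, as an added example that is not from the deck. The records are constructed and simplified: their event IDs follow the Windows Security log (4720 user created, 4728/4732 member added to a group, 4729/4733 member removed, 1102 audit log cleared), but the field names, timestamps and account names are ours, and the set of "privileged" groups is an assumption.

```python
"""Added example (not from the deck): answering audit questions over a
constructed, simplified security log."""
from datetime import datetime

# Assumption for this example: membership in these groups is privileged access
PRIV_GROUPS = {"Administrators", "Domain Admins"}
GRANT_IDS = {4728, 4732}     # member added to a global / local security group
REMOVE_IDS = {4729, 4733}    # member removed from a global / local security group
USER_CREATED = 4720
LOG_CLEARED = 1102

# Constructed sample log, oldest first. Note the two-week silence and the
# log-clear event that precedes ram's removal from Administrators.
EVENTS = [
    {"time": "2024-06-01T08:02:11", "id": 4720, "subject": "shyam", "target": "ram"},
    {"time": "2024-06-01T08:03:40", "id": 4732, "subject": "shyam", "target": "ram", "group": "Administrators"},
    {"time": "2024-06-01T08:05:02", "id": 4728, "subject": "shyam", "target": "priya", "group": "Finance"},
    {"time": "2024-06-14T17:45:19", "id": 1102, "subject": "ram"},
    {"time": "2024-06-14T17:50:31", "id": 4733, "subject": "shyam", "target": "ram", "group": "Administrators"},
]


def who_created(events, user):
    """Who created that user? -> (creator, time), or None if no creation event."""
    for e in events:
        if e["id"] == USER_CREATED and e.get("target") == user:
            return e["subject"], e["time"]
    return None


def privileged_access_timeline(events, user):
    """When was privileged access granted and removed? -> [(time, action, group, by)].
    Membership changes in non-privileged groups (e.g. Finance) are ignored."""
    timeline = []
    for e in events:
        if e.get("target") != user or e.get("group") not in PRIV_GROUPS:
            continue
        if e["id"] in GRANT_IDS:
            timeline.append((e["time"], "granted", e["group"], e["subject"]))
        elif e["id"] in REMOVE_IDS:
            timeline.append((e["time"], "removed", e["group"], e["subject"]))
    return timeline


def log_clear_events(events):
    """Did someone delete the security log? -> [(time, who)] for every clear event."""
    return [(e["time"], e["subject"]) for e in events if e["id"] == LOG_CLEARED]


def silent_gaps(events, max_gap_hours=24):
    """Silences longer than max_gap_hours between consecutive events. A security
    log with no events for days usually means tampering or a broken collector,
    which is what AU-9 / ISO 10.10.3 are about. -> [(from, to, hours)]"""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        delta = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
        hours = delta.total_seconds() / 3600
        if hours > max_gap_hours:
            gaps.append((prev["time"], cur["time"], round(hours, 1)))
    return gaps


if __name__ == "__main__":
    print(who_created(EVENTS, "ram"))
    print(privileged_access_timeline(EVENTS, "ram"))
    print(log_clear_events(EVENTS))
    print(silent_gaps(EVENTS))
```

The point of the last function is the one the compliance list makes implicitly: a log you can query is only evidence if you can also show it was not truncated, so gap detection belongs next to the "who did what" queries, not as an afterthought.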
Security Information Management
Enterprise-wide IT activity visibility and awareness
Enterprise Log Management
> Collect log data
> Aggregate and analyze logs
> Visualize compliance, security and risk posture
> Prove compliance
> Deliver rapid time-to-value
> Provide lower total cost of ownership
Content Aware Identity and Access Management
Content Aware IAM allows controlling identities, their access, and how they can use the information they access.
> Control identities
> Control access
> Control information
The control you need to confidently drive business forward.
Content Aware adds additional checks based on the content within the application
Traditional Web Access Management: user -> authorization check -> requests -> web content. It examines whether the user is authorized for the application.
Content Aware IAM: user -> authorization check -> content check -> requests -> web content. It examines whether the content within the application is appropriate for this user.
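The two-stage decision in the diagram above, plus the DLP point from the earlier slides (controlling what a user may do with data once legitimately accessed), as an added example that is not code from the deck. The application name, role names, label policy, actions and sample text are constructed; the card-number detector is a pattern match confirmed with the Luhn checksum so that ordinary digit runs such as order numbers do not trigger the policy.

```python
"""Added example (not from the deck): a content-aware authorization decision
that layers a content check on top of a WAM-style application check."""
import re

# 13 to 19 digits, optional single space or dash between digits, starts and ends on a digit
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_pan(candidate):
    return luhn_ok(re.sub(r"\D", "", candidate))


def classify(text):
    """Labels present in the content. Only Luhn-valid digit runs count as PAN."""
    labels = set()
    if any(is_pan(m.group()) for m in CARD_RE.finditer(text)):
        labels.add("PAN")
    if re.search(r"\bCONFIDENTIAL\b", text):
        labels.add("CONFIDENTIAL")
    return labels


def redact(text):
    """Mask Luhn-valid card numbers; leave other digit runs untouched."""
    return CARD_RE.sub(lambda m: "[PAN REDACTED]" if is_pan(m.group()) else m.group(), text)


# Stage 1, traditional WAM: which roles may use the application at all (constructed)
APP_ROLES = {"crm": {"sales", "support", "finance"}}

# Stage 2, content check: per label, which roles may take each action on it (constructed).
# A failed 'view' is redacted rather than denied so the rest of the page still works;
# a failed 'email' or 'print' is the DLP block from the earlier slides.
LABEL_POLICY = {
    "PAN":          {"view": {"finance"}, "email": set(), "print": set()},
    "CONFIDENTIAL": {"view": {"sales", "support", "finance"}, "email": {"finance"}, "print": {"finance"}},
}


def decide(user_roles, app, action, content):
    """Return (decision, reason) where decision is 'deny', 'redact' or 'allow'."""
    if not user_roles & APP_ROLES.get(app, set()):
        return "deny", "not authorized for application"          # traditional WAM outcome
    for label in sorted(classify(content)):                       # content-aware step
        if not user_roles & LABEL_POLICY[label].get(action, set()):
            if action == "view":
                return "redact", f"{label} not viewable by role"
            return "deny", f"{label} may not be {action}ed by role"
    return "allow", "ok"


if __name__ == "__main__":
    sample = "Customer card 4111 1111 1111 1111 on file"        # constructed test number
    for roles, action in (({"sales"}, "view"), ({"finance"}, "view"), ({"finance"}, "email")):
        print(roles, action, decide(roles, "crm", action, sample))
    print(redact(sample))
```

A sales user who is fully authorized for the CRM still does not see the card number, and even a finance user who may view it is stopped from emailing it: the first decision is the traditional WAM check, the second and third are only possible because the enforcement point looks at the content.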
Cloud Adoption & Security
1. Extend security to the cloud
2. Security for the cloud
3. Security from the cloud
Trust models will need to change.
Extend Enterprise Security to the Cloud
Enterprises want to use more and more SaaS applications and cloud services.
[Diagram: the enterprise LAN holds the corporate directory, an identity provider and in-house applications, serving local and remote users; the IAM functions of single sign-on, provisioning, attestation, information control and auditing are extended out to public cloud services.]
Security for the Cloud
> Organizations and service providers will build their own clouds leveraging virtualization
> Security and management of virtualization will be critical
> Manage complexity with automation and extended policy management
[Diagram: an on-premise private cloud and a public cloud, each running applications for customers 1, 2 ... n on a hypervisor, with IAM spanning both.]
Security from the Cloud
Cloud-based identity management services will emerge as the trust model changes and cloud relationships become more complex.
[Diagram: IAM as a Service in the public cloud (identity verification, strong authentication) alongside the enterprise LAN's corporate directory, identity provider and in-house applications, with the IAM functions of single sign-on, provisioning, attestation, information control and auditing.]
In Summary
Of course, this does not cover everything. Traditional security (backups, business continuity, disaster recovery, antivirus, firewalls) still exists.
> Identity management
> Data protection
> Access control
> Strong authentication
> Governance
Really it comes down to two aspects, TRUST and RISK, and finding the right balance.
thank you