
HOW MUCH RISK IS TOO MUCH?
LEVERAGING IDENTITY GOVERNANCE TO MANAGE RISK

Sumner Blount, CA Technologies | 3 December 2015
WELCOME

• Have a question for the speaker? Text it in using the Ask A Question button!
• Audio is streamed over your computer
• Technical issues? Click the ? button
• Use the Feedback button to share your feedback about today's event
• Questions or suggestions? Email them to elearning@isaca.org

Use the Attachments button to find the following:
• PDF copy of today's presentation
• Link to the Event Home Page where ISACA members can find the CPE Quiz
• Upcoming ISACA events
• More assets from today's webcast
TODAY'S SPEAKER

Sumner Blount
Director of Security Solutions
CA Technologies
AGENDA

1. The application economy: effect on security
2. The rise of the business user
3. Functional requirements for the identity management & governance lifecycle
4. Don't forget privileged users
5. Key recommendations

My goal: to give you ideas (not answers) to take back to your own environment.
THE APPLICATION ECONOMY IS HERE

Half of enterprises today say the application economy is significantly disrupting their industry, while 44% say it is doing the same to their own organization.(1)
-- CA Technologies with Vanson Bourne

• 1.75B smartphone users in 2014 (1)
• 25 business apps per device (2)
• 50B connected devices (IoT) by 2020 (3)
• >$100B in cloud spending this year (4)

Apps are driving the business!

Sources:
1. CA Technologies / Vanson Bourne study
2. eMarketer study
3. McKinsey Global Institute, Disruptive Technologies: Advances that will transform life, business and the global economy, May 2013
4. GSMA Intelligence, From Concept to Delivery: The M2M Market Today, Feb. 17, 2014
WHERE DOES SECURITY FIT?

#1: Security concerns are the top obstacle in the app economy
-- CA Technologies with Vanson Bourne
© 2015 CA. ALL RIGHTS RESERVED.

The Traditional Approach to Security Is Bad for Business

NEW REALITY FOR SECURITY

Diagram (built up across five slides): Mobile / API / Web; Connected Apps / Devices; Cloud Services; On Premise Apps; Customers / Citizens; Partners; Employees / Administrators.

• Attacks will increasingly focus on individuals
• Applications move outside the perimeter to the cloud
• Existing and new applications are mobile first
• User experience will determine success
• Understanding and managing the identity context of the people and resources involved is key to the future of security
IDENTITY IS AT THE CENTER OF THE OPEN ENTERPRISE

Diagram: Connected Apps / Devices; Customers / Citizens; Employees / Partners, with identity in the middle.

• Who has access today?
• What can they do?
• How do we create new accounts?
• Who approves new access?
• How does a user update their data?
• How does a user reset credentials?
THE WORLD OF IDENTITY MANAGEMENT & GOVERNANCE… HAS GOTTEN MORE COMPLEX

IDENTITY MANAGEMENT IS SHIFTING FROM BEING IT-CENTRIC TO BUSINESS-CENTRIC…

IT-aware users → Business users & Customers (often mobile)

This evolution creates new requirements for capabilities and user experience.

BRIDGING THE GAP BETWEEN IT AND BUSINESS USERS

IT-aware users ↔ Business users
FUNCTIONAL REQUIREMENTS TO MEET THESE NEEDS

• One-stop shop for identity info
• Certification campaign workflow
• Business entitlements catalog
• Risk scoring & simulation
• User access requests & tracking
• Web & mobile launchpads
KEY CAPABILITY: BUSINESS ENTITLEMENT CATALOG

Moving from IT terms… to business terms, through a dictionary that maps raw entitlement names onto names a business user recognises:

IT terms                                  | Business term
SVRFin33_Access, VPN_TANT01_GROUP23       | Internet Access
SAP_View_Rep_BZ50, SAP_Portal_M45         | SAP CRM
HR_SEC_SYSJA01_RPTA, IM_PRVN_Portal_002   | HR Portal
BIZOBJ_AUDIT_J100I, AD_GROUP_002_All      | Online Payroll
ANOTHER KEY CAPABILITY: CONTEXTUAL, RISK-BASED SIMULATION AND ANALYSIS

Two key areas for risk-based analysis:

• Access requests and approvals
  • A risk score tells the user and the approving manager how risky and atypical the access request is.
  • Example: "Bob is requesting access to the Payroll app, but nobody else in Marketing has that access."

• User authentication
  • Analyze the current context (device, geolocation, time of day, user history) to determine the risk level of the authentication attempt.
  • If the risk is high, reject the request or require step-up authentication.
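The two analyses on this slide, as an added worked example that is not part of the webinar and not code from any CA Technologies product: a peer-group atypicality score for an access request (the "Bob in Marketing wants Payroll" case) and a contextual risk score for an authentication attempt that decides between allow, step-up and reject. The sample users, the high-risk entitlement tags, the weights and the thresholds are constructed for this example and are assumptions, not figures from the deck.

```python
"""Peer-group access-request scoring and contextual authentication risk.

Added illustration of the two risk-based analyses on the slide; not code from
CA Technologies or the webinar. All weights, thresholds and sample data below
are hypothetical choices made for this example.
"""
from dataclasses import dataclass, field

# Constructed sample data: department and currently held entitlements per user.
USERS = {
    "alice": ("Marketing", {"crm", "intranet"}),
    "carol": ("Marketing", {"crm", "intranet"}),
    "dave":  ("Marketing", {"crm"}),
    "erin":  ("Finance",   {"payroll", "intranet", "erp"}),
    "frank": ("Finance",   {"payroll", "erp"}),
    "grace": ("Finance",   {"payroll", "intranet"}),
    "bob":   ("Marketing", {"intranet"}),
}
# Entitlements the business has tagged as sensitive (hypothetical list).
HIGH_RISK_ENTITLEMENTS = {"payroll", "erp"}


@dataclass
class RequestScore:
    score: int                                  # 0-100, higher is riskier
    reasons: list[str] = field(default_factory=list)


def score_access_request(requester: str, entitlement: str, users=USERS) -> RequestScore:
    """Score how atypical an access request is relative to the requester's peers.

    The main signal is the fraction of peers (same department) who already hold
    the entitlement: a request that no peer holds is the "Bob wants Payroll but
    nobody else in Marketing has it" case and scores highest.
    """
    dept, _ = users[requester]
    peers = [u for u, (d, _) in users.items() if d == dept and u != requester]
    peers_with = sum(1 for u in peers if entitlement in users[u][1])
    peer_ratio = peers_with / len(peers) if peers else 0.0
    org_with = sum(1 for _, (_, ents) in users.items() if entitlement in ents)

    # Atypicality contributes up to 70 points; an entitlement nobody in the
    # organisation holds adds 10; a business-tagged sensitive one adds 20.
    score = round((1.0 - peer_ratio) * 70)
    reasons = [f"{peers_with} of {len(peers)} peers in {dept} hold '{entitlement}'"]
    if org_with == 0:
        score += 10
        reasons.append("no one in the organisation holds it yet")
    if entitlement in HIGH_RISK_ENTITLEMENTS:
        score += 20
        reasons.append("entitlement is tagged high-risk by the business")
    return RequestScore(min(score, 100), reasons)


@dataclass
class AuthContext:
    user: str
    device_id: str
    country: str
    hour: int                        # local hour of day, 0-23
    failed_logins_last_hour: int = 0


# Constructed per-user history: known devices, usual countries, usual hours.
HISTORY = {
    "bob": {"devices": {"laptop-1"}, "countries": {"US"}, "hours": range(7, 20)},
}


def score_authentication(ctx: AuthContext, history=HISTORY) -> tuple[int, str]:
    """Return (risk 0-100, decision) for one authentication attempt.

    Hypothetical thresholds: below 30 allow, 30-69 require step-up
    authentication, 70 and above reject. An unknown principal fails closed.
    """
    h = history.get(ctx.user)
    if h is None:
        return 100, "DENY"
    risk = 0
    if ctx.device_id not in h["devices"]:
        risk += 35                                   # unrecognised device
    if ctx.country not in h["countries"]:
        risk += 35                                   # geolocation outside history
    if ctx.hour not in h["hours"]:
        risk += 15                                   # outside typical hours
    risk += min(ctx.failed_logins_last_hour * 10, 30)  # recent failures, capped
    risk = min(risk, 100)
    if risk >= 70:
        return risk, "DENY"
    if risk >= 30:
        return risk, "STEP_UP"
    return risk, "ALLOW"


if __name__ == "__main__":
    r = score_access_request("bob", "payroll")
    print(f"bob -> payroll: score {r.score}; " + "; ".join(r.reasons))
    print(score_authentication(AuthContext("bob", "phone-9", "US", 10)))
```

In the request scorer the peer ratio is computed against the requester's own department; a real deployment would usually combine several peer groups (manager, job title, location) and let the approver see the reasons alongside the number. The authentication scorer is additive on purpose so that each context signal is auditable; the step-up band is where an extra factor is worth the friction, and the reject band is where no single factor should rescue the attempt.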
BUT, THE IT USER HAS NEEDS TOO!

• Fast provisioning
• Policy enforcement
• Fast ROI
• Low TCO
• Application connectivity
• Compliance reporting & auditing
THE IDENTITY MANAGEMENT & GOVERNANCE LIFECYCLE

Requirement: manage the entire user identity lifecycle, across both on-premise and Web apps, with a simple, intuitive, business-oriented user experience.

Diagram: Identity Management & Governance Lifecycle, wrapped in a Business-Oriented User Experience.
KEY IDENTITY MANAGEMENT CAPABILITIES

Management capabilities:
 Automated provisioning… to on-premise & cloud apps
 User self-service

Requirements:
• Broad support for provisioning connectors to enterprise apps
• Simple user self-service across devices

Business value:
 Increased efficiencies
 Reduced help desk costs
 Maintain business agility for cloud adoption
KEY IDENTITY GOVERNANCE CAPABILITIES

Governance capabilities:
 Role mining & analytics
 Privilege clean-up
 Access requests
 Automated access certifications

Requirements:
• Comprehensive role mining and ongoing privilege cleanup…
• Intuitive access requests and approvals

Business value:
 Simplifies user management
 Highlights improper entitlements
 Simplifies compliance
 Prevents policy violations
WHY ALSO GOVERN PRIVILEGED IDENTITIES? BECAUSE… BREACHES ARE BECOMING MORE FREQUENT AND DESTRUCTIVE

Cybercrime
• Target: 40 million payment cards and 70 million customer records stolen
• Home Depot: 56 million credit cards stolen
• JP Morgan Chase: 76 million account records stolen

Material impact to operations
• Code Spaces: forced out of business
• Sony Pictures: extensive disruption
• German steel mill: physical damage
• Saudi Aramco: physical systems damage and business disruption

Cyberespionage
• Anthem: 80 million personal records stolen
• Forbes.com and an unidentified health insurer: targeted information gathering on individuals (defense contractors, government workers)
PRIVILEGED IDENTITIES ARE THE PRIMARY ATTACK POINT

"Stealing and exploiting privileged accounts is a critical success factor for attackers in 100 percent of all advanced attacks, regardless of attack origin."
- Cybersheath Security Report, 2014
A DEFENSE-IN-DEPTH MODEL FOR BREACH PREVENTION

Identity Governance: access requests, risk analytics, certifications

Proxy-based Privileged Access Management (proxy-based security):
 Simple deployment
 Check-out/in of privileged passwords
 Controls which commands can be used
 Session recording for forensic analysis

Fine-grained Server Controls (host-based security):
 In-depth protection for critical servers
 Highly granular access controls
 Controls access to system resources such as files, folders, processes and registries

Together: DEFENSE IN DEPTH
RECOMMENDATIONS

ENGAGE WITH THE BUSINESS TO HELP DRIVE ADOPTION

Put user experience first!

• Sell to the business in the language they speak (SSO, access to apps, etc.)
• Good user experience → high adoption → increased consistency and efficiency across the organization
• Capture the business value and document the ROI
MAKE BUSINESS USERS RESPONSIBLE FOR GOVERNANCE

Help them "do the right thing"

• Keeps employees educated and vigilant about governance
• But keep them focused on the higher-risk access issues: this helps avoid the fatigue errors that come with certifying low-risk access
EXTEND GOVERNANCE TO PRIVILEGED USERS

Privileged accounts are your biggest risk!

• Adopt a least-privilege access model
• Consider a defense-in-depth approach:
  • Proxy model: simplest to deploy; provides good security
  • Server-based controls: strong, fine-grained controls for access to key servers
• Start with the proxy; evaluate the more sensitive systems for server controls
LET THE BUSINESS GOVERN THE PROCESS

The business cares about protecting the brand!

• Implement automated certification campaigns
  • The business knows best what access each user needs
• Have partners certify their user accounts as well
  • Unused partner accounts create risk
• Watch out for contractors
  • A common attack point for privileged access
CONSIDERATIONS SUMMARY

 Engage with the business to help drive adoption
 Make business users responsible for governance
 Extend governance to privileged users
 Let the business govern the process

And be prepared for increasing scale!
QUESTIONS?

THANK YOU FOR ATTENDING THIS WEBINAR
LEARN MORE @ WWW.ISACA.ORG/WEBINARS