Identity, Governance and Administration as forefront of IT Security model: European and North American Experience
Vladislav Shapiro
Director of Identity Practice – IGA
Dell/Immersion Consulting
Established in 1995, Orient Logic is a leading IT company and system integrator in Georgia.
Discussion points
• Current state of affairs in IT Security
• Basics of Identity Governance Administration
• Connecting the dots: agile I-G-A
• Use cases – Government of Austria, Bayern Department of Justice and State of Alabama
Current State of Affairs in IT Security
IT Security realities of today
• Change of focus: from protecting the perimeter (external only) to the governance of the whole infrastructure (internal and external)
• Change of mentality: from “castle under siege” to “enemy is already here”
• Main external goal: advanced threat protection
• Main internal goal: IGA – Identity Governance and Administration
• Shift from pure technical-based to business and human factor focused solutions
WHO ARE THE “BAD GUYS”?
ATTACKS ALWAYS RELY ON INTERNAL PROCESS FLAWS
• No established business process for granting rights to individuals
• Lack of governance, access controls and monitoring
• No actionable reporting
IGA SHOULD BE READY FOR ADVANCED THREATS
[Diagram: IGA and ATR]
Best response practice: ATR + IGA
[Diagram: incident response flow. Labels:]
• Pre-Incident Preparation
• Detect
• Triage
• Collect Data: Volatile Data, Forensic Dup., Network Traffic
• Perform Analysis
• Take Action: Admin and Legal
• Reporting
• Incident Occurs: Point-In-Time or Ongoing
• Remediation: Technical Recovery from the Incident
• Status Reporting
[Diagram: Identity Governance and Administration central authority. Labels:]
• Data feeds
• Targets/Applications/Devices
• Account checks, access freeze, risk-based provisioning
• Notifications, access restore and provisioning
• Identity Data Sync
Basics of Identity Governance and Administration (IGA)
Three dimensions of IGA
• I - Identity Management
• G - Governance, Risk and Compliance (GRC)
• A – Administration – Access Management and Provisioning
Main challenge: Make all three components connected to work as one
Three forces of IGA in your enterprise
• Identity owners (HR, Identity suppliers) - I
  – Responsibilities: manage identities, organization charts
  – Goal: make sure that identity and organization information is up to date
• Business owners (C-level managers, PM, compliance officers) - G
  – Responsibilities: manage all business-related matters, including governance, risk and compliance
  – Goal: make business successful and customers happy
• Technology owners (System admins, DB admins, etc.) - A
  – Responsibilities: support business with technology
  – Goal: All systems should be up and running 24-7 with no downtime
Identity Posture - how to evaluate
• Identity Posture is about how connected and in-sync three forces are
  – Three forces collaboration
  – Maturity of each force
• Identity Posture is about measuring maturity of
  – Identity model
  – Governance model
  – Administration model
• Identity Posture is about how enterprise can handle CHANGES
  – Identity updates
  – Governance processes restructuring
  – Administration redesigning
Connecting the dots – agile IGA
Connected I-G-A goal – be agile
• All elements are connected into one solution where each responsible person is a contributor to the system
• Each contributor has means to configure his/her own IGA elements within his knowledge
• IGA project should have short length phases with clear achievable milestones
[Diagram: Identity (I), Governance (G), Administration (A)]
Identity goal – enterprise visibility
Managers should easily see all the entitlements of an employee in one clear view
• Actionable
• All logical, physical systems, resources and assets.
Identity goal – separate business and technical views
• Business view
• Technical view
Governance goal – give dashboard views for current status visibility
Managers should easily find the overall and specific status of requests and processes in the system
Governance goal - Access granting history audit
People responsible for auditing should be able to see the history of assigning access and entitlements to the individuals
Governance goal – Approval Workflow builder
Approval workflows should be built by the same people who are responsible for the granting process using regular tools, not scripts
Use Cases
Government of Austria
• Central portal for Austrian citizens requests
• Central business workflow engine for handling requests
• Monitoring automation and actionable reports
Bayern Department of Justice
• Internal personnel IGA: access control, governance and attestation
• Centralized Policy engine
• Advanced threat protection: external and internal
• Constant activity monitoring and actionable reports
State of Alabama
• State of Alabama was breached in 2012
  – Millions of data records were stolen
  – State Web site was disabled
  – IT operations were paralyzed
• IT Security and IGA solution
  – Advanced threat detection software
  – IGA full suite solution
  – Privileged access manager
• Security and IGA education of the personnel