Business-Aligned Enterprise Security – Driving Success in the Face of Shifting Sands in Identity & Access Management (Gavin A. Grounds, Hewlett Packard Enterprise, Global Director, Information Risk Management, Enterprise Security Services; session SCX16S; @gavingrounds; #CAWorld)

Upload: ca-technologies

Post on 15-Apr-2017

Category: Technology

TRANSCRIPT

Business-Aligned Enterprise Security – Driving Success in the Face of Shifting Sands in Identity & Access Management

Gavin A. Grounds

Security: Security Management

Hewlett Packard Enterprise

Global Director, Information Risk Management. Enterprise Security Services

SCX16S

@gavingrounds

#CAWorld

Abstract

The global economy continues to change and develop exponentially, shifting the focus and importance of identity – the identity of both people and “things.” As these changes continue, the real challenge is that the classic approaches to identity and access management and governance are becoming less effective, yet many organizations are still struggling with the basics. With shifts towards adaptive authentication, continuous authentication and contextual authorization, and the need for tighter alignment with the business so as to both facilitate and protect, this session will discuss effective strategies for success.

Gavin A. Grounds, Hewlett Packard Enterprise

Global Director, Information Risk Management – Enterprise Security Services

|

Agenda

1 Sizing the Problem

2 Sizing the Problem – Legacy Systems

3 Sizing the Problem – Proliferation of Disruptive Technology

4 Sample Use Case – Rapid Changes : Legacy Platforms

5 Strategies for Success – Fundamental Issues

6 Q&A

|

Sizing The Problem – Implications of Rapidly Changing & Disruptive Technology

Primary challenges:

1 Frequent, sophisticated attacks (limited resources, threat intelligence)

2 Governance and compliance (limited visibility, disparate reporting)

3 Extension of enterprise IT (new vulnerabilities, supplier risk)

Delivery: Traditional DC, Mobility, Big data, Cloud

A new type of adversary: Research, Infiltration, Discovery, Capture, Exfiltration

Reactive postures, increasing regulatory non-compliance risk, insufficient visibility, overwhelmed and outpaced resources

|

Legacy Systems Still a Key Risk Factor – Identity and Access Management – Status of “the Basics”

What the surveys say:

– 52% of organizations have acknowledged the need to readdress excessive user privilege

– 88% of incidents were abuse of privileged accounts, yet only 27% of organizations have re-aligned security policies around user privilege since this incident occurred

– 67% of access requests are checked against security policies before they are approved

– 60% of organizations don’t know how many orphaned accounts exist in their business

– 60% of users say they cannot remember all of their passwords

|

Legacy Systems Still a Key Risk Factor – Implications of Poor Identity & Access Management

|

Decreasing Effectiveness, Increasing Risk

Exponential waves of technology change, disruptive innovation and new inter-connected, real-time business models require an intensive shift in the approach to identity and privilege management of both people and “things.” Classic approaches are rapidly becoming less effective. With shifts towards adaptive authentication, continuous authentication and contextual authorization, many organizations are still struggling with the basics.

[Chart: I&AM effectiveness, governance & control plotted against enterprise business risk, with the typical maturity level marked.]

|

Sample Use Case – Rapid Changes : Legacy Platforms

[Diagram: Mainframe Apps / Legacy System at the centre, reached through Web Apps / Gateways, Mobile Apps / Gateways and Enrichment / Information Sources, each of which may sit on the Internet, in a Private Cloud or in a Public Cloud. User communities: Customers / Citizens (self-service), Employees / Contractors, Partners, Suppliers, FSIs. Oversight: Regulators, Audit, Compliance.]

|

Sample Use Case – Rapid Changes : Legacy Platforms

[Same diagram as the previous slide, with the callout:] Lack of end-to-end (adaptive) identity & authorization

|

Sample Use Case – Multi-vendor IT Service & Cloud Providers

[Same diagram as the previous slides, with IT Support Organizations added as a further party.]

|

Sample Use Case – Multi-vendor IT Service & Cloud Providers

Compliance & Risk Issues are Exponential

|

Strategies for Success – Business-Aligned Security – Identity & Access Management

Fundamental Issues

– Exponential, rapid proliferation of new and disruptive technologies

– Core identity & access management processes, policies and technology deployments not keeping pace

– Proliferation of intra- and inter-enterprise software APIs

– Lack of API security standards / practices

– Application connections assumed to be trustworthy

– Legacy back-end technology, methodologies and processes

– Dependency on “service” or fixed process accounts

– Lack of end-to-end identity, authorization and auditability

– Actual user identity is not consistent throughout all inter- and intra-enterprise transactions

– Complex, rapidly evolving IT infrastructure and application landscapes
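Two of the issues above, the dependency on fixed service accounts and the loss of the actual user identity across transactions, are concrete enough to show in code. The following is an added example written for this page, not code from the presentation or from HPE or CA: it places the weak pattern, where every call to a legacy back end runs as one shared service account so the audit trail names only that account, beside a hardened pattern in which the gateway authenticates the end user and forwards a short-lived, HMAC-signed identity context that the legacy adapter verifies and writes into its audit record. The key, the account name svc_webapp, the claim fields and the audit record layout are assumptions made for this example.

```python
"""Added example (not from the presentation): end-to-end identity through a
gateway in front of a legacy back end, weak pattern beside hardened pattern."""
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Assumed shared secret between gateway and legacy adapter (in practice: from a vault, rotated).
GATEWAY_KEY = b"example-gateway-key-rotate-me"
# The fixed account the legacy system is reached through in both patterns (assumed name).
SERVICE_ACCOUNT = "svc_webapp"


def _sign(payload: bytes) -> str:
    return hmac.new(GATEWAY_KEY, payload, hashlib.sha256).hexdigest()


# ---- Weak pattern: every call runs as the service account -------------------
def legacy_call_weak(action: str) -> dict:
    """The back end's audit record names only svc_webapp; the real user is lost."""
    return {"actor": SERVICE_ACCOUNT, "action": action}


# ---- Hardened pattern: gateway mints a signed identity context --------------
def gateway_issue_context(user: str, roles: List[str], ttl_s: int = 60,
                          now: Optional[float] = None) -> str:
    """The gateway has already authenticated `user` against its IdP; it wraps the
    verified subject, roles and a short expiry into a signed, opaque string."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": user, "roles": roles, "exp": now + ttl_s},
                      sort_keys=True).encode()
    return body.hex() + "." + _sign(body)


def legacy_call_hardened(context: str, action: str, required_role: str,
                         now: Optional[float] = None) -> dict:
    """Legacy adapter: verify signature and expiry, enforce the role, then record
    the ORIGINAL user in the audit entry. Raises PermissionError on any failure."""
    now = time.time() if now is None else now
    try:
        body_hex, sig = context.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        raise PermissionError("malformed identity context")
    if not hmac.compare_digest(_sign(body), sig):
        raise PermissionError("bad signature")
    claims = json.loads(body)
    if claims["exp"] < now:
        raise PermissionError("identity context expired")
    if required_role not in claims["roles"]:
        raise PermissionError(f"{claims['sub']} lacks role {required_role}")
    # The connection to the back end still uses SERVICE_ACCOUNT, but the audit
    # record now carries the end-to-end identity the gateway verified.
    return {"actor": claims["sub"], "via": SERVICE_ACCOUNT, "action": action}


if __name__ == "__main__":
    print(legacy_call_weak("transfer"))
    ctx = gateway_issue_context("alice", ["teller"])
    print(legacy_call_hardened(ctx, "transfer", "teller"))
```

The HMAC-signed context stands in for whatever signed assertion the gateway would really issue (a JWT or SAML token from its identity provider); it is used here only so the example runs with the standard library. The point is in the adapter: it refuses anything unsigned, expired or tampered with, checks the role itself rather than trusting the caller, and writes the verified subject into the audit record even though the mainframe session is still opened by the service account.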

|

Strategies for Success – Business-Aligned Security – Identity & Access Management

Key Success Factors

– Don’t “boil the ocean … when all you want is a cup of tea.”

– “Follow the money”: Return on Investment & Return on Capital :: investment in change must result in:

  – New revenue generation;

  – Cost savings;

  – Avoidance of penalties;

  – Avoidance of un-planned spend; or

  – Any & all of the above

– Critical business process mapping:

  – Critical business processes, to

  – Critical applications and data, to

  – Critical business infrastructure

– No “silver bullet” – don’t hitch the wagon to a single technology

– Choose your partners wisely

|

Strategies for Success – Business-Aligned Security – Identity & Access Management

Suggested Techniques

– Align strategic decisions around business risk priorities

– Get the basics right

  – Effective user provisioning: for managing risk & security, a heavier focus on de-provisioning

  – Access compliance management: compliance is invariably focused on infrastructure; most audit failures

– API gateway

  – Facilitates standardization of security in new apps, without major changes in the legacy

  – Allows for rapid password reset without impacting legacy app processes, partner apps and processes, etc.

  – The application layer is invariably less secure, yet is the typical attack vector

– Strategy is not about product selection

– Must accommodate acquisition, divestiture, partner & 3rd-party variations
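The de-provisioning point above, together with the orphaned-account figure earlier in the deck (60% of organizations do not know how many they have), is a check that can be automated rather than surveyed. The following is an added example, not from the presentation: it reconciles a directory export against the HR roster and flags every enabled account whose owner is absent from HR, has left, or is nobody (an unowned service account), that holds privilege without an active owner, or that has had no logon for 90 days. The roster rows, the directory rows, the 90-day threshold and the field names are constructed sample data and assumptions for this example.

```python
"""Added example (not from the presentation): reconcile a directory export
against the HR roster to find de-provisioning gaps and orphaned accounts."""
from datetime import date

STALE_DAYS = 90  # assumed threshold for "no recent logon"

# Constructed HR roster: employee id -> (status, termination date or None)
HR_ROSTER = {
    "e100": ("active", None),
    "e200": ("terminated", date(2015, 9, 30)),
    "e300": ("active", None),
}

# Constructed directory export (as from an LDAP/AD dump): one row per account
DIRECTORY = [
    {"account": "alice",     "owner": "e100", "enabled": True,  "privileged": False, "last_logon": date(2015, 11, 1)},
    {"account": "bob",       "owner": "e200", "enabled": True,  "privileged": True,  "last_logon": date(2015, 10, 20)},
    {"account": "svc_batch", "owner": None,   "enabled": True,  "privileged": True,  "last_logon": date(2015, 11, 2)},
    {"account": "tmp_audit", "owner": "e999", "enabled": True,  "privileged": False, "last_logon": date(2015, 3, 1)},
    {"account": "carol",     "owner": "e300", "enabled": False, "privileged": False, "last_logon": date(2015, 6, 1)},
]


def reconcile(directory, roster, today):
    """Return {account: [flags]} for enabled accounts that fail a control.
    Disabled accounts are skipped: de-provisioning already happened for them."""
    findings = {}
    for acct in directory:
        if not acct["enabled"]:
            continue
        flags = []
        owner = acct["owner"]
        active_owner = False
        if owner is None:
            flags.append("no_owner")       # shared/service account nobody is accountable for
        elif owner not in roster:
            flags.append("orphaned")       # no matching person in HR at all
        elif roster[owner][0] == "terminated":
            left = roster[owner][1]
            flags.append(f"leaver_still_enabled:{(today - left).days}d")
            if acct["last_logon"] > left:
                flags.append("logon_after_termination")  # someone is still using it
        else:
            active_owner = True
        if acct["privileged"] and not active_owner:
            flags.append("privileged_without_active_owner")
        if (today - acct["last_logon"]).days > STALE_DAYS:
            flags.append("stale")
        if flags:
            findings[acct["account"]] = flags
    return findings


if __name__ == "__main__":
    for account, flags in reconcile(DIRECTORY, HR_ROSTER, date(2015, 11, 15)).items():
        print(f"{account:10s} {', '.join(flags)}")
```

The reconciliation is deliberately keyed on the HR roster, not on the directory, because the roster is the business's record of who should exist; an account with no owner or an owner HR has never heard of is the orphaned-account case the survey figure describes, and a leaver whose account has logged on after the termination date is the privileged-abuse case worth escalating first.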

|

|

Q & A

|

For More Information

To learn more, please visit:

http://cainc.to/Nv2VOe

CA World ’15