Business-Aligned Enterprise Security – Driving Success in the Face of Shifting Sands in Identity & Access Management
Gavin A. Grounds
Security: Security Management
Hewlett Packard Enterprise
Global Director, Information Risk Management. Enterprise Security Services
SCX16S
@gavingrounds
#CAWorld
Abstract
The global economy continues to change and develop exponentially, shifting the focus and importance of identity – the identity of both people and “things.” As these changes continue, the real challenge is that the classic approaches to identity and access management and governance are becoming less effective, yet many organizations are still struggling with the basics. With shifts towards adaptive authentication, continuous authentication, contextual authorization and the need for tighter alignment with the business so as to both facilitate and protect, this session will discuss effective strategies for success.
Agenda
1. Sizing the Problem
2. Sizing the Problem – Legacy Systems
3. Sizing the Problem – Proliferation of Disruptive Technology
4. Sample Use Case – Rapid Changes: Legacy Platforms
5. Strategies for Success – Fundamental Issues
6. Q&A
Sizing the Problem – Implications of Rapidly Changing & Disruptive Technology
Primary challenges:
1. Frequent, sophisticated attacks (limited resources, threat intelligence)
2. Governance and compliance (limited visibility, disparate reporting)
3. Extension of enterprise IT (new vulnerabilities, supplier risk)
Delivery models: Traditional DC, Mobility, Big data, Cloud
A new type of adversary, whose campaign runs Research – Infiltration – Discovery – Capture – Exfiltration
Result: reactive postures, increasing regulatory non-compliance risk, insufficient visibility, overwhelmed and outpaced resources
Legacy Systems Still a Key Risk Factor – Identity and Access Management: Status of “the Basics”
What the surveys say:
– 52% of organizations have acknowledged the need to readdress excessive user privilege
– 67% of access requests are checked against security policies before they are approved
– 88% of incidents were abuse of privileged accounts, yet only 27% of organizations have re-aligned security policies around user privilege since this incident occurred
– 60% of organizations don’t know how many orphaned accounts exist in their business
– 60% of users say they cannot remember all of their passwords
Decreasing Effectiveness, Increasing Risk
Exponential waves of technology change, disruptive innovation and new inter-connected, real-time business models require an intensive shift in the approach to identity and privilege management of both people and “things.” Classic approaches are rapidly becoming less effective.
With shifts towards adaptive authentication, continuous authentication and contextual authorization, many organizations are still struggling with the basics.
[Chart: I&AM effectiveness, governance & control plotted against enterprise business risk, with the typical maturity level marked]
Sample Use Case – Rapid Changes: Legacy Platforms
[Diagram: a legacy system of mainframe apps at the centre, surrounded by user communities (regulators, audit, compliance; customers / citizens (self-service); employees / contractors; partners; suppliers; FSIs), web apps / gateways, mobile apps / gateways, and enrichment / information sources, each reached across the Internet, private cloud and public cloud]
Sample Use Case – Rapid Changes: Legacy Platforms
[Same diagram as the previous slide, with the callout:] Lack of end-to-end (adaptive) identity & authorization
Sample Use Case – Multi-vendor IT Service & Cloud Providers
[Diagram: the same mainframe apps, user communities, web and mobile apps / gateways and enrichment / information sources, reached across the Internet, private cloud and public cloud, with IT support organizations added to the picture]
Sample Use Case – Multi-vendor IT Service & Cloud Providers
Compliance & risk issues are exponential
Strategies for Success – Business-Aligned Security: Identity & Access Management
Fundamental Issues
– Exponential, rapid proliferation of new and disruptive technologies
– Core identity & access management processes, policies and technology deployments not keeping pace
– Proliferation of intra- and inter-enterprise software APIs
  – Lack of API security standards / practices
  – Application connections assumed to be trustworthy
– Legacy back-end technology, methodologies and processes
  – Dependency on “service” or fixed process accounts
  – Lack of end-to-end identity, authorization and auditability
  – Actual user identity is not consistent throughout all inter- and intra-enterprise transactions
– Complex, rapidly evolving IT infrastructure and application landscapes
Strategies for Success – Business-Aligned Security: Identity & Access Management
Key Success Factors
– Don’t “boil the ocean… when all you want is a cup of tea.”
– “Follow the money”
  – Return on Investment & Return on Capital: investment in change must result in:
    – New revenue generation;
    – Cost savings;
    – Avoidance of penalties;
    – Avoidance of un-planned spend; or
    – Any & all of the above
– Critical Business Process Mapping
  – Critical business processes, to
  – Critical applications and data, to
  – Critical business infrastructure
– No “silver bullet” – don’t hitch the wagon to a single technology
– Choose your partners wisely
Strategies for Success – Business-Aligned Security: Identity & Access Management
Suggested Techniques
– Align strategic decisions around business risk priorities
– Get the basics right
  – Effective user provisioning
    – For managing risk & security, heavier focus on de-provisioning
  – Access compliance management
    – Compliance is invariably focused on infrastructure; most audit failures
– API gateway
  – Facilitates standardization of security in new apps, without major changes in the legacy
  – Allows for rapid password reset without impacting legacy app processes, partner apps and processes, etc.
  – Application layer is invariably less secure, yet is key typical attack vector
– Strategy is not about product selection
  – Must accommodate acquisition, divestiture, partner & 3rd-party variations
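The de-provisioning focus and the orphaned-account and privileged-account figures above can be turned into a routine reconciliation check. The following is an added example, not code from the presentation or from HPE; it assumes a constructed HR roster and directory export, a 30-day de-provisioning grace window and a 90-day staleness threshold, all hypothetical values.

```python
from datetime import date, timedelta

# Constructed sample data (not from the presentation): an HR roster keyed by
# person id, and an export of directory accounts with their registered owner.
HR_ROSTER = {
    "asmith": {"status": "active", "left": None},
    "bjones": {"status": "left", "left": date(2015, 9, 1)},
    "cwu": {"status": "left", "left": date(2015, 11, 10)},
}
ACCOUNTS = [
    {"name": "asmith", "owner": "asmith", "last_login": date(2015, 11, 12), "privileged": False},
    {"name": "bjones", "owner": "bjones", "last_login": date(2015, 10, 20), "privileged": True},
    {"name": "cwu", "owner": "cwu", "last_login": date(2015, 11, 9), "privileged": False},
    {"name": "dold", "owner": "dold", "last_login": date(2015, 6, 1), "privileged": False},
    {"name": "svc_batch", "owner": None, "last_login": date(2015, 11, 14), "privileged": True},
    {"name": "svc_etl", "owner": "bjones", "last_login": date(2015, 11, 13), "privileged": True},
]
TODAY = date(2015, 11, 16)  # fixed "today" so the run is reproducible

def review_accounts(accounts, roster, today, grace_days=30, stale_days=90):
    """Reconcile directory accounts against HR; returns finding -> sorted account names.
    orphaned: owner has left or is unknown to HR (covers service accounts owned by leavers)
    overdue_deprovision: owner left more than grace_days ago and the account still exists
    unowned_service: no registered owner at all, so nobody is accountable for it
    stale: no login for more than stale_days, a cheap signal for an access review
    """
    findings = {"orphaned": [], "overdue_deprovision": [], "unowned_service": [], "stale": []}
    for acct in accounts:
        owner = acct["owner"]
        if owner is None:
            findings["unowned_service"].append(acct["name"])
        else:
            person = roster.get(owner)
            if person is None or person["status"] == "left":
                findings["orphaned"].append(acct["name"])
            if person is not None and person["status"] == "left" \
                    and today - person["left"] > timedelta(days=grace_days):
                findings["overdue_deprovision"].append(acct["name"])
        if today - acct["last_login"] > timedelta(days=stale_days):
            findings["stale"].append(acct["name"])
    return {k: sorted(v) for k, v in findings.items()}

def privileged_subset(findings, accounts):
    """The privileged accounts within each finding: work these first."""
    priv = {a["name"] for a in accounts if a["privileged"]}
    return {k: [n for n in v if n in priv] for k, v in findings.items()}
```

The service account svc_etl shows why the owner link matters: its registered owner has left, so it is orphaned and overdue even though it logs in daily.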
For More Information
To learn more, please visit:
http://cainc.to/Nv2VOe
CA World ’15