IAM Trends - Information Assurance | ISACA
TRANSCRIPT
1 © Copyright 2016 S3 Corporation. All rights reserved.
IAM Trends The need for a Programmatic Approach to Identity, Security and eGRC
July, 2016
Overview
• IAM Statistics: Current Environment
• The Cyber Approach
• Cyber Kill Chain®
• Use Cases
• IAM Constituents, Associations, Capabilities, and Control Framework
• Threat Response Maturity Evolution
Identity Related Statistics
• $7.7M: average cost of a data breach
• $230: cost to an organization per individual compromised record (over 800m records exposed in 2015)
• 72%: percentage of incidents perpetrated by internal resources
• 256 days: average number of days until a breach is detected
• 90%: percentage of IT professionals that believe there is a skills shortage in our industry
Ponemon Institute Cybercrime studies 2015 and 2016
An Ounce of Prevention…
• Past: Breach Prevention
• Future: Prevention, Detection, and Mitigation
Cyber Kill Chain®
Based on Lockheed Martin’s Cyber Kill Chain
• Reconnaissance
• Weaponization
• Delivery
• Exploitation
• Installation
• Command & Control
• Action on Objectives
Timescales labelled on the slide: Hours to Months; Seconds; Months
Sample Use Cases
• Social engineering/education of IAM constituents
• Enriched monitoring data
• Creation of local accounts (uncorrelated identities)
• Recertification processes (file-share and application access)
• Data extraction volume
IAM Constituents and Associations
A comprehensive program approach:
• Consider the objectives and use cases for key constituents
• Focus on how they associate
• What does a successful outcome look like?
Key constituents have a symbiotic relationship:
• Technology
• The delivery of information
[Figure: constituents People, Devices, Apps and Data, linked through Interaction, Relationship, Process and Transmission; surrounding labels: Business Needs & Reqs, User, Technology Enablement, Secure Session Routing, Risk & Compliance Assurance]
IAM Critical Capabilities
Functionality:
IAM policies, practices and tools must fulfill critical capabilities. Inputs include:
• Forecasted business needs and goals
• Technology environment
• Regulations and legal requirements
• Industry practices and guidelines, and
• Significant threats and risks
Fitness for Use:
IAM must be user-friendly, risk-based, adaptable, cost-effective, and manageable.
[Figure: capability wheel around People, Devices, Apps and Data (Interaction, Relationship, Transmission, Process): Govern Access, (De)provision, Manage Roles, Assign Entitlements, Manage Access, Grant Privileges, Establish Session, Secure Comm., Keys & Certs, Credentials, Identify, Authenticate, Establish Affiliation, Execute Command, Control Entry, Track Activity, Monitor Risks, Compliance Remediation, Validate Trust]
IAM Technical Control Framework
The IAM technology design should encompass best-of-breed tools that:
• Integrate into the planned IT infrastructure
• Provide necessary functionality, and
• Overcome IAM limitations, while reusing value added components where
[Figure: control framework around People, Devices, Apps and Data (Interaction, Relationship, Transmission, Process), grouped as End User Controls, Endpoint Controls, Data Controls and Network Controls: Identity Governance & Administration, Digital Rights Mgmt, Access & Password Portal, eGRC Solution, Log Management, Security Information Event Management, VPN Client, NAC/WAM, Enterprise Encryption, Network Segmentation/Tenant Partition, Key & Certificate Mgmt, Token Administration, SSO Solution, Risk-based Authentication, Directory Services]
Strategic Enterprise Maturity Evolution
Enterprise Risk maturity should evolve from firefighting to predictive analytics.
Success lies at the intersection of process evolution and technical enablement.
Final Message
• IAM is the baseline component to your data protection and risk mitigation program
• Approach IAM initiatives as a strategic, organization-wide program with IT
enablement (project vs. program approach)
• A programmatic approach results in creating an integrated, sustainable lifecycle of
responsiveness, monitoring, and risk mitigation
Contact Us
Johanna Thomas [email protected]
Paul Kohler [email protected]