The business of identity, access and security (v1.0)
Theo Nassiokas, Head of Risk & Compliance, Information Security
Westpac Banking Corporation
Identity Management Forum 2007 – November 28-30
What’s in it for me?
Overview
Executive summary
Identity Management (IDM) – What is it?
Regulatory focus – Access control or identity management?
Compliance, risk & governance and identity management
Objective of identity management
Identity management convergence
Aligning IT projects to business
Minimising project risk
Conclusion
Executive summary
Identity management (funnily enough) is the management of identities – not the management of technology
The emerging global regulatory framework focuses on knowing your customer (KYC) and knowing your risk
Compliance, risk & governance all have a crucial role to play in the diligent management of identities
The objective of good identity management is to enable business – not to document processes and pass audits
Traditionally disparate identity databases (e.g. physical & logical access) are converging into one source of truth!
Aligning a proposed project to business objectives demonstrates its value proposition
Understanding your organisation’s culture and risk appetite will increase the chance of initial project funding approvals
Identity Management (IDM) – What is it?
Identity management defined
Identity management is the management of the Identity Life Cycle of Entities (ILCE), which consists of identities being:
− Established – a name (or number) is connected to the subject or object;
− Re-established – a new or additional name (or number) is connected to the subject or object;
− Described – one or more attributes which are applicable to this particular subject or object may be assigned to the identity;
− Newly described – one or more attributes which are applicable to this particular subject or object may be changed; and
− Destroyed.
Source: Wikipedia - http://en.wikipedia.org/wiki/Identity_management
Two perspectives of IDM
1. User access paradigm – an integrated system of business processes, policies and technologies that facilitate and control a user's access to critical online applications and resources
2. Service paradigm – converged services, covering all the resources of the company that are used to deliver online services, including unified services and single customer view facilities
Source: Wikipedia - http://en.wikipedia.org/wiki/Identity_management
(Diagram: the two perspectives converging – IDM convergence)
Regulatory focus – Access control or identity management?
What comes 1st – The chicken or the egg?
Access control, as the name suggests, is a set of controls governing access to information systems, including:
− Technology
  − User IDs and passwords
  − Tokens
  − Biometrics
− Processes
  − Issuing user IDs, passwords and technologies
  − Periodic user access revalidation reporting
  − On-boarding and off-boarding
Identity management is a process that provides the required degree of assurance that the holder of an identity is its rightful owner. It is therefore no surprise that this is the common regulatory thread…
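The process controls listed above (periodic access revalidation, on-boarding and off-boarding) only work when every account in every system can be traced back to one authoritative identity record, which is the "one source of truth" argument made later in the deck. The following is an added example, not code from the presentation or from Westpac: it reconciles account exports from a logical system and a physical-access system against an HR extract and reports the exceptions a reviewer must act on. It also surfaces "re-established" identities from the ILCE definition (one person holding several names in one system). The HR feed layout, system and role names, the 90-day dormancy threshold and every record are constructed assumptions.

```python
"""Periodic user access revalidation against one source of truth.

Added example (not from the presentation). The HR feed layout, system names,
role names, dormancy threshold and every record below are constructed assumptions.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class Person:
    """One row of the HR system of record (the 'source of truth')."""
    employee_id: str
    name: str
    status: str                      # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    """An identity as exported by a target system (logical or physical)."""
    system: str
    username: str
    employee_id: Optional[str]       # None: the system records no owner at all
    roles: frozenset[str]
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    system: str
    username: str
    kind: str                        # orphan | leaver | privileged | dormant | duplicate
    detail: str


# Roles whose holders must be re-attested by a manager every cycle (assumed names).
PRIVILEGED_ROLES = frozenset({"admin", "dba", "payments-approver"})


def revalidate(people: Iterable[Person], accounts: Iterable[Account],
               as_of: date, dormant_days: int = 90) -> list[Finding]:
    """Reconcile every account against HR; return the exceptions for the review report."""
    hr = {p.employee_id: p for p in people}
    accounts = list(accounts)

    # 'Re-established' identities: the same person holding several names in one system.
    names_per_person: dict[tuple[str, str], list[str]] = defaultdict(list)
    for a in accounts:
        if a.employee_id:
            names_per_person[(a.system, a.employee_id)].append(a.username)

    findings: list[Finding] = []
    for a in accounts:
        owner = hr.get(a.employee_id) if a.employee_id else None
        if owner is None:
            # Off-boarding can never trigger for an account nobody owns: highest priority.
            findings.append(Finding(a.system, a.username, "orphan", "no HR record for owner"))
            continue
        if owner.status == "terminated":
            detail = f"owner terminated {owner.termination_date}"
            if a.last_login and owner.termination_date and a.last_login > owner.termination_date:
                detail += f"; account used on {a.last_login} after termination"
            findings.append(Finding(a.system, a.username, "leaver", detail))
            continue
        priv = a.roles & PRIVILEGED_ROLES
        if priv:
            findings.append(Finding(a.system, a.username, "privileged",
                                    "manager attestation required for " + ", ".join(sorted(priv))))
        if a.last_login is None or (as_of - a.last_login).days > dormant_days:
            findings.append(Finding(a.system, a.username, "dormant",
                                    f"no login in {dormant_days} days (last: {a.last_login})"))
        others = [n for n in names_per_person[(a.system, a.employee_id)] if n != a.username]
        if others:
            findings.append(Finding(a.system, a.username, "duplicate",
                                    f"{owner.name} also holds {', '.join(others)} in {a.system}"))
    return findings


def summarise(findings: Iterable[Finding]) -> dict[str, int]:
    """Counts per finding kind, for the revalidation report's cover sheet."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample data: one HR extract plus account exports from a logical system
# (core banking) and a physical one (building access), the two sources that converge.
AS_OF = date(2007, 11, 28)
SAMPLE_PEOPLE = [
    Person("E001", "Alice Example", "active"),
    Person("E002", "Bob Example", "terminated", date(2007, 10, 15)),
    Person("E003", "Carol Example", "active"),
    Person("E004", "Dave Example", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("core-banking", "alice", "E001", frozenset({"teller"}), date(2007, 11, 20)),
    Account("core-banking", "bob", "E002", frozenset({"admin"}), date(2007, 11, 1)),
    Account("core-banking", "svc_batch", None, frozenset({"dba"}), date(2007, 11, 27)),
    Account("core-banking", "dave", "E004", frozenset({"payments-approver"}), date(2007, 11, 26)),
    Account("building-access", "carol", "E003", frozenset({"datacentre"}), date(2007, 6, 1)),
    Account("building-access", "c.example", "E003", frozenset({"staff"}), date(2007, 11, 27)),
]

if __name__ == "__main__":
    report = revalidate(SAMPLE_PEOPLE, SAMPLE_ACCOUNTS, AS_OF)
    for f in report:
        print(f"{f.kind:10} {f.system}/{f.username}: {f.detail}")
    print(summarise(report))
```

On the sample data the report flags bob (terminated in October, yet the account was used in November: an off-boarding failure), the unowned svc_batch service account, dave's privileged role for attestation, carol's dormant data-centre badge, and carol's two identities in the building-access system. Only alice, whose single account maps cleanly to an active HR record, produces nothing, which is the point: with one source of truth the clean cases fall out automatically and the reviewer's time goes to the exceptions.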
The common regulatory thread
Identity management is the focus of an emerging regulatory framework:
− Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act 2006 (Commonwealth of Australia) (banks and insurance)
− Basel II Capital Adequacy Accord 2005 – Bank for International Settlements (Basel, Switzerland) (banks)
− Public Company Accounting Reform and Investor Protection (Sarbanes-Oxley) Act 2002 (USA) (SEC registered/NYSE or NASDAQ listed)
− Crimes Act 1914 (Commonwealth of Australia)
− Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act 2001 (USA)
− Financial Services Modernization (Gramm-Leach-Bliley [GLB]) Act 1999 (USA) (US banking & finance)
− Data Protection Act 1998 (UK)
− Privacy Act 1988 (as amended) (Commonwealth of Australia)
− Financial Transaction Reports Act 1988 (as amended) (Commonwealth of Australia)
The regulatory environment is the new DNA of identity management.
Compliance, risk & governance and identity management
Regulatory compliance
Common benchmarks are:
1. Regulatory
Basel II Capital Adequacy Accord 2005 – Bank for International Settlements – Basel, Switzerland
Public Company Accounting Reform and Investor Protection (Sarbanes Oxley) Act 2002 (USA)
Privacy laws (local and foreign)
Anti-cybercrime laws (local and foreign)
Policy compliance
Common benchmarks are:
2. Policy
Technology Code of Use
Information Security Policy
Standard Operating Environment (SOE)
Architecture and Strategy
Standards (internal and external)
Business risk
Areas according to the Basel Accord are:
1. Credit Risk
2. Market Risk
3. Operational Risk
4. Interest Rate Risk (optional)
Focus on operational risk re: identity management:
− Likelihood and consequence
− Quantitative vs qualitative
− Scenario based
− Ontology and taxonomy
Risk is easy!?
Source: Dr Peter Tippett - ICSA Labs (Verizon Business), Mechanicsburg, Pennsylvania, USA
Governance
What is it?
It is the overall corporate oversight framework, consisting of:
i. Enterprise strategy & planning
ii. Service delivery capability requirements
iii. Management frameworks
iv. Management structures
Governance is required to give the Board:
i. Transparency of the enterprise capability and strategic risks across the enterprise
ii. Assurance that strategies are aligned to the business and that operational plans are aligned with strategic plans
iii. Assessment of future capabilities and innovations
Governance
Corporate governance consists of five main areas:
− Risk/Security Governance
− Administrative and Financial Governance
− Operational Governance
− Regulatory and Legal Governance
− IT Governance
Risk/Security and IT Governance are the main focus areas of IDM.
Objective of identity management
Conservative corporate culture
Why is this relevant to identity management?
1. Conservative culture
− ‘Realistic’ valuation methods, e.g. NPV, cost benefit, IRR, etc.
− Value perception limited to ‘passing audits’
− Scope of work limited to ‘minimum compliance requirements’
− Drivers are usually threats from the regulator or ‘near death experiences’
Innovative corporate culture
Why is this relevant to identity management?
2. Innovative culture
− ‘Perceived’ valuation methods, i.e. subjective SME valuations
− ‘Normative’ valuation methods, i.e. comparative ‘best practice’ data
− Value perception broadened to ‘enabling business’
− Scope of work broadened to ‘maximum value requirements’
− Driver is future growth through innovation, e.g. enhancing brand through greater ‘customer trust’
Research re: IDM as enabler
CMO Council “Secure the Trust of Your Brand” – Aug 2006
65% of European and U.S. respondents, on average, have experienced computer security problems
1 in 6 respondents have had their personal information lost or compromised
40% of respondents have actually stopped a transaction due to a security incident
Over one third would consider taking their business elsewhere if personal information were compromised
25% would definitely take their business elsewhere if their personal information were compromised
Identity management convergence
Physical and logical convergence
What is identity management convergence?
− Merger of disparate identity management capabilities
− It can be physical and/or intellectual
  − Physical: the sharing of office facilities & space; and
  − Intellectual: the sharing of knowledge
− It can be project driven, e.g. implementation of staff smartcards for physical building and logical information systems access
Why are physical and logical capabilities converging?
− One holistic identity management strategy
− Easier to align with CIO and business strategies
− One single point of contact (e.g. the CIO or the business)
− Increased information sharing between stakeholders
− Cross-train staff (comparative advantage)
− Lower total cost of ownership
Who are the stakeholders?
(Diagram: IDM governance at the centre, surrounded by the Physical, IT and Legal/Regulatory stakeholders and the concerns each brings: Industry codes; IP; Data Protection Act (UK); Sarbanes-Oxley s302, 404, 409; USA PATRIOT Act; ISO 27001; ISO 27002; California Senate Bill 1386; Basel II; Privacy laws; BCP failure; Phishing; Cyber crime; Virus incidents; Physical theft of information; Unauthorised software usage; System access control; License breach; Staff screening checks; Outsourced service provider control; Information access control; Network domain access; Unauthorised physical access; Targeted attack – mass extinction event.)
IDM convergence is innovative
Example – Convergence strategy
− Strategy is “how the mission will be achieved”, i.e. IDM convergence
− Strategic planning is “how the strategy will be achieved”, i.e. trajectory
− Trajectory is “the time required to deliver the strategy”
Strategic planning achieves strategy, moving from capability today to capability tomorrow, through:
• Identification of stakeholders
• Identification of synergies between stakeholders
• Leveraging synergies
Is leading an innovation easy?
“Let it be noted that there is no more delicate matter to take in hand, nor more dangerous to conduct, nor more doubtful in its success, than to set up as a leader in the introduction of changes. For he who innovates will have for his enemies all those who are well off under the existing order, and only lukewarm supporters in those who might be better off under the new.”
− [Niccolò Machiavelli (1469-1527), The Prince, 1513, Chapter VI, para.5]
Aligning IT projects with business
Why is alignment to business important?
Example – Technology ‘line of sight’ to business
(Diagram: three parallel planning chains, each step aligned to the matching step in the chain beside it)
− Business: Assessment of the business → Vision and mission for the business → Business strategy → Business strategic plan → Business operational plans and budgets
− Technology: Assessment of technology requirements → Vision and mission for technology → Technology strategy → Technology strategic plan → Technology operational plans and budgets
− Identity management: Assessment of identity management requirements → Vision and mission for identity management → Identity management strategy → Identity management strategic plan → Identity management operational plans and budgets
Minimising project risk
The innovation effectiveness curve
The innovation value chain
Conclusion
“Identity management” isn’t a fancy term for “access control”. Get your processes right and then build the technology to support them.
The emerging global regulatory framework is the new DNA of identity management planning. Ignore this at your own peril!
Identity management processes should be designed within an effective compliance, risk & governance framework
To manage identities well is to ‘know your customer’ well and understand associated business risks – this enables business
Get to one source of truth, in terms of identity databases! It is far more effective and efficient and reduces total cost of ownership.
Get the business to ‘own’ a proposed project, so that it is promoted by the business. This makes ‘selling’ value straightforward!
Building the organisational culture and risk appetite into the project design will provide the right delivery trajectory and increase the likelihood of effective and timely execution and success.
Questions?
Contact details:
Theo Nassiokas, Head of Risk & Compliance, Information Security
Westpac Banking Corporation
[email protected]
+61 (0)2 8254 2064 office
+61 (0)419 885 930 mobile
Thank you for your time!
Appendix A – Security Convergence
Where is the evidence?
Actual ‘security convergence’ project budgets, based on surveying 60 end users from Canada, Europe and the United States:
Spending on converged security projects (per year, in millions)
Project type                                                          | 2004 | 2005 | 2006   | 2007   | 2008
Public sector                                                         | $250 | $500 | $1,200 | $2,600 | $5,001
Physical/logical access control projects                              | $30  | $90  | $248   | $542   | $994
Large-scale convergence projects                                      | $10  | $36  | $93    | $202   | $453
Small projects                                                        | $10  | $30  | $81    | $172   | $277
Other projects performed jointly by IT and physical security departments | $10 | $35 | $92    | $191   | $315
Total                                                                 | $311 | $691 | $1,713 | $3,707 | $7,039
(Source: Forrester Research, "Trends 2005: Security Convergence Gets Real". Totals are as published; the 2004, 2006 and 2008 columns sum to within $1 million of the stated totals, i.e. rounding in the source.)