Threat-aware Identity and Access Management - IBM


Post on 29-Jun-2018


Page 1

IBM Security Systems

Threat-aware Identity and Access Management

Sridhar Muppidi, PhD
IBM Distinguished Engineer
CTO, Identity and Access Management
[email protected]

© 2012 IBM Corporation © 2014 IBM Corporation

Page 2

More than half a billion records of PII were leaked in 2013

Page 3

Information Security is only as strong as its weakest link – Identity

• 55% of scam and phishing incidents are campaigns enticing users to click on malicious links
• Criminals are selling stolen or fabricated accounts
• Social media is fertile ground for pre-attack intelligence gathering
• Mobile and Cloud breaking down the traditional perimeter
• IAM becomes first line of defense with Threat and Context awareness

Source: IBM X-Force® Research 2013 Trend and Risk Report

Page 4

Information Security will require focus on Identity and Interactions

People: EMPLOYEES, ATTACKERS, OUTSOURCERS, SUPPLIERS, CONSULTANTS, PARTNERS, CONSUMERS

Data: STRUCTURED, UNSTRUCTURED, AT REST, IN MOTION

Applications: SYSTEMS APPLICATIONS, WEB APPLICATIONS, WEB 2.0, MOBILE APPLICATIONS

Infrastructure: DATACENTERS, PCs, LAPTOPS, MOBILE, CLOUD, NON-TRADITIONAL

…and that is driving a new approach

Page 5

1. Identity is a key security control for a multi-perimeter world

Today: Administration

• Operational management
• Compliance driven
• Static, Trust-based

Tomorrow: Assurance

• Security risk management
• Business driven
• Dynamic, context-based

Page 6

2. Cloud & Mobile will center around Identity + Protection + Insights

Diagram labels: Trusted Intranet, DMZ, Untrusted Internet; Online Banking Application; Employee Application; Investment API Services; Apps, APIs, Services

• Consume Apps and Services (SaaS)
• Build and Deliver Apps, Services (PaaS)
• Leverage Public Clouds (IaaS)

Page 7

3. IAM Analytics will help control the risks across all security domains

Wave 1 Wave 2 Wave 3

Administration

• Cost savings
• Automation
• User lifecycle
• Key on premise apps & employees

Analytics

• Application usage
• Privileged activity
• Risk-based control
• Baseline normal behavior
• Employees, partners, consumers – anywhere

Governance

• Role management
• Access certification
• Extended enterprise – business partners
• On and off-premise apps

IAM Analytics – Collect and Analyze Identity Data

• Improved visibility into how access is being utilized
• Risk-based insights for prioritized compliance actions
• Clear actionable dashboards for better business decision making

Page 8

IBM is executing to Threat-aware Identity and Access Management

Manage Enterprise Identity Context Across All Security Domains

Page 9

IBM Threat-aware Identity and Access Management

Key focus areas to address the security’s weakest links

Safeguard mobile, cloud and social access

• Validate “who is who” especially when users connect from outside the enterprise
• Proactively enforce access policies on cloud, social and mobile collaboration channels

Prevent advanced insider threats

• Manage and monitor privileged access across the enterprise
• Defend applications and data against unauthorized access

Simplify cloud integrations and identity silos

• Provide federated access to enable secure online business collaboration
• Unify “Universe of Identities” for efficient directory management

Deliver actionable identity intelligence

• Streamline identity management across all security domains
• Manage and monitor user entitlements and activities with security intelligence

Page 10

Safeguard mobile, cloud and social access

Helping achieve secure transactions and risk-based enforcement

Access Management

• Identity-aware application access on the mobile device
• Strong Authentication, mobile SSO, session management for secure user interactions
• Context-based access and stronger assurance for transactions
• Transparently enforce security policies for mobile applications
• Enforce security policies without modifying the applications

Diagram labels: Data, Applications, On/Off-premise Resources, Cloud, Mobile, Access Management, Internet

Page 11

Safeguard mobile, cloud and social access

Cloud Scenarios for managing identities & govern user access

SaaS: Secure usage of business applications

Enable employees to connect securely to SaaS

• Identity federation
• SaaS access governance

PaaS: Secure service composition and apps

Bluemix: Integrate identity into services and applications

• DevOps access management
• Authentication and authorization APIs

IaaS: Securing infrastructure and workloads

Manage cloud administration and workload access

• Privileged admin management
• Access management of web workloads

Page 12

Prevent advanced insider threat

Address insider risks with Privileged Identity Management

• Strong authentication controls and SSO for high-risk account access
• Audit privileged user activity and sensitive data access
• Address compliance, regulatory and privacy requirements
• Secure user access and content against targeted attacks
• Eliminate the need to share passwords for privileged users and shared accounts with automated privileged identity management
• Ensure compliance and audit support with session recording and replay support
• Leverage common Identity management and support for applications and resources

Diagram labels: Credential Vault, Administrative ID, Session Recording, IAM Analytics & Security Intelligence, Governance, Target Systems

Page 13

Simplify identity silos and cloud integrations

“Untangle” identity silos to support secure business expansion

• Universal directory to transform identity silos to support disparate identity sources
• Scalable directory backbone leveraging existing infrastructure for enterprise-wide Identity and Access Management
• Sourcing of identities and attributes for enterprise applications, Cloud/SaaS integrations leveraging open standards.
• In-depth user insight with reporting and SIEM integration

Diagram labels: Search; Directories, Databases, Files, SAP, Web Services, Applications; Directory Services; Directory Integration; Access

Page 14

Deliver intelligent identity management

Driving business driven compliance with Identity Management

• Empower Line of Business to manage and define the user access for governance, risk and compliance
• Reduce cost of enterprise identity management with centralized policy, integrated role and identity lifecycle management
• Improve user assurance with strong authentication integration and closed-loop user activity monitoring
• Effective and actionable compliance with centralized identity and access management across the enterprise

Diagram labels: On/Off-premise Resources; HR Systems/Identity Stores; Data, Applications; Cloud, Mobile; Risk Based Access; Devices; Accounts Updated; Access Certification; Access Policy; Identity Change; Detect and Correct Local Privilege Settings; Identity Management

Page 15

Organizations using a maturity model to use IAM to support security

Domains: Compliance, Mobile Security, Cloud Security, IAM Governance, Privileged IdM

Optimized

• Security Intelligence: User activity monitoring, Anomaly detection, Identity Analytics & Reporting
• IAM Integration with GRC
• Fine-grained entitlements
• Integrated Web & Mobile Access Gateway
• Risk / Context based Access
• Governance of SaaS applications
• IAM as a SaaS
• IAM integration with GRC
• Risk / Context-based IAM Governance
• Risk / Context-based Privileged Identity Mgmt

Proficient

• Closed-loop Identity & Access Mgmt
• Strong Authentication
• Strong Authentication (e.g. device based)
• Web Application Protection
• Bring your own ID
• Integrated IAM for IaaS, PaaS & SaaS (Enterprise)
• Closed-loop Identity and Access Mgmt
• Access Certification & fulfillment (Enterprise)
• Closed-loop Privileged Identity Mgmt

Basic

• Request based Identity Mgmt
• Web Access Management
• Federated SSO
• Mobile User Access Management
• Federated access to SaaS (LoB)
• User Provisioning for Cloud/SaaS
• Access Certification (LoB)
• Request based Identity Mgmt.
• Shared Access and Password Management

Page 16

New from IBM

Page 17

Launched IBM Threat-aware Identity and Access Management

• Prevent advanced insider threats
• Simplify cloud integrations and identity silos
• Safeguard mobile, cloud and social access
• Deliver actionable identity intelligence

Products: Access Manager for Mobile, Access Manager for ESSO, Access Manager for Web, Privileged Identity Manager, Federated Identity Manager, Directory Integrator & Server, Identity Manager, Identity and Access Assurance

• Integrated capabilities to secure identity as a new perimeter

Page 18

Safeguarding mobile, cloud, and social access

NEW

IBM Security Access Manager 8.0: “All-in-one” access management powered by X-Force, Trusteer and QRadar

• Enable secure access to web and mobile applications with SSO, session management and built-in support for IBM Worklight
• Protect web and mobile applications against common attack vectors including the OWASP Top 10 web application risks with integrated X-Force threat protection
• Enforce context-aware access with mobile device fingerprinting, geo-location awareness, IP Reputation and integration with Trusteer Mobile SDK
• Enhance security intelligence and compliance through integration with QRadar Security Intelligence
• Reduce TCO and time to value with an “all-in-one” access appliance that allows flexible deployment of web and mobile capabilities as needed

Diagram labels: IBM Security Access Manager; Web Access Management; Web Application Protection; Mobile Identity Assurance

Page 19

Application Security: Centralized Policy Enforcement for Context-Aware Access, Threat Protection, and Fraud Detection

Out-of-the-box and seamless integration delivers unmatched end-to-end security

IBM Security Access Manager

1. Enforce identity- and context-aware application access on the mobile device
2. Protect web facing apps from risks associated with the OWASP Top 10
3. Create risk-based access policies to protect enterprise from fraud & malware without modifying apps

Page 20

Safeguarding mobile, cloud, and social access

New Cloud SSO Service on IBM BlueMix Cloud Platform (BETA)

Easily add user authentication and single sign-on into applications

• Allows developers to add access security for web and mobile apps using “SSO with IBM ID”
• Policy-based authentication service provides easy-to-use SSO capability
• Lightweight identity proofing adds identity assurance for IBM ID
• Flexible SSO options based on industry standards such as OpenID and OAuth

Diagram labels: Cloud SSO Service; IBM ID (ibm.com); Social ID

Page 21

Prevent insider threat and identity fraud

NEW

IBM Security Privileged Identity Manager and Enterprise SSO

• Eliminate the need to share passwords for privileged users and shared accounts with an automated privileged identity management
• Ensure compliance and audit support with session recording and replay support
• Improve ROI using common Identity management and support for applications and resources
• Strong authentication controls and SSO for high-risk account access
• Reduce TCO and time to value with a scalable virtual appliance deployment

Page 22

Detect Anomalies - Privileged User Activity and Threat Intelligence

• Consolidated view of User/System Activities of a Typical Privileged User Logon via Privileged Identity Management

Page 23

Simplify identity silos and cloud integrations

NEW

IBM Security Directory Server and Integrator

• Universal directory to transform identity silos and to support “virtual directory”-like deployments
• Scalable directory backbone leveraging existing infrastructure for enterprise-wide Identity and Access Management
• Simplified sourcing of identities and attributes for enterprise applications, Cloud/SaaS integrations
• Intelligent White Pages search with social networking feature to enable intuitive identity store browsing
• In-depth user insight with out of the box reports and IBM SIEM QRadar integration

Diagram labels: White Pages Search; Federated Directory Services*; User Management in Cloud; Federate; Cache; Virtualize

Page 24

Deliver intelligent identity and access assurance

NEW

IBM Security Identity Manager

• Empower Line of Business to manage and define the user access for governance, risk and compliance
• Reduce cost of enterprise identity management with centralized policy, integrated role and identity lifecycle management
• Improve user assurance with strong authentication integration and closed-loop user activity monitoring
• Effective and actionable compliance with centralized identity and access management across the enterprise
• Real-time insider fraud detection with integrated IAM and Security Intelligence

Diagram labels: Re-designed, business friendly user interface; Identity analytics; IAM integration with Security Intelligence

Page 25

New ISIM UI (Identity Service Center): Ability to select users and request access

Page 26

Leading industry analysts recognized IBM IAM vision and strategy

• Recognizes IBM as market share leader in 2013
  – WW Identity and Access Management
  – Federation Identity Management and SSO MarketScape leader in 2014
• Recognizes IBM as a Leader in Mobile Identity and Access Management Solutions in 2014
• Recognizes IBM as strong performer in their 2013 Wave report
  – WW Identity and Access Management
• Recognizes IBM as a visionary in the new 2013 IAG MQ
  – New ISIM 6.0 service center UI
  – 2014 Roadmap focus on IAM Analytics, beyond today’s Governance solutions
• Recognizes IBM as leaders in key leadership compass reports
  – Identity Provisioning, Privileged Identity Management
  – Access Management & Federation, Enterprise SSO

Page 27

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

www.ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.