IAM challenges are growing in complexity and volume
• “7 Any”
• De-perimeterisation
• Web 2 App consistency
• “API economy”
• Cloud, Shadow IT
• 24/7 cybercrime profs
• Growing privacy concerns
• Increasing regulatory pressure (GDPR, PSD II)
• IAM becomes relevant for almost all aspects of life
IAM trends
IAM awareness grows as digitisation reaches boardrooms of ancient institutions
• Chief Digital Officer
• Chief Innovation Officer
• Experiments lab
• Hackathons
• Start-up partners
• Innovation Boards
• Startup Friday
• Design Thinking
• Tribes and clans
Identity of Things, CIAM. “Branded identities”: user accounts expand into full user profiles
• Smart dust
• Networked sensors
• Drone delivery
• Smart cities
• Mobility
• Chaining across domains
• Big data
Identity
Flexible real-time entitlement granting: ABAC
Attribute Based Access Control
• Resource: Type: Financial, Department Z, Author X, Not yet approved, Obsolete, Public, etcetera
• Subject: Name X, Role Y, Department Z, Cost Centre 123, Manager A, etcetera
• Action: Check out, Review, Edit, Alter contents, Check in, Physical actions, etcetera
• Environment: Night time, Location, Home network, Office wifi, Registered device, etcetera
Authorisation
Example 1 (Subject / Object / Environment):
• Subject: Daan Koning, Retail client, Netherlands, Preferred
• Environment: at 3:00 am, at a bar in Utrecht, logged on via PIN5, via an iPhone iOS 7.1
• Action: can transfer
• Object: 50 euro from current account to Rabobank account of Facebook friend

Example 2 (Subject / Object / Environment):
• Subject: Alex Prins, Private Banking manager, region Utrecht / Nieuwegein
• Environment: on new year’s day, at home, while using a tablet
• Action: can update
• Object: Private Banking customer data
…..

RBAC versus ABAC
• RBAC (Subject / Object): Private Banking Manager can update customer data; Alex Prins can view …..
• ABAC: the two attribute-based examples above
Authorisation
Object approach / attributes

Content-Based Approach
• Content Classes (client data, employee data, payment data, etc.)
• Sensitivity (customer critical, business operation, near-public, etc.)
• Confidentiality & Integrity rating
• Time (creation, last access)
• Data Ownership (e.g. BU)
• Creator
• Type (spreadsheet, PowerPoint, text document, e-mail, etc.)

Query-Based Approach
• Content Classes (client data, employee data, payment data, etc.)
• Sensitivity (customer critical, business operation, near-public, etc.)
• Confidentiality & Integrity rating
• Time (creation, last access)
• Data Ownership
• Is Golden Source or Copy?
• Limit (number of query results)

Analytics-Based Approach
• Content Classes (client data, employee data, payment data, etc.)
• Sensitivity (customer critical, business operation, near-public, etc.)
• Confidentiality & Integrity rating
• Maximum Usage Period (how long is it allowed to use the data)
• Sources (from which systems does the data originate)
• From Golden Source or Copy? (quality)
• Inherited attributes (from sources)
Authorisation
Fine-grained context-aware access management - building blocks
• Framework for interaction and governance of rulesets
• Identity federation
• Profile repository
• Trust level framework
• Rulesets in rule engines

ABAC building blocks
• PDP: Policy Decision Points
• PAP: Policy Administration Points
• PIP: Policy Information Points
• PEP: Policy Enforcement Points
• XACML
• Attributes: data quality, data management
• Rules: ownership in the business
• Session integrator
• Connectors, interfaces, token management
• Data classifier
Attribute Based Access Control - Summary
• Context based, rule based
• Step-up authentication
• Adjusted trust level per context, per transaction
• Trust level on dataset or transaction, fine-grained, data-centric
• More flexible than Role Based Access Control (RBAC)
• Configuration within IAM tools instead of coding within applications
• Trust level on transaction request context
• Trust level framework enables immediate intervention when compromised
• Migrate from RBAC to ABAC as a strategy (a role is also a rule!)
• Focus on governance and business involvement
Authorisation
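Added example, not code from the deck: a minimal Policy Decision Point in Python that turns the deck's two scenarios (the retail transfer at 3:00 am via PIN, and the Private Banking manager as "a role is also a rule") into attribute rules, with a trust-level framework driving step-up authentication and a SOC/fraud-blacklist signal that denies immediately. The attribute names, trust levels and euro ceilings are assumptions made for the illustration.

```python
from dataclasses import dataclass
# Trust-level framework (constructed): authentication method -> assurance level
AUTH_TRUST = {"pin": 1, "password": 1, "token": 2, "multifactor": 3, "biometrics": 3}

@dataclass
class Request:
    subject: dict      # identity + properties, e.g. from the profile repository (PIP)
    resource: dict     # object attributes, e.g. from the data classifier (PIP)
    action: str
    environment: dict  # time, device, auth method, SOC signals (session integrator)

def trust_level(env):
    return AUTH_TRUST.get(env.get("auth_method"), 0)

def rule_compromised(req):
    """Fraud blacklist / SOC signal: intervene immediately, whatever the other rules say."""
    return "Deny" if req.environment.get("compromised") else "NotApplicable"

def rule_role_is_a_rule(req):
    """The deck's RBAC case written as an ABAC rule ("a role is also a rule"):
    a Private Banking manager may view and update Private Banking customer data."""
    if (req.subject.get("role") == "private_banking_manager"
            and req.resource.get("class") == "private_banking_customer_data"
            and req.action in ("view", "update")):
        return "Permit"
    return "NotApplicable"

def rule_retail_transfer(req):
    """Retail transfers: the trust level required depends on amount and context.
    The 50 / 500 euro PIN ceilings are constructed for the example."""
    if req.subject.get("segment") != "retail" or req.action != "transfer":
        return "NotApplicable"
    env = req.environment
    night = not 6 <= env.get("hour", 12) < 23     # 23:00-06:00 counts as night
    pin_ceiling = 50 if night else 500           # PIN-only limit shrinks at night
    required = 1 if req.resource.get("amount", 0) <= pin_ceiling else 2
    if not env.get("registered_device"):
        required += 1                             # unknown endpoint: more assurance
    return "Permit" if trust_level(env) >= required else "StepUp"

RULES = [rule_compromised, rule_role_is_a_rule, rule_retail_transfer]

def decide(req):
    """PDP with deny-overrides combining: Deny > StepUp > Permit; nothing applicable -> Deny."""
    results = [rule(req) for rule in RULES]
    for verdict in ("Deny", "StepUp", "Permit"):
        if verdict in results:
            return verdict
    return "Deny"
```

A PEP would call `decide()` per transaction request and, on "StepUp", route the session to a stronger authentication method before re-evaluating.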
Authentication @ work
Diagram: identity + properties are authenticated (Password, Token, PIN, Multifactor, Biometrics); the authentication claim ID is pre-linked to the Authorisation / Entitlements for the ID, which give a transaction request access to Data & transactions.
Authentication
“New” methods of authentication
• Biometrics, voice, fingerprint, facial
• Behaviour patterns
• From “knowing” to “being”
• Rule based authentication
• Artificial Intelligence & data analysis recognise you
• Out-of-Band technologies across registered devices
• Challenge: how to use non-PII data and still ensure the right trust level?
• “Undentification”
• Continuous enrolment, continuous authentication, continuous identity proofing
Authentication
Authentication & Identity converging
Diagram: a transaction request carries Identity + properties, authenticated by Password, Token, PIN, Multifactor, Out Of Band (OOB), Device typing, Context, Endpoint info, Network, Meta data, Navigation, Use patterns and Biometrics, with Continuous ID proofing, Authentication and Enrollment fed by Machine learning, Fraud blacklist and SOC data; the result is pre-linked to the Authorisation / Entitlements for the ID, which give access to Data & transactions.
Authentication
Preventative, Detective, Reactive controls converging
Diagram: start → Wish → Instruction / Request → Transaction (Payment settlement), with the Security Operations Centre, IAM, Fraud Detection, Infra (Device, network, etc.), .. and BCM as the converging control layers.