Compliance & Identity access management

Description: Lecture given at Sup de Co Rennes

Page 1: Compliance & Identity access management

Digital law and governance Identity & access management

Jacques Folon, www.folon.com

Partner, Edge Consulting

Senior lecturer, Université de Liège; Lecturer, ICHEC Brussels Management School; Visiting professor, Université de Lorraine (Metz) and ESC Rennes

http://www.nyls.edu/institute_for_information_law_and_policy/conferences/visualizing_law_in_the_digital_age/

Page 2: Compliance & Identity access management

IAM

1. IAM?
2. Present context?
3. IAM & cloud computing
4. Why is it useful and mandatory?
5. To do list
6. IAM & privacy
7. IAM & control
8. e-discovery
9. Conclusion

Page 3: Compliance & Identity access management

1. IAM?

Provisioning
Single Sign On
PKI
Strong Authentication
Federation
Directories
Authorization
Secure Remote Access
Password Management
Web Services Security
Auditing & Reporting
Role based Management
DRM

Source: Identity and Access Management: Overview, Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd, [email protected]

Page 4: Compliance & Identity access management
Page 5: Compliance & Identity access management

5 Questions to ask your CISO

Page 6: Compliance & Identity access management

Q: What’s posted on this monitor?

a – password to financial application
b – phone messages
c – to-do’s

Page 7: Compliance & Identity access management

Q: What determines your employee’s access?

a – give Alice whatever Wally has
b – roles, attributes, and requests
c – whatever her manager says

Page 8: Compliance & Identity access management

Q: Who is the most privileged user in your enterprise?

a – security administrator
b – CFO
c – the summer intern who is now working for your competitor

Page 9: Compliance & Identity access management

Q: How secure is your identity data?

a – It is in 18 different secured stores
b – We protect the admin passwords
c – Privacy? We don’t hold credit card numbers

Page 10: Compliance & Identity access management

Q: How much are manual compliance controls costing your organization?

a – nothing, no new headcount
b – don’t ask
c – don’t know

Page 11: Compliance & Identity access management

Today’s IT Challenges

More Agile Business
• More accessibility for employees, customers and partners
• Higher level of B2B integrations
• Faster reaction to changing requirements

More Secured Business
• Organized crime
• Identity theft
• Intellectual property theft
• Constant global threats

More Compliant Business
• Increasing regulatory demands
• Increasing privacy concerns
• Business viability concerns

Page 12: Compliance & Identity access management

State Of Security In Enterprise

• Incomplete
  – Multiple point solutions from many vendors
  – Disparate technologies that don’t work together

• Complex
  – Repeated point-to-point integrations
  – Mostly manual operations

• ‘Non-compliant’
  – Difficult to enforce a consistent set of policies
  – Difficult to measure compliance with those policies

Page 13: Compliance & Identity access management

Identity Management Values

• Trusted and reliable security

• Efficient regulatory compliance

• Lower administrative and development costs

• Enable online business networks

• Better end-user experience

Page 14: Compliance & Identity access management

IAM means managing the employees’ lifecycle (hiring, recruiting, promotion, change, leaving) and the impacts on the information management system

IAM is a legal obligation!

Source: CLUSIF

Page 15: Compliance & Identity access management

• IAM is defined by the business (HR, SCM, etc.)
• and follows the legal framework
• and is technically implemented

IAM is business & ICT + legal

Source: CLUSIF

Page 16: Compliance & Identity access management

IAM includes

• Database of all and every user
• Database of all types of profiles & roles
• Definition beforehand
• Define which role for which employee
• Definition of logins & passwords
• Audit
• Reporting
• Access control

Source: CLUSIF

Page 17: Compliance & Identity access management

Definition

• What is Identity Management? “Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” The Burton Group (a research firm specializing in IT infrastructure for the enterprise)

• Identity Management in this sense is sometimes called “Identity and Access Management” (IAM)

Page 18: Compliance & Identity access management

Identity and Access Management is the process for managing the lifecycle of digital identities and access for people, systems and services. This includes:

User Management – management of large, changing user populations along with delegated- and self-service administration.

Access Management – allows applications to authenticate users and allow access to resources based upon policy.

Provisioning and De-Provisioning – automates account propagation across applications and systems.

Audit and Reporting – review access privileges, validate changes, and manage accountability.

Source: J. Tony Goulding, CISSP, ITIL, CA, [email protected]

Page 19: Compliance & Identity access management

IAM in ESC…

• “My name is Julie and I am a student.” (Identity)
• “This is my password.” (Authentication)
• “I want access to my account.” (Authorization OK)
• “I want to adapt my grade.” (Authorization rejected)

Page 20: Compliance & Identity access management

What are the questions?

• Is this person the one she says she is?
• Is she a member of our group?
• Did she receive the necessary authorization?
• Is data privacy OK?

Page 21: Compliance & Identity access management

Type of questions for a newcomer

– Which kind of password?
– Which activities are accepted?
– Which are forbidden?
– To which category does this person belong?
– When do we have to give the authorization?
– What control do we need?
– Could we demonstrate our procedure in court?

Page 22: Compliance & Identity access management

IAM triple A

Authentication – WHO ARE YOU?
Authorization / Access Control – WHAT CAN YOU DO?
Audit – WHAT HAVE YOU DONE?

Page 23: Compliance & Identity access management

Components of IAM

• Administration
  – User Management
  – Password Management
  – Workflow
  – Delegation

• Access Management
  – Authentication
  – Authorization

• Identity Management
  – Account Provisioning
  – Account Deprovisioning
  – Synchronisation

[Figure: Reliable Identity Data at the centre, surrounded by Administration, Authorization and Authentication]

Source: Identity and Access Management: Overview, Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd, [email protected]
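The lifecycle slide (page 14), the triple-A slide (page 22) and the components listed above describe provisioning, deprovisioning, authorization and audit as one process. The Python model below is an added example, not code from the lecture or from any IAM product: it treats the HR record as the source of truth, derives accounts from roles, audits every decision, and reconciles accounts against HR to flag the orphaned account of the departed intern from page 8 and the "give Alice whatever Wally has" style of ad-hoc grant from page 7. All names, roles and entitlement strings are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Role catalogue (constructed): the entitlements each business role implies.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "student":  {"portal:read-own-grades", "library:borrow"},
    "lecturer": {"portal:read-grades", "portal:write-grades", "library:borrow"},
    "intern":   {"wiki:read"},
}

@dataclass
class HRRecord:  # what the business (HR) says: roles and employment status
    user_id: str
    roles: Set[str]
    active: bool = True  # False once HR records the leaving date

@dataclass
class Account:  # what the ICT side holds: the account and its live entitlements
    user_id: str
    entitlements: Set[str] = field(default_factory=set)
    enabled: bool = True

class IAMSystem:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit: List[Tuple[str, str, str, str]] = []  # (actor, action, subject, detail)

    def _log(self, actor: str, action: str, subject: str, detail: str = "") -> None:
        self.audit.append((actor, action, subject, detail))

    def entitlements_for(self, roles: Set[str]) -> Set[str]:
        return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in roles))

    # Joiner: the account is derived from the HR record, never hand-built.
    def provision(self, rec: HRRecord, actor: str = "hr-feed") -> None:
        self.accounts[rec.user_id] = Account(rec.user_id, self.entitlements_for(rec.roles))
        self._log(actor, "PROVISION", rec.user_id, ",".join(sorted(rec.roles)))

    # Leaver: disable and strip rights; the account stays for audit history.
    def deprovision(self, user_id: str, actor: str = "hr-feed") -> None:
        acct = self.accounts[user_id]
        acct.enabled, acct.entitlements = False, set()
        self._log(actor, "DEPROVISION", user_id)

    # Ad-hoc grant outside the role model: permitted, but audited and later flagged.
    def grant(self, user_id: str, entitlement: str, actor: str) -> None:
        self.accounts[user_id].entitlements.add(entitlement)
        self._log(actor, "GRANT", user_id, entitlement)

    # Authorization decision ("what can you do?"); every answer is audited.
    def authorize(self, user_id: str, entitlement: str) -> bool:
        acct = self.accounts.get(user_id)
        ok = acct is not None and acct.enabled and entitlement in acct.entitlements
        self._log(user_id, "ALLOW" if ok else "DENY", user_id, entitlement)
        return ok

    # Control: compare the ICT reality with the HR source of truth.
    def reconcile(self, hr: Dict[str, HRRecord]) -> Dict[str, object]:
        orphaned, excess = [], {}
        for uid, acct in self.accounts.items():
            rec = hr.get(uid)
            if acct.enabled and (rec is None or not rec.active):
                orphaned.append(uid)  # a leaver who still has a live account
            elif rec is not None:
                extra = acct.entitlements - self.entitlements_for(rec.roles)
                if extra:
                    excess[uid] = extra  # rights that no current role justifies
        return {"orphaned": sorted(orphaned), "excess": excess}

def demo() -> Dict[str, object]:
    """Scenario built from the slides: Julie the student, and an intern who left."""
    hr = {"julie": HRRecord("julie", {"student"}), "wally": HRRecord("wally", {"intern"}),
          "alice": HRRecord("alice", {"intern"})}
    iam = IAMSystem()
    for rec in hr.values():
        iam.provision(rec)
    hr["wally"].active = False  # HR records the departure; nobody runs the leaver step
    iam.grant("alice", "erp:payments", actor="manager")  # "whatever her manager says"
    out: Dict[str, object] = {
        "julie_read": iam.authorize("julie", "portal:read-own-grades"),
        "julie_write": iam.authorize("julie", "portal:write-grades"),
        "wally_before": iam.authorize("wally", "wiki:read"),  # orphaned account still works
    }
    out.update(iam.reconcile(hr))
    for uid in out["orphaned"]:
        iam.deprovision(uid, actor="reconcile")
    out["wally_after"] = iam.authorize("wally", "wiki:read")
    return out
```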

Page 24: Compliance & Identity access management

2. Context in 2014

Page 25: Compliance & Identity access management

Various identities co-exist

Page 26: Compliance & Identity access management

IRL & virtual identity

Page 27: Compliance & Identity access management

Welcome to a digital world

• Internet is based on IP identification
• Everybody has different profiles
• Each platform has a different authentication system
• Users are the weakest link
• Cybercrime increases
• Control means identification
• Data privacy imposes controls & security
• e-discovery imposes ECM

Page 28: Compliance & Identity access management

News…

Page 29: Compliance & Identity access management
Page 30: Compliance & Identity access management

Explosion of IDs

[Chart: number of digital IDs over time, from pre-1980s to the 2000s, as applications moved from mainframe to client-server to Internet and business automation, and identities spread from the company (B2E) to partners (B2B), customers (B2C) and mobility]

Source: Identity and Access Management: Overview, Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd, [email protected]

Page 31: Compliance & Identity access management

The Disconnected Reality

• “Identity Chaos”
  – Many users
  – Many IDs
  – Many logins & passwords
  – Multiple repositories of identity information
  – Multiple user IDs, multiple passwords

[Diagram: Enterprise Directory, HR, Infra Application, Office, In-House Application, External app, Finance and employee Application, each holding its own Authentication, Authorization and Identity Data]

Source: Identity and Access Management: Overview, Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd, [email protected]

Page 32: Compliance & Identity access management

Multiple Contexts

Your COMPANY and your EMPLOYEES, your SUPPLIERS, your PARTNERS, your REMOTE and VIRTUAL EMPLOYEES, your CUSTOMERS

• Customer satisfaction & customer intimacy; cost competitiveness; reach, personalization
• Collaboration; outsourcing; faster business cycles, process automation; value chain
• M&A; mobile/global workforce; flexible/temp workforce

Source: Identity and Access Management: Overview, Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd, [email protected]

Page 33: Compliance & Identity access management

Trends Impacting Identity

Increasing Threat Landscape
• Identity theft costs banks and credit card issuers $1.2 billion in 1 yr
• $250 billion lost from exposure of confidential info

Maintenance Costs Dominate IT Budget
• On average employees need access to 16 apps and systems
• Companies spend $20-30 per user per year for PW resets

Deeper Line of Business Automation and Integration
• One half of all enterprises have SOA under development
• Web services spending growing 45%

Rising Tide of Regulation and Compliance
• SOX, HIPAA, GLB, Basel II, 21 CFR Part 11, …
• $15.5 billion spend on compliance (analyst estimate)

Data Sources: Gartner, AMR Research, IDC, eMarketer, U.S. Department of Justice

Page 34: Compliance & Identity access management

Page 35: Compliance & Identity access management

Pain Points

Business Owner: too expensive to reach new partners, channels; need for control
End User: too many passwords; long waits for access to apps, resources
IT Admin: too many user stores and account admin requests; unsafe sync scripts
Developer: redundant code in each app; rework code too often
Security / Compliance: too many orphaned accounts; limited auditing ability

Source: Identity and Access Management: Overview, Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd, [email protected]

Page 36: Compliance & Identity access management

3. IAM & Cloud computing

Page 37: Compliance & Identity access management

First, what the heck is Cloud Computing?…in simple, plain English please!

Andy Harjanto, I’m cloud confused, http://www.andyharjanto.com

Page 38: Compliance & Identity access management

Let’s use a simple analogy. Say you just moved to a city, and you’re looking for a nice place to live

Page 39: Compliance & Identity access management

You can either build a house or rent an apartment

Page 40: Compliance & Identity access management

If you build a house, there are a few important decisions you have to make…

Page 41: Compliance & Identity access management

How big is the house? Are you planning to grow a large family?

Page 42: Compliance & Identity access management

Remodelling or an addition typically costs a lot more once the house is built

Page 43: Compliance & Identity access management

But, you get a chance to customize it

Page 44: Compliance & Identity access management

Once the house is built, you’re responsible for maintenance: hire a landscaper, an electrician, a plumber; pay property tax, electricity, water; gutter cleaning, heating and cooling, housekeeping

Page 45: Compliance & Identity access management

How about renting?

Page 46: Compliance & Identity access management

Consider a builder in your city who builds a huge number of apartment units

Page 47: Compliance & Identity access management

A unit can easily be converted into 2, 3, 4 or more units

Page 48: Compliance & Identity access management

You make fewer, simpler decisions. You can start with one unit and grow later, or downsize

Page 49: Compliance & Identity access management

But… you do not have a lot of options to customize your unit

Page 50: Compliance & Identity access management

However, builders provide you with very high quality infrastructure:

• high speed Internet
• high capacity electricity
• triple pane windows
• green materials

Page 51: Compliance & Identity access management

No need to worry about maintenance

Page 52: Compliance & Identity access management

Just pay your rent and utilities. Pay as you go

Page 53: Compliance & Identity access management

Let’s translate to Cloud Computing?

Page 54: Compliance & Identity access management

As an end-consumer, believe it or not, you’ve been using the Cloud for a long time

Page 55: Compliance & Identity access management

Most of them are free

Page 56: Compliance & Identity access management

In return, you’re willing to give away your information for ads and other purposes

Page 57: Compliance & Identity access management

But you’ve been enjoying: high reliability service, limited storage, connecting, sharing

Page 58: Compliance & Identity access management

OK, now tell that to the business owner: give up your data, then you can use this infrastructure for free

Page 59: Compliance & Identity access management

“Are you crazy?” will answer the CEO

Page 60: Compliance & Identity access management

My Business Needs… security, privacy, reliability, high availability

Page 61: Compliance & Identity access management

Building Enterprise Software is like… building a Medieval Castle: stone wall, fire-proof, moat, army, death hole

Page 62: Compliance & Identity access management

Let’s hire an army of IT engineers: software upgrade support, backup/restore, service pack, development, network issues

Page 63: Compliance & Identity access management

Let’s build a huge Data Center: capacity planning, disaster plan, cooling management, server crashes

Page 64: Compliance & Identity access management

Your data is replicated 3 or 4 times in their data center: High Availability

Page 65: Compliance & Identity access management

Adding “servers” is a click away. Running in just minutes, not days. High traffic?

Page 66: Compliance & Identity access management

It can even load balance your server traffic

Page 67: Compliance & Identity access management

Expect your Cloud Network to always be up

Page 68: Compliance & Identity access management

Yes, you can even pick where your data and “servers” reside

Don’t forget data privacy issues

Page 69: Compliance & Identity access management

So we know what Cloud is and the choice we have

Page 70: Compliance & Identity access management

Cloud Computing: Definition

• No Unique Definition or General Consensus about what Cloud Computing is …

• Different Perspectives & Focuses (Platform, SW, Service Levels…)

• Flavours:
  – Computing and IT Resources Accessible Online
  – Dynamically Scalable Computing Power
  – Virtualization of Resources
  – Access to (potentially) Composable & Interchangeable Services
  – Abstraction of IT Infrastructure → No need to understand its implementation: use Services & their APIs
  – Some current players, at the Infrastructure & Service Level: Salesforce.com, Google Apps, Amazon, Yahoo, Microsoft, IBM, HP, etc.

Source: The Future of Identity in the Cloud: Requirements, Risks & Opportunities, Marco Casassa Mont, [email protected], HP Labs Systems Security Lab, Bristol, UK, EEMA e-Identity Conference, 2009

Page 71: Compliance & Identity access management

Cloud Computing: Implications

• Enterprise: Paradigm Shift from “Close & Controlled” IT Infrastructures and Services to Externally Provided Services and IT Infrastructures

• Private User: Paradigm Shift from Accessing a Static Set of Services to Dynamic & Composable Services

• General Issues:
  – Potential Loss of Control (on Data, Infrastructure, Processes, etc.)
  – Data & Confidential Information Stored in The Clouds
  – Management of Identities and Access (IAM) in the Cloud
  – Compliance to Security Practice and Legislation
  – Privacy Management (Control, Consent, Revocation, etc.)
  – New Threat Environments
  – Reliability and Longevity of Cloud & Service Providers

Source: The Future of Identity in the Cloud: Requirements, Risks & Opportunities, Marco Casassa Mont, [email protected], HP Labs Systems Security Lab, Bristol, UK, EEMA e-Identity Conference, 2009

Page 72: Compliance & Identity access management

Identity in the Cloud: Enterprise Case

[Diagram: the Enterprise (employees, internal cloud, business apps/services) connected over the Internet to Cloud Provider #1 and Cloud Provider #2, which offer data storage, office apps, on-demand CPUs, printing, CRM, backup and ILM services; each link carries Identity & Credentials, Authentication/Authorization/Audit, User Account Provisioning/De-provisioning, and Data & Confidential Information]

IAM Capabilities and Services Can be Outsourced in The Cloud …

Source: The Future of Identity in the Cloud: Requirements, Risks & Opportunities, Marco Casassa Mont, [email protected], HP Labs Systems Security Lab, Bristol, UK, EEMA e-Identity Conference, 2009

Page 73: Compliance & Identity access management

Identity in the Cloud: Enterprise Case

Issues and Risks [1/2]

• Potential Proliferation of Required Identities & Credentials to Access Services
  → Misbehaviours when handling credentials (writing down, reusing, sharing, etc.)

• Complexity in correctly “enabling” Information Flows across boundaries
  → Security Threats (Enterprise → Cloud & Service Providers, Service Provider → Service Provider, …)

• Propagation of Identity and Personal Information across Multiple Clouds/Services
  → Privacy issues (e.g. compliance to multiple Legislations, Importance of Location, etc.)
  → Exposure of business sensitive information (employees’ identities, roles, organisational structures, enterprise apps/services, etc.)
  → How to effectively Control this Data?

• Delegation of IAM and Data Management Processes to Cloud and Service Providers
  → How to get Assurance that these Processes and Security Practice are Consistent with Enterprise Policies? Recurrent problem for all Stakeholders: Enterprise, Cloud and Service Providers …
  → Consistency and Integrity of User Accounts & Information across various Clouds/Services
  → How to deal with overall Compliance and Governance issues?

Source: The Future of Identity in the Cloud: Requirements, Risks & Opportunities, Marco Casassa Mont, [email protected], HP Labs Systems Security Lab, Bristol, UK, EEMA e-Identity Conference, 2009

Page 74: Compliance & Identity access management

Identity in the Cloud: Enterprise Case

Issues and Risks [2/2]

• Migration of Services between Cloud and Service Providers
  → Management of Data Lifecycle

• Threats and Attacks in the Clouds and Cloud Services
  → Cloud and Service Providers can be the “weakest links” in Security & Privacy
  → Reliance on good security practice of Third Parties

Source: The Future of Identity in the Cloud: Requirements, Risks & Opportunities, Marco Casassa Mont, [email protected], HP Labs Systems Security Lab, Bristol, UK, EEMA e-Identity Conference, 2009

Page 75: Compliance & Identity access management

4. Why do we need IAM?

• Security
• Compliance
• Cost control
• Audit support
• Access control

Page 76: Compliance & Identity access management

Source: ftp://ftp.boulder.ibm.com/software/uk/productnews/tv/vh_-_access_and_identity_management.pdf

Page 77: Compliance & Identity access management

Cost reduction

• Directory Synchronization: “Improved updating of user data: $185 per user/year”, “Improved list management: $800 per list” – Giga Information Group

• Password Management: “Password reset costs range from $51 (best case) to $147 (worst case) for labor alone.” – Gartner

• User Provisioning: “Improved IT efficiency: $70,000 per year per 1,000 managed users”, “Reduced help desk costs: $75 per user per year” – Giga Information Group

Page 78: Compliance & Identity access management

Can We Just Ignore It All?

• Today, the average corporate user spends 16 minutes a day logging on
• A typical home user maintains 12-18 identities
• Number of phishing sites grew over 1600% over the past year
• Corporate IT Ops manage an average of 73 applications and 46 suppliers, often with individual directories
• Regulators are becoming stricter about compliance and auditing
• Orphaned accounts and identities lead to security problems

Source: Microsoft’s internal research and Anti-phishing Working Group

Page 79: Compliance & Identity access management

IAM Benefits

Benefits today (Tactical)
• Save money and improve operational efficiency
• Improved time to deliver applications and service
• Enhance Security
• Regulatory Compliance and Audit

Benefits to take you forward (Strategic)
• New ways of working
• Improved time to market
• Closer Supplier, Customer, Partner and Employee relationships

Source: Identity and Access Management: Overview, Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd, [email protected]

Page 80: Compliance & Identity access management

5. IAM to do list

• Automatic account management
• Archiving
• Data privacy
• Compliance
• Security vs risks
• User identification
• E-business
• M2M

Page 81: Compliance & Identity access management

The triangle

Page 82: Compliance & Identity access management

6. Data protection

Page 83: Compliance & Identity access management

Source: https://www.britestream.com/difference.html

Page 84: Compliance & Identity access management

Need to check

Page 85: Compliance & Identity access management

Legal limits

Page 86: Compliance & Identity access management

Data controller responsibility

Page 87: Compliance & Identity access management

Teleworking

Page 88: Compliance & Identity access management

Data theft

Page 89: Compliance & Identity access management

Page 90: Compliance & Identity access management
Page 91: Compliance & Identity access management

7. IAM & control

Page 92: Compliance & Identity access management
Page 93: Compliance & Identity access management

Data transfer

Page 94: Compliance & Identity access management

• Limitation of control
• Private email
• Penalties
• Who controls

Page 95: Compliance & Identity access management

• Security is mandatory!

Page 96: Compliance & Identity access management

• Technical security
  – Risk analysis
  – Back-up
  – Disaster recovery
  – Identity management
  – Strong logins & passwords

Page 97: Compliance & Identity access management

• Legal security
  – Information in the employment contracts
  – Contracts with subcontractors
  – Code of conduct
  – Compliance
  – Control of the employees

Page 98: Compliance & Identity access management

Control?

Page 99: Compliance & Identity access management

8. E-discovery

Page 100: Compliance & Identity access management

Definition of e-discovery

• Electronic discovery (or e-discovery) refers to discovery in civil litigation which deals with information in electronic format, also referred to as Electronically Stored Information (ESI).

• It means the collection, preparation, review and production of electronic documents in litigation discovery.

• Any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.

• This includes e-mail, attachments, and other data stored on a computer, network, backup or other storage media. e-Discovery includes metadata.

Page 101: Compliance & Identity access management

Recommendations

Organizations should update and/or create information management policies and procedures that include:

– e-mail retention policies. On an individual level, employees tend to keep information on their hard drives “just in case” they might need it. Work with users to rationalize their storage requirements and decrease their storage budget.
– off-line and off-site data storage retention policies,
– controls defining which users have access to which systems and under what circumstances,
– instructions for how and where users can store data, and
– backup and recovery procedures.
– Assessments or surveys should be done to identify business functions, data repositories, and the systems that support them.
– Legal must be consulted. Organizations and their legal teams should work together to create and/or update their data retention policies and procedures for managing litigation holds.

Page 102: Compliance & Identity access management

9. Conclusion

• IAM is a legal question, not only business & IT
• Compliance is important
• More security due to
  – Cloud computing
  – Virtualisation
  – Data privacy
  – Archiving
• Transparency
• E-discovery

Page 103: Compliance & Identity access management

IAM could be an opportunity

• Rethink security
• Risk reduction
• Cost reduction
• Precise roles & responsibilities

Page 104: Compliance & Identity access management

http://www.novell.com/docrep/2013/09/The_Forrester_Wave_IAM_9_4_13.pdf

Page 105: Compliance & Identity access management

http://ts.fujitsu.com/rl/Fujitsu_Forum_2013/documentation/BOSB110a_20131030_v3_final_Security.pdf

Page 106: Compliance & Identity access management

Any question?

Page 107: Compliance & Identity access management

Jacques Folon, [email protected]