
5 reasons your iam solution will fail


DESCRIPTION

Recent security breaches by trusted insiders have propelled Identity and Access Management (IAM) to the top security priority of many organizations. After all, it’s clear security is only as strong as its weakest link – people – and the press is full of articles documenting the damage people can do. So it’s natural for security managers to want to shore up their IAM infrastructure to avoid similar embarrassment. But IAM needs to be approached with an eye towards the full extended environment and by taking associated risks into account. In other words, whether you are starting from scratch or taking on new IAM challenges such as cloud security, there are certain IAM tenets you should follow to build a successful, effective IAM solution. Don’t join the Hall of Shame by having a security breach at your organization. Attend this webcast to learn five ways a typical IAM solution can fail, so you don’t make the same mistakes. View the full on-demand webcast: https://www2.gotomeeting.com/register/410951466


Page 1: 5 reasons your iam solution will fail

© 2013 IBM Corporation

IBM Security Systems

Chris Poulin, IBM Security Systems

July, 2014

5 Reasons your IAM Solution Will Fail

Page 2: 5 reasons your iam solution will fail


In this era of Mobile, Cloud, & Social, security is a major concern


Mobile
• 50% of employers will require BYOD for work by 2017
• 90% of the top mobile apps have been hacked

Cloud
• 55% of CIOs will source all their critical applications in the Cloud by 2020
• 72% of organizations saw unauthorized access to cloud in the past 12 months

Social
• 54% of CIOs cited Social Media as one of the most disruptive technologies
• 75% of enterprises cited social media as the top information security risk

Source: 1. Gartner – May 2013

Page 3: 5 reasons your iam solution will fail


More than half a billion records of personally identifiable information (PII) were leaked in 2013

Page 4: 5 reasons your iam solution will fail


Enterprise Security is only as strong as its weakest link – Identity

• 55% of scam and phishing incidents are campaigns enticing users to click on malicious links
• Criminals are selling stolen or fabricated accounts
• Social media is fertile ground for pre-attack intelligence gathering

Source: IBM X-Force® Research 2013 Trend and Risk Report

Mobile and Cloud are breaking down the traditional perimeter

IAM becomes the first line of defense with Threat and Context awareness

Page 5: 5 reasons your iam solution will fail


Reason #1: Human Factors—User Behavior

Users will try to get around strict policies:
• Invest minimum effort in creating passwords
  – Lack of strength and variety
  – Across multiple authentication domains
• Not enable out-of-band / multi-factor auth
• Use 3rd-party cloud services over enterprise provided ones
• Store passwords in Evernote

…plus strong passwords can sometimes jeopardize safety

Page 6: 5 reasons your iam solution will fail


Reason #2: Identity Sprawl

Multiple internal authentication sources:
• Microsoft Active Directory
• Legacy systems and directories
• Custom applications

…and external directories:
• Cloud services
• Social media networks

Directories, Databases, Files, SAP, Web Services, Applications

Page 7: 5 reasons your iam solution will fail


Reason #3: Losing Control

Device ownership model is changing:
• Mobile devices (smart phones & tablets)
• BYOD, including employee-owned laptops
• Not all devices have the concept of identity: the holder is the owner

Page 8: 5 reasons your iam solution will fail


Reason #4: Rogue Privileged Insiders

Those with administrative privileges can abuse that trust for:
• Profit
• Revenge
• Convenience

“$348B a year in corporate losses can be tied directly to privileged user fraud.” – Raytheon, “Privileged Users” whitepaper, 2014

Page 9: 5 reasons your iam solution will fail


Reason #5: Lack of Visibility—If You Can’t See It...

...is it really a threat?

What are your users up to? How do you know? How do you prove it?

When you turn on the lights, the cockroaches skitter under the fridge.

=> Visibility, monitoring, auditing

Page 10: 5 reasons your iam solution will fail


Avoiding the 5 pitfalls of identity and access management

• User Behavior: Single Sign-on; Context-based authentication; Risk-based transaction context
• Identity Sprawl: Directory integration; Federated identity (inc SCIM)
• Control / BYOD: One-time registration; Device fingerprinting
• Privileged ID: Eliminate shared passwords; Audit super users; Record sessions
• Visibility: Security intelligence; Follow user activity; Detect & report anomalous behavior

Page 11: 5 reasons your iam solution will fail

How to enable security through IAM


• User behavior: simplify their experience through context-based authentication
• Identity sprawl: connect your directory stores, in-house, in the cloud, on the web
• Mobile & BYOD: trust the device, trust the application, trust the transaction
• Privileged Users: inventory, control, and track administrative users & credentials
• Lack of visibility: Security Intelligence

Page 12: 5 reasons your iam solution will fail


Single Sign-On to web based applications on mobile devices

Single sign-on & elimination of password entry using ESSO

Results: Users don’t need to remember multiple passwords, improving access security

Page 13: 5 reasons your iam solution will fail


SSO to Enterprise Applications/Data

1. User accesses data from inside the corporate network
2. User is only asked for User Id and Password to authenticate
3. User accesses confidential data from outside the corporate network
4. User is asked for User Id/Password and OTP based on risk score

(Diagram: Corporate Network; Outside the Corporate Network; Audit Log; Strong Authentication)

• Security gateway for user access based on risk-level (e.g. permit, deny, step-up authenticate)
• Risk scoring using user attributes and real-time context (e.g. device registration, geolocation, IP reputation, etc.)
• Supports built-in One-Time Password (OTP) and ability to integrate with 3rd-party strong authentication vendors
• Software Development Kit (SDK) for 3rd-party integration and extensibility

Context-based authentication & access, based on risk

IBM Security Access Manager

Page 14: 5 reasons your iam solution will fail


Access Operations (Grant/Deny):

• An authorized user requests access to the portal and SSO: Grant
• Password is stolen, session is hijacked and HTTP content is compromised: Deny
• HTTP content contains common vulnerabilities such as SQL Injection, Cross-site scripting, Cross-site request forgery: Deny
• IP Address has a low IP Reputation score and Geo Location allowed: Deny
• Enforce step-up authentication or context-based access to restore authorized user access: Grant

(Diagram: Portal, Web Applications (e.g. Java, .NET, more); B2B Partners, Citizens, Mobile users; Supply Chain)

Secure access and protect content against targeted attacks

IBM Security Access Manager

Page 15: 5 reasons your iam solution will fail


Identity-aware application access on mobile devices

Before: Name/Password for every app launch
After: One-time registration code; identity-aware application launch

(Diagram: Application Server; IBM Security Access Manager)

• Eliminate user id and password based login on mobile apps
• Assurance through one time registration code to link device with application and user identity
• Identity and Device “Fingerprinting” - silent and consent based device registration
• Self-service user interface for device registration and access revocation

Page 16: 5 reasons your iam solution will fail


Risk-based access and stronger authentication for transactions

User attempts high-value transaction → Strong authentication challenge → Transaction completes

Reduce risk associated with mobile user and service transactions. Example: transactions less than $100 are allowed with no additional authentication; a user attempting a transfer of an amount greater than $100 requires an OTP for strong authentication.
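The decision flow that slides 13, 14 and 16 describe (score the request from network location, device registration, geolocation, IP reputation and transaction amount, then permit, deny, or step up to an OTP) can be written down as a small policy function. The block below is an added example, not IBM Security Access Manager code: the `AccessContext` type, the signal weights, the reputation scale and the thresholds are assumptions chosen for illustration; only the $100 transaction limit comes from the deck.

```python
"""Risk-based access decision in the style of the gateway the slides describe.

Added example: this is not IBM Security Access Manager code. The context
attributes are the ones the slides name (network location, device
registration, geolocation, IP reputation, transaction amount); the weights,
thresholds and the `AccessContext` type are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    PERMIT = "permit"
    STEP_UP = "step-up"   # user id/password is not enough: also require an OTP
    DENY = "deny"


@dataclass(frozen=True)
class AccessContext:
    user: str
    inside_corporate_network: bool
    device_registered: bool
    geo_allowed: bool
    ip_reputation: int            # assumed scale: 0 (worst) .. 100 (best)
    transaction_amount: float = 0.0


# Assumed policy knobs. Only HIGH_VALUE_LIMIT comes from the deck (slide 16).
HIGH_VALUE_LIMIT = 100.0
LOW_REPUTATION = 30
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 80


def risk_score(ctx: AccessContext) -> int:
    """Additive score from the soft risk signals, capped at 100."""
    score = 0
    if not ctx.inside_corporate_network:
        score += 30   # slide 13: access from outside the corporate network raises risk
    if not ctx.device_registered:
        score += 20   # unregistered device (slide 15 links device to app and user)
    if not ctx.geo_allowed:
        score += 50
    if ctx.transaction_amount > HIGH_VALUE_LIMIT:
        score += 30   # slide 16: transfers above $100 need strong authentication
    return min(score, 100)


def decide(ctx: AccessContext, otp_verified: bool = False) -> Decision:
    """Map a request context to permit / step-up / deny.

    A low IP reputation is a hard stop (slide 14 denies it even when the
    geolocation is allowed); everything else is scored. A verified OTP
    restores access after a step-up but never overrides a deny.
    """
    if ctx.ip_reputation < LOW_REPUTATION:
        return Decision.DENY
    score = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        return Decision.DENY
    if score >= STEP_UP_THRESHOLD and not otp_verified:
        return Decision.STEP_UP
    return Decision.PERMIT


def audit_entry(ctx: AccessContext, decision: Decision) -> str:
    """One line for the audit log shown on slide 13 (the format is an assumption)."""
    return (f"user={ctx.user} inside={ctx.inside_corporate_network} "
            f"registered={ctx.device_registered} geo_ok={ctx.geo_allowed} "
            f"ip_rep={ctx.ip_reputation} amount={ctx.transaction_amount:.2f} "
            f"score={risk_score(ctx)} decision={decision.value}")


if __name__ == "__main__":
    # Constructed scenarios mirroring the slides' numbered steps.
    for ctx in (
        AccessContext("alice", True, True, True, 90),            # inside, routine access
        AccessContext("alice", False, True, True, 90),           # outside: OTP required
        AccessContext("alice", True, True, True, 90, 250.0),     # $250 transfer: OTP required
        AccessContext("mallory", False, False, True, 10),        # bad IP reputation: deny
    ):
        print(audit_entry(ctx, decide(ctx)))
```

The point worth keeping from the slides is the ordering: hard signals (reputation) are checked before the score, the OTP only lifts a step-up and never a deny, and every decision is written to the audit log with the inputs that produced it, so a later review can explain why a user was challenged.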

Page 17: 5 reasons your iam solution will fail


Migrate or co-exist

• Join multiple directories
• Enrich with data from other sources
• Federate authentication back to original source
• Selective “writes” of changes to the original source

Create a single source of truth for identity information using Federated Directory Services

SCIM REST interface for LDAP server

“Untangle” identity silos with directory integration and federation

Page 18: 5 reasons your iam solution will fail


Privileged User Activity Monitoring:
• Recording and logging of user activity in sessions accessed through a shared ID
• Discourage users with privilege from abusing their rights

Find, control, and track privileged & shared identity activity

Page 19: 5 reasons your iam solution will fail


Full visibility and accountability with closed-loop IAM analytics

(Diagram: IAM Analytics & Security Intelligence; Accounts Updated; Access Certification; Access Policy; Identity Change; Detect and Correct Local Privilege Settings; HR Systems/Identity Stores, Data, Applications; On/Off-premise Resources; Cloud, Mobile; Identity Management; Risk Based Access)

Real-time insider fraud detection with integrated IAM Analytics and Security Intelligence

Page 20: 5 reasons your iam solution will fail


Detect threats, monitor user activity and detect anomalies

• Identity and Access Manager event logs offer rich insights into actual users and their roles

• IAM integration with QRadar SIEM provides detection of break-ins tied to actual users & roles
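What "detection tied to actual users & roles" looks like in practice is a set of rules run over IAM events that carry a user identity. The block below is an added example, not IBM or QRadar code: the log format, the field names (`user`, `event`, `result`, `geo`, `operator`), the shared-ID list, the three rules and the sample lines are all constructed for illustration. Rule 1 also covers slide 18's point that a session through a shared privileged ID should be attributable to a named person.

```python
"""Anomaly detection over IAM event logs (added example, not IBM's or QRadar's code).

Assumed log format, one event per line:
    <ISO-8601 UTC timestamp> key=value key=value ...
All field names, the shared-ID list, the rules and the sample lines are
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>(?:\w+=\S+\s*)+)$")

# Assumed: privileged accounts that are shared rather than personal.
SHARED_IDS = {"root", "dbadmin"}
# Assumed: how many failures before a success is suspicious.
FAILED_LOGIN_LIMIT = 3


def parse_event(line):
    """Turn one log line into a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
    for kv in m.group("fields").split():
        key, _, value = kv.partition("=")
        ev[key] = value
    return ev


def detect_anomalies(lines, known_geo):
    """Return (rule, user, timestamp) tuples.

    known_geo is a baseline {user: set(country codes)} learned from history
    (assumed to be supplied by the caller).
    """
    alerts = []
    failures = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        user = ev.get("user")
        # Rule 1: a shared privileged ID used without a named operator recorded.
        if user in SHARED_IDS and "operator" not in ev:
            alerts.append(("shared-id-unattributed", user, ev["ts"]))
        if ev.get("event") != "login":
            continue
        if ev.get("result") == "failure":
            failures[user] += 1
            continue
        # Successful login from here on.
        # Rule 2: login from a country never seen for this user.
        geo = ev.get("geo")
        if geo and geo not in known_geo.get(user, set()):
            alerts.append(("new-geolocation", user, ev["ts"]))
        # Rule 3: a burst of failures immediately followed by a success.
        if failures[user] >= FAILED_LOGIN_LIMIT:
            alerts.append(("success-after-failures", user, ev["ts"]))
        failures[user] = 0
    return alerts


# Constructed sample log: one travelling user, one brute-forced user,
# one attributed and one unattributed use of a shared admin account.
SAMPLE_LOG = """\
2014-07-08T08:55:02Z user=alice event=login result=success src_ip=10.1.4.22 geo=US
2014-07-08T09:10:41Z user=alice event=login result=success src_ip=203.0.113.9 geo=BR
2014-07-08T09:12:00Z user=bob event=login result=failure src_ip=198.51.100.7 geo=US
2014-07-08T09:12:05Z user=bob event=login result=failure src_ip=198.51.100.7 geo=US
2014-07-08T09:12:09Z user=bob event=login result=failure src_ip=198.51.100.7 geo=US
2014-07-08T09:12:20Z user=bob event=login result=success src_ip=198.51.100.7 geo=US
2014-07-08T10:00:00Z user=dbadmin event=login result=success src_ip=10.1.4.50 geo=US operator=carol
2014-07-08T10:30:00Z user=dbadmin event=login result=success src_ip=10.1.4.51 geo=US
"""
KNOWN_GEO = {"alice": {"US"}, "bob": {"US"}, "dbadmin": {"US"}}


def run_sample():
    """Run the rules over the constructed sample log."""
    return detect_anomalies(SAMPLE_LOG.splitlines(), KNOWN_GEO)


if __name__ == "__main__":
    for rule, user, ts in run_sample():
        print(f"{ts.isoformat()} {rule} user={user}")
```

Each alert names a user, which is what turns a raw event into something an analyst can act on; the same rules with only an IP address would tell you a login looked odd but not whose entitlements to review.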

Page 21: 5 reasons your iam solution will fail


Manage Enterprise Identity Context Across All Security Domains

Complete Threat-aware Identity and Access Management

Page 22: 5 reasons your iam solution will fail


Identity is a key security control for a multi-perimeter world

Today: Administration
• Operational management
• Compliance driven
• Static, Trust-based
IAM is centralized and internal (Enterprise IAM)

Tomorrow: Assurance
• Security risk management
• Business driven
• Dynamic, context-based
IAM is decentralized and external (Enterprise IAM; Cloud IAM; IaaS, PaaS; SaaS; BYO-IDs; Device-IDs; App IDs)

Page 23: 5 reasons your iam solution will fail


Organizations use a maturity model for IAM to support security

Domains: Compliance, Mobile Security, Cloud Security, IAM Governance, Privileged IdM

Optimized
• Security Intelligence: User activity monitoring, Anomaly detection, Identity Analytics & Reporting
• IAM Integration with GRC
• Fine-grained entitlements
• Integrated Web & Mobile Access Gateway
• Risk / Context based Access
• Governance of SaaS applications
• IAM as a SaaS
• IAM integration with GRC
• Risk / Context-based IAM Governance
• Risk / Context-based Privileged Identity Mgmt

Proficient
• Closed-loop Identity & Access Mgmt
• Strong Authentication
• Strong Authentication (e.g. device based)
• Web Application Protection
• Bring your own ID
• Integrated IAM for IaaS, PaaS & SaaS (Enterprise)
• Closed-loop Identity and Access Mgmt
• Access Certification & fulfillment (Enterprise)
• Closed-loop Privileged Identity Mgmt

Basic
• Request based Identity Mgmt
• Web Access Management
• Federated SSO
• Mobile User Access Management
• Federated access to SaaS (LoB)
• User Provisioning for Cloud/SaaS
• Access Certification (LoB)
• Request based Identity Mgmt.
• Shared Access and Password Management

Page 24: 5 reasons your iam solution will fail


Landscape of Identity & Access Management market is evolving

By 2020, 70% of enterprises will use attribute-based access control as the dominant mechanism to protect critical assets ... and 80% of user access will be shaped by new mobile and non-PC architectures that service all identity types regardless of origin.[1]

With the growing adoption of mobile, adaptive authentication & fine-grained authorization, traditional Web Access Management is being replaced by a broader “access management.”[1]

A clear need exists in the market for a converged solution[2] that is able to provide or integrate with MDM, authentication, federation, and fraud detection solutions.[3]

1 Gartner, Predicts 2014: Identity and Access Management, November 26, 2013
2 Gartner, MarketScope for Web Access Management, November 15, 2013
3 Forrester, Predictions 2014: Identity and Access Management, January 7, 2014

Page 25: 5 reasons your iam solution will fail


Deliver actionable identity intelligence
Safeguard mobile, cloud and social access
Simplify cloud integrations and identity silos
Prevent advanced insider threats

• Validate “who is who” especially when users connect from outside the enterprise
• Proactively enforce access policies on web, social and mobile collaboration channels
• Manage and audit privileged access across the enterprise
• Defend applications and data against unauthorized access
• Provide federated access to enable secure online business collaboration
• Unify “Universe of Identities” for efficient directory management
• Streamline identity management across all security domains
• Manage and monitor user entitlements and activities with security intelligence

Threat-aware Identity and Access Management becomes the first line of defense for securing a multi-perimeter world

Page 26: 5 reasons your iam solution will fail


Connect with IBM Security

IBM Security Insights blog at www.SecurityIntelligence.com

www.ibm.com/Identity-Access-Management

Follow us at @ibmsecurity

Page 27: 5 reasons your iam solution will fail


www.ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
