Assessing the Risk of Identity and Access
Venkat Rajaji
VP Product Management and Marketing- Courion Corporation
@vrajaji
June 10, 2015
Courion Mission
Help customers succeed in a world of open access and increasing threats.
Customer Need
Access to: Mobile Apps, Cloud Systems & Apps, Systems & Apps, Data, Resources, Assets.
Ensure the Right People have the Right Access to the Right Resources and are doing the Right Things.
The Stresses and Strains of Access
INFRASTRUCTURE: Mobility, Cloud App Adoption, Virtualization, New App Roll-outs, System Upgrades, New Infrastructure
BUSINESS CHANGE: Reorganization, New Product Intro, Union Strikes, Mergers & Acquisitions, Geographic Expansion, New Partnerships
ROUTINE CHANGE: Hiring, Promotions, Transfers, Termination, Project Teams, Customer Acquisition, Customer Management
Sarbanes-Oxley Act (SOX) ~ PCAOB ~ SAS 94 ~ AICPA/CICA Privacy Framework ~ AICPA Suitable Trust Services Criteria ~ SEC Retention of Records, 17 CFR 210.2-06 ~ SEC Controls and Procedures, 17 CFR 240.15d-15 ~ SEC
Reporting Transactions and Holdings, 17 CFR 240.16a-3 ~ Basel II ~ BIS Sound Practices for the Management and Supervision of Operational Risk ~ Gramm-Leach-Bliley Act (GLB) ~ Standards for Safeguarding Customer Info., FTC 16
CFR 314 ~ Privacy of Consumer Financial Info. Rule ~ Safety and Soundness Standards, Appendix of 12 CFR 30 ~ FFIEC Info. Security ~ FFIEC Development Acquisition ~ FFIEC Business Continuity Planning ~ FFIEC Audit ~ FFIEC
Management ~ FFIEC Operations ~ NASD ~ NYSE ~ Recordkeeping rule for securities exchanges, SEC 17 CFR 240.17a-1 ~ Records to be made by exchange members, SEC 17 CFR 240.17a-3 ~ Records to be preserved by exchange
members, SEC 17 CFR 240.17a-4 ~ Recordkeeping, SEC 17 CFR 240.17Ad-6 ~ Record retention, SEC 17 CFR 240.17Ad-7 ~ HIPAA (Health Insurance Portability and Accountability Act) ~ HIPAA HCFA Internet Security Policy ~ NIST
Introductory Resource Guide for [HIPAA] (800-66) ~ CMS Core Security Requirements (CSR) ~ CMS Info. Security Acceptable Risk Safeguards (ARS) ~ CMS Info. Security Certification & Accreditation (C&A) ~ FDA Electronic Records;
Electronic Signatures 21 CFR Part 11+D1 ~ Federal Energy Regulatory Commission (FERC) ~ North American Electric Reliability Council (NERC) ~ VISA CISP (Cardholder Info. Security Program) ~ Mastercard SDP (Site Data Protection)
Program ~ American Express DSS (Data Security Standard) ~ PCI DSS (Payment Card Industry Data Security Standard) ~ FTC ESIGN (Electronic Signatures in Global and National Commerce Act) ~ Uniform Electronic Transactions Act
(UETA) ~ FISMA (Federal Info. Security Management Act) ~ FISCAM (Federal Info. System Controls Audit Manual) ~ FIPS Security Requirements for Cryptographic Modules 140-2 ~ FIPS Guideline for the Analysis of LAN Security 191 ~
FIPS Application Profile for GILS 192 ~ Clinger-Cohen Act (Info. Technology Management Reform Act) ~ National Strategy to Secure Cyberspace ~ GAO Financial Audit Manual ~ DOD ...Standard for Electronic Records Management
Software...5015-2 ~ CISWG Report on the Best Practices Subgroup ~ CISWG Info. Security Program Elements ~ NCUA Guidelines for Safeguarding Member Info. 12 CFR 748 ~ IRS Revenue Procedure: Retention of books and records 97-
22 ~ IRS Revenue Procedure: Record retention: automatic data processing… 98-25 ~ IRS Internal Revenue Code Section 501(c)(3) ~ Federal Rules of Civil Procedure ~ Uniform Rules of Civil Procedure ~ ISO 15489-1 Info. and
Documentation: Records mgmt.: General ~ ISO 15489-2 Info. and Documentation: Records management: Guidelines ~ DIRKS: A Strategic Approach to Managing Business Info. ~ Sedona Principles Addressing Elec. Document Production ~
NIST ...Principles and Practices for Securing IT Systems 800-14 ~ NIST ...Developing Security Plans for Federal Info. Systems 800-18 ~ NIST Security Self-Assessment Guide... 800-26 ~ NIST Risk Management Guide... 800-30 ~ NIST
Contingency Planning Guide... 800-34 ~ NIST ...Patch and Vulnerability Management Program 800-40 ~ NIST Guidelines on Firewalls and Firewall Policy 800-41 ~ NIST Security Controls for Federal Info. Sys 800-53 ~ NIST ...Mapping...Info.
and...Systems to Security Categories 800-60 ~ NIST Computer Security Incident Handling Guide 800-61 ~ NIST Security Considerations in...Info. Sys Development 800-64 ~ ISO 73:2002 Risk management -- Vocabulary ~ ISO 1335 Info.
technology – Guidelines for management of IT Security ~ ISO 17799:2000 Code of Practice for Info. Security Management ~ ISO 27001:2005 ...Info. Security Management Systems -- Requirements ~ IT Info. Library (ITIL) Planning to
Implement Service Management ~ IT Info. Library (ITIL) ICT Infrastructure Management ~ IT Info. Library (ITIL) Service Delivery ~ IT Info. Library (ITIL) Service Support ~ IT Info. Library (ITIL) App. Management ~ IT Info. Library (ITIL)
Security Management ~ COSO Enterprise Risk Management (ERM) Framework ~ CobiT 3rd Edition ~ CobiT 4th Edition ~ ISACA IS Standards, Guidelines, and Procedures for Auditing and Control... ~ NFPA 1600 ...Disaster/Emergency
Management and Business Continuity... ~ Info. Security Forum (ISF) Standard of Good Practice ~ Info. Security Forum (ISF) Security Audit of Networks ~ A Risk Management Standard, jointly issued by AIRMIC, ALARM, and IRM ~ Business
Continuity Institute (BCI) Good Practice Guidelines ~ IIA Global Technology Audit Guide - Info. Technology Controls ~ ISSA Generally Accepted Info. Security Principles (GAISP) ~ CERT Operationally Critical Threat, Asset & Vulnerability
Evaluation (OCTAVE) ~ Cable Communications Privacy Act Title 47 § 551 ~ Telemarketing Sales Rule (TSR) amendment 16 CFR 310.4(b)(3)(iv) ~ CAN SPAM Act ~ Children's Online Privacy Protection Act (COPPA) 16 CFR 312 ~
Children's Online Privacy Protection Act (COPPA) 16 CFR 312 ~ Driver's Privacy Protection Act (DPPA) 18 USC 2721 ~ Family Education Rights Privacy Act (FERPA) 20 USC 1232 ~ Privacy Act of 1974 5 USC 552a ~ Telemarketing Sales
Rule (TSR) 16 CFR 310 ~ Video Privacy Protection Act (VPPA) 18 USC 2710 ~ Specter-Leahy Personal Data Privacy and Security Act ~ AR Personal Info. Protection Act SB 1167 ~ AZ Amendment to Arizona Revised Statutes 13-2001 HB
2116 ~ CA Info. Practice Act SB 1386 ~ CA General Security Standard for Businesses AB 1950 ~ CA Public Records Military Veteran Discharge Documents AB 1798 ~ CA OPP Recommended Practices on Notification of Security Breach ~
CO Prohibition against Using Identity Info. for Unlawful Purpose HB 1134 ~ CO Consumer Credit Solicitation Protection HB 1274 ~ CO Prohibiting Inclusion of Social Security Number HB 1311 ~ CT Requiring Consumer Credit Bureaus to
Offer Security Freezes SB 650 ~ CT Concerning Nondisclosure of Private Tenant Info. HB 5184 ~ DE Computer Security Breaches HB 116 ~ FL Personal Identification Info./Unlawful Use HB 481 ~ GA Consumer Reporting Agencies SB 230
~ GA Public employees; Fraud, Waste, and Abuse HB 656 ~ HI Exempting disclosure of Social Security numbers HB 2674 ~ IL Personal Info. Protection Act HB 1633 ~ IN Release of Social Security Number, Notice of Security Breach SB 503
~ LA Database Security Breach Notification Law SB 205 Act 499 ~ ME To Protect ME Citizens from Identity Theft LD 1671 ~ MN Data Warehouses; Notice Required for Certain Disclosures HF 2121 ~ MO HB 957 ~ MT To Implement
Individual Privacy and to Prevent Identity Theft HB 732 ~ NJ Identity Theft Prevention Act A4001/S1914 ~ NY A4254, A3492 [no title] ~ NV SB 347 [no title] ~ NC Security Breach Notification Law (Identity Theft Protection Act) SB 1048 ~ ND
Personal Info. protection act SB 2251 ~ OH Personal Info. -- contact if unauthorized access HB 104 ~ RI Security Breach Notification Law H 6191 ~ TN Security Breach Notification SB 2220 ~ TX Identity Theft Enforcement and Protection Act
SB 122 ~ VT Relating to Identity Theft HB 327 ~ VA Identity theft; penalty; restitution; victim assistance HB 872 ~ WA Notice of a breach of the security SB 6043 ~ EU Directive on Privacy and Electronic Communications 2002/58/EC ~ EU
Directive on Data Protection 95/46/EC ~ US Department of Commerce EU Safe Harbor Privacy Principles ~ ...Consumer Interests in the Telecommunications Market Act No. 661 ~ Directive On Privacy And Electronic Communications
2002.58.EC ~ OECD Technology Risk Checklist ~ OECD Guidelines on...Privacy and Transborder Flows of Personal Data ~ UN Guidelines for the Regulation of Computerized Personal Data Files (1990) ~ ISACA Cross-border Privacy Impact
Assessment ~ The Combined Code on Corporate Governance ~ Turnbull Guidance on Internal Control, UK FRC ~ Smith Guidance on Audit Comm. Combined Code, UK FRC ~ UK Data Protection Act of 1998 ~ BS 15000-1 IT Service
Management Standard ~ BS 15000-2 IT Service Management Standard - Code of Practice ~ Canada Keeping the Promise for a Strong Economy Act Bill 198 ~ Canada Personal Info. Protection and Electronic Documents Act ~ Canada
Privacy Policy and Principles ~ Argentina Personal Data Protection Act ~ Mexico Federal Personal Data Protection Law ~ Austria Data Protection Act ~ Austria Telecommunications Act ~ Bosnia Law on Protection of Personal Data ~ Czech
Republic Personal Data Protection Act ~ Denmark Act on Competitive Conditions and Consumer Interests ~ Finland Personal Data Protection Act ~ Finland Amendment of the Personal Data Act ~ France Data Protection Act ~ German
Federal Data Protection Act ~ Greece Law on Personal Data Protection ~ Hungary Protection of Personal Data and Disclosure of Data of Public Interest ~ Iceland Protection of Privacy as regards the Processing of Personal Data ~ Ireland
Data Protection Act ~ Ireland Data Protection Amendment 2003 ~ Italy Personal Data Protection Code ~ Italy Protection of Individuals with Regard to...Processing of Personal Data ~ Lithuania Law on Legal Protection of Personal Data ~
Luxembourg Data Protection Law ~ Netherlands Personal Data Protection Act ~ Poland Protection of Personal Data Act ~ Slovak Republic Protection of Personal Data in Info. Systems ~ Slovenia Personal Data Protection Act ~ South Africa
Promotion of Access to Info. Act ~ Spain Organic law on the Protection of Personal Data ~ Sweden Personal Data Act ~ Swiss Federal Act on Data Protection ~ Australian Business Continuity Management Guide ~ Australia Spam Act of
2003 ~ Australia Privacy Amendment Act ~ Australia Telecommunications Act ~ Australia Spam Act 2003: A Practical Guide for Business ~ Hong Kong Personal Data (Privacy) Ordinance ~ Hong Kong Personal Data (Privacy) Ordinance ~
India Info. Privacy Act ~ Japan Guidelines for Personal Data Protection in Electronic Commerce, ECOM ~ Japan Handbook Concerning Protection of Intl’ Data, MITI ~ Japan Personal Info. Protection Act ~ Korea Act on the Promotion of
Info....Protection ~ Korea Act on the Protection of Personal Info....by Public Agencies ~ Korea Use and Protection of Credit Info. Act ~ New Zealand Privacy Act ~ Taiwan Computer-Processed Personal Data Protection Law
Along comes regulation
Who has access to what?
What does that access allow them to do?
Why do they need that access?
• A broader and ever-exploding attack surface and diversity of infrastructure
• Super sophisticated attacker ecosystem
  • Looking for weaknesses in the infrastructure
  • Armed with increasingly sophisticated and specialized tools and services
Result…
Source: Verizon 2015 PCI Compliance Report
Source: PWC Global State of Information Security Survey, 2015
Top Audit Findings (percentage of respondents; series for 2012, 2010 and 2009)
Lack of sufficient segregation of duties
Removal of access following a transfer or termination
Excessive developers' access to production systems and data
Excessive access rights
Chart values as extracted: 30%, 18%, 22%, 31%, 31%, 27%, 31%, 38%, 28%, 29%, 29%, 36%
Source: Deloitte Global Financial Services Security Survey
http://www2.deloitte.com/content/dam/Deloitte/global/Documents/Financial-Services/dttl-fsi-SecurityStudy2012.pdf
Source: Verizon Data Breach Investigations Report, 2015
Identity and Access Detection
"Our organization is able to detect if access credentials are misused, or stolen": Agree 42%, Disagree 29%, Don't Know 29%
http://www.courion.com/company/pressreleases.html?id=1093
66 percent of board members are not
confident of their companies' ability to defend
themselves against cyberattacks. Only 4
percent said they were "very" confident.
– CSOOnline.com
In fewer than 40% of cases does the organization identify the breach itself
Source: Verizon 2015 Data Breach Investigations Report
Average time breached before being noticed is 225 days
Source: Ponemon Institute, 2015 HP Sponsored Security Survey
The Elements of Attack
BREACH LIFECYCLE: Malware, Phishing → Command & Control → Lateral Movement → Access Target → Package & Exfiltrate
Controls shown along the lifecycle: Anti-virus, Anti-malware, DLP, SIEM, Deep Packet Inspection
Companies and large organizations still devote most of their security resources to defending networks from external attack, said Chiu. That means once an attacker gets access within a network environment, there is “little or no security on the inside stopping them.”
-csmonitor.com
Identity and Access Management Controls: Provisioning, Governance
The Compliance Process
So… Do you Really Need that Access?
Overcoming the sometimes blind faith that recertification is a panacea.
Privileged accounts and unnecessary entitlements are the access risks that cause the most anxiety
PRIVILEGED ACCOUNTS (accounts with increased levels of permission that provide elevated access to critical networks, systems, applications or transactions): 46.7%
UNNECESSARY ENTITLEMENTS (unneeded or excess access privileges, often in conflict with SoD practices): 31.1%
ABANDONED ACCOUNTS (accounts inactive for a time period exceeding policy): 11.9%
ORPHANED ACCOUNTS (accounts with no administrative oversight): 10.4%
http://www.courion.com/company/pressreleases.html?id=1093
The Big Data Issue of IAM
Trillions of access relationships
POLICIES: 100's of policies & regulations
RESOURCES: 1000's of applications, file shares & resources
ACTIVITY: Millions of actions
RIGHTS: 100's of thousands of access rights & roles
IDENTITY: 100,000's of people, millions of identities
Before: App A, App B, App C, App D and App E each carry their own user list (User 1, User 2, … User 11,243, User 11,244, User 11,255, … User N).
After: the HR System sits above App A through App E, linking each application's user list back to the HR record.
Intelligent Governance
• New account created outside provisioning system
• High risk application
• High risk set of entitlements
• Employee not in HR system
…another
…and another
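The governance signals listed above, together with the four access-risk categories from the survey slide (orphaned, abandoned, unnecessary entitlements, privileged), as one reconciliation check run over constructed account, HR and provisioning data. This is an added example, not Courion's code; the policy values (90-day inactivity threshold, the high-risk application and privileged role lists, a single SoD rule) and all field names are assumptions.

```python
"""Reconciliation of application accounts against HR and provisioning data.

Added example (not Courion's code). Everything below is constructed inline:
the HR roster, the account extracts, and the policy values (90-day inactivity
threshold, high-risk app list, privileged role list, one SoD rule) are all
assumptions made for the demonstration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# --- assumed policy -----------------------------------------------------------
INACTIVITY_DAYS = 90                                    # beyond this an account is "abandoned"
HIGH_RISK_APPS = {"payroll", "prod-db"}                 # constructed high-risk application list
PRIVILEGED_ROLES = {"admin", "dba"}                     # constructed privileged entitlements
SOD_RULES = [({"create-vendor"}, {"approve-payment"})]  # constructed SoD conflict pair


@dataclass
class Account:
    app: str
    account_id: str
    owner: Optional[str]        # HR identity the account maps to; None = no owner known
    entitlements: Set[str]
    last_login: Optional[date]  # None = never used
    via_provisioning: bool      # False = created outside the provisioning system


def assess(acct: Account, hr_active: Set[str], today: date) -> List[str]:
    """Return the governance findings for one account, in the deck's vocabulary."""
    findings: List[str] = []
    if acct.owner is None:
        findings.append("ORPHANED ACCOUNT")            # nobody accountable for it
    elif acct.owner not in hr_active:
        findings.append("EMPLOYEE NOT IN HR SYSTEM")   # owner left, account remained
    if not acct.via_provisioning:
        findings.append("CREATED OUTSIDE PROVISIONING")
    idle = None if acct.last_login is None else (today - acct.last_login).days
    if idle is None or idle > INACTIVITY_DAYS:
        findings.append("ABANDONED ACCOUNT")
    if acct.app in HIGH_RISK_APPS:
        findings.append("HIGH RISK APPLICATION")
    if acct.entitlements & PRIVILEGED_ROLES:
        findings.append("PRIVILEGED ACCOUNT")
    for left, right in SOD_RULES:
        if acct.entitlements & left and acct.entitlements & right:
            findings.append("UNNECESSARY ENTITLEMENTS (SoD conflict)")
    return findings


def reconcile(accounts: List[Account], hr_active: Set[str], today: date) -> Dict[str, List[str]]:
    """Assess every account; the result is keyed app/account_id."""
    return {f"{a.app}/{a.account_id}": assess(a, hr_active, today) for a in accounts}


def worst_first(report: Dict[str, List[str]]) -> List[str]:
    """Order accounts by number of findings, most first (ties broken by name)."""
    return sorted(report, key=lambda k: (-len(report[k]), k))


# --- constructed sample data ----------------------------------------------------
TODAY = date(2015, 6, 10)
HR_ACTIVE = {"alice", "bob"}   # employees still active in HR; "carol" has left
ACCOUNTS = [
    Account("crm", "alice.c", "alice", {"sales-read"}, date(2015, 6, 1), True),
    Account("payroll", "bob.p", "bob", {"create-vendor", "approve-payment"}, date(2015, 5, 30), True),
    Account("prod-db", "dba_tmp", None, {"dba"}, None, False),
    Account("crm", "carol.c", "carol", {"sales-read"}, date(2014, 12, 1), True),
]


def demo() -> Dict[str, List[str]]:
    report = reconcile(ACCOUNTS, HR_ACTIVE, TODAY)
    for key in worst_first(report):
        print(f"{key}: {', '.join(report[key]) or 'no findings'}")
    return report


if __name__ == "__main__":
    demo()
```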
Provisioning Today
Provisioning Request → Policy Evaluation → Approval → Fulfillment (or Reject Request)
Intelligent Provisioning
Provisioning Request → Policy Evaluation → Risk Scoring → Fulfillment
Intelligent Provisioning
Provisioning Request → Policy Evaluation → Risk Scoring → Approval → Fulfillment (or Reject Request)
Intelligent Provisioning
Provisioning Request → Policy Evaluation → Risk Scoring → Approval → Additional Approval → Fulfillment (or Reject Request)
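The four provisioning flows above as one routing function: policy evaluation rejects outright, then a risk score decides between direct fulfillment, approval, or approval plus an additional approval. This is an added example, not Courion's code; the policy rules, risk weights and the two thresholds are assumptions, and the sample requests are constructed.

```python
"""Risk-scored routing of a provisioning request.

Added example (not Courion's code). Policy rules, risk weights, the two
thresholds and the sample requests are all assumptions constructed for
the demonstration.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# --- assumed policy and risk model ---------------------------------------------
HIGH_RISK_APPS = {"payroll", "prod-db"}                 # constructed
PRIVILEGED_ROLES = {"admin", "dba"}                     # constructed
SOD_RULES = [({"create-vendor"}, {"approve-payment"})]  # constructed conflict pair
APPROVAL_THRESHOLD = 3              # score >= 3: route to an approver instead of auto-fulfilling
ADDITIONAL_APPROVAL_THRESHOLD = 6   # score >= 6: a second approval is required as well


@dataclass
class Request:
    requester: str
    app: str
    requested: Set[str]   # entitlements asked for
    existing: Set[str]    # entitlements the requester already holds in this app
    in_hr: bool           # requester has a record in the HR system


def evaluate_policy(req: Request) -> List[str]:
    """Hard rules. Any violation means the request is rejected outright."""
    violations: List[str] = []
    if not req.in_hr:
        violations.append("requester not in HR system")
    combined = req.existing | req.requested   # SoD is checked on the resulting access
    for left, right in SOD_RULES:
        if combined & left and combined & right:
            violations.append(f"SoD conflict: {sorted(left)} with {sorted(right)}")
    return violations


def risk_score(req: Request) -> Tuple[int, List[str]]:
    """Additive score; each factor that contributes is recorded as a reason."""
    score, reasons = 0, []
    if req.app in HIGH_RISK_APPS:
        score += 3
        reasons.append("high-risk application (+3)")
    privileged = req.requested & PRIVILEGED_ROLES
    if privileged:
        score += 3 * len(privileged)
        reasons.append(f"privileged entitlements {sorted(privileged)} (+{3 * len(privileged)})")
    ordinary = len(req.requested - PRIVILEGED_ROLES)
    if ordinary:
        score += ordinary
        reasons.append(f"{ordinary} ordinary entitlement(s) (+{ordinary})")
    return score, reasons


def route(req: Request) -> Tuple[str, int, List[str]]:
    """Decide the next step: REJECT, FULFILL, APPROVAL or ADDITIONAL APPROVAL."""
    violations = evaluate_policy(req)
    if violations:
        return "REJECT", 0, violations
    score, reasons = risk_score(req)
    if score >= ADDITIONAL_APPROVAL_THRESHOLD:
        return "ADDITIONAL APPROVAL", score, reasons
    if score >= APPROVAL_THRESHOLD:
        return "APPROVAL", score, reasons
    return "FULFILL", score, reasons


# --- constructed sample requests ------------------------------------------------
REQUESTS = [
    Request("alice", "crm", {"sales-read"}, set(), True),                     # low risk
    Request("bob", "payroll", {"approve-payment"}, {"create-vendor"}, True),  # SoD violation
    Request("carol", "payroll", {"report-view"}, set(), True),                # high-risk app
    Request("dave", "prod-db", {"dba"}, set(), True),                         # privileged, high-risk app
    Request("eve", "crm", {"sales-read"}, set(), False),                      # no HR record
]


if __name__ == "__main__":
    for req in REQUESTS:
        decision, score, notes = route(req)
        print(f"{req.requester:<6} {req.app:<8} {decision:<20} score={score} {notes}")
```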
IAM Evolution (benefits by IAM generation; each generation adds to the previous)
1.0 Provisioning led
  Improved Service: Efficiency; Quality; Transaction and event driven; P/W mgmt. and user provisioning
  Improved Security: Compliance; Security; Policy enforced; Consistent process
2.0 Governance led
  Improved Service: Automated certification review; Pleasant user experience
  Improved Security: Audit requirements; Consistent process
3.0 Intelligence led
  Improved Service: Evolutionary: enables better decision making in real-time; Revolutionary: see and act on things impossible to see before
“By year-end 2020, identity analytics
and intelligence (IAI) tools will deliver
direct business value in 60% of
enterprises, up from <5% today.”
Intelligent IAM
Intelligent IAM (diagram): Provisioning, Governance, Policy, Continuous Monitoring & Analytics
Are you looking for more visibility into your
company’s identity and access risk?
Our Identity and Access Governance Buyer’s Guide is designed to help you
define requirements for an Identity and Access Governance solution for your
enterprise. It can also help you compare products during an evaluation phase.
If you would like more information on what a Quick Scan can do for your company,
contact us today at 1-866-COURION or at info@courion.com.
Get My Copy
Are you looking for more visibility into your company’s
identity and access risk?
With a Quick Scan assessment of your organization’s access risk we can help
you take a quick look into your security measures and provide you with a plan of
what you can do to mitigate those risks.
Start My Quick Scan
If you would like more information on what a Quick Scan can do for your
company, contact us today at 1-866-COURION or at info@courion.com.

More Related Content

PDF
CIS 2015- Assessing the Risk of Identity and Access- Venkat Rajaji
PDF
CIS13: Intelligence-Driven IAM: The Next Generation of Identity and Access Go...
PPTX
IQPC eDiscovery Goverment - Washington D.C.
PDF
Technology Trends: Value Office
PPT
Infosec Law It Web (March 2006)
PDF
Examples of international privacy legislation
PDF
10 Things You Need To Know About Privacy
PPTX
It act 2000
CIS 2015- Assessing the Risk of Identity and Access- Venkat Rajaji
CIS13: Intelligence-Driven IAM: The Next Generation of Identity and Access Go...
IQPC eDiscovery Goverment - Washington D.C.
Technology Trends: Value Office
Infosec Law It Web (March 2006)
Examples of international privacy legislation
10 Things You Need To Know About Privacy
It act 2000

Viewers also liked (20)

PDF
Buyers Guide for Governance
PDF
Business-Driven Identity and Access Governance: Why This New Approach Matters
 
PDF
Defining Security Intelligence for the Enterprise - What CISOs Need to Know
PPTX
Framework IAM
PDF
Identity Assertions Draftv5
PPTX
Identity assurance & the market for verified attributes
PDF
Internal vs. external identity access management
PPT
Five critical conditions to maximizing security intelligence investments
PPTX
Operational Security Intelligence
PDF
IBM Identity Governance & Intelligence
PPT
Identity Assurance Profiles
PPTX
Data Security Solutions - Cyber Security & Security Intelligence - @ Lithuani...
PDF
Data Analytics for Security Intelligence
PPSX
IBM Security Intelligence Juin-2016
PDF
Connecting Access Governance and Privileged Access Management
 
PDF
NTXISSACSC3 - How Threat Modeling Can Improve Your IAM Solution by John Fehan
PPTX
Operationalizing Security Intelligence
PPSX
ITIL - IAM (Access Management)
PDF
CA Technologies and Deloitte: Unleash and Protect your Business with Identity...
Buyers Guide for Governance
Business-Driven Identity and Access Governance: Why This New Approach Matters
 
Defining Security Intelligence for the Enterprise - What CISOs Need to Know
Framework IAM
Identity Assertions Draftv5
Identity assurance & the market for verified attributes
Internal vs. external identity access management
Five critical conditions to maximizing security intelligence investments
Operational Security Intelligence
IBM Identity Governance & Intelligence
Identity Assurance Profiles
Data Security Solutions - Cyber Security & Security Intelligence - @ Lithuani...
Data Analytics for Security Intelligence
IBM Security Intelligence Juin-2016
Connecting Access Governance and Privileged Access Management
 
NTXISSACSC3 - How Threat Modeling Can Improve Your IAM Solution by John Fehan
Operationalizing Security Intelligence
ITIL - IAM (Access Management)
CA Technologies and Deloitte: Unleash and Protect your Business with Identity...
Ad

Similar to Assessing the Risk of Identity and Access (20)

PPTX
EMC SourceOne for SharePoint
PPT
Ict Compliance (Sept 2004)
PPT
Privacy And Surveillance
PDF
NIST Cybersecurity Requirements for Government Contractors
PPT
Cómo usar la tecnología para generar más Seguridad y desarrollo local
PPT
Infosec Law (Feb 2006)
PPTX
Jul 16 isaca london data protection, security and privacy risks - on premis...
PPT
BigData and Privacy webinar at Brighttalk
PPT
Ict Compliance @ Gartner (August 2005)
PPT
California Data Privacy Laws: Is Compliance Good Enough?
PDF
Data Privacy Overview, things to understand
PPTX
Isaca atlanta - practical data security and privacy
PPT
Law firm information security overview focus on encryption by dave cunningh...
PPTX
PAP_Clico_160617_security operation center
PDF
2 1. introduction of digital laws in china
PPTX
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
PPTX
Cyber Law & Act-UK & IRELAND - leagal acts
PPTX
A practical data privacy and security approach to ffiec, gdpr and ccpa
PPT
Privacy Practice Fundamentals: Understanding Compliance Regimes and Requirements
PDF
TrustArc Webinar - Innovating with TRUSTe Responsible AI Certification
EMC SourceOne for SharePoint
Ict Compliance (Sept 2004)
Privacy And Surveillance
NIST Cybersecurity Requirements for Government Contractors
Cómo usar la tecnología para generar más Seguridad y desarrollo local
Infosec Law (Feb 2006)
Jul 16 isaca london data protection, security and privacy risks - on premis...
BigData and Privacy webinar at Brighttalk
Ict Compliance @ Gartner (August 2005)
California Data Privacy Laws: Is Compliance Good Enough?
Data Privacy Overview, things to understand
Isaca atlanta - practical data security and privacy
Law firm information security overview focus on encryption by dave cunningh...
PAP_Clico_160617_security operation center
2 1. introduction of digital laws in china
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
Cyber Law & Act-UK & IRELAND - leagal acts
A practical data privacy and security approach to ffiec, gdpr and ccpa
Privacy Practice Fundamentals: Understanding Compliance Regimes and Requirements
TrustArc Webinar - Innovating with TRUSTe Responsible AI Certification
Ad

More from Courion Corporation (7)

PPTX
10 Things to Watch for in 2016
PPTX
Detect, Deter, and Remediate Cyber Risk
PDF
Building a culture of security
PPTX
4 ways to defend against internal attacks
PPTX
Access Assurance in the Cloud
PPTX
Phishing: How to get off the hook using Intelligent IAM
PPTX
Courion Survey Findings: Access Risk Attitudes
10 Things to Watch for in 2016
Detect, Deter, and Remediate Cyber Risk
Building a culture of security
4 ways to defend against internal attacks
Access Assurance in the Cloud
Phishing: How to get off the hook using Intelligent IAM
Courion Survey Findings: Access Risk Attitudes

Recently uploaded (20)

PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PDF
Approach and Philosophy of On baking technology
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PPTX
Programs and apps: productivity, graphics, security and other tools
PPTX
MYSQL Presentation for SQL database connectivity
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
PDF
Network Security Unit 5.pdf for BCA BBA.
PDF
Getting Started with Data Integration: FME Form 101
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
NewMind AI Weekly Chronicles - August'25-Week II
PDF
Machine learning based COVID-19 study performance prediction
PPTX
A Presentation on Artificial Intelligence
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
PPTX
Tartificialntelligence_presentation.pptx
PDF
cuic standard and advanced reporting.pdf
PDF
Encapsulation_ Review paper, used for researhc scholars
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
Approach and Philosophy of On baking technology
The Rise and Fall of 3GPP – Time for a Sabbatical?
Dropbox Q2 2025 Financial Results & Investor Presentation
Programs and apps: productivity, graphics, security and other tools
MYSQL Presentation for SQL database connectivity
Diabetes mellitus diagnosis method based random forest with bat algorithm
Network Security Unit 5.pdf for BCA BBA.
Getting Started with Data Integration: FME Form 101
Spectral efficient network and resource selection model in 5G networks
NewMind AI Weekly Chronicles - August'25-Week II
Machine learning based COVID-19 study performance prediction
A Presentation on Artificial Intelligence
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
20250228 LYD VKU AI Blended-Learning.pptx
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
Tartificialntelligence_presentation.pptx
cuic standard and advanced reporting.pdf
Encapsulation_ Review paper, used for researhc scholars

Assessing the Risk of Identity and Access

  • 1. Assessing the Risk of Identity and Access Venkat Rajaji VP Product Management and Marketing- Courion Corporation @vrajaji June 10, 2015
  • 2. 2 Courion Mission Help customers succeed in a world of open access and increasing threats.
  • 3. 3 Customer Need Mobile AppsCloud Systems & Apps Data Resources Assets Systems & Apps ACCESS Ensure the Right People have the Right Access to the Right Resources and are doing the Right Things
  • 4. 4 The Stresses and Strains of Access Mobility Cloud App Adoption Virtualization New App Roll outs System Upgrades New Infrastructure INFRASTRUCTURE Reorganization New Product Intro Union Strikes Merger & Acquisitions Geographic Expansion New Partnerships BUSINESS CHANGE Hiring Promotions Transfers Termination Project Teams Customer Acquisition Customer Management ROUTINE CHANGE
  • 5. 5 Sarbanes-Oxley Act (SOX) ~ PCAOB ~ SAS 94 ~ AICPA/CICA Privacy Framework ~ AICPA Suitable Trust Services Criteria ~ SEC Retention of Records, 17 CFR 210.2-06 ~ SEC Controls and Procedures, 17 CFR 240.15d-15 ~ SEC Reporting Transactions and Holdings, 17 CFR 240.16a-3 ~ Basel II ~ BIS Sound Practices for the Management and Supervision of Operational Risk ~ Gramm-Leach-Bliley Act (GLB) ~ Standards for Safeguarding Customer Info., FTC 16 CFR 314 ~ Privacy of Consumer Financial Info. Rule ~ Safety and Soundness Standards, Appendix of 12 CFR 30 ~ FFIEC Info. Security ~ FFIEC Development Acquisition ~ FFIEC Business Continuity Planning ~ FFIEC Audit ~ FFIEC Management ~ FFIEC Operations ~ NASD ~ NYSE ~ Recordkeeping rule for securities exchanges, SEC 17 CFR 240.17a-1 ~ Records to be made by exchange members, SEC 17 CFR 240.17a-3 ~ Records to be preserved by exchange members, SEC 17 CFR 240.17a-4 ~ Recordkeeping, SEC 17 CFR 240.17Ad-6 ~ Record retention, SEC 17 CFR 240.17Ad-7 ~ HIPAA (Health Insurance Portability and Accountability Act) ~ HIPAA HCFA Internet Security Policy ~ NIST Introductory Resource Guide for [HIPAA] (800-66) ~ CMS Core Security Requirements (CSR) ~ CMS Info. Security Acceptable Risk Safeguards (ARS) ~ CMS Info. Security Certification & Accreditation (C&A) ~ FDA Electronic Records; Electronic Signatures 21 CFR Part 11+D1 ~ Federal Energy Regulatory Commission (FERC) ~ North American Electric Reliability Council (NERC) ~ VISA CISP (Cardholder Info. Security Program) ~ Mastercard SDP (Site Data Protection) Program ~ American Express DSS (Data Security Standard) ~ PCI DSS (Payment Card Industry Data Security Standard) ~ FTC ESIGN (Electronic Signatures in Global and National Commerce Act) ~ Uniform Electronic Transactions Act (UETA) ~ FISMA (Federal Info. Security Management Act) ~ FISCAM (Federal Info. 
System Controls Audit Manual) ~ FIPS Security Requirements for Cryptographic Modules 140-2 ~ FIPS Guideline for the Analysis of LAN Security 191 ~ FIPS Application Profile for GILS 192 ~ Clinger-Cohen Act (Info. Technology Management Reform Act) ~ National Strategy to Secure Cyberspace ~ GAO Financial Audit Manual ~ DOD ...Standard for Electronic Records Management Software...5015-2 ~ CISWG Report on the Best Practices Subgroup ~ CISWG Info. Security Program Elements ~ NCUA Guidelines for Safeguarding Member Info. 12 CFR 748 ~ IRS Revenue Procedure: Retention of books and records 97- 22 ~ IRS Revenue Procedure: Record retention: automatic data processing… 98-25 ~ IRS Internal Revenue Code Section 501(c)(3) ~ Federal Rules of Civil Procedure ~ Uniform Rules of Civil Procedure ~ ISO 15489-1 Info. and Documentation: Records mgmt.: General ~ ISO 15489-2 Info. and Documentation: Records management: Guidelines ~ DIRKS: A Strategic Approach to Managing Business Info. ~ Sedona Principles Addressing Elec. Document Production ~ NIST ...Principles and Practices for Securing IT Systems 800-14 ~ NIST ...Developing Security Plans for Federal Info. Systems 800-18 ~ NIST Security Self-Assessment Guide... 800-26 ~ NIST Risk Management Guide... 800-30 ~ NIST Contingency Planning Guide... 800-34 ~ NIST ...Patch and Vulnerability Management Program 800-40 ~ NIST Guidelines on Firewalls and Firewall Policy 800-41 ~ NIST Security Controls for Federal Info. Sys 800-53 ~ NIST ...Mapping...Info. and...Systems to Security Categories 800-60 ~ NIST Computer Security Incident Handling Guide 800-61 ~ NIST Security Considerations in...Info. Sys Development 800-64 ~ ISO 73:2002 Risk management -- Vocabulary ~ ISO 1335 Info. technology – Guidelines for management of IT Security ~ ISO 17799:2000 Code of Practice for Info. Security Management ~ ISO 27001:2005 ...Info. Security Management Systems -- Requirements ~ IT Info. Library (ITIL) Planning to Implement Service Management ~ IT Info. 
Library (ITIL) ICT Infrastructure Management ~ IT Info. Library (ITIL) Service Delivery ~ IT Info. Library (ITIL) Service Support ~ IT Info. Library (ITIL) App. Management ~ IT Info. Library (ITIL) Security Management ~ COSO Enterprise Risk Management (ERM) Framework ~ CobiT 3rd Edition ~ CobiT 4th Edition ~ ISACA IS Standards, Guidelines, and Procedures for Auditing and Control... ~ NFPA 1600 ...Disaster/Emergency Management and Business Continuity... ~ Info. Security Forum (ISF) Standard of Good Practice ~ Info. Security Forum (ISF) Security Audit of Networks ~ A Risk Management Standard, jointly issued by AIRMIC, ALARM, and IRM ~ Business Continuity Institute (BCI) Good Practice Guidelines ~ IIA Global Technology Audit Guide - Info. Technology Controls ~ ISSA Generally Accepted Info. Security Principles (GAISP) ~ CERT Operationally Critical Threat, Asset & Vulnerability Evaluation (OCTAVE) ~ Cable Communications Privacy Act Title 47 § 551 ~ Telemarketing Sales Rule (TSR) amendment 16 CFR 310.4(b)(3)(iv) ~ CAN SPAM Act ~ Children's Online Privacy Protection Act (COPPA) 16 CFR 312 ~ Children's Online Privacy Protection Act (COPPA) 16 CFR 312 ~ Driver's Privacy Protection Act (DPPA) 18 USC 2721 ~ Family Education Rights Privacy Act (FERPA) 20 USC 1232 ~ Privacy Act of 1974 5 USC 552a ~ Telemarketing Sales Rule (TSR) 16 CFR 310 ~ Video Privacy Protection Act (VPPA) 18 USC 2710 ~ Specter-Leahy Personal Data Privacy and Security Act ~ AR Personal Info. Protection Act SB 1167 ~ AZ Amendment to Arizona Revised Statutes 13-2001 HB 2116 ~ CA Info. Practice Act SB 1386 ~ CA General Security Standard for Businesses AB 1950 ~ CA Public Records Military Veteran Discharge Documents AB 1798 ~ CA OPP Recommended Practices on Notification of Security Breach ~ CO Prohibition against Using Identity Info. 
for Unlawful Purpose HB 1134 ~ CO Consumer Credit Solicitation Protection HB 1274 ~ CO Prohibiting Inclusion of Social Security Number HB 1311 ~ CT Requiring Consumer Credit Bureaus to Offer Security Freezes SB 650 ~ CT Concerning Nondisclosure of Private Tenant Info. HB 5184 ~ DE Computer Security Breaches HB 116 ~ FL Personal Identification Info./Unlawful Use HB 481 ~ GA Consumer Reporting Agencies SB 230 ~ GA Public employees; Fraud, Waste, and Abuse HB 656 ~ HI Exempting disclosure of Social Security numbers HB 2674 ~ IL Personal Info. Protection Act HB 1633 ~ IN Release of Social Security Number, Notice of Security Breach SB 503 ~ LA Database Security Breach Notification Law SB 205 Act 499 ~ ME To Protect ME Citizens from Identity Theft LD 1671 ~ MN Data Warehouses; Notice Required for Certain Disclosures HF 2121 ~ MO HB 957 ~ MT To Implement Individual Privacy and to Prevent Identity Theft HB 732 ~ NJ Identity Theft Prevention Act A4001/S1914 ~ NY A4254, A3492 [no title] ~ NV SB 347 [no title] ~ NC Security Breach Notification Law (Identity Theft Protection Act) SB 1048 ~ ND Personal Info. protection act SB 2251 ~ OH Personal Info. -- contact if unauthorized access HB 104 ~ RI Security Breach Notification Law H 6191 ~ TN Security Breach Notification SB 2220 ~ TX Identity Theft Enforcement and Protection Act SB 122 ~ VT Relating to Identity Theft HB 327 ~ VA Identity theft; penalty; restitution; victim assistance HB 872 ~ WA Notice of a breach of the security SB 6043 ~ EU Directive on Privacy and Electronic Communications 2002/58/EC ~ EU Directive on Data Protection 95/46/EC ~ US Department of Commerce EU Safe Harbor Privacy Principles ~ ...Consumer Interests in the Telecommunications Market Act No. 
661 ~ Directive On Privacy And Electronic Communications 2002.58.EC ~ OECD Technology Risk Checklist ~ OECD Guidelines on...Privacy and Transborder Flows of Personal Data ~ UN Guidelines for the Regulation of Computerized Personal Data Files (1990) ~ ISACA Cross-border Privacy Impact Assessment ~ The Combined Code on Corporate Governance ~ Turnbull Guidance on Internal Control, UK FRC ~ Smith Guidance on Audit Comm. Combined Code, UK FRC ~ UK Data Protection Act of 1998 ~ BS 15000-1 IT Service Management Standard ~ BS 15000-2 IT Service Management Standard - Code of Practice ~ Canada Keeping the Promise for a Strong Economy Act Bill 198 ~ Canada Personal Info. Protection and Electronic Documents Act ~ Canada Privacy Policy and Principles ~ Argentina Personal Data Protection Act ~ Mexico Federal Personal Data Protection Law ~ Austria Data Protection Act ~ Austria Telecommunications Act ~ Bosnia Law on Protection of Personal Data ~ Czech Republic Personal Data Protection Act ~ Denmark Act on Competitive Conditions and Consumer Interests ~ Finland Personal Data Protection Act ~ Finland Amendment of the Personal Data Act ~ France Data Protection Act ~ German Federal Data Protection Act ~ Greece Law on Personal Data Protection ~ Hungary Protection of Personal Data and Disclosure of Data of Public Interest ~ Iceland Protection of Privacy as regards the Processing of Personal Data ~ Ireland Data Protection Act ~ Ireland Data Protection Amendment 2003 ~ Italy Personal Data Protection Code ~ Italy Protection of Individuals with Regard to...Processing of Personal Data ~ Lithuania Law on Legal Protection of Personal Data ~ Luxembourg Data Protection Law ~ Netherlands Personal Data Protection Act ~ Poland Protection of Personal Data Act ~ Slovak Republic Protection of Personal Data in Info. Systems ~ Slovenia Personal Data Protection Act ~ South Africa Promotion of Access to Info. 
Act ~ Spain Organic law on the Protection of Personal Data ~ Sweden Personal Data Act ~ Swiss Federal Act on Data Protection ~ Australian Business Continuity Management Guide ~ Australia Spam Act of 2003 ~ Australia Privacy Amendment Act ~ Australia Telecommunications Act ~ Australia Spam Act 2003: A Practical Guide for Business ~ Hong Kong Personal Data (Privacy) Ordinance ~ India Info. Privacy Act ~ Japan Guidelines for Personal Data Protection in Electronic Commerce, ECOM ~ Japan Handbook Concerning Protection of Int'l Data, MITI ~ Japan Personal Info. Protection Act ~ Korea Act on the Promotion of Info....Protection ~ Korea Act on the Protection of Personal Info....by Public Agencies ~ Korea Use and Protection of Credit Info. Act ~ New Zealand Privacy Act ~ Taiwan Computer-Processed Personal Data Protection Law
Along comes regulation
  • 7. 7 Who has access to what? What does that access allow them to do? Why do they need that access?
  • 10. 10 A broader and ever-expanding attack surface and diversity of infrastructure, facing a highly sophisticated attacker ecosystem that is looking for weaknesses in the infrastructure and armed with increasingly sophisticated and specialized tools and services. Result…
  • 11. 11 Source: Verizon 2015 PCI Compliance Report
  • 12. 12 Source: PWC Global State of Information Security Survey, 2015
  • 13. 13 Top Audit Findings (bar chart: percentage of respondents reporting each finding, for 2012, 2010 and 2009). Findings charted: Lack of sufficient segregation of duties; Removal of access following a transfer or termination; Excessive developers' access to production systems and data; Excessive access rights. Values as extracted from the chart, in the order they appear (mapping to finding and year not recoverable): 30% 18% 22% 31% 31% 27% 31% 38% 28% 29% 29% 36%. Source: Deloitte Global Financial Services Security Survey http://www2.deloitte.com/content/dam/Deloitte/global/Documents/Financial-Services/dttl-fsi-SecurityStudy2012.pdf
  • 14. 14 Source: Verizon Data Breach Investigations Report, 2015
  • 15. 15 Identity and Access Detection. Statement surveyed: "Our organization is able to detect if access credentials are misused, or stolen." Responses (Agree / Disagree / Don't Know): 42% / 29% / 29%. http://www.courion.com/company/pressreleases.html?id=1093
  • 16. 16 66 percent of board members are not confident of their companies' ability to defend themselves against cyberattacks. Only 4 percent said they were "very" confident. – CSOOnline.com
  • 17. 17 In less than 40% of cases the organization identifies the breach itself (Source: Verizon 2015 Data Breach Investigations Report). The average time an organization is breached before noticing is 225 days (Source: Ponemon Institute, 2015 HP Sponsored Security Survey).
  • 18. 18 The Elements of Attack. Breach lifecycle: Malware, Phishing → Command & Control → Lateral Movement → Access Target → Package & Exfiltrate. Controls shown alongside the lifecycle: Anti-virus, Anti-malware, DLP, SIEM, Deep Packet Inspection.
  • 19. 19 Companies and large organizations still devote most of their security resources to defending networks from external attack, said Chiu. That means once an attacker gets access within a network environment, there is “little or no security on the inside stopping them.” -csmonitor.com
  • 21. 21 Identity and Access Management Controls: Provisioning; Governance.
  • 23. 23 So… Do you Really Need that Access? Overcoming the sometimes blind faith that recertification is a panacea.
  • 24. 24 Privileged accounts and unnecessary entitlements are the access risks that cause the most anxiety. Orphaned accounts (accounts with no administrative oversight): 10.4%. Abandoned accounts (accounts inactive for a time period exceeding policy): 11.9%. Unnecessary entitlements (unneeded or excess access privileges, often in conflict with SoD practices): 31.1%. Privileged accounts (accounts with increased levels of permission that provide elevated access to critical networks, systems, applications or transactions): 46.7%. http://www.courion.com/company/pressreleases.html?id=1093
  • 25. 25 The Big Data Issue of IAM: trillions of access relationships spanning Identity (100,000’s of people, millions of identities), Rights (100’s of thousands of access rights & roles), Activity (millions of actions), Resources (1000’s of applications, file shares & resources) and Policies (100’s of policies & regulations).
  • 29. 29 Before (diagram): App A, App B, App C, App D and App E each carry their own separate user list (User 1, User 2, User 3, User 4, User 5, …, User 11,243, User 11,244, User 11,255, …, User N).
  • 30. 30 After (diagram): the HR System is connected to App A, App B, App C, App D and App E, and the same user list (User 1 … User N) is reconciled against it across every application.
  • 31. 31 Intelligent Governance. Risk signals that should be seen together: new account created outside the provisioning system; high-risk application; high-risk set of entitlements; employee not in HR system; …another; …and another.
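The slide 24 account categories (orphaned, abandoned, privileged) and the slide 31 governance signals (account created outside provisioning, high-risk application or entitlements, owner not in HR) can be combined into one reconciliation pass over an account inventory. The script below is an added example written for this page, not Courion code; the account records, HR statuses, provisioning records, risk lists and weights are all constructed, and the assessment date is the deck date.

```python
from datetime import date

# All data below is constructed for this example; none of it comes from the deck.
HR_STATUS = {"u100": "active", "u200": "active", "u300": "terminated"}  # HR system of record
PROVISIONED = {("u100", "ERP"), ("u200", "Wiki"), ("u300", "ERP")}      # provisioning records
HIGH_RISK_APPS = {"ERP"}
HIGH_RISK_ENTITLEMENTS = {("ERP", "admin")}
ABANDON_DAYS = 90          # policy: inactive longer than this counts as "abandoned"
AS_OF = date(2015, 6, 10)  # assessment date (the deck date)
WEIGHTS = {"orphaned": 3, "abandoned": 2, "unprovisioned": 3, "not_in_hr": 4,
           "owner_terminated": 4, "high_risk_app": 1, "high_risk_entitlement": 2}

ACCOUNTS = [  # constructed inventory: id, application, entitlements, owner, last login
    {"id": "u100", "app": "ERP", "ents": {"read"}, "owner": "u100", "last_login": date(2015, 6, 1)},
    {"id": "u200", "app": "Wiki", "ents": {"edit"}, "owner": "u200", "last_login": date(2015, 1, 1)},
    {"id": "svc-batch", "app": "ERP", "ents": {"admin"}, "owner": None, "last_login": date(2015, 6, 1)},
    {"id": "u300", "app": "ERP", "ents": {"read"}, "owner": "u300", "last_login": date(2015, 5, 1)},
    {"id": "u400", "app": "ERP", "ents": {"admin"}, "owner": "u400", "last_login": date(2015, 6, 5)},
]

def assess(acct, today):
    """Return the list of governance findings for a single account."""
    f = []
    if acct["owner"] is None:
        f.append("orphaned")                      # nobody is accountable for this account
    if (today - acct["last_login"]).days > ABANDON_DAYS:
        f.append("abandoned")                     # inactive beyond policy
    if (acct["id"], acct["app"]) not in PROVISIONED:
        f.append("unprovisioned")                 # created outside the provisioning system
    if acct["owner"] is not None:
        status = HR_STATUS.get(acct["owner"])
        if status is None:
            f.append("not_in_hr")                 # owner unknown to the HR system
        elif status == "terminated":
            f.append("owner_terminated")          # access should already have been removed
    if acct["app"] in HIGH_RISK_APPS:
        f.append("high_risk_app")
    if any((acct["app"], e) in HIGH_RISK_ENTITLEMENTS for e in acct["ents"]):
        f.append("high_risk_entitlement")
    return f

def rank(accounts, today):
    """Score every account by its combined findings and return (id, score, findings), riskiest first."""
    scored = []
    for a in accounts:
        findings = assess(a, today)
        scored.append((a["id"], sum(WEIGHTS[x] for x in findings), findings))
    return sorted(scored, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for acct_id, score, findings in rank(ACCOUNTS, AS_OF):
        print(f"{acct_id:10} score={score:2} {', '.join(findings) or 'no findings'}")
```

The top-ranked account is the slide 31 case (unprovisioned, unknown to HR, on a high-risk application with a high-risk entitlement), which individually look like routine exceptions but together warrant immediate review.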
  • 36–38. 36–38 IAM Evolution (table, built up over three slides; benefits by IAM generation):
    IAM Generation 1.0, Provisioning led. Improved Service (Efficiency, Quality): transaction and event driven; P/W mgmt. and user provisioning. Improved Security (Compliance, Security): policy enforced; consistent process.
    IAM Generation 2.0, Governance led. Improved Service: automated certification review; pleasant user experience. Improved Security: audit requirements; consistent process.
    IAM Generation 3.0, Intelligence led. Improved Service: evolutionary, enables better decision making in real time; revolutionary, see and act on things impossible to see before.
  • 39. 39 Intelligent IAM. “By year-end 2020, identity analytics and intelligence (IAI) tools will deliver direct business value in 60% of enterprises, up from <5% today.”
  • 41. 41 Are you looking for more visibility into your company’s identity and access risk? Our Identity and Access Governance Buyer’s Guide is designed to help you define requirements for an Identity and Access Governance solution for your enterprise. It can also help you compare products during an evaluation phase. If you would like more information on what a Quick Scan can do for your company, contact us today at 1-866-COURION or at info@courion.com.
  • 42. 42 Are you looking for more visibility into your company’s identity and access risk? With a Quick Scan assessment of your organization’s access risk we can help you take a quick look into your security measures and provide you with a plan of what you can do to mitigate those risks. If you would like more information on what a Quick Scan can do for your company, contact us today at 1-866-COURION or at info@courion.com.