SlideShare a Scribd company logo

CIS 2015- Assessing the Risk of Identity and Access- Venkat Rajaji

CloudIDSummit, profile picture
CloudIDSummit

The document discusses the risks associated with identity and access management in light of increasing cyber threats and regulatory requirements. It emphasizes the importance of ensuring appropriate access controls, highlighting issues such as excessive access rights and the inability to detect credential misuse. Recommendations for improving access governance are outlined, including advancements towards more intelligent provisioning systems.

Technology
1 of 40
Downloaded 22 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Assessing the Risk of Identity and Access Venkat Rajaji VP Product Management and Marketing- Courion Corporation @vrajaji June 10, 2015
2 Courion Mission Help customers succeed in a world of open access and increasing threats.
3 Customer Need Mobile AppsCloud Systems & Apps Data Resources Assets Systems & Apps ACCESS Ensure the Right People have the Right Access to the Right Resources and are doing the Right Things
4 The Stresses and Strains of Access Mobility Cloud App Adoption Virtualization New App Roll outs System Upgrades New Infrastructure INFRASTRUCTURE   Reorganization New Product Intro Union Strikes Merger & Acquisitions Geographic Expansion New Partnerships BUSINESS  CHANGE   Hiring Promotions Transfers Termination Project Teams Customer Acquisition Customer Management ROUTINE  CHANGE  
5 Sarbanes-Oxley Act (SOX) ~ PCAOB ~ SAS 94 ~ AICPA/CICA Privacy Framework ~ AICPA Suitable Trust Services Criteria ~ SEC Retention of Records, 17 CFR 210.2-06 ~ SEC Controls and Procedures, 17 CFR 240.15d-15 ~ SEC Reporting Transactions and Holdings, 17 CFR 240.16a-3 ~ Basel II ~ BIS Sound Practices for the Management and Supervision of Operational Risk ~ Gramm-Leach-Bliley Act (GLB) ~ Standards for Safeguarding Customer Info., FTC 16 CFR 314 ~ Privacy of Consumer Financial Info. Rule ~ Safety and Soundness Standards, Appendix of 12 CFR 30 ~ FFIEC Info. Security ~ FFIEC Development Acquisition ~ FFIEC Business Continuity Planning ~ FFIEC Audit ~ FFIEC Management ~ FFIEC Operations ~ NASD ~ NYSE ~ Recordkeeping rule for securities exchanges, SEC 17 CFR 240.17a-1 ~ Records to be made by exchange members, SEC 17 CFR 240.17a-3 ~ Records to be preserved by exchange members, SEC 17 CFR 240.17a-4 ~ Recordkeeping, SEC 17 CFR 240.17Ad-6 ~ Record retention, SEC 17 CFR 240.17Ad-7 ~ HIPAA (Health Insurance Portability and Accountability Act) ~ HIPAA HCFA Internet Security Policy ~ NIST Introductory Resource Guide for [HIPAA] (800-66) ~ CMS Core Security Requirements (CSR) ~ CMS Info. Security Acceptable Risk Safeguards (ARS) ~ CMS Info. Security Certification & Accreditation (C&A) ~ FDA Electronic Records; Electronic Signatures 21 CFR Part 11+D1 ~ Federal Energy Regulatory Commission (FERC) ~ North American Electric Reliability Council (NERC) ~ VISA CISP (Cardholder Info. Security Program) ~ Mastercard SDP (Site Data Protection) Program ~ American Express DSS (Data Security Standard) ~ PCI DSS (Payment Card Industry Data Security Standard) ~ FTC ESIGN (Electronic Signatures in Global and National Commerce Act) ~ Uniform Electronic Transactions Act (UETA) ~ FISMA (Federal Info. Security Management Act) ~ FISCAM (Federal Info. System Controls Audit Manual) ~ FIPS Security Requirements for Cryptographic Modules 140-2 ~ FIPS Guideline for the Analysis of LAN Security 191 ~ FIPS Application Profile for GILS 192 ~ Clinger-Cohen Act (Info. Technology Management Reform Act) ~ National Strategy to Secure Cyberspace ~ GAO Financial Audit Manual ~ DOD ...Standard for Electronic Records Management Software... 5015-2 ~ CISWG Report on the Best Practices Subgroup ~ CISWG Info. Security Program Elements ~ NCUA Guidelines for Safeguarding Member Info. 12 CFR 748 ~ IRS Revenue Procedure: Retention of books and records 97-22 ~ IRS Revenue Procedure: Record retention: automatic data processing… 98-25 ~ IRS Internal Revenue Code Section 501(c)(3) ~ Federal Rules of Civil Procedure ~ Uniform Rules of Civil Procedure ~ ISO 15489-1 Info. and Documentation: Records mgmt.: General ~ ISO 15489-2 Info. and Documentation: Records management: Guidelines ~ DIRKS: A Strategic Approach to Managing Business Info. ~ Sedona Principles Addressing Elec. Document Production ~ NIST ...Principles and Practices for Securing IT Systems 800-14 ~ NIST ...Developing Security Plans for Federal Info. Systems 800-18 ~ NIST Security Self-Assessment Guide... 800-26 ~ NIST Risk Management Guide... 800-30 ~ NIST Contingency Planning Guide... 800-34 ~ NIST ...Patch and Vulnerability Management Program 800-40 ~ NIST Guidelines on Firewalls and Firewall Policy 800-41 ~ NIST Security Controls for Federal Info. Sys 800-53 ~ NIST ...Mapping...Info. and...Systems to Security Categories 800-60 ~ NIST Computer Security Incident Handling Guide 800-61 ~ NIST Security Considerations in...Info. Sys Development 800-64 ~ ISO 73:2002 Risk management -- Vocabulary ~ ISO 1335 Info. technology – Guidelines for management of IT Security ~ ISO 17799:2000 Code of Practice for Info. Security Management ~ ISO 27001:2005 ...Info. Security Management Systems -- Requirements ~ IT Info. Library (ITIL) Planning to Implement Service Management ~ IT Info. Library (ITIL) ICT Infrastructure Management ~ IT Info. Library (ITIL) Service Delivery ~ IT Info. Library (ITIL) Service Support ~ IT Info. Library (ITIL) App. Management ~ IT Info. Library (ITIL) Security Management ~ COSO Enterprise Risk Management (ERM) Framework ~ CobiT 3rd Edition ~ CobiT 4th Edition ~ ISACA IS Standards, Guidelines, and Procedures for Auditing and Control... ~ NFPA 1600 ...Disaster/Emergency Management and Business Continuity... ~ Info. Security Forum (ISF) Standard of Good Practice ~ Info. Security Forum (ISF) Security Audit of Networks ~ A Risk Management Standard, jointly issued by AIRMIC, ALARM, and IRM ~ Business Continuity Institute (BCI) Good Practice Guidelines ~ IIA Global Technology Audit Guide - Info. Technology Controls ~ ISSA Generally Accepted Info. Security Principles (GAISP) ~ CERT Operationally Critical Threat, Asset & Vulnerability Evaluation (OCTAVE) ~ Cable Communications Privacy Act Title 47 § 551 ~ Telemarketing Sales Rule (TSR) amendment 16 CFR 310.4(b)(3)(iv) ~ CAN SPAM Act ~ Children's Online Privacy Protection Act (COPPA) 16 CFR 312 ~ Children's Online Privacy Protection Act (COPPA) 16 CFR 312 ~ Driver's Privacy Protection Act (DPPA) 18 USC 2721 ~ Family Education Rights Privacy Act (FERPA) 20 USC 1232 ~ Privacy Act of 1974 5 USC 552a ~ Telemarketing Sales Rule (TSR) 16 CFR 310 ~ Video Privacy Protection Act (VPPA) 18 USC 2710 ~ Specter-Leahy Personal Data Privacy and Security Act ~ AR Personal Info. Protection Act SB 1167 ~ AZ Amendment to Arizona Revised Statutes 13-2001 HB 2116 ~ CA Info. Practice Act SB 1386 ~ CA General Security Standard for Businesses AB 1950 ~ CA Public Records Military Veteran Discharge Documents AB 1798 ~ CA OPP Recommended Practices on Notification of Security Breach ~ CO Prohibition against Using Identity Info. for Unlawful Purpose HB 1134 ~ CO Consumer Credit Solicitation Protection HB 1274 ~ CO Prohibiting Inclusion of Social Security Number HB 1311 ~ CT Requiring Consumer Credit Bureaus to Offer Security Freezes SB 650 ~ CT Concerning Nondisclosure of Private Tenant Info. HB 5184 ~ DE Computer Security Breaches HB 116 ~ FL Personal Identification Info./Unlawful Use HB 481 ~ GA Consumer Reporting Agencies SB 230 ~ GA Public employees; Fraud, Waste, and Abuse HB 656 ~ HI Exempting disclosure of Social Security numbers HB 2674 ~ IL Personal Info. Protection Act HB 1633 ~ IN Release of Social Security Number, Notice of Security Breach SB 503 ~ LADatabase Security Breach Notification Law SB 205 Act 499 ~ ME To Protect ME Citizens from Identity Theft LD 1671 ~ MN Data Warehouses; Notice Required for Certain Disclosures HF 2121 ~ MO HB 957 ~ MT To Implement Individual Privacy and to Prevent Identity Theft HB 732 ~ NJ Identity Theft Prevention Act A4001/S1914 ~ NY A4254, A3492 [no title] ~ NV SB 347 [no title] ~ NC Security Breach Notification Law (Identity Theft Protection Act) SB 1048 ~ ND Personal Info. protection act SB 2251 ~ OH Personal Info. -- contact if unauthorized access HB 104 ~ RI Security Breach Notification Law H 6191 ~ TN Security Breach Notification SB 2220 ~ TX Identity Theft Enforcement and Protection Act SB 122 ~ VT Relating to Identity Theft HB 327 ~ VA Identity theft; penalty; restitution; victim assistance HB 872 ~ WA Notice of a breach of the security SB 6043 ~ EU Directive on Privacy and Electronic Communications 2002/58/EC ~ EU Directive on Data Protection 95/46/EC ~ US Department of Commerce EU Safe Harbor Privacy Principles ~ ...Consumer Interests in the Telecommunications Market Act No. 661 ~ Directive On Privacy And Electronic Communications 2002.58.EC ~ OECD Technology Risk Checklist ~ OECD Guidelines on...Privacy and Transborder Flows of Personal Data ~ UN Guidelines for the Regulation of Computerized Personal Data Files (1990) ~ ISACA Cross-border Privacy Impact Assessment ~ The Combined Code on Corporate Governance ~ Turnbull Guidance on Internal Control, UK FRC ~ Smith Guidance on Audit Comm. Combined Code, UK FRC ~ UK Data Protection Act of 1998 ~ BS 15000-1 IT Service Management Standard ~ BS 15000-2 IT Service Management Standard - Code of Practice ~ Canada Keeping the Promise for a Strong Economy Act Bill 198 ~ Canada Personal Info. Protection and Electronic Documents Act ~ Canada Privacy Policy and Principles ~ Argentina Personal Data Protection Act ~ Mexico Federal Personal Data Protection Law ~ Austria Data Protection Act ~ Austria Telecommunications Act ~ Bosnia Law on Protection of Personal Data ~ Czech Republic Personal Data Protection Act ~ Denmark Act on Competitive Conditions and Consumer Interests ~ Finland Personal Data Protection Act ~ Finland Amendment of the Personal Data Act ~ France Data Protection Act ~ German Federal Data Protection Act ~ Greece Law on Personal Data Protection ~ Hungary Protection of Personal Data and Disclosure of Data of Public Interest ~ Iceland Protection of Privacy as regards the Processing of Personal Data ~ Ireland Data Protection Act ~ Ireland Data Protection Amendment 2003 ~ Italy Personal Data Protection Code ~ Italy Protection of Individuals with Regard to...Processing of Personal Data ~ Lithuania Law on Legal Protection of Personal Data ~ Luxembourg Data Protection Law ~ Netherlands Personal Data Protection Act ~ Poland Protection of Personal Data Act ~ Slovak Republic Protection of Personal Data in Info. Systems ~ Slovenia Personal Data Protection Act ~ South Africa Promotion of Access to Info. Act ~ Spain Organic law on the Protection of Personal Data ~ Sweden Personal Data Act ~ Swiss Federal Act on Data Protection ~ Australian Business Continuity Management Guide ~ Australia Spam Act of 2003 ~ Australia Privacy Amendment Act ~ Australia Telecommunications Act ~ Australia Spam Act 2003: A Practical Guide for Business ~ Hong Kong Personal Data (Privacy) Ordinance ~ Hong Kong Personal Data (Privacy) Ordinance ~ India Info.Privacy Act ~ Japan Guidelines for Personal Data Protection in Electronic Commerce, ECOM ~ Japan Handbook Concerning Protection of Intl’Data, MITI ~ Japan Personal Info. Protection Act ~ Korea Act on the Promotion of Info....Protection ~ Korea Act on the Protection of Personal Info....by Public Agencies ~ Korea Use and Protection of Credit Info. Act ~ New Zealand Privacy Act ~ Taiwan Computer-Processed Personal Data Protection Law Along comes regulation
6
7 Who has access to what? What does that access allow them to do? Why do they need that access?
8
9
10
11 § A broader and ever exploding attack surface and diversity of infrastructure § Super sophisticated attacker ecosystem •  Looking for weaknesses in the infrastructure •  Armed with an increasingly sophisticated and specialized tools and services Result…
12 Source: Verizon 2015 PCI Compliance Report
13 Source: PWC Global State of Information Security Survey, 2015
14 Top Audit Findings 0% 5% 10% 15% 20% 25% 30% 35% 40% Lack of sufficient segregation of duties Removal of access following a transfer or termination Excessive developers' access to production systems and data Excessive acess rights 30% 18% 22% 31% 31% 27% 31% 38% 28% 29% 29% 36% 2012 2010 2009 Source: Deloitte Global Financial Services Security Survey http://www2.deloitte.com/content/dam/Deloitte/global/Documents/Financial-Services/dttl-fsi-SecurityStudy2012.pdf
15 Source: Verizon Data Breach Investigations Report, 2015
16 Identity and Access Detection Agree Disagree Don't Know Our organization is able to detect if access credentials are misused, or stolen 42% 29%29% http://www.courion.com/company/pressreleases.html?id=1093
17 66 percent of board members are not confident of their companies' ability to defend themselves against cyberattacks. Only 4 percent said they were "very" confident. – CSOOnline.com
18 Less than 40% of cases organization identifies breach themselves Source: Verizon 2015 Data Breach Investigations Report Average time breached before noticed is 225 days Source: Ponemon Institute, 2015 HP Sponsored Security Survey
19 The Elements of Attack MALWARE, PHISHING COMMAND & CONTROL LATERAL MOVEMENT ACCESS TARGET PACKAGE & EXFILTRATE BREACH LIFECYCLE Anti-virus Anti-malware DLP SIEM Deep Packet Inspection
20 85%
21 Identity and Access Management Controls Provisioning Governance
22 The Compliance Process
23 So… Do you Really Need that Access? Overcoming the sometimes blind faith that recertification is a panacea.
24 Privileged accounts, unnecessary entitlements are the access risks that cause the most anxiety 10.4% 11.9% 31.1% 46.7% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% ORPHANED ACCOUNTS - accounts with no adminstrative oversight ABANDONED ACCOUNTS - accounts inactive for a time period exceeding policy UNNECESSARY ENTITLEMENTS - unneeded or excess access privileges, often in conflict with SoD practices PRIVILEGED ACCOUNTS - accounts with increased levels of permission that provide elevated access to critical networks, systems, applications or transactions http://www.courion.com/company/pressreleases.html?id=1093
25 The Big Data Issue of IAM Trillions of access relationships 100’s of policies & regulations POLICIES 1000’s of applications, file shares & resources RESOURCES Millions of actions ACTIVITY 100’s of thousands of access rights & roles RIGHTS 100,000’s of people, millions of identities IDENTITY
26
27
28
29 Before App A User 1 User 2 User 3 User 4 User 5 …. User 11,243 User 11,244 User 11,255 …. User N User 1 User 2 User 3 User 4 User 5 …. User 11,243 User 11,244 User 11,255 …. User N User 1 User 2 User 3 User 4 User 5 …. User 11,243 User 11,244 User 11,255 …. User N User 1 User 2 User 3 User 4 User 5 …. User 11,243 User 11,244 User 11,255 …. User N User 1 User 2 User 3 User 4 User 5 …. User 11,243 User 11,244 User 11,255 …. User N App B App C App D App E
30 After App A App B App C App D App E User 1 User 2 User 3 User 4 User 5 …. User 11,243 User 11,244 User 11,255 …. User N User 1 User 2 User 3 User 4 User 5 …. User 11,243 User 11,244 User 11,255 …. User N User 1 User 2 User 3 User 4 User 5 …. User 11,243 User 11,244 User 11,255 …. User N User 1 User 2 User 3 User 4 User 5 …. User 11,243 User 11,244 User 11,255 …. User N User 1 User 2 User 3 User 4 User 5 …. User 11,243 User 11,244 User 11,255 …. User N HR System App A App B App C App D App E
31 Intelligent Governance •  New account created outside provisioning system •  High risk application •  High risk set of entitlements •  Employee not in HR system …another …and another
32 Provisioning Today Provisioning Request Policy Evaluation Approval Fulfillment Reject Request
33 Intelligent Provisioning Provisioning Request Policy Evaluation Fulfillment Risk Scoring
34 Intelligent Provisioning Provisioning Request Approval Fulfillment Reject Request Policy Evaluation Risk Scoring
35 Intelligent Provisioning Provisioning Request Policy Evaluation Approval Fulfillment Additional Approval Reject Request Risk Scoring
36 IAM Evolution Benefits IAM Generation 1.0 Provisioning led Improved Service §  Efficiency §  Quality §  Transaction and event driven §  P/W mgmt. and user provisioning Improved Security §  Compliance §  Security §  Policy enforced §  Consistent process
37 IAM Evolution Benefits IAM Generation 1.0 Provisioning led 2.0 Governance led Improved Service §  Efficiency §  Quality §  Transaction and event driven §  P/W mgmt. and user provisioning §  Automated certification review §  Pleasant user experience Improved Security §  Compliance §  Security §  Policy enforced §  Consistent process §  Audit requirements §  Consistent process
38 IAM Evolution Benefits IAM Generation 1.0 Provisioning led 2.0 Governance led 3.0 Intelligence led Improved Service §  Efficiency §  Quality §  Transaction and event driven §  P/W mgmt. and user provisioning §  Automated certification review §  Pleasant user experience §  Evolutionary: Enables better decision making in real-time §  Revolutionary: See and act on things impossible to see before Improved Security §  Compliance §  Security §  Policy enforced §  Consistent process §  Audit requirements §  Consistent process
39 “By year-end 2020, identity analytics and intelligence (IAI) tools will deliver direct business value in 60% of enterprises, up from <5% today.” Intelligent IAM
40 Continuous Monitoring & Analytics GovernanceProvisioning Intelligent IAM Policy

More Related Content

PPTX
Assessing the Risk of Identity and Access
Courion Corporation
 
PDF
CIS13: Intelligence-Driven IAM: The Next Generation of Identity and Access Go...
CloudIDSummit
 
PDF
Technology Trends: Value Office
SSF Global
 
PDF
Examples of international privacy legislation
Ulf Mattsson
 
PPT
Infosec Law It Web (March 2006)
Lance Michalson
 
PDF
10 Things You Need To Know About Privacy
Now Dentons
 
PDF
CIS 2015 SCIM in the Real World - Kelly Grizzle
CloudIDSummit
 
PPTX
Malware Most Wanted: Security Ecosystem
Cyphort
 
Assessing the Risk of Identity and Access
Courion Corporation
 
CIS13: Intelligence-Driven IAM: The Next Generation of Identity and Access Go...
CloudIDSummit
 
Technology Trends: Value Office
SSF Global
 
Examples of international privacy legislation
Ulf Mattsson
 
Infosec Law It Web (March 2006)
Lance Michalson
 
10 Things You Need To Know About Privacy
Now Dentons
 
CIS 2015 SCIM in the Real World - Kelly Grizzle
CloudIDSummit
 
Malware Most Wanted: Security Ecosystem
Cyphort
 

Similar to CIS 2015- Assessing the Risk of Identity and Access- Venkat Rajaji (20)

PPTX
IQPC eDiscovery Goverment - Washington D.C.
J. David Morris
 
PPTX
EMC SourceOne for SharePoint
J. David Morris
 
PDF
Is it time for an IT Assessment?
Raffa Learning Community
 
PDF
2018-11-15 IT Assessment
Raffa Learning Community
 
PPT
Data Risks In A Digital Age
padler01
 
PDF
Data Integrity Protection
proitsolutions
 
PPTX
Technology Law: Regulations on the Internet and Emerging Technologies
Infinity Software Solutions
 
PPTX
Technology Law: Regulations on the Internet and Emerging Technologies
Infinity Software Solutions
 
PDF
2017 06-27 Time for an IT Assessment
Raffa Learning Community
 
PDF
2017 06-27 Time for an IT Assessment
Rachel Caldwell
 
PPTX
Implications of acts in organizations
Swarupa Rani Sahu
 
PPT
Protecting Donor Privacy
Raymond Cunningham
 
PPTX
egal, Ethical, and Professional Issues in Information Security.pptx
sania82678
 
PDF
Don't let them take a byte
lgcdcpas
 
PPT
George Gavras 2010 Fowler Seminar
Don Grauel
 
PPTX
2018 01-25 Introduction to PCI and HIPAA Compliance
Raffa Learning Community
 
PPTX
2011 hildebrandt institute cio forum data privacy and security presentation...
David Cunningham
 
PPT
MA Privacy Law
travismd
 
PDF
How to Build and Implement your Company's Information Security Program
Financial Poise
 
PPT
DieboldFinal_adlerp0408
Aspiration Software LLC
 
IQPC eDiscovery Goverment - Washington D.C.
J. David Morris
 
EMC SourceOne for SharePoint
J. David Morris
 
Is it time for an IT Assessment?
Raffa Learning Community
 
2018-11-15 IT Assessment
Raffa Learning Community
 
Data Risks In A Digital Age
padler01
 
Data Integrity Protection
proitsolutions
 
Technology Law: Regulations on the Internet and Emerging Technologies
Infinity Software Solutions
 
Technology Law: Regulations on the Internet and Emerging Technologies
Infinity Software Solutions
 
2017 06-27 Time for an IT Assessment
Raffa Learning Community
 
2017 06-27 Time for an IT Assessment
Rachel Caldwell
 
Implications of acts in organizations
Swarupa Rani Sahu
 
Protecting Donor Privacy
Raymond Cunningham
 
egal, Ethical, and Professional Issues in Information Security.pptx
sania82678
 
Don't let them take a byte
lgcdcpas
 
George Gavras 2010 Fowler Seminar
Don Grauel
 
2018 01-25 Introduction to PCI and HIPAA Compliance
Raffa Learning Community
 
2011 hildebrandt institute cio forum data privacy and security presentation...
David Cunningham
 
MA Privacy Law
travismd
 
How to Build and Implement your Company's Information Security Program
Financial Poise
 
DieboldFinal_adlerp0408
Aspiration Software LLC
 
Ad

More from CloudIDSummit (20)

PPTX
CIS 2016 Content Highlights
CloudIDSummit
 
PPTX
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
CloudIDSummit
 
PDF
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CloudIDSummit
 
PDF
Mobile security, identity & authentication reasons for optimism 20150607 v2
CloudIDSummit
 
PDF
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CloudIDSummit
 
PDF
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CloudIDSummit
 
PDF
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CloudIDSummit
 
PDF
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CloudIDSummit
 
PDF
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CloudIDSummit
 
PDF
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CloudIDSummit
 
PDF
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CloudIDSummit
 
PDF
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CloudIDSummit
 
PDF
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CloudIDSummit
 
PDF
CIS 2015 The IDaaS Dating Game - Sean Deuby
CloudIDSummit
 
PDF
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CloudIDSummit
 
PDF
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
CloudIDSummit
 
PDF
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CloudIDSummit
 
PDF
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CloudIDSummit
 
PDF
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CloudIDSummit
 
PDF
CIS 2015 Identity Relationship Management in the Internet of Things
CloudIDSummit
 
CIS 2016 Content Highlights
CloudIDSummit
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
CloudIDSummit
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
CloudIDSummit
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CloudIDSummit
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CloudIDSummit
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CloudIDSummit
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CloudIDSummit
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CloudIDSummit
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CloudIDSummit
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
CloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CloudIDSummit
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
CloudIDSummit
 
Ad

Recently uploaded (20)

PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PPT
What is a Computer? Input Devices /output devices
GulJan8
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
KeXue5
 
PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PDF
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
What is a Computer? Input Devices /output devices
GulJan8
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
KeXue5
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
The various Industrial Revolutions .pptx
bandileshozi3
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
Modernising the Digital Integration Hub
Daniel Toomey
 

CIS 2015- Assessing the Risk of Identity and Access- Venkat Rajaji

  • 1. Assessing the Risk of Identity and Access Venkat Rajaji VP Product Management and Marketing- Courion Corporation @vrajaji June 10, 2015
  • 2. 2 Courion Mission Help customers succeed in a world of open access and increasing threats.
  • 3. 3 Customer Need Mobile AppsCloud Systems & Apps Data Resources Assets Systems & Apps ACCESS Ensure the Right People have the Right Access to the Right Resources and are doing the Right Things
  • 4. 4 The Stresses and Strains of Access Mobility Cloud App Adoption Virtualization New App Roll outs System Upgrades New Infrastructure INFRASTRUCTURE   Reorganization New Product Intro Union Strikes Merger & Acquisitions Geographic Expansion New Partnerships BUSINESS  CHANGE   Hiring Promotions Transfers Termination Project Teams Customer Acquisition Customer Management ROUTINE  CHANGE  
  • 5. 5 Sarbanes-Oxley Act (SOX) ~ PCAOB ~ SAS 94 ~ AICPA/CICA Privacy Framework ~ AICPA Suitable Trust Services Criteria ~ SEC Retention of Records, 17 CFR 210.2-06 ~ SEC Controls and Procedures, 17 CFR 240.15d-15 ~ SEC Reporting Transactions and Holdings, 17 CFR 240.16a-3 ~ Basel II ~ BIS Sound Practices for the Management and Supervision of Operational Risk ~ Gramm-Leach-Bliley Act (GLB) ~ Standards for Safeguarding Customer Info., FTC 16 CFR 314 ~ Privacy of Consumer Financial Info. Rule ~ Safety and Soundness Standards, Appendix of 12 CFR 30 ~ FFIEC Info. Security ~ FFIEC Development Acquisition ~ FFIEC Business Continuity Planning ~ FFIEC Audit ~ FFIEC Management ~ FFIEC Operations ~ NASD ~ NYSE ~ Recordkeeping rule for securities exchanges, SEC 17 CFR 240.17a-1 ~ Records to be made by exchange members, SEC 17 CFR 240.17a-3 ~ Records to be preserved by exchange members, SEC 17 CFR 240.17a-4 ~ Recordkeeping, SEC 17 CFR 240.17Ad-6 ~ Record retention, SEC 17 CFR 240.17Ad-7 ~ HIPAA (Health Insurance Portability and Accountability Act) ~ HIPAA HCFA Internet Security Policy ~ NIST Introductory Resource Guide for [HIPAA] (800-66) ~ CMS Core Security Requirements (CSR) ~ CMS Info. Security Acceptable Risk Safeguards (ARS) ~ CMS Info. Security Certification & Accreditation (C&A) ~ FDA Electronic Records; Electronic Signatures 21 CFR Part 11+D1 ~ Federal Energy Regulatory Commission (FERC) ~ North American Electric Reliability Council (NERC) ~ VISA CISP (Cardholder Info. Security Program) ~ Mastercard SDP (Site Data Protection) Program ~ American Express DSS (Data Security Standard) ~ PCI DSS (Payment Card Industry Data Security Standard) ~ FTC ESIGN (Electronic Signatures in Global and National Commerce Act) ~ Uniform Electronic Transactions Act (UETA) ~ FISMA (Federal Info. Security Management Act) ~ FISCAM (Federal Info. System Controls Audit Manual) ~ FIPS Security Requirements for Cryptographic Modules 140-2 ~ FIPS Guideline for the Analysis of LAN Security 191 ~ FIPS Application Profile for GILS 192 ~ Clinger-Cohen Act (Info. Technology Management Reform Act) ~ National Strategy to Secure Cyberspace ~ GAO Financial Audit Manual ~ DOD ...Standard for Electronic Records Management Software... 5015-2 ~ CISWG Report on the Best Practices Subgroup ~ CISWG Info. Security Program Elements ~ NCUA Guidelines for Safeguarding Member Info. 12 CFR 748 ~ IRS Revenue Procedure: Retention of books and records 97-22 ~ IRS Revenue Procedure: Record retention: automatic data processing… 98-25 ~ IRS Internal Revenue Code Section 501(c)(3) ~ Federal Rules of Civil Procedure ~ Uniform Rules of Civil Procedure ~ ISO 15489-1 Info. and Documentation: Records mgmt.: General ~ ISO 15489-2 Info. and Documentation: Records management: Guidelines ~ DIRKS: A Strategic Approach to Managing Business Info. ~ Sedona Principles Addressing Elec. Document Production ~ NIST ...Principles and Practices for Securing IT Systems 800-14 ~ NIST ...Developing Security Plans for Federal Info. Systems 800-18 ~ NIST Security Self-Assessment Guide... 800-26 ~ NIST Risk Management Guide... 800-30 ~ NIST Contingency Planning Guide... 800-34 ~ NIST ...Patch and Vulnerability Management Program 800-40 ~ NIST Guidelines on Firewalls and Firewall Policy 800-41 ~ NIST Security Controls for Federal Info. Sys 800-53 ~ NIST ...Mapping...Info. and...Systems to Security Categories 800-60 ~ NIST Computer Security Incident Handling Guide 800-61 ~ NIST Security Considerations in...Info. Sys Development 800-64 ~ ISO 73:2002 Risk management -- Vocabulary ~ ISO 1335 Info. technology – Guidelines for management of IT Security ~ ISO 17799:2000 Code of Practice for Info. Security Management ~ ISO 27001:2005 ...Info. Security Management Systems -- Requirements ~ IT Info. Library (ITIL) Planning to Implement Service Management ~ IT Info. Library (ITIL) ICT Infrastructure Management ~ IT Info. Library (ITIL) Service Delivery ~ IT Info. Library (ITIL) Service Support ~ IT Info. Library (ITIL) App. Management ~ IT Info. Library (ITIL) Security Management ~ COSO Enterprise Risk Management (ERM) Framework ~ CobiT 3rd Edition ~ CobiT 4th Edition ~ ISACA IS Standards, Guidelines, and Procedures for Auditing and Control... ~ NFPA 1600 ...Disaster/Emergency Management and Business Continuity... ~ Info. Security Forum (ISF) Standard of Good Practice ~ Info. Security Forum (ISF) Security Audit of Networks ~ A Risk Management Standard, jointly issued by AIRMIC, ALARM, and IRM ~ Business Continuity Institute (BCI) Good Practice Guidelines ~ IIA Global Technology Audit Guide - Info. Technology Controls ~ ISSA Generally Accepted Info. Security Principles (GAISP) ~ CERT Operationally Critical Threat, Asset & Vulnerability Evaluation (OCTAVE) ~ Cable Communications Privacy Act Title 47 § 551 ~ Telemarketing Sales Rule (TSR) amendment 16 CFR 310.4(b)(3)(iv) ~ CAN SPAM Act ~ Children's Online Privacy Protection Act (COPPA) 16 CFR 312 ~ Children's Online Privacy Protection Act (COPPA) 16 CFR 312 ~ Driver's Privacy Protection Act (DPPA) 18 USC 2721 ~ Family Education Rights Privacy Act (FERPA) 20 USC 1232 ~ Privacy Act of 1974 5 USC 552a ~ Telemarketing Sales Rule (TSR) 16 CFR 310 ~ Video Privacy Protection Act (VPPA) 18 USC 2710 ~ Specter-Leahy Personal Data Privacy and Security Act ~ AR Personal Info. Protection Act SB 1167 ~ AZ Amendment to Arizona Revised Statutes 13-2001 HB 2116 ~ CA Info. Practice Act SB 1386 ~ CA General Security Standard for Businesses AB 1950 ~ CA Public Records Military Veteran Discharge Documents AB 1798 ~ CA OPP Recommended Practices on Notification of Security Breach ~ CO Prohibition against Using Identity Info. for Unlawful Purpose HB 1134 ~ CO Consumer Credit Solicitation Protection HB 1274 ~ CO Prohibiting Inclusion of Social Security Number HB 1311 ~ CT Requiring Consumer Credit Bureaus to Offer Security Freezes SB 650 ~ CT Concerning Nondisclosure of Private Tenant Info. HB 5184 ~ DE Computer Security Breaches HB 116 ~ FL Personal Identification Info./Unlawful Use HB 481 ~ GA Consumer Reporting Agencies SB 230 ~ GA Public employees; Fraud, Waste, and Abuse HB 656 ~ HI Exempting disclosure of Social Security numbers HB 2674 ~ IL Personal Info. Protection Act HB 1633 ~ IN Release of Social Security Number, Notice of Security Breach SB 503 ~ LADatabase Security Breach Notification Law SB 205 Act 499 ~ ME To Protect ME Citizens from Identity Theft LD 1671 ~ MN Data Warehouses; Notice Required for Certain Disclosures HF 2121 ~ MO HB 957 ~ MT To Implement Individual Privacy and to Prevent Identity Theft HB 732 ~ NJ Identity Theft Prevention Act A4001/S1914 ~ NY A4254, A3492 [no title] ~ NV SB 347 [no title] ~ NC Security Breach Notification Law (Identity Theft Protection Act) SB 1048 ~ ND Personal Info. protection act SB 2251 ~ OH Personal Info. -- contact if unauthorized access HB 104 ~ RI Security Breach Notification Law H 6191 ~ TN Security Breach Notification SB 2220 ~ TX Identity Theft Enforcement and Protection Act SB 122 ~ VT Relating to Identity Theft HB 327 ~ VA Identity theft; penalty; restitution; victim assistance HB 872 ~ WA Notice of a breach of the security SB 6043 ~ EU Directive on Privacy and Electronic Communications 2002/58/EC ~ EU Directive on Data Protection 95/46/EC ~ US Department of Commerce EU Safe Harbor Privacy Principles ~ ...Consumer Interests in the Telecommunications Market Act No. 661 ~ Directive On Privacy And Electronic Communications 2002.58.EC ~ OECD Technology Risk Checklist ~ OECD Guidelines on...Privacy and Transborder Flows of Personal Data ~ UN Guidelines for the Regulation of Computerized Personal Data Files (1990) ~ ISACA Cross-border Privacy Impact Assessment ~ The Combined Code on Corporate Governance ~ Turnbull Guidance on Internal Control, UK FRC ~ Smith Guidance on Audit Comm. Combined Code, UK FRC ~ UK Data Protection Act of 1998 ~ BS 15000-1 IT Service Management Standard ~ BS 15000-2 IT Service Management Standard - Code of Practice ~ Canada Keeping the Promise for a Strong Economy Act Bill 198 ~ Canada Personal Info. Protection and Electronic Documents Act ~ Canada Privacy Policy and Principles ~ Argentina Personal Data Protection Act ~ Mexico Federal Personal Data Protection Law ~ Austria Data Protection Act ~ Austria Telecommunications Act ~ Bosnia Law on Protection of Personal Data ~ Czech Republic Personal Data Protection Act ~ Denmark Act on Competitive Conditions and Consumer Interests ~ Finland Personal Data Protection Act ~ Finland Amendment of the Personal Data Act ~ France Data Protection Act ~ German Federal Data Protection Act ~ Greece Law on Personal Data Protection ~ Hungary Protection of Personal Data and Disclosure of Data of Public Interest ~ Iceland Protection of Privacy as regards the Processing of Personal Data ~ Ireland Data Protection Act ~ Ireland Data Protection Amendment 2003 ~ Italy Personal Data Protection Code ~ Italy Protection of Individuals with Regard to...Processing of Personal Data ~ Lithuania Law on Legal Protection of Personal Data ~ Luxembourg Data Protection Law ~ Netherlands Personal Data Protection Act ~ Poland Protection of Personal Data Act ~ Slovak Republic Protection of Personal Data in Info. Systems ~ Slovenia Personal Data Protection Act ~ South Africa Promotion of Access to Info. Act ~ Spain Organic law on the Protection of Personal Data ~ Sweden Personal Data Act ~ Swiss Federal Act on Data Protection ~ Australian Business Continuity Management Guide ~ Australia Spam Act of 2003 ~ Australia Privacy Amendment Act ~ Australia Telecommunications Act ~ Australia Spam Act 2003: A Practical Guide for Business ~ Hong Kong Personal Data (Privacy) Ordinance ~ Hong Kong Personal Data (Privacy) Ordinance ~ India Info.Privacy Act ~ Japan Guidelines for Personal Data Protection in Electronic Commerce, ECOM ~ Japan Handbook Concerning Protection of Intl’Data, MITI ~ Japan Personal Info. Protection Act ~ Korea Act on the Promotion of Info....Protection ~ Korea Act on the Protection of Personal Info....by Public Agencies ~ Korea Use and Protection of Credit Info. Act ~ New Zealand Privacy Act ~ Taiwan Computer-Processed Personal Data Protection Law Along comes regulation
  • 6. 6
  • 7. 7 Who has access to what? What does that access allow them to do? Why do they need that access?
  • 8. 8
  • 9. 9
  • 10. 10
  • 11. 11 § A broader and ever exploding attack surface and diversity of infrastructure § Super sophisticated attacker ecosystem •  Looking for weaknesses in the infrastructure •  Armed with an increasingly sophisticated and specialized tools and services Result…
  • 12. 12 Source: Verizon 2015 PCI Compliance Report
  • 13. 13 Source: PWC Global State of Information Security Survey, 2015
  • 14. 14 Top Audit Findings 0% 5% 10% 15% 20% 25% 30% 35% 40% Lack of sufficient segregation of duties Removal of access following a transfer or termination Excessive developers' access to production systems and data Excessive acess rights 30% 18% 22% 31% 31% 27% 31% 38% 28% 29% 29% 36% 2012 2010 2009 Source: Deloitte Global Financial Services Security Survey http://www2.deloitte.com/content/dam/Deloitte/global/Documents/Financial-Services/dttl-fsi-SecurityStudy2012.pdf
  • 15. 15 Source: Verizon Data Breach Investigations Report, 2015
  • 16. 16 Identity and Access Detection Agree Disagree Don't Know Our organization is able to detect if access credentials are misused, or stolen 42% 29%29% http://www.courion.com/company/pressreleases.html?id=1093
  • 17. 17 66 percent of board members are not confident of their companies' ability to defend themselves against cyberattacks. Only 4 percent said they were "very" confident. – CSOOnline.com
  • 18. 18 Less than 40% of cases organization identifies breach themselves Source: Verizon 2015 Data Breach Investigations Report Average time breached before noticed is 225 days Source: Ponemon Institute, 2015 HP Sponsored Security Survey
  • 19. 19 The Elements of Attack MALWARE, PHISHING COMMAND & CONTROL LATERAL MOVEMENT ACCESS TARGET PACKAGE & EXFILTRATE BREACH LIFECYCLE Anti-virus Anti-malware DLP SIEM Deep Packet Inspection
  • 21. 21 Identity and Access Management Controls Provisioning Governance
  • 23. 23 So… Do you Really Need that Access? Overcoming the sometimes blind faith that recertification is a panacea.
  • 24. 24 Privileged accounts, unnecessary entitlements are the access risks that cause the most anxiety 10.4% 11.9% 31.1% 46.7% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% ORPHANED ACCOUNTS - accounts with no adminstrative oversight ABANDONED ACCOUNTS - accounts inactive for a time period exceeding policy UNNECESSARY ENTITLEMENTS - unneeded or excess access privileges, often in conflict with SoD practices PRIVILEGED ACCOUNTS - accounts with increased levels of permission that provide elevated access to critical networks, systems, applications or transactions http://www.courion.com/company/pressreleases.html?id=1093
  • 25. 25 The Big Data Issue of IAM Trillions of access relationships 100’s of policies & regulations POLICIES 1000’s of applications, file shares & resources RESOURCES Millions of actions ACTIVITY 100’s of thousands of access rights & roles RIGHTS 100,000’s of people, millions of identities IDENTITY
  • 26. 26
  • 27. 27
  • 28. 28
  • 29. 29 Before App A User 1 User 2 User 3 User 4 User 5 …. User 11,243 User 11,244 User 11,255 …. User N User 1 User 2 User 3 User 4 User 5 …. User 11,243 User 11,244 User 11,255 …. User N User 1 User 2 User 3 User 4 User 5 …. User 11,243 User 11,244 User 11,255 …. User N User 1 User 2 User 3 User 4 User 5 …. User 11,243 User 11,244 User 11,255 …. User N User 1 User 2 User 3 User 4 User 5 …. User 11,243 User 11,244 User 11,255 …. User N App B App C App D App E
  • 30. 30 After App A App B App C App D App E User 1 User 2 User 3 User 4 User 5 …. User 11,243 User 11,244 User 11,255 …. User N User 1 User 2 User 3 User 4 User 5 …. User 11,243 User 11,244 User 11,255 …. User N User 1 User 2 User 3 User 4 User 5 …. User 11,243 User 11,244 User 11,255 …. User N User 1 User 2 User 3 User 4 User 5 …. User 11,243 User 11,244 User 11,255 …. User N User 1 User 2 User 3 User 4 User 5 …. User 11,243 User 11,244 User 11,255 …. User N HR System App A App B App C App D App E
  • 31. 31 Intelligent Governance •  New account created outside provisioning system •  High risk application •  High risk set of entitlements •  Employee not in HR system …another …and another
  • 36. 36 IAM Evolution Benefits IAM Generation 1.0 Provisioning led Improved Service §  Efficiency §  Quality §  Transaction and event driven §  P/W mgmt. and user provisioning Improved Security §  Compliance §  Security §  Policy enforced §  Consistent process
  • 37. 37 IAM Evolution Benefits IAM Generation 1.0 Provisioning led 2.0 Governance led Improved Service §  Efficiency §  Quality §  Transaction and event driven §  P/W mgmt. and user provisioning §  Automated certification review §  Pleasant user experience Improved Security §  Compliance §  Security §  Policy enforced §  Consistent process §  Audit requirements §  Consistent process
  • 38. 38 IAM Evolution Benefits IAM Generation 1.0 Provisioning led 2.0 Governance led 3.0 Intelligence led Improved Service §  Efficiency §  Quality §  Transaction and event driven §  P/W mgmt. and user provisioning §  Automated certification review §  Pleasant user experience §  Evolutionary: Enables better decision making in real-time §  Revolutionary: See and act on things impossible to see before Improved Security §  Compliance §  Security §  Policy enforced §  Consistent process §  Audit requirements §  Consistent process
  • 39. 39 “By year-end 2020, identity analytics and intelligence (IAI) tools will deliver direct business value in 60% of enterprises, up from <5% today.” Intelligent IAM