Resiliency in Identity & Access Management to Commemorate The Identity Management Day, 2022
Tuesday, April 12, 2022
Chinatu Uzuegbu
CCISO, CISSP, CISM, CISA, CEH, MSc.
Managing Cyber Security Consultant
RoseTech Cybercrime Solutions Ltd.
Chinatu Uzuegbu’s BIO
Chinatu Uzuegbu is the Managing Cyber Security Consultant with RoseTech Cybercrime Solutions Ltd., a Cyber Security firm running with the vision of assisting Entities to proactively combat Cyber Crimes, proffering Cyber Security solutions and facilitating Cyber Security workshops. Her concern about the rate of fraud and abuse emanating from Technology gave birth to RoseTech.
She is The Founding and immediate Past President of (ISC)2 Nigeria Chapter, running with the vision of promoting a Safe and Secure Cyber Space of Nigeria. (ISC)2 Nigeria Chapter has
enjoyed the (ISC)2 Global Chapter award Recognition in Europe, Middle East and Africa for the global award years 2020 and 2021.
She is also a Member of the global (ISC)2 Chapter Advisory Committee(CAC) running with the vision of providing strategies to improve the governance and structure of (ISC)² Chapters,
promoting chapter leadership development, enhancing the engagement and experience of (ISC)² chapter membership and providing insight, resources and guidance for the (ISC)² Chapter
Programs.
She is a Cyber Security Mentor with the Open Cyber Security Mentorship Program(OCMP), an initiative of AfriHathon and Cyber in Africa with the vision of mentoring and developing the
young minds in Cyber Security.
Chinatu was in the Top 50 Women in Cyber Security Finalist by Cyber in Africa, 2020 accolade. She is recently recognized as a WomenTech Global Ambassador of WomenTech Network,
Worldwide with the Vision of mobilizing and empowering over 100,000 women in Technology and Cyber Security to develop and thrive in their career.
She is also a Member of the Advisory board of VigiTrust, Ireland running with the vision of joining global Cyber Security Key Players to exchange ideas about the direction in which the Cyber
Security industry is moving in terms of innovation, case studies, research work and upcoming laws and standards.
Prior to RoseTech, she had acquired over 14 years' wealth of experience as an IT Professional from 2000 to 2016 across banks, an insurance firm, manufacturing and others.
While in Afribank Nigeria Plc in 2008, she under-studied an Information Security Expert from ATOS Origin, London as an Information Security Assistant. This spurred her to build and establish her career in Information/Cyber Security subsequently.
Professionally, she is Certified Chief Information Security Officer (CCISO), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager(CISM), Certified
Information Systems Auditor(CISA), Certified Ethical Hacker(CEH) and other Information Technology related certifications. She is also an (ISC)2 Authorized Instructor with various Cyber
Security training Suites for Individuals and Corporate Organizations.
Educationally, she completed a Dubai Virtual Leadership Course with London Graduate School in collaboration with Common Wealth University in 2020. She has an MSc. in Information Systems Management (ISM) from the University of Liverpool, 2011 and a BSc. in Computer Science/Mathematics from the University of Port Harcourt, 1998/1999.
She is a professional member in good standing with (ISC)2 and many other Information Security Bodies and Associations. She has also attended both International and Local Cyber Security
and Technology Conferences as a Speaker, a Delegate or a Volunteer.
Chinatu is available for Cyber Security related Services.
https://www.linkedin.com/in/chinatu-uzuegbu-67593119/; https://de.slideshare.net/Chinatu
Preamble
• What is Identity Management?
• Why did National Security Alliance declare Identity Management Day?
• Identity Defined Security Alliance (IDSA) Report on Data Breaches, 2021.
• The Identity and Access Management Lifecycle.
• The Concept of Identification, Authentication, Authorization and Accountability (IAAA).
• Vulnerabilities and Attacks on Identity and Access Management.
• The Identity Management Frameworks.
• The Identity and Access Management Systems.
• Best Practices in Identity Management as advised by The Identity Defined Security Alliance (IDSA).
• Conclusion: The Gartner’s Six Trends in Identity Management 2022.
• Questions
What is Identity Management?
Identity management is the process of Identifying, Authenticating and Authorizing individuals or entities to have access to digital resources such as applications, databases, systems, networks, Platforms, e-mails, internet, Infrastructures, devices, data, information and others, with security and resilient Accounting in mind.
Why did National Security Alliance (NSA) declare Identity Management Day?
As the Digital Age and the New Normal have brought the Workplace close to the Home front, it has become paramount for all Entities (Individuals, Organizations, Children, Students, Seniors, SMEs and others) to protect their Digital Identities.
NSA implies that most successful attacks were not necessarily due to advances in technology but due to poor Identity Management Practices.
The ongoing Technology evolution and transformation of Businesses should mandate the security around Identity Management as the first line of action.
NSA sets aside every 2nd Tuesday in April for Security Leaders, Security Vendors and Security Advocates to educate all entities around managing their Digital identities and Information Assets with security and optimal protection in mind.
Inadequate Security Hygiene on the Official or Personal Accounts and Devices of Entities could grant the bad guys unauthorized access to their entire Kingdom.
Why did National Security Alliance (NSA) declare Identity Management Day? Cont’d
• Security Awareness: Digital Identity Security; a priority!
• Reduced Risk of Data Breaches and losses.
• Understand the dangers of Poor Identity Management.
• To enforce Best Practices.
• To enforce Multifactor Authentication (MFA).
• To encourage Vendor Support.
• For a Clarion Call and urgency as the Growth curve of Identifiable Elements increases rapidly.
• To enforce Password Policies.
• To promote Identity Mgt. as the first line of defense in protecting Entities’ Information Assets.
• To encourage Software Updates.
• To enforce Zero Trust Architecture.
Identity Defined Security Alliance Report on Data Breaches, 2021
https://www.idsalliance.org/wp-content/uploads/2020/08/IDSA-
• 79% of Orgs: Successful Identity-related security breaches in the last two years.
• $6T: global loss to Data Breaches from 2017 till Date.
• 61% of the breaches were due to Weak and stolen Credentials (Verizon Data Breach Investigations Report, 2021).
• 97% of the victims thought the above breaches could be prevented and are determined to invest in secured Identity investments in the next two years.
• 15 Billion passwords are available on the Dark Web (Forbes).
• $3.2 Billion in venture funding went into the identity management space in 2021 (CrunchBase).
The Identity Management Lifecycle
Provisioning & De-Provisioning Concept
The Concept of Identification, Authentication, Authorization and Accounting (IAAA).

Identification: Process of making a Claim.
Categories: Personally Identifiable Information (PII), Organizational Identifiable Information, Application to Application Ids, Federated Ids, Machine Identities, Botnets.
Examples: User Name, Account Number, Desktop Id, Laptop Id, Email Id, Social Security Number, Application Id, National Id, Federated Id, Employee Id, Business Id, Enterprise Id, Organization Id, Cloud Based Id, Host Id, Server Id, Phone Number, IP Address and others.

Authentication: Process of Validating the identified Claim.
Factors: Something You Know; Something You Have; Something You Are; Multi Factor Authentication.
Examples: Password, PIN; Smart Card, ATM Card, Token Device; Biometrics Enrollments and others.

Authorization: Process of assigning access rights on authentication as claimed.
Principles: Least Privilege, Need To Know, Role Based, Rule Based, Separation of Duties.
Examples of rights: Read, Write, Delete, Modify, Create, Input, Authorize, Check, Monitor, Audit.

Accounting: Process of assuring that Access Rights are running as assigned and as required.
Reviews: User Behavior Review, Account Access Review, Duties Review, JIT Review, Privilege Users Review, Temporary Access Review.
Tools: Log Files, Database Activity Monitoring, Audit Trails, SIEM, IDS, IPS, DRM, DLP, Non-Repudiation, Digital Signatures.
Identification
(Process of making a Claim)
Personally Identifiable Information: Email Address, Social Security Number, National Id, Account Number, Phone Number, Biometrics Verification Number, User Id, Others.
Organizational Identifiable Information: Employees, Contractors, Third parties (Federated Identities), Customers, Business Email Ids, Application Ids, End-Users, Machines.

Machine Identities
Botnets (Zombies): a group of autonomous programs on a distributed network of Systems mandated to interact for a purpose.
Robotic Process Automation (RPA): Technology that uses software robots to automate repetitive tasks and manual processes, thus enhancing the work by interacting with websites, business and desktop applications, databases and people to execute repetitive and often mundane tasks.
Application to Application Ids (STP): Straight-through Process (STP) guarantees a handshake between two or more Applications with authentication strings and tokens to enable either of the Applications access rights to the other Application’s Resources.
Machine Identities Cont’d
Federated Identities (Third Parties): Identities issued by an organization to Third Party Partners (P2P), Businesses (B2B), Regulatory bodies, Suppliers, Escrows, Vendors and others directly or indirectly in a Business relationship. Access Rights to Third Parties are Time-bound with close monitoring as the case may be.
Cloud Based Ids: Cloud-Based Identities are managed by Third party Providers or Cloud Brokers as Identity As a Service (IDaaS) to enterprises who subscribe. The ID issued by the IDaaS Provider is what the organization applies for enrollment into the Cloud platform as a Subscriber.
Authentication
(Process of Validating a Claim as Identified)
Three Factors of Authentication
• Something You Know: Password, Personal Identification Number (PIN).
• Something You Have: Smart Card, ATM Card, Token Device.
• Something You Are: Biometrics (Physical and Biological Traits) such as Finger Prints, Voice, Iris Scan, Facial Scan, Keystrokes and others.
• Any two or more of the above factors of Authentication together constitute Multi-Factor Authentication.
• One of the factors, or a combination of tools from only one of the factors of Authentication, remains Single-Factor Authentication and is seen as Weak Authentication.
• Passwords are seen as the weakest of the Factors of Authentication.
• Biometrics are seen as the strongest of the Factors of Authentication, as a human attribute cannot be impersonated, even though they still remain a Single Factor of Authentication and Weak Authentication if applied alone.
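The factor rule above (two tools from one factor is still single-factor) as an added example, not code from the deck: a small login check that classifies each presented credential by factor and only accepts two or more distinct factors. The user record, salt and PIN are constructed; the TOTP seed is the RFC 6238 test-vector seed, and HOTP/TOTP are implemented from RFC 4226/6238 with the standard library.

```python
import hashlib
import hmac
import struct

# Each credential type maps to the factor of authentication it belongs to,
# following the three factors on the slide: know / have / are.
FACTOR_OF = {
    "password": "know", "pin": "know",
    "smart_card": "have", "token_device": "have", "totp": "have",
    "fingerprint": "are", "iris_scan": "are",
}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the moving counter with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step)

def pbkdf2(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

# Constructed user record (not real data): stored password and PIN hashes
# plus an enrolled TOTP seed for a hypothetical token app.
SALT = b"constructed-salt"
USER = {
    "password_hash": pbkdf2("correct horse battery staple", SALT),
    "pin_hash": pbkdf2("4821", SALT),
    "totp_seed": b"12345678901234567890",   # RFC 6238 SHA-1 test-vector seed
}

def check_credential(kind: str, value: str, unix_time: int) -> bool:
    """Verify one presented credential against the stored record."""
    if kind == "password":
        return hmac.compare_digest(pbkdf2(value, SALT), USER["password_hash"])
    if kind == "pin":
        return hmac.compare_digest(pbkdf2(value, SALT), USER["pin_hash"])
    if kind == "totp":
        # Accept the current step and one step either side to absorb clock drift.
        expected = {totp(USER["totp_seed"], unix_time + d) for d in (-30, 0, 30)}
        return value in expected
    return False   # factors not enrolled for this user (cards, biometrics) fail closed

def authenticate(presented: dict, unix_time: int) -> dict:
    """Apply the slide's rule: MFA needs two or more distinct factors.
    Two tools from one factor (password + PIN) still count as single factor."""
    valid = {k for k, v in presented.items() if check_credential(k, v, unix_time)}
    if len(valid) != len(presented):
        return {"ok": False, "factors": set(), "reason": "credential failed"}
    factors = {FACTOR_OF[k] for k in valid}
    if len(factors) < 2:
        return {"ok": False, "factors": factors, "reason": "single factor (weak)"}
    return {"ok": True, "factors": factors, "reason": "multi-factor"}

if __name__ == "__main__":
    print(authenticate({"password": "correct horse battery staple", "pin": "4821"}, 59))
    print(authenticate({"password": "correct horse battery staple", "totp": "287082"}, 59))
```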
Authorization
(Process of granting Access Rights on Validating the Identified Claim)
Concept of Least Privilege: Access Rights should be granted based on all that the validated Claim needs to perform a specific task and not more.
Concept of Need To Know: Access Rights should be granted based on the Security clearance and Classification level of the Subject; for example, only the access rights required for the knowledge of the Subject.
Separation of Duties: No one Subject should be able to complete a critical Process alone; the process has to be divided to prevent issues of fraud, except with collusion between two or more Subjects.
Just-in-Time Access Rights: Access Rights for Vendors, Contractors, Third Parties and Guests should be temporary and time-bound, with close monitoring.
Privilege Account/Access Management: Access Rights to Privileged Accounts such as System Administrator, Database Admin and other privileged Entities on high-profile tasks should be closely monitored with a Privileged Access Management System to assure that abuse of such privileges is minimized.
Privileged Users (Vertical and Horizontal): Privileged Users could leverage their access rights to acquire higher-profile access to critical Assets (Vertical), or leverage too many access creeps to acquire unauthorized access and Information (Horizontal), for example an add-on to an existing privilege due to a relief task.
Role Based Access Control: Access Rights should be granted with a seamless Access Control Model, already established in the Governance of the organization and driven by the job roles of each department in the organization.
Rule Based Access Control: Access Rights should be granted based on Policies, Standards and Baselines mandated by the governance of the organization.
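The authorization concepts on this slide (least privilege through roles, need to know, separation of duties as a governance rule, and time-bound just-in-time grants) combined into one access decision, as an added example rather than the deck's own material. The roles, clearances, resource classifications and subjects are constructed; the operations are the ones listed under IAAA.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Role-based baseline (constructed): each role carries only the rights its job
# needs (least privilege), using the operations named on the slides.
ROLE_RIGHTS = {
    "teller":   {"ledger": {"read", "input"}},
    "checker":  {"ledger": {"read", "check"}},
    "approver": {"ledger": {"read", "authorize"}},
    "auditor":  {"ledger": {"read", "audit"}, "logs": {"read", "monitor"}},
}

# Rule-based constraint from governance: separation of duties. No single
# subject may hold both sides of these pairs on the same resource.
SOD_PAIRS = [("input", "authorize"), ("check", "authorize"), ("input", "check")]

# Need to know: the subject's clearance must dominate the resource classification.
CLEARANCE = {"public": 0, "internal": 1, "confidential": 2}
RESOURCE_CLASS = {"ledger": "confidential", "logs": "internal"}

@dataclass
class JitGrant:
    """Just-in-time, time-bound right for a vendor, contractor or guest."""
    resource: str
    op: str
    expires_at: datetime

@dataclass
class Subject:
    name: str
    roles: list
    clearance: str
    jit_grants: list = field(default_factory=list)

def effective_rights(subject: Subject, now: datetime) -> dict:
    """Union of role rights plus JIT grants that have not yet expired."""
    rights = {}
    for role in subject.roles:
        for resource, ops in ROLE_RIGHTS.get(role, {}).items():
            rights.setdefault(resource, set()).update(ops)
    for grant in subject.jit_grants:
        if now < grant.expires_at:          # expired grants simply vanish
            rights.setdefault(grant.resource, set()).add(grant.op)
    return rights

def sod_violations(subject: Subject, now: datetime) -> list:
    """Resources on which the subject holds a conflicting pair of rights."""
    found = []
    for resource, ops in effective_rights(subject, now).items():
        for a, b in SOD_PAIRS:
            if a in ops and b in ops:
                found.append((resource, a, b))
    return found

def authorize(subject: Subject, resource: str, op: str, now: datetime) -> tuple:
    """Decide one access request; returns (granted, reason)."""
    if resource not in RESOURCE_CLASS:
        return False, "unknown resource"
    if CLEARANCE[subject.clearance] < CLEARANCE[RESOURCE_CLASS[resource]]:
        return False, "need to know: clearance below classification"
    if op not in effective_rights(subject, now).get(resource, set()):
        return False, "least privilege: right not granted"
    if any(r == resource and op in (a, b) for r, a, b in sod_violations(subject, now)):
        return False, "separation of duties conflict"
    return True, "granted"

# Constructed subjects, evaluated on the date of the talk.
NOW = datetime(2022, 4, 12, 9, 0, tzinfo=timezone.utc)
ADA = Subject("ada", ["teller"], "confidential")
BOB = Subject("bob", ["teller", "approver"], "confidential")      # holds both sides of a SoD pair
VENDOR = Subject("vendor-x", [], "internal",
                 [JitGrant("logs", "read", NOW + timedelta(hours=2))])

if __name__ == "__main__":
    for subj, res, op in [(ADA, "ledger", "input"), (ADA, "ledger", "authorize"),
                          (BOB, "ledger", "authorize"), (VENDOR, "logs", "read"),
                          (VENDOR, "ledger", "read")]:
        print(subj.name, res, op, authorize(subj, res, op, NOW))
```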
Accounting
(Process of assuring that Access Rights are running as assigned and as required, through Audit trails.)
• Account Access Review
• User Behavior Review
• Privilege Users Review
• Just in Time Access Review
• Third Parties Access Review
• Access Control Review
• Log Files Review
• Others
Advantages of an Identity Management System
• Builds a strong security wall to safeguard personal data like passwords, social security numbers, names, credit cards, phone numbers, addresses and others.
• Manages users, their credentials, policies, and access within and outside an organization, as well as users’ descriptive data and how they can be accessed.
• Protects organizations against all types of identity theft, like credit fraud, which was the most rampant.
• Controls user information in computer systems, data which may include those that help authenticate user identity and those that describe actions and information that can be accessed or performed.
• Covers single sign-on, multi-factor authentication, and access management, or serves as a directory for identity and profile data storage.
• The technology has been undergoing remarkable changes, with identity management software now focusing on ease of deployment, integration, and compliance.
• Uses only top-of-the-line tools to protect user identity from breaches.
Advantages of an Identity Management System Cont’d
• Minimized risks of data breaches
• Enhanced control over user accounts’ accesses and privileges
• Access control that drills right down to individual applications, APIs, and services
• Cloud-based access and control over users and applications located anywhere in the world
• Better user experience with features like SSO and customized interfaces
• Cross-organization onboarding made seamless, even when the parties have disparate systems in place
• Creating brand trust by securing the organization for a better reputation as a compliant, reliable, and trustworthy business
Identity Management Systems
• Microsoft Identity Manager
• Microsoft Azure Active Directory
• Oracle Identity Management
• Okta Identity Management
• Zoho Vault
• OneLogin
• LogMeIn Pro
• Auth0
• ExcelID
• ADManager Plus
• Centrify Identity Service
• Intermedia AppID Enterprise
• RSA SecurID
• WSO2 Identity Server
• ForgeRock Identity Platform
• miniOrange
• NetIQ IDM
• SailPoint
• Imprivata OneSign
• DigitalPersona
Identity Management Frameworks
• NIST SP 800-63-4: Digital Identity Guideline on Identity Proofing and
Registration.
• NIST SP 800-192: Access Control Model.
• NIST SP 800-79-2: Denying or granting requests.
• ISO/IEC 24760: Identity Management Framework, 2021.
• ISO 2910x: Identity Privacy.
• ISO 29003: Identity Proofing and Verification.
• ISO 27001 Annex 9: Access Control.
Vulnerabilities and Attacks on Identity and Access Management.
Vulnerability/Attack
• Identity Theft
• Privilege Creep or Authorization Creep
• Privilege Misuse
• Manual Processes
• Privilege Escalation (Vertical & Horizontal)
• Inadequate Exit and Termination Process
• Whaling Attacks
Identity Management Best Practices
by
(National Security Alliance and Identity Defined Security Alliance)
To promote secure Identity and Access Management across all Sectors, National Security Alliance (NSA) and Identity Defined Security Alliance (IDSA) recommend that:
• Organizations meticulously review and understand their Assets, Business needs and Capabilities.
• Multi-Factor Authentication (MFA) be inculcated into the Authentication framework of organizations.
• All Access points and handshakes be integrated with growth and adoption of Technology in mind.
• Organizations ensure efficient Vendor Support with Contractual bindings and Service Level Agreements.
• Organizations embrace Zero Trust Network Security and the Trust Zero Model.
• Ownership of ALL Identities be clarified (Data Owner, Asset Owner, Identity Owner): ascertain who is responsible for the creation, removal, ongoing maintenance and security of an identity within your organization.
• Unique Identifiers be established for all human and Non-human Identities, to maintain a trail of activity from each identity.
• A resilient and robust Identity and Privileged Access Management (IAM) System be deployed to secure access to critical Assets and to ascertain the sensitivity of the resource being requested and the elevated permission before granting the request.
• An authoritative source of trusted Identity data (Social Security Number, employment, Contractor’s SLA) be ensured, to ascertain the right decisions on what access should be granted and to what extent in terms of expiration date.
Identity Management Best Practices Cont’d
by
(National Security Alliance and Identity Defined Security Alliance)
• Identify and Discover Critical and Non-critical Assets and Identity Sources spread across on-premise and cloud environments, including mobile and virtual elements, bearing in mind the new digitally driven Business World and overwhelming connectivity. You can only protect what you are aware of.
• Automate Provisioning/De-provisioning of Access through lifecycle events such as Exit and Termination processes. This reduces the risk that goes with manual provisioning and de-provisioning of Access Rights.
• Focus on Identity-Centered Security Outcomes that protect the digital identities and secure their access to enterprise data and resources, such as the security capabilities around the IAAA (End Point Protection, Data Access Governance, Zero Trust Network Security and Account Access/User Behavior Review Tools, as well as Security Personnel).
• Establish Governance Processes and a Program through a Governance Steering Committee or Security Steering Committee, with members from cross-functional departments, to review and establish policies around Identity Management of the organization and its procedures, and also to determine overall impact before initiating IDM program changes.
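An added example (not from the deck) tying the Accounting reviews, the vulnerability list (privilege creep, inadequate exit and termination process) and the automated de-provisioning practice above together: an account access review that compares an IAM export against an authoritative HR feed and then applies the resulting de-provisioning actions. The role baseline, HR feed and account export are constructed sample data.

```python
from copy import deepcopy
from datetime import date

# Role baseline (constructed): the rights each job role is entitled to.
ROLE_BASELINE = {
    "teller":     {"ledger:read", "ledger:input"},
    "approver":   {"ledger:read", "ledger:authorize"},
    "contractor": {"logs:read"},
}

# Constructed HR feed, standing in for the authoritative source of identity data.
HR_FEED = {
    "ada": {"status": "active",     "left": None},
    "bob": {"status": "terminated", "left": date(2022, 3, 31)},
    "cy":  {"status": "active",     "left": None},
}

# Constructed IAM account export (not real accounts).
IAM_ACCOUNTS = [
    {"user": "ada", "enabled": True, "role": "teller", "expires": None,
     "rights": {"ledger:read", "ledger:input", "ledger:authorize"}},  # relief-task add-on never removed
    {"user": "bob", "enabled": True, "role": "approver", "expires": None,
     "rights": {"ledger:read", "ledger:authorize"}},                   # left on 31 March, still enabled
    {"user": "cy", "enabled": True, "role": "approver", "expires": None,
     "rights": {"ledger:read", "ledger:authorize"}},                   # clean
    {"user": "vendor-x", "enabled": True, "role": "contractor", "expires": date(2022, 3, 1),
     "rights": {"logs:read"}},                                         # time-bound access past expiry
    {"user": "svc-legacy", "enabled": True, "role": "teller", "expires": None,
     "rights": {"ledger:read"}},                                       # no identity record at all
]
REVIEW_DATE = date(2022, 4, 12)

def review_accounts(accounts, hr, today):
    """Account access review: returns (user, finding, action) triples."""
    findings = []
    for acct in accounts:
        rec = hr.get(acct["user"])
        # Inadequate exit/termination process: HR says gone, account still enabled.
        if rec and rec["status"] == "terminated" and acct["enabled"]:
            findings.append((acct["user"], "terminated-still-enabled", "disable"))
        # Third-party / just-in-time access that outlived its expiry date.
        if acct["expires"] and acct["expires"] < today and acct["enabled"]:
            findings.append((acct["user"], "expired-temporary-access", "disable"))
        # Privilege creep: rights held beyond the role baseline.
        extra = acct["rights"] - ROLE_BASELINE.get(acct["role"], set())
        if extra:
            findings.append((acct["user"], "privilege-creep:" + ",".join(sorted(extra)), "trim"))
        # No authoritative identity record and no expiry: nobody owns this account.
        if rec is None and acct["expires"] is None:
            findings.append((acct["user"], "no-identity-source", "disable"))
    return findings

def deprovision(accounts, findings):
    """Apply the review's actions; returns updated copies, originals untouched."""
    updated = {a["user"]: deepcopy(a) for a in accounts}
    for user, _finding, action in findings:
        acct = updated[user]
        if action == "disable":
            acct["enabled"] = False
            acct["rights"] = set()
        elif action == "trim":
            acct["rights"] &= ROLE_BASELINE.get(acct["role"], set())
    return list(updated.values())

if __name__ == "__main__":
    found = review_accounts(IAM_ACCOUNTS, HR_FEED, REVIEW_DATE)
    for item in found:
        print(item)
    for acct in deprovision(IAM_ACCOUNTS, found):
        print(acct["user"], acct["enabled"], sorted(acct["rights"]))
```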
Conclusion
(Gartner’s Six Trends on Identity Management, 2022)
www.gartner.com
• Connect-anywhere computing will further drive the need for smarter access control.
• Improving user experience for all users will be essential for secure digital business.
• Keys, secrets, certificates and machines will require more attention.
• New applications and APIs will need to leverage the latest IAM development guidelines.
• Hybrid cloud and multi-cloud will drive ongoing IAM architecture maintenance/evolution.
• IGA functions will evolve to enable decentralized architecture.
Thank You
Chinatu Uzuegbu
(CCISO, CISSP, CISM, CISA CEH, …)
Managing Cyber Security Consultant, RoseTech.
Founding Past President, (ISC)2 Nigeria chapter.
chinatuuzuegbu@outlook.com
c.uzuegbu@isc2nigeriachapter.org
info@rtechccsl.com
https://www.linkedin.com/in/chinatu-uzuegbu-67593119/
https://de.slideshare.net/Chinatu
+2348037815577

More Related Content

PDF
Identity and Access Management 101
PPTX
Identity and Access Management (IAM): Benefits and Best Practices 
PDF
HITRUST 101: All the basics you need to know
PDF
Building an effective Information Security Roadmap
PDF
Identity Governance: Not Just For Compliance
PPTX
information security awareness course
PDF
NIST - Cybersecurity Framework mindmap
PDF
Enterprise Vulnerability Management: Back to Basics
Identity and Access Management 101
Identity and Access Management (IAM): Benefits and Best Practices 
HITRUST 101: All the basics you need to know
Building an effective Information Security Roadmap
Identity Governance: Not Just For Compliance
information security awareness course
NIST - Cybersecurity Framework mindmap
Enterprise Vulnerability Management: Back to Basics

What's hot (20)

PPTX
Security operation center
PPTX
Business continuity
PPTX
WHY SOC Services needed?
PPT
Physical Security Assessments
PPTX
Employee Security Awareness Training
PPTX
Information security governance
PPT
Building an Effective Identity Management Strategy
PDF
Identity & Access Management by K. K. Mookhey
PPT
7. physical sec
PDF
Vulnerability Management Program
PPTX
CISSP - Chapter 1 - Security Concepts
PPTX
cyber-security-reference-architecture
PPT
ISO 27001 - Information Security Management System
PPTX
Close your security gaps and get 100% of your traffic protected with Cloudflare
PPTX
Cyber Security Organizational Operating Model and Governance
PPTX
SOC Architecture Workshop - Part 1
PPTX
Information Security Awareness Training Open
PPTX
Security Operation Center Fundamental
PDF
DTS Solution - Building a SOC (Security Operations Center)
PPTX
Data Loss Prevention from Symantec
Security operation center
Business continuity
WHY SOC Services needed?
Physical Security Assessments
Employee Security Awareness Training
Information security governance
Building an Effective Identity Management Strategy
Identity & Access Management by K. K. Mookhey
7. physical sec
Vulnerability Management Program
CISSP - Chapter 1 - Security Concepts
cyber-security-reference-architecture
ISO 27001 - Information Security Management System
Close your security gaps and get 100% of your traffic protected with Cloudflare
Cyber Security Organizational Operating Model and Governance
SOC Architecture Workshop - Part 1
Information Security Awareness Training Open
Security Operation Center Fundamental
DTS Solution - Building a SOC (Security Operations Center)
Data Loss Prevention from Symantec
Ad

Similar to Identity & Access Management Day 2022.pdf (20)

PDF
Understanding Identity Management and Security.
PDF
Denver ISSA Chapter Meetings - Changing the Security Paradigm
PDF
CA Technologies and Deloitte: Unleash and Protect your Business with Identity...
PDF
Identiverse Zero Trust Customer Briefing, Identiverse 2019
PPTX
Cyber crime and Information Security.pptx
PDF
Awareness Security Session 2023 v1.0.pptx.pdf
PPTX
Unit 1.pptx
PPTX
Cybersecurity Leadership Forum - Cincinnati
PPTX
1713435528251_1709734122381_1708585866621_1708585864158_2.Information Systems...
DOCX
Identity Security.docx
PPTX
Information Security and Indian IT Act 2000
PDF
Complicate, detect, respond: stopping cyber attacks with identity analytics
PDF
Cyber+Security+Fundamentals.pdf.....network security
PDF
CIA-Triad-Presentation.pdf
PPTX
CYBER Crime Cyber Security Cyber Law INDIA
PDF
The Components of Cyber Security.pptx.pdf
PPTX
ITIL Basic introduction for the beginners
PDF
The Growing Need for Cyber Security in India
Understanding Identity Management and Security.
Denver ISSA Chapter Meetings - Changing the Security Paradigm
CA Technologies and Deloitte: Unleash and Protect your Business with Identity...
Identiverse Zero Trust Customer Briefing, Identiverse 2019
Cyber crime and Information Security.pptx
Awareness Security Session 2023 v1.0.pptx.pdf
Unit 1.pptx
Cybersecurity Leadership Forum - Cincinnati
1713435528251_1709734122381_1708585866621_1708585864158_2.Information Systems...
Identity Security.docx
Information Security and Indian IT Act 2000
Complicate, detect, respond: stopping cyber attacks with identity analytics
Cyber+Security+Fundamentals.pdf.....network security
CIA-Triad-Presentation.pdf
CYBER Crime Cyber Security Cyber Law INDIA
The Components of Cyber Security.pptx.pdf
ITIL Basic introduction for the beginners
The Growing Need for Cyber Security in India
Ad

More from Chinatu Uzuegbu (19)

PDF
Business Process Revamp is Paramount in 2024.pdf
PDF
Preventing Cloud Data Breaches.pdf
PPTX
Securing The Clouds Proactively-BlackisTech.pptx
PDF
Securing The Clouds with The Standard Best Practices-1.pdf
PDF
World Password Management Day, 2023.pdf
PPTX
The Nigerian Cybersecurity Space-How Regulated Are We?
PDF
Fundamentals for Stronger Cloud Security2.pdf
PDF
Effectiveness of Cyber Security Awareness.pdf
PDF
What The Cyber Entails-2.pdf
PDF
What The Cyber Entails-1.pdf
PDF
Combating Cyber Crimes Proactively.pdf
PDF
Combating cyber crimes chinatu
PDF
Practical approach to combating cyber crimes
PPSX
Cyber Security Awareness Month 2017-Wrap-Up
PPSX
Cyber Security Awareness Month 2017-Nugget 6
PDF
Cyber crime (prohibition,prevention,etc)_act,_2015
PPSX
Cyber Security Awareness Month 2017-Nugget 3
PPSX
Cyber Security Awareness Month 2017- Nugget2
PPSX
Cyber Security Awareness Month 2017
Business Process Revamp is Paramount in 2024.pdf
Preventing Cloud Data Breaches.pdf
Securing The Clouds Proactively-BlackisTech.pptx
Securing The Clouds with The Standard Best Practices-1.pdf
World Password Management Day, 2023.pdf
The Nigerian Cybersecurity Space-How Regulated Are We?
Fundamentals for Stronger Cloud Security2.pdf
Effectiveness of Cyber Security Awareness.pdf
What The Cyber Entails-2.pdf
What The Cyber Entails-1.pdf
Combating Cyber Crimes Proactively.pdf
Combating cyber crimes chinatu
Practical approach to combating cyber crimes
Cyber Security Awareness Month 2017-Wrap-Up
Cyber Security Awareness Month 2017-Nugget 6
Cyber crime (prohibition,prevention,etc)_act,_2015
Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017- Nugget2
Cyber Security Awareness Month 2017

Recently uploaded (20)

PDF
Developing a website for English-speaking practice to English as a foreign la...
PDF
Five Habits of High-Impact Board Members
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
PDF
Architecture types and enterprise applications.pdf
PPTX
observCloud-Native Containerability and monitoring.pptx
PDF
STKI Israel Market Study 2025 version august
PPT
What is a Computer? Input Devices /output devices
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
PDF
Getting Started with Data Integration: FME Form 101
PDF
DP Operators-handbook-extract for the Mautical Institute
DOCX
search engine optimization ppt fir known well about this
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
PPTX
Tartificialntelligence_presentation.pptx
PPT
Geologic Time for studying geology for geologist
PPTX
Web Crawler for Trend Tracking Gen Z Insights.pptx
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
Developing a website for English-speaking practice to English as a foreign la...
Five Habits of High-Impact Board Members
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
A contest of sentiment analysis: k-nearest neighbor versus neural network
Architecture types and enterprise applications.pdf
observCloud-Native Containerability and monitoring.pptx
STKI Israel Market Study 2025 version august
What is a Computer? Input Devices /output devices
Taming the Chaos: How to Turn Unstructured Data into Decisions
Group 1 Presentation -Planning and Decision Making .pptx
Univ-Connecticut-ChatGPT-Presentaion.pdf
Getting Started with Data Integration: FME Form 101
DP Operators-handbook-extract for the Mautical Institute
search engine optimization ppt fir known well about this
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
Tartificialntelligence_presentation.pptx
Geologic Time for studying geology for geologist
Web Crawler for Trend Tracking Gen Z Insights.pptx
NewMind AI Weekly Chronicles – August ’25 Week III

Identity & Access Management Day 2022.pdf

  • 1. Resiliency in Identity & Access Management to Commemorate The Identity Management Day, 2022 Tuesday, April 12, 2022 Chinatu Uzuegbu CCISO, CISSP, CISM, CISA, CEH, MSc. Managing Cyber Security Consultant RoseTech Cybercrime Solutions Ltd.
  • 2. Chinatu Uzuegbu’s BIO Chinatu Uzuegbu is The Managing Cyber Security Consultant with RoseTech Cybercrime Solutions Ltd. A Cyber Security firm running with the vision of assisting Entities to proactively Combat Cyber Crimes, proffering Cyber Security solutions and facilitating Cyber Security workshops. Her concern about the rate of frauds and abuse emanating with Technology gave birth to RoseTech. She is The Founding and immediate Past President of (ISC)2 Nigeria Chapter, running with the vision of promoting a Safe and Secure Cyber Space of Nigeria. (ISC)2 Nigeria Chapter has enjoyed the (ISC)2 Global Chapter award Recognition in Europe, Middle East and Africa for the global award years 2020 and 2021. She is also a Member of the global (ISC)2 Chapter Advisory Committee(CAC) running with the vision of providing strategies to improve the governance and structure of (ISC)² Chapters, promoting chapter leadership development, enhancing the engagement and experience of (ISC)² chapter membership and providing insight, resources and guidance for the (ISC)² Chapter Programs. She is a Cyber Security Mentor with the Open Cyber Security Mentorship Program(OCMP), an initiative of AfriHathon and Cyber in Africa with the vision of mentoring and developing the young minds in Cyber Security. Chinatu was in the Top 50 Women in Cyber Security Finalist by Cyber in Africa, 2020 accolade. She is recently recognized as a WomenTech Global Ambassador of WomenTech Network, Worldwide with the Vision of mobilizing and empowering over 100,000 women in Technology and Cyber Security to develop and thrive in their career. She is also a Member of the Advisory board of VigiTrust, Ireland running with the vision of joining global Cyber Security Key Players to exchange ideas about the direction in which the Cyber Security industry is moving in terms of innovation, case studies, research work and upcoming laws and standards. 
Prior to RoseTech, she had acquired over 14 years wealth of experience as an IT Professional from 2000 to 2016 across banks, insurance firm, manufacturing and others. While in Afribank Nigeria Plc, in 2008, she under-studied an Information Security Expert from ATOS Origin, London as an Information Security Assistant. This spurred her to building and establishing her career in Information/Cyber Security subsequently. Professionally, she is Certified Chief Information Security Officer (CCISO), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager(CISM), Certified Information Systems Auditor(CISA), Certified Ethical Hacker(CEH) and other Information Technology related certifications. She is also an (ISC)2 Authorized Instructor with various Cyber Security training Suites for Individuals and Corporate Organizations. Educationally, She completed a Dubai Virtual Leadership Course with London Graduate School in Collaboration with Common Wealth University in 2020. She has MSc. In Information Systems Management(ISM) from University of Liverpool, 2011 and BSc. In Computer Science/Mathematics from University of Port Harcourt,1998/1999. She is a professional member in good standing with (ISC)2 and many other Information Security Bodies and Associations. She has also attended both International and Local Cyber Security and Technology Conferences as a Speaker, a Delegate or a Volunteer. Chinatu is available for Cyber Security related Services. https://www.linkedin.com/in/chinatu-uzuegbu-67593119/; https://de.slideshare.net/Chinatu
  • 3. Preamble • What is Identity Management? • Why did National Security Alliance declare Identity Management Day? • Identity Defined Security Alliance(IDSA) Report on Data Breaches, 2021. • The Identity and Access Management Lifecycle. • The Concept of Identification, Authentication, Authorization and Accountability (IAAA). • Vulnerabilities and Attacks on Identity and Access Management. • The Identity Management Frameworks. • The Identity and Access Management Systems • Best Practices in Identity Management as advised by The Identity Defined Security Alliance(IDSA). • Conclusion: The Gartner’s Six Trends in Identity Management 2022. • Questions
  • 4. What is Identity Management?
    Identity management is the process of Identifying, Authenticating and Authorizing individuals or entities to have access to digital resources such as applications, databases, systems, networks, platforms, e-mails, internet, infrastructures, devices, data, information and others, with security and resilient Accounting in mind.
  • 5. Why did National Security Alliance (NSA) declare Identity Management Day?
    As the Digital Age and the New Normal have brought the Workplace close to the Home front, it has become paramount for all Entities (Individuals, Organizations, Children, Students, Seniors, SMEs and others) to protect their Digital Identities. NSA implies that most successful attacks were not necessarily due to evolution in technology but due to poor Identity Management Practices. The ongoing Technology evolution and transformation of Businesses should mandate security around Identity Management as the first line of action. NSA sets aside every 2nd Tuesday in April for Security Leaders, Security Vendors and Security Advocates to educate all entities on managing their Digital Identities and Information Assets with security and optimal protection in mind. Inadequate Security Hygiene on the Official or Personal Accounts and Devices of Entities could grant the bad guys unauthorized access to their entire Kingdom.
  • 6. Why did National Security Alliance (NSA) declare Identity Management Day? Cont’d
    • Security Awareness: Digital Identity Security, a priority!
    • Reduced Risk of Data Breaches and losses.
    • Understand the dangers of Poor Identity Management.
    • To enforce Best Practices.
    • To enforce Multifactor Authentication (MFA).
    • To encourage Vendor Support.
    • For a Clarion Call and urgency as the growth curve of Identifiable Elements increases rapidly.
    • To enforce Password Policies.
    • To promote Identity Mgt. as the first line of defense in protecting Entities’ Information Assets.
    • To encourage Software Updates.
    • To enforce Zero Trust Architecture.
  • 7. Identity Defined Security Alliance Report on Data Breaches, 2021 (https://www.idsalliance.org/wp-content/uploads/2020/08/IDSA-)
    • 79% of Orgs: successful Identity-related security breaches in the last two years.
    • 97% of the victims: thought the above breaches could be prevented and are determined to invest in secured Identity investments in the next two years.
    • 61% of the breaches: were due to Weak and stolen Credentials (Verizon Data Breach Investigations Report, 2021).
    • $6T: global loss to Data Breaches from 2017 till Date.
    • 15 Billion passwords are available on the Dark Web (Forbes).
    • $3.2 Billion in venture funding went into the identity management space in 2021 (CrunchBase).
  • 8. The Identity Management Lifecycle Provisioning & De-Provisioning Concept
  • 9. The Concept of Identification, Authentication, Authorization and Accounting (IAAA).
    • Identification: Process of making a Claim.
      Types: Personally Identifiable Information (PII), Organizational Identifiable Information, Application to Application Ids, Federated Ids, Machine Identities, Botnets.
      Examples: User Name, Account Number, Desktop Id, Laptop Id, Email Id, Social Security Number, Application Id, National Id, Federated Id, Employee Id, Business Id, Enterprise Id, Organization Id, Cloud Based Id, Host Id, Server Id, Phone Number, IP Address and others.
    • Authentication: Process of Validating the identified Claim.
      Factors: Something You Know, Something You Have, Something You Are, Multi Factor Authentication.
      Examples: Password, PIN; Smart Card, ATM Card, Token Device; Biometrics Enrollments and Others.
    • Authorization: Process of assigning access rights on authentication as claimed.
      Principles: Least Privilege, Need To Know, Role Based, Rule Based, Separation of Duties.
      Rights: Read, Write, Delete, Modify, Create, Input, Authorize, Check, Monitor, Audit.
    • Accounting: Process of assuring that Access Rights are running as assigned and as required.
      Reviews: User Behavior Review, Account Access Review, Duties Review, JIT Review, Privilege Users Review, Temporary Access Review.
      Tools: Log Files, Database Activity Monitoring, Audit Trails, SIEM, IDS, IPS, DRM, DLP, Non-Repudiation, Digital Signatures.
  • 10. Identification (Process of making a Claim)
    • Personally Identifiable Information: Email Address, Social Security Number, National Id, Account Number, Phone Number, Biometrics Verification Number, User Id, Others.
    • Organizational Identifiable Information: Employees, Contractors, Third parties (Federated Identities), Customers, Business Email Ids, Application Ids, End-Users, Machines.
  • 11. Machine Identities
    • Botnets (Zombies): a group of autonomous programs on a distributed network of Systems mandated to interact for a purpose.
    • Robotic Process Automation (RPA): Technology that uses software robots to automate repetitive tasks and manual processes, thus enhancing the work by interacting with websites, business and desktop applications, databases and people to execute repetitive and often mundane tasks.
    • Application to Application Ids (STP): Straight-through Process (STP) guarantees a handshake between two or more Applications with authentication strings and tokens to enable either of the Applications access right to the other Application’s Resources.
  • 12. Machine Identities Cont’d
    • Federated Identities (Third Parties): Identities issued by an organization to Third Party Partners (P2P), Businesses (B2B), Regulatory bodies, Suppliers, Escrows, Vendors and others directly or indirectly in a Business relationship. Access Rights to Third Parties are Time-bound, with close monitoring as the case may be.
    • Cloud Based Ids: Cloud-Based Identities are managed by Third-party Providers or Cloud Brokers as Identity as a Service (IDaaS) for enterprises who subscribe. The ID issued by the IDaaS Provider is what the organization applies for enrollment into the Cloud platform as a Subscriber.
  • 13. Authentication (Process of Validating a Claim as Identified)
    Three Factors of Authentication:
    • Something You Know: Password, Personal Identification Number (PIN).
    • Something You Have: Smart Card, ATM Card, Token Device.
    • Something You Are: Biometrics (Physical and Biological Traits) such as Fingerprints, Voice, Iris Scan, Facial Scan, Keystrokes and others.
    • Any two or more of the above factors of Authentication constitute Multi-Factor Authentication.
    • One of the factors, or a combination of tools from only one of the factors, remains Single Factor Authentication and is seen as Weak Authentication.
    • Passwords are seen as the weakest of the Factors of Authentication.
    • Biometrics are seen as the strongest of the Factors of Authentication, as a human attribute cannot be impersonated, even though they still remain a Single Factor of Authentication and Weak Authentication if applied alone.
  • 14. Authorization (Process of granting Access Rights on validating the identified Claim)
    • Concept of Least Privilege: Access Rights should be granted based on all that the validated Claim needs to perform a specific task and not more.
    • Concept of Need To Know: Access Rights should be granted based on the Security clearance and Classification level of the Subject; for example, only the access rights required for the knowledge of the Subject.
    • Separation of Duties: No one Subject should be able to complete a critical Process alone; the process has to be divided to prevent fraud, which would then require collusion between two or more subjects.
    • Just-in-Time Access Rights: Access Rights for Vendors, Contractors, Third Parties and Guests should be temporary and time-bound, with close monitoring.
    • Privileged Account/Access Management: Access Rights to Privileged Accounts such as System Administrator, Database Admin and other privileged Entities on high-profile tasks should be closely monitored with a Privileged Access Management System to assure that abuse of such privileges is minimized.
    • Privileged Users (Vertical and Horizontal): Privileged Users could leverage their access rights to acquire higher-profile access to critical Assets (Vertical), or leverage too many access creeps to acquire unauthorized access and Information (Horizontal), for example an add-on to existing privilege due to a relief task.
    • Role Based Access Control: Access Rights should be granted with a seamless Access Control Model, already established in the Governance of the organization and driven by the job roles of each department in the organization.
    • Rule Based Access Control: Access Rights should be granted based on Policies, Standards and Baselines mandated by the governance of the organization.
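The authorization principles on this slide (least privilege, separation of duties, just-in-time access, role-based and rule-based control) can be combined into a single deny-by-default decision function. The following is an added example, not code from the deck; the role model, the permission names, the business-hours rule and the subjects are constructed for a hypothetical organisation.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
ROLE_PERMISSIONS = {  # constructed sample role model for a hypothetical organisation
    "teller": {"payment:create", "account:read"},
    "supervisor": {"payment:approve", "account:read"},
}
# Separation of duties: no single subject may hold both halves of a critical process.
SOD_CONFLICTS = [("payment:create", "payment:approve")]
# Rule-based constraint: privileged (db:*) actions are allowed only in business hours.
BUSINESS_HOURS = (8, 18)

@dataclass
class Subject:
    roles: set
    jit_grants: dict = field(default_factory=dict)  # permission -> expiry datetime

def effective_permissions(subject, now):
    """Role-based permissions plus just-in-time grants that have not yet expired."""
    perms = set()
    for role in subject.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    perms |= {p for p, expiry in subject.jit_grants.items() if now < expiry}
    return perms

def sod_violations(subject, now):
    """Conflicting permission pairs the subject holds at the same time."""
    perms = effective_permissions(subject, now)
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]

def authorize(subject, permission, now):
    """Deny by default (least privilege); returns (decision, reason)."""
    if permission not in effective_permissions(subject, now):
        return False, "not granted by any role or unexpired JIT grant"
    if any(permission in pair for pair in sod_violations(subject, now)):
        return False, "separation-of-duties conflict: subject holds both sides"
    if permission.startswith("db:") and not BUSINESS_HOURS[0] <= now.hour < BUSINESS_HOURS[1]:
        return False, "rule-based denial: privileged action outside business hours"
    return True, "granted"

# Constructed scenario: a teller, a contractor with a 12-hour JIT grant, a user with creep.
NOW = datetime(2022, 4, 12, 10, 0)
TELLER = Subject({"teller"})
CONTRACTOR = Subject(set(), {"db:admin": NOW + timedelta(hours=12)})
CREEP = Subject({"teller", "supervisor"})

def run_demo():
    """Decisions for the constructed scenario, keyed by case name."""
    return {
        "teller_create": authorize(TELLER, "payment:create", NOW),
        "teller_approve": authorize(TELLER, "payment:approve", NOW),
        "jit_in_window": authorize(CONTRACTOR, "db:admin", NOW),
        "jit_expired": authorize(CONTRACTOR, "db:admin", NOW + timedelta(hours=13)),
        "jit_after_hours": authorize(CONTRACTOR, "db:admin", NOW.replace(hour=19)),
        "sod_conflict": authorize(CREEP, "payment:approve", NOW),
    }
```

Note that the contractor's grant is denied after hours even while the JIT window is still open, and that the user holding both teller and supervisor roles is refused only for the conflicting permission, not for unrelated ones such as `account:read`.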
  • 15. Accounting (Process of assuring that Access Rights are running as assigned and as required, through Audit trails.)
    • Account Access Review
    • User Behavior Review
    • Privilege Users Review
    • Just in Time Access Review
    • Third Parties Access Review
    • Access Control Review
    • Log Files Review
    • Others
  • 16. Advantages of an Identity Management System
    • Builds a strong security wall to safeguard personal data like passwords, social security numbers, names, credit cards, phone numbers, addresses and others.
    • Manages users, their credentials, policies, and access within and outside an organization, as well as users’ descriptive data and how they can be accessed.
    • Protects organizations against all types of identity theft, like credit fraud, which was the most rampant.
    • Controls user information in computer systems, data which may include those that help authenticate user identity and those that describe actions and information that can be accessed or performed.
    • Covers single sign-on, multi-factor authentication, and access management, or serves as a directory for identity and profile data storage.
    • The technology has been undergoing remarkable changes, with identity management software now focusing on ease of deployment, integration, and compliance.
    • Uses only top-of-the-line tools to protect user identity from breaches.
  • 17. Advantages of an Identity Management System Cont’d
    • Minimized risks of data breaches
    • Enhanced control over user accounts’ accesses and privileges
    • Access control that drills right down to individual applications, APIs, and services
    • Cloud-based access and control over users and applications located anywhere in the world
    • Better user experience with features like SSO and customized interfaces
    • Cross-organization onboarding made seamless, even when they have disparate systems in place
    • Creating brand trust by securing the organization for a better reputation as a compliant, reliable, and trustworthy business
  • 18. Identity Management Systems
    Microsoft Identity Manager, Microsoft Azure Active Directory, Oracle Identity Management, Okta Identity Management, Zoho Vault, OneLogin, LogMeIn Pro, Auth0, ExcelID, ADManager Plus, Centrify Identity Service, Intermedia AppID Enterprise, RSA SecurID, WSO2 Identity Server, ForgeRock Identity Platform, miniOrange, NetIQ IDM, SailPoint, Imprivata OneSign, DigitalPersona.
  • 19. Identity Management Frameworks
    • NIST SP 800-63-4: Digital Identity Guideline on Identity Proofing and Registration.
    • NIST SP 800-192: Access Control Model.
    • NIST SP 800-79-2: Denying or granting requests.
    • ISO/IEC 24760: Identity Management Framework, 2021.
    • ISO 2910x: Identity Privacy.
    • ISO 29003: Identity Proofing and Verification.
    • ISO 27001 Annex 9: Access Control.
  • 20. Vulnerabilities and Attacks on Identity and Access Management.
    Vulnerability/Attack:
    • Identity Theft
    • Privilege Creep or Authorization Creep
    • Privilege Misuse
    • Manual Processes
    • Privilege Escalation (Vertical & Horizontal)
    • Inadequate Exit and Termination Process
    • Whaling Attacks
  • 21. Identity Management Best Practices (by National Security Alliance and Identity Defined Security Alliance)
    To promote secured Identity and Access Management across all Sectors, National Security Alliance (NSA) and Identity Defined Security Alliance (IDSA) recommend that:
    • Organizations meticulously review and understand their Assets, Business needs and Capabilities.
    • Multi-Factor Authentication (MFA) be incorporated into the Authentication framework of organizations.
    • All Access points and handshakes be integrated with growth and adoption of Technology in mind.
    • Organizations ensure efficient Vendor Support with Contractual bindings and Service Level Agreements.
    • Organizations embrace Zero Trust Network Security and the Trust Zero Model.
    • Ownership of ALL Identities (Data Owner, Asset Owner, Identity Owner) be clarified: ascertain who is responsible for the creation, removal, ongoing maintenance and security of an identity within the organization.
    • Unique Identifiers be established for all human and Non-human Identities to maintain a trail of activity from each identity.
    • A resilient and robust Identity and Privileged Access Management (IAM) System be deployed to secure access to critical Assets and to ascertain the sensitivity of the resource being requested and the elevated permission before granting a request.
    • An authoritative source of trusted Identity data (Social Security Number, employment, Contractor’s SLA) be ensured, to ascertain the right decisions on what access should be granted and to what extent in terms of expiration date.
  • 22. Identity Management Best Practices Cont’d (by National Security Alliance and Identity Defined Security Alliance)
    • Identify and Discover Critical and Non-critical Assets and Identity Sources spread across on-premise and cloud environments, with mobile and virtual elements, bearing in mind the new digitally driven Business World and overwhelming connectivity. You can only protect what you are aware of.
    • Automate Provisioning/De-provisioning of Access through lifecycle events such as Exit and Termination processes. This would reduce the risk that goes with manual provisioning and de-provisioning of Access Rights.
    • Focus on Identity-Centered Security Outcomes that protect the digital identities and secure their access to enterprise data and resources, such as the security capabilities around the IAAA (End Point Protection, Data Access Governance, Zero Trust Network Security and Account Access/User Behavior Review Tools, as well as Security Personnel).
    • Establish Governance Processes and a Program through a Governance Steering Committee or Security Steering Committee, with members from cross-functional departments, to review and establish policies around Identity Management of the organization and its procedures, and also to determine overall impact before initiating IDM program changes.
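The Accounting reviews of slide 15, the weaknesses listed on slide 20 (privilege creep, inadequate exit and termination) and the authoritative-source and automated de-provisioning advice above all reduce to one periodic check: reconcile what the IAM system holds against the authoritative identity source and the role baseline. The following is an added example, not from the deck or the alliances' material; the HR roster, role baseline and IAM export are constructed sample data for a hypothetical organisation.

```python
from datetime import datetime

# Constructed sample data for a hypothetical organisation (not from the deck):
# the HR roster is the authoritative source of identity, the IAM export is what exists.
NOW = datetime(2022, 4, 12)
HR_ROSTER = {
    "ada": {"status": "active", "role": "teller"},
    "bob": {"status": "terminated", "role": "teller"},
    "carol": {"status": "active", "role": "supervisor"},
    "eve-vendor": {"status": "contractor", "role": "vendor", "expires": datetime(2022, 3, 31)},
}
ROLE_BASELINE = {  # permissions each job role is supposed to carry
    "teller": {"payment:create", "account:read"},
    "supervisor": {"payment:approve", "account:read"},
    "vendor": {"ticket:read"},
}
IAM_EXPORT = [
    {"user": "ada", "perms": {"payment:create", "account:read"}, "last_login": datetime(2022, 4, 10)},
    {"user": "bob", "perms": {"payment:create", "account:read"}, "last_login": datetime(2022, 1, 3)},
    {"user": "carol", "perms": {"payment:approve", "account:read", "db:admin"}, "last_login": datetime(2022, 4, 11)},
    {"user": "eve-vendor", "perms": {"ticket:read"}, "last_login": datetime(2022, 4, 9)},
    {"user": "svc-legacy", "perms": {"db:admin"}, "last_login": datetime(2021, 11, 1)},
]

def review_access(accounts, roster, baseline, now, dormant_days=90):
    """Return (user, finding) pairs for accounts that need action."""
    findings = []
    for acct in accounts:
        user, perms = acct["user"], acct["perms"]
        person = roster.get(user)
        if person is None:
            # No owner in the authoritative source: nobody is accountable for this identity.
            findings.append((user, "orphaned account with no identity owner"))
            continue
        if person["status"] == "terminated":
            findings.append((user, "still active after termination: de-provision"))
        if person.get("expires") and now > person["expires"]:
            findings.append((user, "third-party access past its expiry date"))
        creep = perms - baseline.get(person["role"], set())
        if creep:
            findings.append((user, "privilege creep beyond role: " + ", ".join(sorted(creep))))
        if (now - acct["last_login"]).days > dormant_days:
            findings.append((user, "dormant: no login in over %d days" % dormant_days))
    return findings

def run_review():
    """Findings for the constructed sample data as of NOW."""
    return review_access(IAM_EXPORT, HR_ROSTER, ROLE_BASELINE, NOW)

if __name__ == "__main__":
    for user, finding in run_review():
        print(user, "->", finding)
```

In a real deployment the roster and export would come from the HR system and the IAM platform, and each finding would feed a de-provisioning or recertification ticket rather than a print statement.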
  • 23. Conclusion (Gartner’s Six Trends on Identity Management, 2022) www.gartner.com
  • 24. Gartner’s Six Trends on Identity Management, 2022
    • Connect-anywhere computing will further drive the need for smarter access control.
    • Improving user experience for all users will be essential for secure digital business.
    • Keys, secrets, certificates and machines will require more attention.
    • New applications and APIs will need to leverage the latest IAM development guidelines.
    • Hybrid cloud and multi-cloud will drive ongoing IAM architecture maintenance/evolution.
    • IGA functions will evolve to enable decentralized architecture.
  • 25. Thank You
    Chinatu Uzuegbu (CCISO, CISSP, CISM, CISA, CEH, …)
    Managing Cyber Security Consultant, RoseTech.
    Founding Past President, (ISC)2 Nigeria Chapter.
    chinatuuzuegbu@outlook.com
    c.uzuegbu@isc2nigeriachapter.org
    info@rtechccsl.com
    https://www.linkedin.com/in/chinatu-uzuegbu-67593119/
    https://de.slideshare.net/Chinatu
    +2348037815577