Understanding Identity Management and Security.
- 1. Understanding Identity Management and Security. Starring: Chinatu Uzuegbu Identity Management Day, April 13, 2021 Cyber in Africa Event
- 2. KeyNote Speaker • Top 50 women in Cyber Security, Africa 2020 Accolade. • Founding Cyber Security Consultant: RoseTech CyberCrime Solutions Limited.(2016 till Date). • President, (ISC)2 Nigeria Chapter(2018 till Date). • Experienced BanKer(2007 to 2016): – Afribank Nigeria Plc/Mainstreet Bank Ltd(2007 to 2015): . IT/Application/Data Custodian (Core Banking Applications, Third Party Applications, Enterprise Applications Development, Others). . Information Security Assistant – Skyebank Nig Plc(2015 to 2016): . Business Relationship Manager • Afribank Insurance Brokerage(2004 to 2007): – Head, Information Technology • Nigeria Distilleries Ltd(2002 to 2004): -Ag, Head, Information Technology. -Senior IT Officer • Professional Membership in Good Standing: – Cyber Security Experts Association of Nigeria(CSEAN) – International Information Systems Security Certification Consortium(ISC)2 – Information Systems Audit and Control Association (ISACA) – EC-Council ChinatuUzuegbu CCISO, CISSP, CISM, CISA, CEH,…………
- 3. Overview • What is Identity Management ? • Why Identity Management Day? • Report on Data Breaches, 2020. • The Concept of Identification, Authentication, Authorization and Accountability or Auditing.. • Organizational Digital Identifiable Information • Personal Digital Identifiable Information • Best Practices in Identity Management • Questions
- 4. What is Identity Management? Identity management (ID management) is the organizational process for identifying, authenticating and authorizing individuals or groups of people to have access to applications, systems or networks by associating user rights and restrictions with established identities.
- 5. Why Identity Management Day? Security Awareness Digital Identity Security; a priority Reduce Risk of Data Breaches and losses Dangers of non- challancy Inculcate Best Practices and MFA Tremendous and Steady Growth of Identifiable Elements Leverage on Vendor Support
- 6. Data Breaches in High Rise: IDSA Report 2020 https://www.idsalliance.org/wp-content/uploads/2020/08/IDSA- Infographic-v3-1.pdf Successful Identity-related security breaches in the last two years Global loss to Data Breaches from 2017 till Date Leveraged on Weak and stolen Identities(Verizon Report, 2020) Thought the above breaches could be prevented. 79% of Orgs 99% of the victims 81% of the breaches $6T
- 8. Identification Process of making a Claim: • Personal Identifiable Information(PII) • Organizational Identifiable Information
- 9. Organizational Identifiable Information: • Employees • Contractors • Third parties(Federated Identities) • Customers • End-Users • machines
- 10. • Bots • RPA(Robotic Process Automation). • Application to Application Accounts. • Built-in IaaS, Idaas, XaaS Concept Machine identities:
- 11. Bots(Zombie) • An autonomous program on the internet or another network that can interact with systems or users. • Botnets: group of autonomous programs on a distributed network of Systems mandated to interact for a purpose.
- 12. Robotic Process Automation(RPA) • Technology that uses software robots to automate repetitive tasks and manual processes. • Enhancing the work of your employees by interacting with websites, business and desktop applications, databases and people to execute repetitive and often mundane work.
- 13. Application to Application Identities(STP) Concept of the Straight-Through Process(STP) from the diagram in below: 1. Application A is automatically registered to request authentication to access Resources from Application B using the Application Identity(App ID). 1. Application A on registration with the App ID, obtains a client ID and secret key(token).
- 14. Application to Application Identities(STP) Cont’d 3. On authentication with the client ID and token, Application A requests authorization to access Resources from Application B. 4. Application B automatically grants Application A access rights based on the token strings(Response Handshake) earlier issued by APP ID. 5. Application A is now able to send requests and access Resources from Application B leveraging on the Handshake.
- 15. Federated(Third Party) Identities • Identities issued by an organization to Third Party Partners(P2P), Businesses(B2B), Regulatory bodies, Suppliers, Escrows, Vendors and others directly or indirectly in Business relationship. • Access Rights to Third Parties are Time-bound with close monitoring as the case may be.
- 16. Cloud-Based Identities • Identity As a Service(IDaaS) is a Cloud-based authentication built and operated by a third-party provider. • IDaaS companies supply cloud-based authentication or identity management to enterprises who subscribe. • The ID issued by the IDaaS Provider is what the organization applies for enrollment into the Cloud platform as a Subscriber.
- 17. Personal Identifiable Information(PII) • Email Address • Security Identity • National Identity • Bank Account Number • Bank Verification Number • User Identity • Others
- 18. Authentication Process of Validating a Claim: –Passwords –Biometrics –Smart Cards –ATM Cards –Tokens –Cloud based Authentication –Others –Multi Factor Authentication is the way to go!
- 19. Factors of Authentication The three Factors of Authentication: • Something You Know: Password, PIN; the weakest. • Something You have : Token, Phone, Smart Card. • Something You are: Biometrics(Finger prints, others); the strongest. • A combination of two or more of the above factors makes a strong authentication.
- 20. Multi-Factor Authentication(MFA) • A combination of two or more of the three factors of Authentication. • No critical Identifiable Information is authenticated with single factor approach. • MFA promotes strong authentication mechanism as no one of the factors of authentication is strong enough and must not be applied alone for critical Information assets.
- 21. Authorization • Process of assigning access rights on authentication. • Grant Access Rights based on Concept of : Least Privilege and Need to Know. • Role Based Access Control is the way to go!
- 22. Accountability • Process of trailing activities on the system/network and assuring that all activities are traceable whatsoever: – Time Stamps – Digital Signatures – Audit Trails – Non-Repudiation – Log Files(SIEM) – Others
- 23. NSA and IDSA Advise To promote a secured Identity and Access Management across all Sectors, National Security Alliance(NSA) and Identity Defined Security Alliance(IDSA) recommend that: • Best Practices be enforced and mandated. • Multi-Factor Authentication(MFA) be inculcated into the Authentication framework of organizations. • All Access points be integrated with growth and adoption of Technology in mind. Think IAM system and PAM system. • Organizations establish Handshakes with Vendors for necessary Support. • Organizations Embrace Zero Trust Architecture around all Infrastructures and Applications.
- 24. Identity Management Best Practices • Clarify Ownership of ALL Identities. • Ascertain the custodian of All Identities. • Who is responsible for the creation, removal, ongoing maintenance and security of an identity within your organization? • Imbibe the culture of Multi Factor Authentication(MFA) for all Handshakes. • Deploy a resilient and robust Privileged Access Management(PAM) System. • Deploy a resilient and robust Identity and Access Management(IAM) System. • Zero Trust Architecture in everything is the way to go!
- 25. Happy Identity Management Day April 13, 2021
- 26. Thank You Chinatu Uzuegbu (CCISO, CISSP, CISM, CISA CEH, …). Founding Cyber Security Consultant, RoseTech. President, (ISC)2 Nigeria chapter. chinatuuzuegbu@outlook.com c.uzuegbu@isc2nigeriachapter.org info@rtechccsl.com https://www.linkedin.com/in/chinatu-uzuegbu- 67593119/ +2348037815577