E-ID: are you (proven) in control? INFORMATION RISK MANAGEMENT DENNIS VAN HAM

Date posted: 26-Mar-2015

Page 1

e-ID: are you (proven) in control?

INFORMATION RISK MANAGEMENT

DENNIS VAN HAM

Page 2

© 2006 KPMG EDP Auditors N.V., member of KPMG International, a Swiss cooperative. All rights reserved.

Introduction and setting the scene

Identity: who are you? And how can we be sure it’s you?

Access: what are you allowed to do?

Business: protection of information is important but please don’t bother me;

Technology: lots of it available but how reliable is it really?

Audit and compliance management: proven in control?

Page 3

Impact on people – changing threats and fast

Man-in-the-Middle Attacks

Pharming

Trojan Horses

Botnets

Spyware

Malware

Keylogging

“Classic” Phishing

And more …

Timeline (figure axis): 2003, 2004, 2005, 2006

Page 4

People are different and have many e-ID’s

Hip, 20-something male

Thinks he’s immune to online fraud

Freely gives away his personal information

Has a firewall and antivirus

Clicks on any link

His motto: I grew up with the Internet. I’m not afraid of it.

Tentative mother of grown children

Learning to navigate the Net

Considering banking online, but hasn’t taken the leap yet

Afraid of hackers from news story about ID theft victims

Her motto: The Web is complicated! Better to be safe than sorry.

Young, traveling businessman with a family

Juggles 30 passwords

Uses two-factor authentication at work

Wonders if it’s available for his personal accounts

His motto: Internet security is key, but I can’t carry one more thing.

Source: RSA Security

Page 5

Impact on business

Compliance: SOX, HIPAA, Privacy, BASEL II, FDIC, etc.

Corporate or IT Governance: lack of clear strategy; timely implementation of policies or resolutions; policy enforcement and reporting.

Security: protection of intellectual property; rising administration and helpdesk costs; complex technologies and application infrastructure.

Page 6

IT-security survey: six important signals

Technology remains very dynamic; proper risk analysis is key but is not applied on a large scale;

Insufficient expertise most important motive for outsourcing IT-security;

Hacking, viruses and worms significant threats, companies have little insight into the quality of their protection;

Authorisation management is structured ineffectively and inefficiently;

Continuity management is often organised on paper but it is usually not certain whether it also works well in practice;

The growing use of mobile devices requires attention.

Page 7

Compliance – but not a goal in itself

Page 8

Complex and getting management attention is difficult

Page 9

Reality bites – ‘identity and access’ information everywhere

Page 10

How does an auditor think?

Page 11

Identity & Access Management – in a nutshell

Significant Integration Effort Required

Figure: three platform stacks side by side (J2SE/J2EE, Windows/.NET, UNIX/LAMP), each with the same layers: APIs and protocols, Frameworks, OS and infrastructure, Processing, Networking, Storage, Security.

Spanning all three stacks, the IAM functions: Authentication, Authorization, Provisioning, Audit Management, Meta-Directory, Cross Platform, Federation.

Page 12

More information?

Dennis van Ham, Consultant

KPMG Information Risk Management, Burgemeester Rijnderslaan 20, 1185 MC Amstelveen, Postbus 74105, 1070 BC Amsterdam. Telephone +31 (0)20 6568103, Fax +31 (0)20 6568388. E-mail: [email protected] Internet: www.kpmg.nl/irm

KPMG Information Risk Management
