Information Security’s Blind Spot:
Who Do You Trust?
© 2012 Enterprise Management Associates, Inc.
Scott Crawford
Managing Research Director
Enterprise Management Associates
www.enterprisemanagement.com
Ravi Srinivasan
Director of Identity & Access Management
IBM
www.ibm.com
Today’s Presenters
Slide 2
Scott Crawford – Managing Research Director
Scott is the Managing Research Director of EMA’s Security and Risk Management practice. Scott has over 20 years of experience as an IT professional. He is the former head of information security for the Comprehensive Nuclear-Test-Ban Treaty Organization’s International Data Centre in Vienna, Austria, and has served in both the private and public sectors, with organizations such as the University Corporation for Atmospheric Research and Emerson.
Ravi Srinivasan – Director of Identity & Access Management
Ravi manages the IBM identity, access and mainframe security portfolio product management based in Austin, Texas. He has over 15 years of experience in market strategy, product management and development in the software and services industries. Ravi meets and consults with senior management, line-of-business owners and IT operations management around the world on their key security, risk and compliance initiatives. He is also a frequent speaker at trade and analyst conferences and customer events, sharing a worldwide perspective and insights. Ravi mentors several security services practitioners and product managers in developing practical solution approaches to changing security, risk and compliance needs.
Slide 3
Logistics for Today’s Webinar
Questions
• Log questions in the Q&A panel located on the lower right corner of your screen
• Questions will be addressed during the Q&A session of the event
Event recording
• An archived version of the event recording will be available at www.enterprisemanagement.com
Event presentation
• A PDF of the PowerPoint presentation will be available
One of IT Security’s Favorite Quotes
Slide 5 © 2012 Enterprise Management Associates, Inc.
“Trust, but Verify”
The Problem with “Trust, but Verify”
• When one can verify, is trust really necessary? Or even relevant?
• When one cannot verify, all one has is trust…and it’s blind
• Case in point:
  • The proverb itself is Russian (“Доверяй, но проверяй”)
  • Actually, it was a favorite of Lenin’s…
Slide 6
But Hang On a Sec…
• Reagan quoted the proverb because it was familiar to Russian-speakers
• A few lessons for infosec…
  • When verifying, context matters!
Slide 7
IT Security’s Complexity and Scale
• IT complexity
  • Remains a challenge…but add to that:
  • Profusion of applications
    • Web
    • SaaS
    • Mobile
  • Device diversity
    • From traditional to…how many mobile devices??
• Industrialized threats
  • Commoditized attacks at scale
• Sophisticated adversaries
  • Well-resourced, patient, targeted attacks
Slide 8
Common Threads in Attacks
• Targeting the user
  • …Or more specifically, the user’s access privileges
    • Access to tangible assets (cybercrime, fraud)
    • Access to valuable information
    • Access to anything else that might be interesting…
• Stepwise progress of a more serious attack
  • Privilege escalation
  • Shared administrative accounts
  • Poorly controlled linkage between individual user accounts and administrative privilege
Slide 9
So Who Do YOU Trust?
• Once access is gained, do you know how it’s being used?
  • Example: Legitimate user, questionable activity
    • Could this be a compromise of a legitimate account?
    • Or is a “trusted” individual behaving suspiciously?
    • How can you tell the difference?
• Access privileges are assigned, based on…what, exactly?
  • In B2C applications: Fraud data?
  • B2B: Validation of partners?
  • Internal: Who makes access risk decisions? IT?
• What are YOU doing to verify?
Slide 10
Verification through Identity and Access Intelligence
• Ability to monitor is important…but ability to correlate with identity and access is key!
  • When user behavior deviates from a norm
    • Requires recognition of normal behavior for a specific identity
    • How dynamic? When behavior changes during a transaction?
• So it’s a legitimate user. Is access always appropriate, regardless of the context?
  • Information – User – Network – Endpoint
  • Warning: Application access control that stops at the “front end”
    • Do backend systems implicitly “trust” the front ends of complex applications?
Slide 11
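The slide’s point that monitoring only becomes verification once it is correlated with a specific identity’s own norm can be shown with a small per-identity baseline. The Python below is an added example, not code from the presentation or from EMA or IBM: the log format, the two sample users, the choice of "admin" as the privileged action and the triage heuristic that separates "account compromised" from "trusted user misbehaving" are all assumptions made for the example.

```python
"""Per-identity behavioural baseline with deviation scoring (added example).

Constructed log format (assumption):
  <ISO timestamp> user=<id> src=<country> app=<name> action=<verb>
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2} "
    r"user=(?P<user>\S+) src=(?P<src>\S+) app=(?P<app>\S+) action=(?P<action>\S+)$"
)
PRIVILEGED_ACTIONS = {"admin"}  # assumption: which actions count as privileged

# Constructed baseline period: ordinary activity for two identities
BASELINE_LOG = """
2012-03-05T09:12:44 user=jdoe src=DE app=crm action=read
2012-03-05T10:03:10 user=jdoe src=DE app=crm action=read
2012-03-06T14:41:09 user=jdoe src=DE app=crm action=update
2012-03-07T16:20:31 user=jdoe src=DE app=crm action=read
2012-03-05T08:55:00 user=asmith src=DE app=hr action=read
2012-03-06T09:30:12 user=asmith src=DE app=crm action=read
2012-03-07T13:05:45 user=asmith src=DE app=hr action=admin
"""

# Constructed events to score against that baseline
NEW_LOG = """
2012-03-12T03:15:02 user=jdoe src=RU app=crm action=read
2012-03-12T10:20:00 user=jdoe src=DE app=payroll action=admin
2012-03-12T09:05:00 user=asmith src=DE app=hr action=read
2012-03-12T09:06:00 user=ghost src=DE app=crm action=read
"""


def parse(text):
    """Turn log text into event dicts; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["hour"] = int(e["hour"])
            events.append(e)
    return events


def build_baselines(events):
    """Per-identity norms: sources seen, apps used, active hours, privileged use."""
    base = defaultdict(lambda: {"src": Counter(), "app": Counter(), "hour": Counter(), "priv": 0})
    for e in events:
        b = base[e["user"]]
        b["src"][e["src"]] += 1
        b["app"][e["app"]] += 1
        b["hour"][e["hour"]] += 1
        if e["action"] in PRIVILEGED_ACTIONS:
            b["priv"] += 1
    return dict(base)


def deviations(baseline, e):
    """List the ways one event departs from the identity's own norm."""
    if baseline is None:
        return ["no baseline for identity"]
    reasons = []
    if e["src"] not in baseline["src"]:
        reasons.append(f"new source {e['src']}")
    if e["app"] not in baseline["app"]:
        reasons.append(f"new application {e['app']}")
    hours = baseline["hour"]
    # an hour is "unusual" if the identity was never active within +/- 1h of it
    if not any(hours[(e["hour"] + d) % 24] for d in (-1, 0, 1)):
        reasons.append(f"unusual hour {e['hour']:02d}:00")
    if e["action"] in PRIVILEGED_ACTIONS and baseline["priv"] == 0:
        reasons.append("first privileged action")
    return reasons


def triage(reasons):
    """Assumed heuristic: a never-seen source points at the account rather than the
    person; deviations from a familiar source point at misuse by the person."""
    if "no baseline for identity" in reasons:
        return "unknown identity"
    if any(r.startswith("new source") for r in reasons):
        return "possible account compromise"
    return "possible misuse by trusted user"


def detect(baseline_text, new_text, alert_threshold=2):
    """Score new events against the baseline; return only events with deviations."""
    baselines = build_baselines(parse(baseline_text))
    findings = []
    for e in parse(new_text):
        reasons = deviations(baselines.get(e["user"]), e)
        if not reasons:
            continue
        findings.append({
            "user": e["user"],
            "level": "alert" if len(reasons) >= alert_threshold else "watch",
            "triage": triage(reasons),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in detect(BASELINE_LOG, NEW_LOG):
        print(f"{f['level']:5s} {f['user']:7s} {f['triage']}: {', '.join(f['reasons'])}")
```

Run as-is, the first jdoe event (new country, 03:00) is triaged as a possible account compromise, the second (new application plus a first privileged action from the usual location) as possible misuse by a trusted user, asmith’s event is silent because it matches that identity’s own norm, and the identity with no baseline is only placed on watch. The hour check deliberately tolerates a one-hour drift so that a single event at the edge of someone’s day does not produce noise.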
A More Dynamic Concept of Access Control
(or, if you prefer, of Verification)
• Ability to “tune” access based on a dynamic assessment of context
  • …which means a more dynamic concept of policy as well:
    • Appropriate individual
    • Appropriate access privileges
    • Appropriate context
• Requires integration of identity intelligence with
  • Access controls in applications
  • Access controls in infrastructure
  • Monitoring capability to provide necessary insight
[Diagram: Identity, Monitoring, Control and Intelligence; callouts “Identity and access aware” and “Recognizes deviations”]
Slide 12
Intelligence Throughout Identity Lifecycles: Who Did You Say You Trust?
• Access privileges assigned…based on what?
  • What have you done to verify?
  • Example: User enrollment for B2C banking
    • Is this individual who they claim to be?
    • How can you verify?
    • Detect any indicators of fraud?
    • “Emily K. Cook” == “E. Kelly Cooke”?
  • Within the enterprise: Who makes access decisions?
    • Business pros responsible for risk management…or IT?
• Responding to malicious activity during transactions
  • Dynamic controls on fraud
• What about de-provisioning?
  • Monitor & review privileges for use, consistency
  • Terminate or constrain when not needed
Slide 13
Identity and Access Intelligence Matters in All Security Domains
A “new” security paradigm:
• Hardening
  • Access controls refined for context
  • Better definition of access privileges, throughout IAM lifecycles
• Containment
  • Deviations from norms for a given identity or access scenario can be detected & blocked
  • Requires more dynamic linkage between identity, monitoring & control
• Action
  • Dynamic containment when deviations from norms for an access scenario appear
  • More effective response – more efficient triage of incidents
Slide 14
In Summary: Do You Verify, or Do You Simply Trust?
• Getting beyond one-time verification
  • A more dynamic approach
  • Throughout identity and access scenarios
• Differentiating legitimate access from malicious actions
  • Attacker compromising a legitimate user account
  • Legitimate user compromising the organization
• A more dynamic approach to access management
  • Legitimate user, appropriate use, appropriate circumstances
  • Incorporating the “identity of things” into context-based access control
• More pervasive identity and access intelligence
  • Throughout transactions
  • Throughout application components – not just “trusting the stack”
  • From provisioning to use, privilege modification, termination
Slide 15
Needed to Move Forward
• Identity and Access Management
  • A more intelligent approach to IAM lifecycles
  • Integrating insight more widely across IT
• Monitoring
  • Correlation of identity and access privileges with behavior
  • Ability to understand norms, identify deviations
• Control
  • Security technologies: Consuming intelligence for more dynamic response
    • Security countermeasures (network defense, DAM, etc.)
    • Access controls in infrastructure, applications
  • Access based on context
  • More dynamic control when deviations are detected
Slide 16
© 2012 IBM Corporation
IBM Security Systems
Slide 17
Enabling Identity and Access Intelligence
Ravi Srinivasan
Director, Identity and Access Management
IBM Security Systems
Slide 18
[Diagram: IBM Security Intelligence at the centre, surrounded by IAM & Federation, Web Application Scanning, Virtualization Security, Network Security, Image & Patch Management and Database Monitoring]
IAM is central to enabling Access Everywhere
Enabling social, mobile and cloud use cases with flexible, layered security solutions
Slide 19
Organizations are progressing their security maturity to tackle emerging governance, risk and compliance needs
[Maturity matrix: rows Optimized / Proficient / Basic; columns Security Intelligence, People, Data, Applications, Infrastructure]
Optimized
  Security Intelligence: Information and event management; Advanced correlation and deep analytics; External threat research
  People: Role based analytics; Identity governance; Privileged user controls
  Data: Data flow analytics; Data governance
  Applications: Secure app engineering processes; Fraud detection
  Infrastructure: Advanced network monitoring; Forensics / data mining; Secure systems
Proficient
  People: User provisioning; Access mgmt; Strong authentication
  Data: Database vulnerability monitoring; Access monitoring; Data loss prevention
  Applications: Application firewall; Source code scanning
  Infrastructure: Virtualization security; Asset mgmt; Endpoint / network security management
Basic
  People: Centralized directory
  Data: Encryption; Access control
  Applications: Application scanning
  Infrastructure: Perimeter security; Anti-virus
© 2012 IBM Corporation
IBM Security Systems
20
IBM Identity and Access Management Vision
Manage Enterprise Identity Context Across All Security Domains
Slide 20
Identity Governance key to enable IAM intelligence within enterprise
[Screenshot: role-design wizard with steps General information > Select users > Select permissions]
1. Empower business owners and analysts to design with simple choice role mining
2. Use role analytics catalog, project based scoping to implement best practices
3. Get effective role structure with validation using SoD simulations and Automatic approval
Identity management in an interconnected enterprise
Create and maintain roles and access structures to enforce Identity and Access Governance
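Step 3 on this slide, validating a proposed role structure with an SoD (separation of duties) simulation before anything is approved automatically, can be made concrete with a small model. The Python below is an added example and is not IBM’s product code: the permission names, roles, users and SoD rules are constructed for the example, and the role-mining step is the simplest possible form of step 1 (users with identical entitlement sets become the members of one candidate role).

```python
"""Role mining, SoD simulation and simulated-before-approved assignment (added example)."""

# Constructed accounts-payable model (assumption): two toxic permission pairs
SOD_RULES = [
    ("create_vendor", "approve_payment"),
    ("approve_payment", "issue_payment"),
]
ROLE_PERMS = {
    "ap_clerk":        {"create_vendor", "view_reports"},
    "ap_approver":     {"approve_payment", "view_reports"},
    "treasury":        {"issue_payment", "view_reports"},
    "finance_manager": {"create_vendor", "approve_payment"},  # toxic on its own
}
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob":   ["ap_clerk", "ap_approver"],  # toxic across two roles
    "carol": ["treasury"],
    "dave":  ["finance_manager"],
}
# Constructed raw entitlements, the input a role-mining step starts from
USER_PERMS = {
    "u1": {"create_vendor", "view_reports"},
    "u2": {"create_vendor", "view_reports"},
    "u3": {"issue_payment", "view_reports"},
    "u4": {"create_vendor", "view_reports"},
}


def mine_roles(user_perms):
    """Simplest role mining: identical entitlement sets form one candidate role,
    largest membership first, so the business owner sees the biggest win on top."""
    groups = {}
    for user, perms in user_perms.items():
        groups.setdefault(frozenset(perms), []).append(user)
    ordered = sorted(groups.items(), key=lambda kv: (-len(kv[1]), sorted(kv[0])))
    return {
        f"candidate_role_{i}": {"permissions": set(perms), "members": sorted(users)}
        for i, (perms, users) in enumerate(ordered, start=1)
    }


def role_internal_conflicts(role_perms, sod_rules):
    """Roles that grant both halves of a toxic pair by themselves."""
    return sorted(
        role for role, perms in role_perms.items()
        if any(a in perms and b in perms for a, b in sod_rules)
    )


def effective_permissions(user, user_roles, role_perms):
    """Map each permission the user ends up with to the roles that grant it."""
    grants = {}
    for role in user_roles.get(user, ()):
        for perm in role_perms[role]:
            grants.setdefault(perm, []).append(role)
    return grants


def simulate_sod(user_roles, role_perms, sod_rules):
    """Dry-run the assignment: every user holding both halves of a toxic pair."""
    violations = []
    for user in sorted(user_roles):
        grants = effective_permissions(user, user_roles, role_perms)
        for a, b in sod_rules:
            if a in grants and b in grants:
                violations.append({
                    "user": user,
                    "pair": (a, b),
                    "via": sorted(set(grants[a] + grants[b])),
                })
    return violations


def assign_role_if_clean(user, role, user_roles, role_perms, sod_rules):
    """Automatic approval: grant only if the simulation introduces no new violation.
    Returns (approved, new_violations); user_roles is updated only on approval."""
    proposed = {u: list(r) for u, r in user_roles.items()}
    proposed.setdefault(user, []).append(role)
    before = {(v["user"], v["pair"]) for v in simulate_sod(user_roles, role_perms, sod_rules)}
    after = {(v["user"], v["pair"]) for v in simulate_sod(proposed, role_perms, sod_rules)}
    introduced = sorted(after - before)
    if introduced:
        return False, introduced
    user_roles[user] = proposed[user]
    return True, []


if __name__ == "__main__":
    print("candidate roles:", mine_roles(USER_PERMS))
    print("roles toxic by design:", role_internal_conflicts(ROLE_PERMS, SOD_RULES))
    for v in simulate_sod(USER_ROLES, ROLE_PERMS, SOD_RULES):
        print(f"{v['user']}: {v['pair'][0]} + {v['pair'][1]} via {v['via']}")
    print(assign_role_if_clean("carol", "ap_approver", dict(USER_ROLES), ROLE_PERMS, SOD_RULES))
```

Two things in the output are worth noticing. `role_internal_conflicts` catches a role that is toxic before any user is given it, which is the cheapest place to fix an SoD problem; `simulate_sod` catches the more common case where each role is fine on its own and the conflict only appears in a user’s combined entitlements. `assign_role_if_clean` compares violations before and after rather than requiring a clean slate, so pre-existing exceptions that are already under review do not block unrelated, clean requests.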
Slide 22
Privileged user controls key to detecting insider fraud
[Diagram “Who? What? Where?” labelled Potential Data Loss: Who? An internal user; What? Oracle data; Where? Gmail]
Threat detection in the post-perimeter world
User anomaly detection and application level visibility are critical to identify inside threats
Slide 23
Identity propagation improves control to enable security intelligence
[Diagram: Client System (browser, rich client) → Proxy/Intermediary → Web Application Server/Portal → Existing Application / Enterprise Information System, with two firewall boundaries along the path. The user Jon ([email protected] <Jd_token>) is mapped to j212_saml at the portal and to z42_ptkt (system identity z42) at the enterprise information system. Security runtime services shown: Authentication Services, Identity Services, Authorization Services, Audit Services, Integrity Services, Confidentiality Services]
Enable secure mobile, social and cloud transformations
Secure collaboration demands improving auditability of who and what are connecting into the enterprise
Provide applications auditable identities for controlling access and compliance
Standards-based run-time security enables ease of integration
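The propagation chain in the diagram (the user at the client, a portal identity, a backend system identity, with the original user carried through for audit) is sketched below as an added Python example. It is not IBM’s runtime: HMAC-signed per-hop tokens with constructed keys and mapping tables stand in for the SAML and passticket mappings the slide shows, and the user, portal and backend identifiers are constructed to mirror the Jon → j212 → z42 shape of the diagram. The `generic_id_access` function models the “generic ID” audit gap that the case study on the next slide describes.

```python
"""Identity propagation across tiers with per-hop verification and audit (added example)."""
import base64
import hashlib
import hmac
import json

# Constructed per-hop signing keys (assumption): each tier accepts only tokens
# signed by the tier immediately before it.
HOP_KEYS = {
    "front":   b"constructed-front-key",
    "portal":  b"constructed-portal-key",
    "backend": b"constructed-backend-key",
}
# Constructed mapping tables, shaped like the slide's Jon -> j212 -> z42 chain
PORTAL_MAP = {"jon": "j212"}
BACKEND_MAP = {"j212": "z42"}


def _sign(key, claims):
    """Serialise claims and attach an HMAC so the next hop can verify origin."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _verify(key, token):
    """Return the claims if the MAC matches this hop's expected issuer key."""
    try:
        body, mac = token.split(".", 1)
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("signature mismatch")
    return json.loads(base64.urlsafe_b64decode(body.encode()))


def front_authenticate(user):
    """Client tier: after login the token names the user as the original subject."""
    return _sign(HOP_KEYS["front"], {"hop": "front", "sub": user, "orig": user})


def portal_map(front_token):
    """Portal tier: verify the front token, re-issue under the portal identity, keep 'orig'."""
    claims = _verify(HOP_KEYS["front"], front_token)
    return _sign(HOP_KEYS["portal"],
                 {"hop": "portal", "sub": PORTAL_MAP[claims["sub"]], "orig": claims["orig"]})


def backend_map(portal_assertion):
    """Backend boundary: verify the portal assertion, map to the system identity, keep 'orig'."""
    claims = _verify(HOP_KEYS["portal"], portal_assertion)
    return _sign(HOP_KEYS["backend"],
                 {"hop": "backend", "sub": BACKEND_MAP[claims["sub"]], "orig": claims["orig"]})


def backend_access(backend_cred, resource, audit):
    """Existing application: authorise on the mapped system ID, audit the original user."""
    claims = _verify(HOP_KEYS["backend"], backend_cred)
    entry = {"system_id": claims["sub"], "original_user": claims["orig"], "resource": resource}
    audit.append(entry)
    return entry


def generic_id_access(resource, audit):
    """The audit gap: a shared technical ID reaches the backend and the original
    user cannot be recovered from the record."""
    entry = {"system_id": "portal_svc", "original_user": None, "resource": resource}
    audit.append(entry)
    return entry


def propagate(user, resource, audit):
    """End-to-end: client -> portal -> backend, returning the backend audit entry."""
    return backend_access(backend_map(portal_map(front_authenticate(user))), resource, audit)


def tampered(token):
    """Flip the last signature character, to show a modified hop token is refused."""
    return token[:-1] + ("0" if token[-1] != "0" else "1")


def is_rejected(fn, *args):
    """True when the hop refuses the presented credential."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    trail = []
    print(propagate("jon", "contract/demo-1", trail))
    print(generic_id_access("contract/demo-1", trail))
```

The two audit entries printed side by side are the whole argument of the slide: with propagation the backend record reads `system_id z42, original_user jon`, whereas the generic-ID path records a service account and nothing about who actually acted. Each hop verifies only the key of the hop before it, so a portal-tier assertion presented straight to the backend, or a token altered in transit, is refused rather than silently trusted.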
Slide 24
Case Study – Mid-sized German insurance company helps drive identity access intelligence with IBM solutions
Client requirements
• Audit concerns over using a “generic ID” to authenticate the brokers
• Migrating legacy, host-based application to new portal
• Need to provide clients’ contract information residing on RACF via new portlets to insurance brokers
Solution
• Deployed IBM solution to propagate client contract information end-to-end
• Ability to preserve identity at granularity of original user
Benefits
• Solution deployed in 4 months and in production
• Ability to meet regulatory and compliance needs by providing auditable access across all domains
Location: Munich, Germany
Industry: Insurance
Profile: Management holding company of one of the biggest primary insurance groups. Companies offer a full range of financial services: life, health, property/casualty and legal expenses insurance; fund and bank products; and asset management for third parties and real-estate broking
Size: less than 10,000
Slide 25
IBM Security: Delivering intelligence, integration and expertise across a comprehensive framework
Intelligence ● Integration ● Expertise
• Only vendor in the market with end-to-end coverage of the security foundation
• 6K+ security engineers and consultants
• Award-winning X-Force® research
• Largest vulnerability database in the industry
Slide 26
ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Q&A – Please Log Questions in the Q&A Panel
Additional Resources
• For more information on IBM Security Solutions, visit:
http://www.ibm.com/security
• IBM Endpoint Manager for Lifecycle Management
• http://bit.ly/zfWdkg
• IBM Endpoint Manager for Security and Compliance
• http://bit.ly/y1bqq0
• Scott Crawford’s RiskRecon: Navigating Security & Risk Blog
• http://blogs.enterprisemanagement.com/scottcrawford/
Slide 27