Date post: 13-Jul-2020
Page 1: Information Security’s Blind Spot (research.enterprisemanagement.com/rs/ema/images/EMA_IBM_Info…)

Information Security’s Blind Spot:

Who Do You Trust?

© 2012 Enterprise Management Associates, Inc.

Scott Crawford

Managing Research Director

Enterprise Management Associates

www.enterprisemanagement.com

Ravi Srinivasan

Director of Identity & Access Management

IBM

www.ibm.com


Today’s Presenters

Slide 2

Scott Crawford – Managing Research Director

Scott is the Managing Research Director of EMA’s Security and Risk Management practice. Scott has over 20 years of experience as an IT professional. He is the former head of information security for the Comprehensive Nuclear-Test-Ban Treaty Organization’s International Data Centre in Vienna, Austria, and has served in both the private and public sectors, with organizations such as the University Corporation for Atmospheric Research and Emerson.

Ravi Srinivasan – Director of Identity & Access Management

Ravi manages the IBM identity, access and mainframe security portfolio product management based in Austin, Texas. He has over 15 years of experience in market strategy, product management and development in the software and services industries. Ravi meets and consults with senior management, line-of-business owners and IT operations management around the world on their key security, risk and compliance initiatives. He’s also a frequent speaker at trade and analyst conferences and customer events, sharing a worldwide perspective and insights. Ravi mentors several security services practitioners and product managers to develop practical solution approaches to changing security, risk and compliance needs.


Slide 3

Logistics for Today’s Webinar

Event recording

• An archived version of the event recording will be available at www.enterprisemanagement.com

Questions

• Log questions in the Q&A panel located on the lower right corner of your screen
• Questions will be addressed during the Q&A session of the event

Event presentation

• A PDF of the PowerPoint presentation will be available


Slide 4

Information Security’s Blind Spot: Who Do You Trust?

© 2012 Enterprise Management Associates, Inc.

Scott Crawford, Managing Research Director, Enterprise Management Associates (www.enterprisemanagement.com)


One of IT Security’s Favorite Quotes

Slide 5 © 2012 Enterprise Management Associates, Inc.

“Trust, but Verify”


The Problem with “Trust, but Verify”

• When one can verify, is trust really necessary? Or even relevant?
• When one cannot verify, all one has is trust…and it’s blind
• Case in point:
  • The proverb itself is Russian (“Доверяй, но проверяй”)
  • Actually, it was a favorite of Lenin’s…

Slide 6 © 2012 Enterprise Management Associates, Inc.


But Hang On a Sec…

• Reagan quoted the proverb because it was familiar to Russian-speakers
• A few lessons for infosec…
• When verifying, context matters!

Slide 7 © 2012 Enterprise Management Associates, Inc.


IT Security’s Complexity and Scale

• IT complexity
  • Remains a challenge…but add to that:
  • Profusion of applications
    • Web
    • SaaS
    • Mobile
  • Device diversity
    • From traditional to…how many mobile devices??
• Industrialized threats
  • Commoditized attacks at scale
• Sophisticated adversaries
  • Well-resourced, patient, targeted attacks

Slide 8 © 2012 Enterprise Management Associates, Inc.


Common Threads in Attacks

• Targeting the user
  • …Or more specifically, the user’s access privileges
    • Access to tangible assets (cybercrime, fraud)
    • Access to valuable information
    • Access to anything else that might be interesting…
• Stepwise progress of a more serious attack
  • Privilege escalation
  • Shared administrative accounts
  • Poorly controlled linkage between individual user accounts and administrative privilege

Slide 9 © 2012 Enterprise Management Associates, Inc.


So Who Do YOU Trust?

• Once access is gained, do you know how it’s being used?
  • Example: Legitimate user, questionable activity
    • Could this be a compromise of a legitimate account?
    • Or is a “trusted” individual behaving suspiciously?
    • How can you tell the difference?
• Access privileges are assigned, based on…what, exactly?
  • In B2C applications: Fraud data?
  • B2B: Validation of partners?
  • Internal: Who makes access risk decisions? IT?
• What are YOU doing to verify?

Slide 10 © 2012 Enterprise Management Associates, Inc.


Verification through Identity and Access Intelligence

• Ability to monitor is important…but ability to correlate with identity and access is key!
  • When user behavior deviates from a norm
    • Requires recognition of normal behavior for a specific identity
    • How dynamic? When behavior changes during a transaction?
  • So it’s a legitimate user. Is access always appropriate, regardless of the context?
    • Information – User – Network – Endpoint
• Warning: Application access control that stops at the “front end”
  • Do backend systems implicitly “trust” the front ends of complex applications?

Slide 11 © 2012 Enterprise Management Associates, Inc.


A More Dynamic Concept of Access Control (or, if you prefer, of Verification)

• Ability to “tune” access based on a dynamic assessment of context
• …which means a more dynamic concept of policy as well:
  • Appropriate individual
  • Appropriate access privileges
  • Appropriate context
• Requires integration of identity intelligence with
  • Access controls in applications
  • Access controls in infrastructure
  • Monitoring capability to provide necessary insight

[Diagram: Identity, Monitoring and Control linked through Intelligence; labelled “Identity and access aware” and “Recognizes deviations”]

Slide 12 © 2012 Enterprise Management Associates, Inc.


Intelligence Throughout Identity Lifecycles: Who Did You Say You Trust?

• Access privileges assigned…based on what?
  • What have you done to verify?
• Example: User enrollment for B2C banking
  • Is this individual who they claim to be?
  • How can you verify?
  • Detect any indicators of fraud?
    • “Emily K. Cook” == “E. Kelly Cooke”?
• Within the enterprise: Who makes access decisions?
  • Business pros responsible for risk management…or IT?
• Responding to malicious activity during transactions
  • Dynamic controls on fraud
• What about de-provisioning?
  • Monitor & review privileges for use, consistency
  • Terminate or constrain when not needed

Slide 13 © 2012 Enterprise Management Associates, Inc.


Identity and Access Intelligence Matters in All Security Domains

A “new” security paradigm:

• Hardening
  • Access controls refined for context
  • Better definition of access privileges, throughout IAM lifecycles
• Containment
  • Deviations from norms for a given identity or access scenario can be detected & blocked
  • Requires more dynamic linkage between identity, monitoring & control
• Action
  • Dynamic containment when deviations from norms for an access scenario appear
  • More effective response – more efficient triage of incidents

Slide 14 © 2012 Enterprise Management Associates, Inc.
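Slides 11 through 14 describe one loop: learn what is normal for a specific identity, correlate each access with that identity’s assigned privileges, detect deviations, and respond with a more dynamic control; slide 13 adds reviewing assigned privileges for actual use. The Python below is an added illustration of that loop, not code from EMA or IBM; the log lines, entitlements, identities, source zones and the two-hour window are constructed.

```python
from collections import defaultdict

# Constructed baseline access log: (user, privilege, resource, hour, source zone).
BASELINE_LOG = [
    ("jdoe", "read", "crm", 9, "office"),
    ("jdoe", "read", "crm", 10, "office"),
    ("jdoe", "write", "crm", 11, "office"),
    ("jdoe", "read", "crm", 14, "vpn"),
    ("admin1", "admin", "db-prod", 2, "office"),
    ("admin1", "admin", "db-prod", 3, "office"),
]

# Constructed entitlements; jdoe holds a "delete" right never seen in the baseline.
ENTITLEMENTS = {
    "jdoe": {("read", "crm"), ("write", "crm"), ("delete", "crm")},
    "admin1": {("admin", "db-prod")},
    "newhire": {("read", "crm")},
}


def build_norms(log):
    """Per-identity norm: the (privilege, resource) pairs, hours and source zones
    this specific identity has used, so the same action can be routine for one
    account and a deviation for another."""
    norms = defaultdict(lambda: {"actions": set(), "hours": set(), "sources": set()})
    for user, priv, res, hour, src in log:
        norms[user]["actions"].add((priv, res))
        norms[user]["hours"].add(hour)
        norms[user]["sources"].add(src)
    return dict(norms)


def decide(event, norms, entitlements):
    """Dynamic access decision: static entitlement check first, then context.
    deny = not entitled; block = entitled privilege never exercised before;
    step-up = unfamiliar source or hour, so re-verify the user; allow otherwise."""
    user, priv, res, hour, src = event
    if (priv, res) not in entitlements.get(user, set()):
        return "deny", ["not entitled"]
    norm = norms.get(user)
    if norm is None:
        return "step-up", ["no baseline for identity"]
    reasons = []
    if (priv, res) not in norm["actions"]:
        reasons.append("unused privilege exercised")
    if src not in norm["sources"]:
        reasons.append("unfamiliar source")
    # More than two hours (wrapping at midnight) from every hour seen for this identity.
    if all(min(abs(hour - h), 24 - abs(hour - h)) > 2 for h in norm["hours"]):
        reasons.append("unusual hour")
    if "unused privilege exercised" in reasons:
        return "block", reasons
    return ("step-up" if reasons else "allow"), reasons


def unused_entitlements(entitlements, norms):
    """Assigned privileges never exercised in the baseline: candidates to constrain
    or terminate at periodic review (the de-provisioning step)."""
    return {user: sorted(ents - norms.get(user, {"actions": set()})["actions"])
            for user, ents in entitlements.items()}
```

The decision ladder is deliberately coarse: a never-used privilege is the pattern of a compromised legitimate account, so it is blocked outright, while an unfamiliar source or hour only triggers re-verification.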


In Summary: Do You Verify, or Do You Simply Trust?

• Getting beyond one-time verification
  • A more dynamic approach
  • Throughout identity and access scenarios
• Differentiating legitimate access from malicious actions
  • Attacker compromising a legitimate user account
  • Legitimate user compromising the organization
• A more dynamic approach to access management
  • Legitimate user, appropriate use, appropriate circumstances
  • Incorporating the “identity of things” into context-based access control
• More pervasive identity and access intelligence
  • Throughout transactions
  • Throughout application components - not just “trusting the stack”
  • From provisioning to use, privilege modification, termination

Slide 15 © 2012 Enterprise Management Associates, Inc.


Needed to Move Forward

• Identity and Access Management
  • A more intelligent approach to IAM lifecycles
  • Integrating insight more widely across IT
• Monitoring
  • Correlation of identity and access privileges with behavior
  • Ability to understand norms, identify deviations
• Control
  • Security technologies: Consuming intelligence for more dynamic response
    • Security countermeasures (network defense, DAM, etc.)
    • Access controls in infrastructure, applications
  • Access based on context
  • More dynamic control when deviations are detected

Slide 16 © 2012 Enterprise Management Associates, Inc.


Slide 17 © 2012 IBM Corporation

IBM Security Systems

Enabling Identity and Access Intelligence

Ravi Srinivasan, Director, Identity and Access Management, IBM Security Systems


Slide 18

[Diagram: IBM Security Intelligence surrounded by IAM & Federation, Web Application Scanning, Virtualization Security, Network Security, Image & Patch Management and Database Monitoring]

IAM is central to enabling Access Everywhere: enabling social, mobile and cloud use cases with flexible, layered security solutions


Slide 19

Organizations are progressing their security maturity to tackle emerging governance, risk and compliance needs

Security maturity model (rows: maturity level; columns: Security Intelligence, People, Data, Applications, Infrastructure)

Optimized
  Security Intelligence: Information and event management; Advanced correlation and deep analytics; External threat research
  People: Role based analytics; Identity governance; Privileged user controls
  Data: Data flow analytics; Data governance
  Applications: Secure app engineering processes; Fraud detection
  Infrastructure: Advanced network monitoring; Forensics / data mining; Secure systems

Proficient
  People: User provisioning; Access mgmt; Strong authentication
  Data: Database vulnerability monitoring; Access monitoring; Data loss prevention
  Applications: Application firewall; Source code scanning
  Infrastructure: Virtualization security; Asset mgmt; Endpoint / network security management

Basic
  People: Centralized directory
  Data: Encryption; Access control
  Applications: Application scanning
  Infrastructure: Perimeter security; Anti-virus


Slide 20

IBM Identity and Access Management Vision

Manage Enterprise Identity Context Across All Security Domains


Slide 21

Identity Governance key to enable IAM intelligence within enterprise

[Screenshot of the role-design wizard: General information > Select users > Select permissions]

1. Empower business owners and analysts to design with simple choice role mining
2. Use role analytics catalog, project based scoping to implement best practices
3. Get effective role structure with validation using SoD simulations and Automatic approval

Identity management in an interconnected enterprise: create and maintain roles and access structures to enforce Identity and Access Governance


Slide 22

Privileged user controls key to detecting insider fraud

[Diagram: Potential Data Loss. Who? An internal user. What? Oracle data. Where? Gmail.]

Threat detection in the post-perimeter world: user anomaly detection and application level visibility are critical to identify inside threats


Slide 23

Identity propagation improves control to enable security intelligence

[Diagram: request path Client System (browser, rich client) → Proxy/Intermediary → Web Application Server/Portal → Server / Existing Application → Enterprise Information System, with two firewall boundaries between the tiers. Shared services: Authentication Services, Security Runtime Services, Identity Services, Authorization Services, Audit Services, Integrity Services, Confidentiality Services. Identity flow: Jon authenticates as [email protected] and holds <Jd_token>; the identity is mapped to j212_saml at the portal and to z42 (z42_ptkt) at the enterprise information system.]

Enable secure mobile, social and cloud transformations

• Secure collaboration demands improving auditability of who and what are connecting into the enterprise
• Provide applications auditable identities for controlling access and compliance
• Standards-based run-time security enables ease of integration
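The diagram on this slide maps one user (Jon) to a different account at each tier while the original identity travels with the request, which is what makes the backend audit record attributable to a person rather than to a shared account (the “generic ID” concern in the case study that follows). The Python below is an added illustration of that propagation, not IBM product code; the HMAC-signed token, the tier key and the jon/j212/z42 account mappings are constructed stand-ins for the j212_saml and z42_ptkt tokens in the diagram.

```python
import hashlib
import hmac
import json

# Constructed shared key: a tier verifies tokens with the key it shares with the
# tier in front of it. Stand-in for the SAML/PKI trust a real deployment uses.
TIER_KEYS = {"eis": b"constructed-eis-key"}

# Constructed account mappings: the same person has a different account at each
# tier, as in the diagram's Jon -> j212_saml -> z42_ptkt chain.
PORTAL_ACCOUNTS = {"jon": "j212"}  # SSO identity -> portal account
EIS_ACCOUNTS = {"j212": "z42"}     # portal account -> enterprise information system account

AUDIT_TRAIL = []  # (tier, local account, original user)


def mint_token(issuer, subject, original_user, audience):
    """Token for the next tier: 'sub' is the account that tier knows,
    'orig' carries the authenticated end user through every hop."""
    body = json.dumps({"iss": issuer, "sub": subject, "orig": original_user,
                       "aud": audience}, sort_keys=True)
    sig = hmac.new(TIER_KEYS[audience], body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_token(token, audience):
    """Check signature and audience before trusting any claim in the token."""
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(TIER_KEYS[audience], body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("token signature invalid")
    claims = json.loads(body)
    if claims["aud"] != audience:
        raise PermissionError("token not issued for this tier")
    return claims


def portal_request(sso_user):
    """Web tier: maps the SSO user to the portal account, records the hop and
    mints a token for the enterprise information system (EIS)."""
    portal_id = PORTAL_ACCOUNTS[sso_user]
    AUDIT_TRAIL.append(("portal", portal_id, sso_user))
    return mint_token("portal", EIS_ACCOUNTS[portal_id], sso_user, "eis")


def eis_request(token):
    """Backend tier: authorises as its local account but audits the original
    user, so the log never collapses every caller into one identity."""
    claims = verify_token(token, "eis")
    AUDIT_TRAIL.append(("eis", claims["sub"], claims["orig"]))
    return claims["sub"], claims["orig"]


def generic_id_request():
    """The pattern the case study had to replace: the portal calls the backend as
    one shared service account, so the backend audit record loses the user."""
    AUDIT_TRAIL.append(("eis", "svc_portal", None))
    return "svc_portal", None
```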


Slide 24

Case Study – Mid-sized German Insurance company helps drive identity access intelligence with IBM solutions

Location: Munich, Germany
Industry: Insurance
Profile: Management holding company of one of the biggest primary insurance groups. Companies offer full range of financial services, life, health, property/casualty and legal expenses insurance; fund and bank products and asset management for third parties and real-estate broking
Size: less than 10000

Client requirements

• Audit concerns using “generic ID” and authenticate the brokers
• Migrating legacy, host-based application to new portal
• Need to provide clients contract information residing on RACF via new portlets to insurance brokers.

Solution

• Deployed IBM solution to propagate client contract information end-to-end
• Ability to preserve identity at granularity of original user

Benefits

• Solution deployed in 4 months and in production
• Ability to meet regulatory and compliance needs by providing an auditable access across all domains


Slide 25

IBM Security: Delivering intelligence, integration and expertise across a comprehensive framework

Intelligence ● Integration ● Expertise

• Only vendor in the market with end-to-end coverage of the security foundation
• 6K+ security engineers and consultants
• Award-winning X-Force® research
• Largest vulnerability database in the industry


Slide 26

ibm.com/security

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.


Slide 27

Q&A – Please Log Questions in the Q&A Panel

Additional Resources

• For more information on IBM Security Solutions, visit: http://www.ibm.com/security
• IBM Endpoint Manager for Lifecycle Management: http://bit.ly/zfWdkg
• IBM Endpoint Manager for Security and Compliance: http://bit.ly/y1bqq0
• Scott Crawford’s RiskRecon: Navigating Security & Risk Blog: http://blogs.enterprisemanagement.com/scottcrawford/

