Transcript
Page 1: CIS13: Don't Panic! How to Apply Identity Concepts to the Business

Copyright ©2013 Ping Identity Corporation. All rights reserved. 1

Don't Panic! How to Apply Identity Concepts to the Business

P. Dingle, Ping Identity, CIS 2013

Page 2: Hammers are Fun – but what's the Construction Project?

Page 3: The NAILS of Business: RISK and ENABLEMENT

Risks must be identified and mitigated

http://www.flickr.com/photos/nicolopaternoster/3933549608

When risk is understood and measured, it does not have to hold you back

http://www.flickr.com/photos/boogieswithfish/5173834794/

Page 4: DIY: Explaining & Measuring Identity & Access Risk

•  How does the business run today?
   –  Where are the inefficiencies?
   –  Where is the danger?
•  How can the risk be mitigated?
•  What can success enable?
•  What are common solution architectures?
•  How do you know when you're done?

http://www.flickr.com/photos/hadesigns/3223831119

Page 5: Basic Challenges: Application Isolation

•  Every application is written to run as an island
   –  User Account Store
   –  Login Page
   –  Password Recovery Mechanism
   –  Administration Console

http://www.flickr.com/photos/sussetuss77/8582289800

Page 6: Risks of Application Silos

•  Management Inefficiency becomes Security Risk
   –  1000 Applications require 1000 Administrators to get the memo about Fred changing roles
      •  How long does it take to change Fred's access?
      •  How many applications are missed or never know?
•  Data Divergence
   –  How many admins update Janice's surname when she gets married?
      •  How many help desk calls does she have to make?
      •  What if the data that is obsolete is her job role?
      •  What happens if the corporate username standard is first-initial-last-name?
•  Disgruntled Employees are a serious risk
   –  When Fred gets fired, can you protect your assets?
      •  Cloud assets are at greatest risk
•  Inefficient administrative process can cost millions

Page 7: Basic Challenges: Inconsistent Policy & Interaction

•  Every application has a different security regime
   –  Separately emulating policies around passwords, data retention, roles, minimal disclosure in a thousand applications is a non-starter
•  Lifetime Employee Problem
   –  How many incorrect permissions does an employee have if he's performed multiple jobs at the company?
•  How can you expect staff to consistently adhere to policy if you can't consistently apply it?

http://www.flickr.com/photos/kaiban/4351734363

Page 8: Risk: Inadvertent Breach of Security Policies

•  Users who can bypass policy could:
   –  Be phished
   –  Practice poor security hygiene
   –  Breach separation of duty rules
   –  Access unapproved applications
   –  Get really ticked off because they never understand how to comply
•  Businesses who can't judge policy:
   –  Can't see what is happening
   –  Must blindly trust that execution matches expectation
   –  Cannot prove anything

Page 9: Challenges: Cloud Applications

•  Shadow IT
   –  The cost boundary for software has been compromised
   –  Monthly subscriptions can fly under the wire
   –  IT may never know that applications are in use
•  Orphaned Accounts
   –  Admin gets fired
   –  Group stops using tool
•  Password Abuse
   –  Cloud app hacked
   –  Corporate creds stolen

http://www.flickr.com/photos/pinksherbet/179279964

Page 10: Risks: Cloud Applications

•  Loss of Visibility
   –  IT no longer knows what apps are in use
•  Loss of Control
   –  User may start in the cloud and end in the cloud
   –  Relationship is between cloud application and user
   –  Business doesn't control policy, session, or logs

Page 11: Challenges: Mobile

•  Hardware you might not own or control
•  Personal data and Private data colocated
•  Much easier object to steal or lose
•  Difficulty in typing credentials on tiny keyboards
•  Huge expanding set of connections
   –  Multiple applications on thousands of devices
•  APIs may represent all new application silos
•  Developers may want to do their own thing
•  You can't get web working and forget about services

http://www.flickr.com/photos/32245753@N07/3333572689

Page 12: An Answer: 42 Identity/Access Management

•  Industry best practice in Enterprise has been to build a set of services to abstract the management of identities and coarse grained access away from applications
   –  Central infrastructure, managed by IT
   –  One (or very few) single source(s) of truth for User Presence in the organization
   –  One place to set and enforce policies
•  Result: INTERCONNECTIVITY
   –  Apps need to trust infrastructure
   –  Vendors/developers need to help

http://www.flickr.com/photos/23881436@N05/2853260749

Page 13: Common Solutions to Identity and Access Risk?

•  [meta]Directories
•  Provisioning Solutions
   –  Automation of account lifecycle
•  Web Access Management Solutions
•  Federation Solutions
•  SIEM, multifactor
•  Workflow
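The reconciliation a provisioning solution automates, as an added example that is not from the deck: it checks each application's own account store against the central source of truth and flags the orphaned accounts, attribute drift and leftover permissions named on the earlier slides. All users, applications and entitlements are constructed sample data.

```python
# Added example (not from the deck): reconcile each application's own account
# store against a central source of truth, flagging the silo risks the slides
# describe. All names and data below are constructed sample input.

# Source of truth, e.g. an HR feed or central directory (constructed).
SOURCE_OF_TRUTH = {
    "fred":   {"status": "terminated", "surname": "Jones", "role": "analyst"},
    "janice": {"status": "active", "surname": "Lee", "role": "manager"},   # surname changed on marriage
    "bob":    {"status": "active", "surname": "Smith", "role": "support"},  # moved from finance to support
}

# Entitlements each role is allowed to hold; anything beyond this is excess.
ROLE_ENTITLEMENTS = {
    "analyst": {"reports:read"},
    "manager": {"reports:read", "reports:approve"},
    "support": {"tickets:write"},
}

# Per-application account stores: every app is its own island (constructed).
APP_ACCOUNTS = {
    "crm": {
        "fred":   {"surname": "Jones", "entitlements": {"reports:read"}},
        "janice": {"surname": "Park", "entitlements": {"reports:read", "reports:approve"}},
        "bob":    {"surname": "Smith", "entitlements": {"tickets:write", "ledger:post"}},
    },
    "wiki": {
        "fred":  {"surname": "Jones", "entitlements": set()},
        "ghost": {"surname": "?", "entitlements": {"admin"}},
    },
}

def reconcile(truth, apps, entitlements):
    """Return sorted (app, user, finding, detail) tuples for every deviation."""
    findings = []
    for app, accounts in apps.items():
        for user, acct in accounts.items():
            record = truth.get(user)
            if record is None:          # nobody in the source of truth owns this account
                findings.append((app, user, "unknown_account", "no identity in source of truth"))
            elif record["status"] != "active":   # leaver still has an account: orphaned
                findings.append((app, user, "orphaned_account", "identity is " + record["status"]))
            else:
                if acct["surname"] != record["surname"]:   # data divergence
                    findings.append((app, user, "attribute_drift",
                                     "surname %r != %r" % (acct["surname"], record["surname"])))
                excess = acct["entitlements"] - entitlements.get(record["role"], set())
                if excess:              # lifetime-employee permission drift
                    findings.append((app, user, "excess_entitlement", ",".join(sorted(excess))))
    return sorted(findings)
```

Each finding maps to a lifecycle action a central provisioning service would take (disable, update, revoke), which is the work that otherwise lands on one administrator per application.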

Page 14: The Question: Integration. Answer: Standards!

Page 15: Options for Identity Architects

•  Backend Synchronization
   –  Push identity data directly into databases
   –  Great inside the Enterprise, impossible in the clouds
•  Proprietary Protection schemes
•  Standards-based interaction
   –  Use standardized interfaces to pass data in auditable ways
      •  APIs
      •  Protocols

Page 16: Good Business: Interfederation not Refederation

•  Sometimes it's better to link constellations of apps instead of directly connect to apps
   –  Often you find groups of apps that already have SSO enabled

Page 17: Signs of Success --- AKA proving ROI

•  Users know what to expect
   –  Consistent ceremony
•  Lifecycle can be explained by your superiors
•  App access on Day One
•  Zero day de-provisioning
•  Lifetime employees lose access when they change jobs
•  Execs comfortable attesting
•  The D can be BYO'd

http://www.flickr.com/photos/geckoam/2723280142

Page 18: Thank You!

•  Pamela Dingle: @pamelarosiedee – http://eternallyoptimistic.com
•  Nishant Kaushik: @NishantK – http://blog.talkingidentity.com
•  Dale Olds: @daleolds – http://virtualsoul.org