#mfsummit2016 secure: introduction to identity, access and security
Post on 15-Apr-2017
Introduction to Identity, Access & Security
David Mount | Director – IAS Solutions Consulting | 24 February 2016
Walking the Risk Tightrope
Mobile
Is our use of mobile devices secure?
Service Delivery
Are we doing enough to ensure availability and data security?
Network
Are we ensuring the security of the network?
Third Party Risk
Are we doing enough to manage partner, contractor, and customer access?
IoT
How do we securely take advantage of IoT?
Data Breach
Are we doing enough to control access to sensitive information? Do we understand our threat landscape?
Compliance
Are we complying with all applicable mandates? How do we reduce the cost of compliance?
Balancing Act
Organisations face a fundamental problem they must overcome.
It is the balancing of two directly divergent needs:
- Provide access to everything
- Restrict access to the minimum necessary
Who / What has access
• Employees
• Contractors
• Partners and suppliers
• Customers
• Services
• “Things”
• etc
Manage Rights
Manage rights across employee lifecycle
Minimise the number of privileged users
Minimise the rights users are granted
Enforce Access Controls
Enforce access controls regardless of access point
Use common controls across enterprise and cloud apps
Leverage adaptive, multifactor authentication
Source: “Privileged User Abuse & The Insider Threat”, Ponemon Institute Research Report 5/2014
Monitor User Activity
How are users leveraging the rights granted?
Is activity outside defined controls/policies?
Is activity associated with a known person or service?
[Figure: Secure Governed Access. Axes: "What is being accessed" and "Different types of identity". Labels: Cloud/SAAS, Privileged, Legacy, IoT Data, “Things”, Social, Internal Mobile, External.]
Activity Monitoring & Analytics
Identity Governance & Administration
Privilege Management
Adaptive Risk-based Access
Identity Governance & Administration
Enforcing the Least-Privilege Principle
• Self-service access request/review for SaaS and enterprise apps
• Anomaly-based and risk-prioritised “adaptive certifications”
• Closed-loop, automated remediation of entitlement creep
• Data governance – certify access to data, not just apps
• Privilege management – ensure privileges are not misused
Access Management & Authentication
Enforcing the Least-Privilege Principle
• Invisible end user experience providing access across cloud, enterprise, and hybrid applications and resources
• Adaptive, risk-based access makes authentication as convenient as possible for users
• Step-up privileged access when risk indicates a need
• Tie multi-factor authentication to step-up authentication to further reduce risk of outsider credential abuse
Activity Monitoring & Analytics
Identifying Risks and Threats, Enabling Decisions
• Real-time user and entity activity monitoring and response
• Policy-based change monitoring including file integrity monitoring
• Access metrics: know what users are doing with their access
• Identify “things” on the network through integration with Cisco ISE for IoT security