Post on 17-Apr-2022

All Contents © 2005 Burton Group. All rights reserved.

Regulatory Compliance and Privacy in Enterprise Security

Smart Card Alliance 2005
Trent Henry, Senior Analyst
thenry@burtongroup.com
www.burtongroup.com

Thursday – October 13, 2005

Regulatory Compliance and Privacy

Thesis

• Organizations are under ever-increasing scrutiny
  • Legal and contractual mandates for privacy, transaction integrity, financial transparency, policy compliance, among many others
• Resultant audits require greater security diligence
• Considerable focus on...
  • Segregation of duties (SOX)
  • Customer data protection (GLBA, HIPAA)
  • “Identity theft” (SB 1386)
• ...has increased the need for stronger identity assurance
  • Identity management (IdM)
  • Identity audit

Regulatory Compliance and Privacy

Agenda

• Background
• Role of identity management
• Future directions

Background

Information privacy (or ‘data protection’)

• Control over the collection, use, and disclosure of personal information
• Personal information = data relating to an identified or identifiable individual
• Not an issue of ownership but of controls to protect privacy
  • ...based on promises, legal rights
• Privacy viewed as a human right
  • Creates obligations for information owners
  • (Although “owner” should really be “custodian,” especially in Europe)

Background

What is identity management?

• A set of processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities
  • Involves both technology and process
  • Involves managing unique IDs, attributes, credentials, entitlements
  • Must enable enterprises to create manageable life cycles
  • Must scale from internally facing systems to externally facing applications and processes
• Goal state: general-purpose infrastructure and authoritative sources, clean integration across people, process, and technology
• Successful IdM provides coverage for security controls

Background

Identity assurance

• Identity vetting + credentials + lifecycle management

(Figure text, reconstructed: a grid with technology on one axis and assurance on the other; within each row, assurance increases from left to right.)

• Providing credentials: passwords → one-time passwords → tokens + biometrics
• Provisioning services: self-enrollment → IT provided → strong business process (HR) → integrated with relationship management
• Managing lifecycle: none → managed ad hoc by IT → automatic → workflow approval process → strong audit trail (forms and signatures)

Role of Identity Management

Essential requirements covered by IdM

• Manage user identity, authentication, and access to systems
• Manage user account lifecycle
• Review accounts periodically
• Log and alert security activities
• Manage/monitor third-party access and interfaces
• Protect transmission of sensitive information

Role of Identity Management

Provisioning and meta-directories

(Figure: provisioning server(s), running provisioning workflows backed by a repository for log and audit data, connect through provisioning agents/connectors to the managed resources: databases over SQL/ODBC, applications and resource managers through APIs, platforms, and other resources. A general-purpose directory holding people, groups, roles, and rules is reached over LDAP.)

Role of Identity Management

Provisioning and meta-directories

• User management, account lifecycle, workflow, automated approvals
• Linchpin for improved IT control
• Strong controls for regulatory support
  • Password policy enforcement
  • Segregation of administrative duties
  • Centralized logging of lifecycle events
• Areas of improvement
  • Automated review of access rights
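The "automated review of access rights" and segregation-of-duties controls above, as an added example that is not from the presentation: a Python access review run over a constructed provisioning snapshot, checking each account against the authoritative HR source, a segregation-of-duties rule, and a dormancy threshold. All user names, entitlement names, dates and the SoD rule are made up for illustration.

```python
"""Automated access review over a constructed provisioning snapshot (added example)."""
from datetime import date

# Constructed sample data: an HR feed as the authoritative source of active people,
# and a snapshot of provisioned accounts with their entitlements and last login.
HR_ACTIVE = {"alice", "bob", "dana"}
ACCOUNTS = [
    {"user": "alice", "entitlements": {"ap_create_vendor", "ap_approve_payment"},
     "last_login": "2005-10-01"},
    {"user": "bob",   "entitlements": {"ap_create_vendor"},    "last_login": "2005-03-15"},
    {"user": "carol", "entitlements": {"hr_read"},             "last_login": "2005-09-20"},
    {"user": "dana",  "entitlements": {"ap_approve_payment"},  "last_login": "2005-10-10"},
]
# Segregation-of-duties rule (constructed): creating a vendor and approving a payment
# to it must not sit with one person.
SOD_RULES = [("ap_create_vendor", "ap_approve_payment")]


def review_access(accounts, hr_active, sod_rules, today, dormant_days=90):
    """Return (kind, user, detail) findings for an access review dated `today` (ISO)."""
    as_of = date.fromisoformat(today)
    findings = []
    for acct in accounts:
        user, ents = acct["user"], acct["entitlements"]
        # Orphan: account exists but no active person in the authoritative source.
        if user not in hr_active:
            findings.append(("orphan", user, "no active HR record"))
        # SoD: both halves of a conflicting pair held by one account.
        for a, b in sod_rules:
            if a in ents and b in ents:
                findings.append(("sod", user, f"{a} + {b}"))
        # Dormant: no login within the review window.
        idle = (as_of - date.fromisoformat(acct["last_login"])).days
        if idle > dormant_days:
            findings.append(("dormant", user, f"{idle} days since last login"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review_access(ACCOUNTS, HR_ACTIVE, SOD_RULES, "2005-10-13"):
        print(f"{kind:8} {user:8} {detail}")
```

Each finding is the evidence an auditor asks for: the orphan and dormant checks document account lifecycle review, and the SoD check documents the SOX-style control.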

Role of Identity Management

Virtual directories

• Integrate non-shared identity data from disparate systems
• Allow restrictions on data views
  • Enforce confidentiality over private information
  • Especially sensitive customer personal data
• As proxy, help create security zone separation
  • Complement what firewalls already do
• Concern: auditors & IT teams have limited experience
  • Explaining the control characteristics might be tricky

Role of Identity Management

Authentication and authorization systems

• Core component of access control
• Strong authentication improves identity assurance (along with proper vetting)
• Centralized authentication service(s) help with audit and attestation activities
  • Provide single location for data analysis and compliance testing

Role of Identity Management

Other pieces of the puzzle

(Figure: IdM shown alongside the other components of the control environment)

• IdM policy
• Account management
• Log / alert
• AuthN & AuthZ
• Access control
• Incident response
• Security awareness
• Disaster recovery
• Firewalls
• Encryption controls
• Configuration management
• Change control
• Backup / archival
• Physical facilities
• Personnel security

Future Directions

What's missing?

• Ties between the identity infrastructure and other security components
• Linking compliance mandates with specific operational technologies
• Evidence of privacy controls
  • Are we being effective?
  • Regulators/auditors haven't turned their eyes here . . . yet
• Better monitoring and feedback

Future Directions

“Identity audit” solutions

• Control-based reporting
  • Tie IT to the control objectives that need to be achieved (e.g. for regulations)
• Improved audit data gathering
  • Provide more relevant data to show evidence of compliance
  • Multiple levels of information granularity (depending on audience)
• Explicit authorization review
  • New provisioning workflow
• Training and awareness
  • Sign acceptable use form before access
• Compliance document creation

Future Directions

Integration with security event information management (SEIM)

Regulatory Compliance and Privacy

Conclusion

• Audit and regulation for security/privacy is here—and here to stay
  • Few organizations can avoid it, whether financial, compliance, or contractual
• Identity management systems provide automated coverage over important control activities
  • Privacy, integrity, workflow (elimination of human error), policy enforcement, and so on to improve identity assurance
• Organizations will require other IT (and non-IT) components to complete their control environment
  • IdM is “one piece of the puzzle”