CIS13: Don't Panic! How to Apply Identity Concepts to the Business
DESCRIPTION
Pamela Dingle, Technical Director, Ping Identity
Applying concepts of identity and access to real world business situations is really just a case of knowing where one's towel is. Once you have a working, accurate identity lifecycle, and the tools to leverage that lifecycle across business domains, the last thing to do is to apply those tools to the problems at hand. Pamela Dingle will walk you through real world use cases and discuss how everything works together, so that your organization can do its very best to figure out the right questions to ask for success (of course we already know the answer is 42).
TRANSCRIPT
Copyright ©2013 Ping Identity Corporation. All rights reserved. 1
How to Apply Identity Concepts to the Business
P. Dingle, Ping Identity, CIS 2013
Hammers are Fun – but what’s the Construction Project?
The NAILS of Business: RISK and ENABLEMENT
Risks must be identified and mitigated
http://www.flickr.com/photos/nicolopaternoster/3933549608
When risk is understood and measured, it does not have to hold you back
http://www.flickr.com/photos/boogieswithfish/5173834794/
DIY: Explaining & Measuring Identity & Access Risk
• How does the business run today?
  – Where are the inefficiencies?
  – Where is the danger?
• How can the risk be mitigated?
• What can success enable?
• What are common solution architectures?
• How do you know when you’re done?
http://www.flickr.com/photos/hadesigns/3223831119
Basic Challenges: Application Isolation
• Every application is written to run as an island
  – User Account Store
  – Login Page
  – Password Recovery Mechanism
  – Administration Console
http://www.flickr.com/photos/sussetuss77/8582289800
Risks of Application Silos
• Management Inefficiency becomes Security Risk
  – 1000 Applications require 1000 Administrators to get the memo about Fred changing roles
  – How long does it take to change Fred’s access?
  – How many applications are missed or never know?
• Data Divergence
  – How many admins update Janice’s surname when she gets married?
  – How many help desk calls does she have to make?
  – What if the data that is obsolete is her job role?
  – What happens if the corporate username standard is first-initial-last-name?
• Disgruntled Employees are a serious risk
  – When Fred gets fired, can you protect your assets?
  – Cloud assets are at greatest risk
  – Inefficient administrative process can cost millions
Basic Challenges: Inconsistent Policy & Interaction
• Every application has a different security regime
  – Separately emulating policies around passwords, data retention, roles, minimal disclosure in a thousand applications is a non-starter
• Lifetime Employee Problem
  – How many incorrect permissions does an employee have if he’s performed multiple jobs at the company?
• How can you expect staff to consistently adhere to policy if you can’t consistently apply it?
http://www.flickr.com/photos/kaiban/4351734363
Risk: Inadvertent Breach of Security Policies
• Users who can bypass policy could:
  – Be phished
  – Practice poor security hygiene
  – Breach separation of duty rules
  – Access unapproved applications
  – Get really ticked off because they never understand how to comply
• Businesses who can’t judge policy:
  – Can’t see what is happening
  – Must blindly trust that execution matches expectation
  – Cannot prove anything
Challenges: Cloud Applications
• Shadow IT
  – The cost boundary for software has been compromised
  – Monthly subscriptions can fly under the wire
  – IT may never know that applications are in use
• Orphaned Accounts
  – Admin gets fired
  – Group stops using tool
• Password Abuse
  – Cloud app hacked
  – Corporate creds stolen
http://www.flickr.com/photos/pinksherbet/179279964
Risks: Cloud Applications
• Loss of Visibility
  – IT no longer knows what apps are in use
• Loss of Control
  – User may start in the cloud and end in the cloud
  – Relationship is between cloud application and user
  – Business doesn’t control policy, session, or logs
Challenges: Mobile
• Hardware you might not own or control
• Personal data and Private data colocated
• Much easier object to steal or lose
• Difficulty in typing credentials on tiny keyboards
• Huge expanding set of connections
  – Multiple applications on thousands of devices
• APIs may represent all new application silos
• Developers may want to do their own thing
• You can’t get web working and forget about services
http://www.flickr.com/photos/32245753@N07/3333572689
An Answer: 42 Identity/Access Management
• Industry best practice in Enterprise has been to build a set of services to abstract the management of identities and coarse grained access away from applications
  – Central infrastructure, managed by IT
  – One (or very few) single source(s) of truth for User Presence in the organization
  – One place to set and enforce policies
• Result: INTERCONNECTIVITY
  – Apps need to trust infrastructure
  – Vendors/developers need to help
http://www.flickr.com/photos/23881436@N05/2853260749
Common Solutions to Identity and Access Risk?
• [meta]Directories
• Provisioning Solutions
  – Automation of account lifecycle
• Web Access Management Solutions
• Federation Solutions
• SIEM, multifactor
• Workflow
The Question: Integration
The Answer: Standards!
Options for Identity Architects
• Backend Synchronization
  – Push identity data directly into databases
  – Great inside the Enterprise, impossible in the clouds
• Proprietary Protection schemes
• Standards-based interaction
  – Use standardized interfaces to pass data in auditable ways
  – APIs
  – Protocols
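As an added illustration of two items above, the "Provisioning Solutions – Automation of account lifecycle" entry and the option of using standardized interfaces to pass identity data in auditable ways, here is a toy Python reconciler. It is not from the deck and not Ping Identity code: one source of truth (an HR feed) drives several application account stores through a single provisioning routine, and every change the routine makes comes back as an audit event, so joiners get Day One access, movers lose the entitlements of their old job, leavers are deprovisioned everywhere, and accounts nobody in the feed explains are flagged as orphans. The roles, people, application names and entitlements are constructed for the example.

```python
"""Toy identity lifecycle reconciler (added example, not from the CIS 2013 deck).

One source of truth (an HR feed) drives account state in several application
silos through a single provisioning routine, and every change is returned as
an audit event. Roles, people and application names are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy: which entitlement each role should hold in each app.
ROLE_ENTITLEMENTS = {
    "engineer": {("git", "developer"), ("wiki", "editor")},
    "manager": {("wiki", "editor"), ("hr", "approver")},
    "finance": {("erp", "ledger")},
}


@dataclass
class Person:
    """One row of the source of truth. role=None means terminated."""
    user_id: str
    surname: str
    role: Optional[str]


@dataclass
class AppStore:
    """An application's private account store: the 'island' in the deck."""
    name: str
    accounts: dict = field(default_factory=dict)  # user_id -> {"surname", "entitlements"}


def desired_state(person):
    """Entitlements the person should hold, per app, derived from role only."""
    wanted = {}
    if person.role is not None:
        for app, ent in ROLE_ENTITLEMENTS.get(person.role, ()):
            wanted.setdefault(app, set()).add(ent)
    return wanted


def reconcile(people, apps):
    """Push source-of-truth state into every app and return audit events.

    Handles joiners (provision), movers (drop the old role's entitlements,
    add the new ones), leavers (deprovision everywhere), attribute drift
    (surname) and orphaned accounts that no person in the feed explains.
    """
    events = []
    known = {p.user_id for p in people}
    for p in people:
        wanted = desired_state(p)
        for app in apps:
            acct = app.accounts.get(p.user_id)
            want = wanted.get(app.name)
            if want is None:
                if acct is not None:          # leaver, or mover who no longer needs this app
                    del app.accounts[p.user_id]
                    events.append(("deprovision", app.name, p.user_id))
            elif acct is None:                # joiner, or mover gaining a new app
                app.accounts[p.user_id] = {"surname": p.surname, "entitlements": set(want)}
                events.append(("provision", app.name, p.user_id))
            else:                             # existing account: fix entitlement and attribute drift
                stale = acct["entitlements"] - want
                missing = want - acct["entitlements"]
                if stale or missing:
                    acct["entitlements"] = set(want)
                    events.append(("entitlements", app.name, p.user_id,
                                   sorted(missing), sorted(stale)))
                if acct["surname"] != p.surname:
                    acct["surname"] = p.surname
                    events.append(("attribute", app.name, p.user_id, "surname"))
    # Orphan sweep: accounts with no corresponding person in the feed.
    for app in apps:
        for uid in [u for u in app.accounts if u not in known]:
            del app.accounts[uid]
            events.append(("orphan_removed", app.name, uid))
    return events


def demo():
    """Constructed scenario: a mover, a name change, a leaver and an orphan."""
    apps = [AppStore("git"), AppStore("wiki"), AppStore("hr"), AppStore("erp")]
    # Day 0: Fred is an engineer, Janice is in finance, Bob is a manager.
    day0 = [Person("fred", "Smith", "engineer"),
            Person("janice", "Jones", "finance"),
            Person("bob", "Lee", "manager")]
    reconcile(day0, apps)
    # Someone hand-created an account the HR feed knows nothing about.
    apps[3].accounts["ghost"] = {"surname": "?", "entitlements": {"ledger"}}
    # Day 1: Fred moves to manager, Janice marries, Bob is terminated.
    day1 = [Person("fred", "Smith", "manager"),
            Person("janice", "Jones-Park", "finance"),
            Person("bob", "Lee", None)]
    return reconcile(day1, apps), apps


if __name__ == "__main__":
    for event in demo()[0]:
        print(event)
```

The audit events are the point: each one names the app, the user and what changed, which is the "auditable" property the slide asks for, and the orphan sweep is what answers "how many applications are missed or never know?" from the earlier slide. A real deployment would replace the in-memory `AppStore` with a standards-based provisioning connector, but the join/move/leave logic stays the same.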
Good Business: Interfederation not Refederation
• Sometimes it’s better to link constellations of apps instead of directly connecting to apps
  – Often you find groups of apps that already have SSO enabled
Signs of Success (AKA proving ROI)
• Users know what to expect
  – Consistent ceremony
• Lifecycle can be explained by your superiors
• App access on Day One
• Zero day de-provisioning
• Lifetime employees lose access when they change jobs
• Execs comfortable attesting
• The D can be BYO’d
http://www.flickr.com/photos/geckoam/2723280142
Thank You!
• Pamela Dingle: @pamelarosiedee – http://eternallyoptimistic.com
• Nishant Kaushik: @NishantK – http://blog.talkingidentity.com
• Dale Olds: @daleolds – http://virtualsoul.org