Jacoba Sieders - Head of IAM ABNAMRO
Identity- & Access Management Trends & innovation
http://map.norsecorp.com/#/
IAM challenges are growing in complexity and volume

• “7 Any”
• De-perimeterisation
• Web 2 App consistency
• “API economy”
• Cloud, Shadow IT
• 24/7 cybercrime profs
• Growing privacy concerns
• Increasing regulatory pressure (GDPR, PSD II)
• IAM becomes relevant for almost all aspects of life
IAM trends
IAM awareness grows as digitisation reaches boardrooms of ancient institutions
• Chief Digital Officer
• Chief Innovation Officer
• Experiments lab
• Hackathons
• Start-up partners
• Innovation Boards
• Startup Friday
• Design Thinking
• Tribes and clans
Identity of Things, CIAM. “Branded identities”
User accounts expand into full user profiles

• Smart dust
• Networked sensors
• Drone delivery
• Smart cities
• Mobility
• Chaining across domains
• Big data
Identity
Flexible real time entitlement granting: ABAC
Attribute Based Access Control
Resource
• Type: Financial
• Department Z
• Author X
• Not yet approved
• Obsolete
• Public
• Etcetera

Subject
• Name x
• Role Y
• Department Z
• Cost Centre 123
• Manager A
• Etcetera

Action
• Check out
• Review
• Edit
• Alter contents
• Check in
• Physical actions
• Etcetera

Environment
• Night time
• Location
• Home network
• Office wifi
• Registered device
• Etcetera
Authorisation
RBAC versus ABAC

[Diagram: two ABAC examples (Subject, Object, Environment) set against one RBAC example (Subject, Object)]

ABAC, first example: Client Daan Koning can transfer 50 euro. Attributes shown: at 3:00 am; Preferred; at a bar in Utrecht; logged on via PIN5; Retail; from current account; via an iPhone iOS 7.1; to Rabobank Account of Facebook friend; Netherlands; at home.

ABAC, second example: Private Banking manager Alex Prins can update Private Banking customer data. Attributes shown: on new year’s day; while using a tablet; region Utrecht; Nieuwegein.

RBAC: Private Banking Manager Alex Prins can update / can view customer data.

Authorisation
Object approach / attributes

Content-Based Approach
• Content Classes (client data, employee data, payment data, etc.)
• Sensitivity (customer critical, business operation, near-public, etc.)
• Confidentiality & Integrity rating
• Time (creation, last access)
• Data Ownership (e.g. BU)
• Creator
• Type (spreadsheet, Powerpoint, text document, e-mail, etc.)

Query-Based Approach
• Content Classes (client data, employee data, payment data, etc.)
• Sensitivity (customer critical, business operation, near-public, etc.)
• Confidentiality & Integrity rating
• Time (creation, last access)
• Data Ownership
• Is Golden Source or Copy?
• Limit (Number of query results)

Analytics-Based Approach
• Content Classes (client data, employee data, payment data, etc.)
• Sensitivity (customer critical, business operation, near-public, etc.)
• Confidentiality & Integrity rating
• Maximum Usage Period (how long is it allowed to use the data)
• Sources (from which systems does the data originate)
• From Golden Source or Copy? (quality)
• Inherited attributes (from sources)
Authorisation
Fine-grained context-aware access management - building blocks

• Identity federation
• Profile repository
• Trust level framework
• Rulesets in rule engines
• Framework for interaction and governance of rulesets
ABAC building blocks

• PDP: Policy Decision Points
• PAP: Policy Administration Points
• PIP: Policy Information Points
• PEP: Policy Enforcement Points
• XACML

Attributes: Data quality, Data management
Rules: Ownership in the business

• session integrator
• connectors, interfaces
• token management
• data classifier
Attribute Based Access Control - Summary
• Context Based, Rule Based
• Step-up authentication
• Adjusted trust-level per context, per transaction
• Trustlevel on dataset or transaction, fine-grained, datacentric
• More flexible than Role Based Access Control (RBAC)
• Configuration within IAM tools instead of coding within applications
• Trustlevel on transaction request context
• Trustlevel framework enables immediate intervention when compromised
• Migrate from RBAC to ABAC as a strategy (a role is also a rule!)
Focus on governance and business involvement
Authorisation
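
An added sketch, not taken from the slides, of how a policy decision point could apply the summary above: a trust level for the request context, a trust level required by the transaction or dataset, and step-up authentication when the first falls short. All attribute names, trust scores and thresholds are assumptions chosen for the demo.

```python
# Added illustration of an ABAC policy decision point (PDP); not from the slides.
# Attribute names, trust scores and thresholds are assumptions chosen for the demo.
PERMIT, DENY, STEP_UP = "Permit", "Deny", "StepUp"
AUTH_TRUST = {"password": 1, "pin5": 2, "multifactor": 4}  # constructed scores

def context_trust(subject, env):
    """Trust level of the request context: authentication strength, adjusted."""
    trust = AUTH_TRUST.get(subject.get("auth_method"), 0)
    if env.get("registered_device"):
        trust += 1
    if not 6 <= env.get("hour", 12) < 23:                   # night time
        trust -= 1
    if env.get("network") not in ("home", "office_wifi"):   # unknown network
        trust -= 1
    return trust

def required_trust(action, resource):
    """Trust level demanded by the transaction or dataset; None if no rule."""
    if action == "transfer":
        need = 1 if resource["amount_eur"] <= 100 else 3
        return need if resource.get("known_beneficiary") else need + 1
    if action == "update" and resource.get("content_class") == "customer_data":
        return 3
    return None

def decide(subject, action, resource, env):
    """Deny by default; permit when context trust suffices, else step up."""
    if subject.get("compromised"):
        return DENY                                         # immediate intervention
    need = required_trust(action, resource)
    if need is None:
        return DENY
    if action == "update" and subject.get("department") != resource.get("owner"):
        return DENY
    return PERMIT if context_trust(subject, env) >= need else STEP_UP

# Constructed requests modelled on the two scenarios in the slides.
client = {"name": "Daan Koning", "type": "client", "auth_method": "pin5"}
payment = {"amount_eur": 50, "known_beneficiary": False}
bar_3am = {"hour": 3, "network": "public", "registered_device": True}
manager = {"name": "Alex Prins", "department": "Private Banking",
           "auth_method": "multifactor"}
records = {"content_class": "customer_data", "owner": "Private Banking"}
home_tablet = {"hour": 10, "network": "home", "registered_device": True}

if __name__ == "__main__":
    print(decide(client, "transfer", payment, bar_3am))     # StepUp
    print(decide(manager, "update", records, home_tablet))  # Permit
```

The same role-style rule (department must own the data) sits next to the context rules, which is the sense in which a role is also a rule.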
Authentication @ work

[Diagram. Labels: Transaction request; authentication (Password, Token, PIN, Multifactor, Biometrics); claim ID; identity + properties; pre-linked to; Authorisation entitlements for the ID; access to; Data & transactions]
Authentication
“New” methods of authentication
• Biometrics, voice, fingerprint, facial
• Behaviour patterns
• From “knowing” to “being”
• Rule based authentication
• Artificial Intelligence & data analysis recognize you
• Out-of-Band technologies across registered devices
• Challenge: How to use non-PII data and still ensure the right trust level?
• “Undentification”

• Continuous enrolment
• Continuous authentication
• Continuous identity proofing
Authentication
Authentication & Identity converging

[Diagram. Labels: Transaction request; Identity + properties; pre-linked to; Authorisation entitlements for the ID; access to; Data & transactions; Continuous ID proofing, Authentication, Enrollment]

Inputs shown around Authentication:
• Password, Token, PIN, Multifactor, Out Of Band (OOB)
• Device typing, Context, Endpoint info
• Network, Meta data, Navigation, Use patterns, Biometrics
• Machine learning, Fraud blacklist, SOC data
Authentication
“Un”dentification
Preventative, Detective, Reactive controls converging
[Diagram. Stages: start, Wish, Instruction / Request, Transaction (Payment settlement)]

• Security Operations Centre
• IAM Fraud Detection
• Infra: Device, network, etc.
• BCM