Veriphyr BrightTALK 20120523
TRANSCRIPT
![Page 1: Veriphyr bright talk 20120523](https://reader038.vdocuments.us/reader038/viewer/2022102903/55a3ceff1a28ab1b0d8b47c8/html5/thumbnails/1.jpg)
VERIPHYR PROPRIETARY
Alan Norquist, CEO & Founder, Veriphyr, Inc.
Chase Away Cloud Challenges: User Access Governance & Compliance
![Page 2: Veriphyr bright talk 20120523](https://reader038.vdocuments.us/reader038/viewer/2022102903/55a3ceff1a28ab1b0d8b47c8/html5/thumbnails/2.jpg)
Goals of User Access Governance & Compliance
User System Access = User’s Responsibilities (Bank: “Access to everything and nobody knows it”)
User Activity Access = User’s Responsibilities (Finance: “Can’t both approve PO and approve payment”)
User Data Access = User’s Responsibilities (Healthcare: only view patients under one’s care)
VERIPHYR PROPRIETARY, May 27, 2012
![Page 3: Veriphyr bright talk 20120523](https://reader038.vdocuments.us/reader038/viewer/2022102903/55a3ceff1a28ab1b0d8b47c8/html5/thumbnails/3.jpg)
Requirement Across Industries
Healthcare (HIPAA): “access … must be restricted to those who have been granted access rights”
Banking (FFIEC): “employee’s levels of online access … match current job responsibilities”
Brokerage (FINRA): “employee’s access … limited strictly to … employee’s function”
Utilities (NERC): “access permissions are consistent with … work functions performed”
Retail (PCI): “Limit access to … only individuals whose job requires such access”
Public Companies (SOX - COBIT): “user access rights … in line with … business needs”
![Page 4: Veriphyr bright talk 20120523](https://reader038.vdocuments.us/reader038/viewer/2022102903/55a3ceff1a28ab1b0d8b47c8/html5/thumbnails/4.jpg)
What is the Effect of the Cloud?
Reduced Cost from Resource Pooling: rapid implementation and elasticity
Ubiquitous Broad Network Access: accessible from outside your organization’s perimeter; accessible from a variety of devices
Shift in Ownership and Control: resource layers controlled by multiple independent providers
Multi-Tenancy (Resource Pooling): resources shared across multiple independent consumers
Split in User Access Management: data center vs. cloud
![Page 5: Veriphyr bright talk 20120523](https://reader038.vdocuments.us/reader038/viewer/2022102903/55a3ceff1a28ab1b0d8b47c8/html5/thumbnails/5.jpg)
Cloud Models – Build vs. Contract
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)
Source: Cloud Security Alliance 2011
“The lower down the stack the cloud provider stops, the more security the consumer is tactically responsible for implementing and managing” – CSA Guidance v3.0
Diagram labels per service model: “RFP or Contract It In” vs. “Build It In”
![Page 6: Veriphyr bright talk 20120523](https://reader038.vdocuments.us/reader038/viewer/2022102903/55a3ceff1a28ab1b0d8b47c8/html5/thumbnails/6.jpg)
User Access Governance and Compliance
Build or Contract What?
1. Identity Stores
2. Logging (Both Access and Activity)
3. Key Data Entities (customers, patients, partners, etc.)
Critical Issues:
Interfaces: Insufficient – user interface; Required – standards-based APIs
Capabilities: detailed logs showing access to sensitive transactions and data (patient, customer, etc.)
Ability to Extract Data: Insufficient – reports showing a single identity’s activity over 2 weeks; Required – formatted file of all identities and all activity for all time
![Page 7: Veriphyr bright talk 20120523](https://reader038.vdocuments.us/reader038/viewer/2022102903/55a3ceff1a28ab1b0d8b47c8/html5/thumbnails/7.jpg)
Diagram labels: one Cloud Consumer and several Cloud Providers.
Cloud Providers’ Native Identity Mgmt?
Manage Each Cloud Separately?
![Page 8: Veriphyr bright talk 20120523](https://reader038.vdocuments.us/reader038/viewer/2022102903/55a3ceff1a28ab1b0d8b47c8/html5/thumbnails/8.jpg)
IAM as a Service
Centralized federated identity across cloud vendors. Build in or contract requirements for support of standards like SAML, OpenID and OAuth.
Diagram labels: Cloud Consumer, IAM as a Service, and several Cloud Providers.
![Page 9: Veriphyr bright talk 20120523](https://reader038.vdocuments.us/reader038/viewer/2022102903/55a3ceff1a28ab1b0d8b47c8/html5/thumbnails/9.jpg)
Cloud Provider Compliance Reports?
Cloud facilitates departments’ use of “best of breed”; need to integrate compliance reporting across many separate cloud vendors.
Diagram labels: one Cloud Consumer and several Cloud Providers.
![Page 10: Veriphyr bright talk 20120523](https://reader038.vdocuments.us/reader038/viewer/2022102903/55a3ceff1a28ab1b0d8b47c8/html5/thumbnails/10.jpg)
Identity and Access Intelligence (IAI)
“Joining together data in identity and access management (IAM) systems and security logs with other data could be massively valuable to both IT and the business.” – James Richardson, Gartner
Build or contract in the ability for bulk export of identity store info, logs (both access and activity), and key data (customers, patients, partners, etc.).
Diagram labels: Cloud Consumer, Identity and Access Intelligence, and several Cloud Providers.
![Page 11: Veriphyr bright talk 20120523](https://reader038.vdocuments.us/reader038/viewer/2022102903/55a3ceff1a28ab1b0d8b47c8/html5/thumbnails/11.jpg)
Identity and Access Intelligence (IAI)
“Access reports of users and applications are requirements in information security and IT governance, risk and compliance management programs, and Identity and Access Intelligence is needed to address those requirements.” – Gartner
Identifies policy violations (identity, rights, activity & data); determines if policy violations have been exploited
Different from SIEM: SIEM is focused on packets and IP addresses; IAI is focused on people and data
Works across Cloud Providers: audit (access and activity) logs from all cloud applications; identity stores from all IAM as a Service vendors; patient, customer, partner data from applications such as HR
![Page 12: Veriphyr bright talk 20120523](https://reader038.vdocuments.us/reader038/viewer/2022102903/55a3ceff1a28ab1b0d8b47c8/html5/thumbnails/12.jpg)
Revealing - User Access ≠ User’s Responsibilities
Chart: User Access Activity Across Resources (axes: Identity × Resources)
![Page 13: Veriphyr bright talk 20120523](https://reader038.vdocuments.us/reader038/viewer/2022102903/55a3ceff1a28ab1b0d8b47c8/html5/thumbnails/13.jpg)
Revealing - User Access ≠ User’s Responsibilities
Chart: IAI Analytics Reveal Inappropriate Access (axes: Identity × Resources)
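As an added illustration of the joins the IAI slides describe (identity store, rights and activity log combined to flag rights beyond a user's responsibility, to check whether those rights were actually exercised, and to apply the Finance separation-of-duties rule from the goals slide), the following Python is this editor's example, not Veriphyr's code; every user, right, object and log line is constructed for the example.

```python
from collections import defaultdict

# Constructed sample exports (not real data): identity store, the rights each
# responsibility justifies, the rights actually granted, and the activity log.
IDENTITIES = {"alice": "ap_clerk", "bob": "purchasing", "carol": "nurse"}
ROLE_RIGHTS = {"ap_clerk": {"approve_payment"}, "purchasing": {"approve_po"},
               "nurse": {"view_patient"}}
GRANTED = {"alice": {"approve_payment", "approve_po"},   # approve_po is excess
           "bob": {"approve_po"},
           "carol": {"view_patient", "approve_payment"}}  # excess, never used
ACTIVITY_LOG = """\
bob approve_po PO-1001
alice approve_po PO-1002
alice approve_payment PO-1002
carol view_patient MRN-42
"""

def parse_log(text):
    """Parse 'user action object' lines into (user, action, object) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def excess_rights(identities, role_rights, granted):
    """Rights each user holds beyond what their responsibility justifies."""
    out = {}
    for user, role in identities.items():
        extra = granted.get(user, set()) - role_rights.get(role, set())
        if extra:
            out[user] = extra
    return out

def exploited(excess, events):
    """Excess rights that were actually exercised (the violation was used)."""
    used = defaultdict(set)
    for user, action, _ in events:
        used[user].add(action)
    return {u: r & used[u] for u, r in excess.items() if r & used[u]}

def sod_violations(events):
    """Users who both approved a PO and approved its payment (Finance rule)."""
    actions = defaultdict(set)  # (user, object) -> actions taken on it
    for user, action, obj in events:
        actions[(user, obj)].add(action)
    return sorted(key for key, acts in actions.items()
                  if {"approve_po", "approve_payment"} <= acts)
```

Carol's unused excess right shows why the deck separates "policy violation" from "exploited": both are findings, but only Alice's exercised right and PO-1002 need incident handling rather than an entitlement cleanup.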
![Page 14: Veriphyr bright talk 20120523](https://reader038.vdocuments.us/reader038/viewer/2022102903/55a3ceff1a28ab1b0d8b47c8/html5/thumbnails/14.jpg)
Summary
Goal of Access Governance and Compliance: User Access = User’s Responsibility
Cloud Changes Underlying Architecture
Need to “Build or Contract In”: standards for IAM as a Service; data sources for Identity and Access Intelligence (IAI)
For more information contact me: [email protected] # 650.384.0560
![Page 15: Veriphyr bright talk 20120523](https://reader038.vdocuments.us/reader038/viewer/2022102903/55a3ceff1a28ab1b0d8b47c8/html5/thumbnails/15.jpg)
For more information
Whitepaper on IAM as a Service
https://cloudsecurityalliance.org/research/
Whitepaper on Identity and Access Intelligence
http://bit.ly/IAI-whitepaper
Alan Norquist, CEO, [email protected] # 650.384.0560