Kurt Johnson, Courion A discussion of how identity management needs to move to the next generation of intelligent IAM, combining traditional elements of provisioning and governance with continuous monitoring and rich analytics to identify risk, threats, and vulnerabilities to access.

1. Identity Therapy: Surviving the Explosion
of Users, Access, and Identities
Kurt Johnson
VP Strategy & Corporate Development
Courion Corporation
@kurtvjohnson

2. 2
Courion Mission
Help customers
succeed in a world
of open access and
increasing threats.

3. 3
Customer Need
Mobile AppsCloud Systems & Apps
Data
Resources
Assets
Systems & Apps
ACCESS
Ensure the Right People
have the Right Access
to the Right Resources
and are doing the Right Things

4. 4

5. 5

6. 6

7. 7

8. 8

9. 9
Reputation Risk

10. 10
Financial Risk

11. 11

12. 12

13. 13

14. 14

15. 15
Source: 2014 Verizon Data Breach Investigations Report
Number of breaches per threat action category

16. 16
Hacking breaches by type
0%
10%
20%
30%
40%
50%
60%
2009 2010 2011 2012 2013
Source: 2014 Verizon Data Breach Investigations Report
Use of stolen credentials
Brute force
Backdoor or C2
SQL
Footprinting

17. 17
Identity and Access Management Controls
Provisioning
Governance

18. 18

19. 19
2013 may be remembered as the
“year of the retailer breach”, but
a comprehensive assessment
suggests it was a year of
transition from geopolitical
attacks to large-scale attacks on
payment card systems

20. 20
Verizon 2014 PCI Compliance Report

21. 21
PCI DSS Requirement 8:
Identify and authenticate access to system components
“Only 24.2% of organizations that
suffered a security breach were
compliant with Requirement 8 at the
time of the breach”
“64.4% of organizations failed to
restrict each account with
access to cardholder data to
just one user”
“More than half of insiders committing
IT sabotage were former employees who
regained access via backdoors or
corporate accounts that were never
disabled”
Source: Verizon 2014 PCI Compliance Report

22. 22
Top Audit Findings
0% 5% 10% 15% 20% 25% 30% 35% 40%
Lack of sufficient segregation of duties
Removal of access following a transfer or termination
Excessive developers' access to production systems and data
Excessive acess rights
30%
18%
22%
31%
31%
27%
31%
38%
28%
29%
29%
36%
2012 2010 2009
Source: Deloitte Global Financial Services Security Survey

23. 23

24. 24
Identity and Access Management Controls
Provisioning
Governance

25. 25

26. 26

27. 27

28. 28

29. 29

30. 30

31. 31

32. 32
Identity of the Internet of Things
(ID) (IoT)

33. 33
ID IoT

34. 34

35. 35
Source: PWC Global State of Information Security Survey, 2014

36. 36
Percent of breaches where time was days or less
Source: 2014 Verizon Data Breach Investigations Report

37. 37
POS Intrusions Discovery Method
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Internal
External
99%
1%
Source: 2014 Verizon Data Breach Investigations Report

38. 38
“Shift your security mindset from incident
response to continuous response, wherein
systems are assumed to be compromised and
require continuous monitoring and
remediation.”
“Designing an Adaptive Security Architecture for Protection From Advanced Attacks”
Peter Firstbrook and Neil MacDonald, 2014.

39. 39

40. 40

41. 41

42. 42

43. 43

44. 44

45. 45

46. 46

47. 47

48. 48
Multi-dimensional analysis
Trillions of access
relationships
100’s of policies
& regulations
POLICIES
1000’s of
applications,
file shares &
resources
RESOURCES
Millions of
actions
ACTIVITY
100’s of thousands
of access rights &
roles
RIGHTS
100,000’s of
people, millions
of identities
IDENTITY

49. 49

50. 50

51. 51

52. 52

53. 53
Intelligent Governance • New account created outside
provisioning system
• High risk application
• High risk set of entitlements
• Employee not in HR system
…another
…and another

54. 54
Provisioning Today
Provisioning
Request
Policy
Evaluation
Approval Fulfillment
Reject
Request

55. 55
Intelligent Provisioning
Provisioning
Request
Policy
Evaluation
Fulfillment
Risk
Scoring

56. 56
Intelligent Provisioning
Provisioning
Request
Approval Fulfillment
Reject
Request
Policy
Evaluation
Risk
Scoring

57. 57
Intelligent Provisioning
Provisioning
Request
Policy
Evaluation
Approval Fulfillment
Additional
Approval
Reject
Request
Risk
Scoring

58. 58

59. 59

60. 60

61. 61
“By year-end 2020, identity analytics
and intelligence (IAI) tools will deliver
direct business value in 60% of
enterprises, up from <5% today.”
Intelligent IAM

62. 62
Continuous
Monitoring
& Analytics
GovernanceProvisioning
Intelligent IAM
Policy