3. IAM
• What is it?
• What is the current context?
3. IAM & cloud computing
• Why do we need it?
• To do list
• IAM and privacy
• IAM and control
8. e-discovery
• Conclusion
4. 1. What is IAM?
[Figure: the building blocks of IAM named on the slide: Single Sign On, Password Management, Federation, Secure Remote Access, Role Based Management, Provisioning, Web Services Security, Authorization, Auditing & Reporting, Directories, Digital Rights Management, Strong Authentication, PKI.]
Source: Identity and Access Management: Overview, Rafal Lukawiecki - Strategic Consultant, Project Botticelli Ltd, rafal@projectbotticelli.co.uk
6. Q: What’s posted on this monitor?
a – password to financial application
b – phone messages
c – to-do’s
7. Q: What determines your employee’s access?
a – give Alice whatever Wally has
b – roles, attributes, and requests
c – whatever her manager says
8. Q: Who is the most privileged user in your enterprise?
a – security administrator
b – CFO
c – the summer intern who is now working for your competitor
9. Q: How secure is your identity data?
a – It is in 18 different secured stores
b – We protect the admin passwords
c – Privacy? We don’t hold credit card numbers
10. Q: How much are manual compliance controls costing your organization?
a – nothing, no new headcount
b – don’t ask
c – don’t know
11. Today’s IT Challenges
More Compliant Business
• Increasing regulatory demands
• Increasing privacy concerns
• Business viability concerns
More Agile Business
• More accessibility for employees, customers and partners
• Higher level of B2B integrations
• Faster reaction to changing requirements
More Secured Business
• Organized crime
• Identity theft
• Intellectual property theft
• Constant global threats
12. State Of Security In Enterprise
• Incomplete
– Multiple point solutions from many vendors
– Disparate technologies that don’t work together
• Complex
– Repeated point-to-point integrations
– Mostly manual operations
• ‘Non-compliant’
– Difficult to enforce consistent set of policies
– Difficult to measure compliance with those policies
13. Identity Management Values
• Trusted and reliable security
• Efficient regulatory compliance
• Lower administrative and development costs
• Enable online business networks
• Better end-user experience
14. IAM is not only an IT task!
Identity management means managing the lifecycle of people within the company (hiring, promotion, transfer, departure, etc.) and the resulting impacts on the information system (creation of user accounts, assignment of user profiles, implementation of access control, etc.).
It must be possible to perform this identity management from a functional point of view by non-IT staff (for example: Human Resources, the business owner, the user himself) and from a technical point of view by IT staff (for example: administrator, the delivery team).
Source: CLUSIF
15. The identity management solution must be a global solution built on a centralised infrastructure with distributed functional management, integrating the following capabilities:
• management of the central user repository (fed from the source user repositories),
• management of the central repository of the resources covered by access rights management,
• entitlement management (management of profiles, roles, users, workflow),
• provisioning (synchronisation of the target security repositories),
• decentralised administration,
• self-administration: management by users of their own passwords and private data,
• audit and reporting,
• access control (authentication, authorisation).
Source: CLUSIF
16. Definition
• What is Identity Management?
“Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” – The Burton Group (a research firm specializing in IT infrastructure for the enterprise)
• Identity Management in this sense is sometimes called “Identity and Access Management” (IAM)
17. Identity and Access Management is the process for managing the lifecycle of digital identities and access for people, systems and services. This includes:
User Management – management of large, changing user populations along with delegated- and self-service administration.
Access Management – allows applications to authenticate users and allow access to resources based upon policy.
Provisioning and De-Provisioning – automates account propagation across applications and systems.
Audit and Reporting – review access privileges, validate changes, and manage accountability.
Source: J. Tony Goulding, CISSP, ITIL, CA, tony.goulding@ca.com
18. IAM is, for example…
• “Hello, I am Julie, a student at INFOSAFE.” (Identity)
• “This is my password.” (Authentication)
• “I want to access the platform.” (Authorisation granted)
• “I want to improve my exam grade.” (Authorisation denied)
19. But it is also…
• A new teacher
• Hence an e-mail address, to be issued as soon as possible
• A password on ICHEC Campus
• An Intranet password
• An IE Campus password
• Defining the other services he has access to
20. Which questions should we ask?
• Are people who they say they are?
• Are they genuine members of our community?
• Have they received the necessary authorisations?
• Is the protection of their personal data in place?
21. Example questions
– What type of password should be issued?
– Which activities are permitted?
– Which activities are forbidden?
– To which category of person should this new identity be attached?
– At what point in the onboarding process should authorisations be granted?
– Which control measures are in place? Can all of this be proven to an auditor?
– What about e-discovery?
22. The triple A of IAM
• Authentication – WHO ARE YOU?
• Authorization / Access Control – WHAT CAN YOU DO?
• Audit – WHAT HAVE YOU DONE?
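The three A's above, replayed on Julie's scenario from slide 18 as an added example (not code from the slides): the identity store holds a role and a salted password hash, authorization is decided from a role-based policy table, and every decision lands in an audit trail. The identity, password, roles and policy entries are constructed sample data.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed sample identity store: each digital identity carries a role,
# a random salt and a PBKDF2 hash of its secret (never the clear-text password).
def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

_salt, _digest = hash_password("correct horse battery staple")   # constructed secret
IDENTITIES = {"julie": {"role": "student", "salt": _salt, "hash": _digest}}

# Role-based policy: the (resource, action) pairs each role is allowed.
POLICY = {
    "student": {("platform", "access"), ("exam", "read_grade")},
    "teacher": {("platform", "access"), ("exam", "read_grade"), ("exam", "set_grade")},
}

AUDIT_LOG = []   # answers "what have you done?"

def audit(user, action, resource, outcome):
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                      "action": action, "resource": resource, "outcome": outcome})

def authenticate(user, password):
    """WHO ARE YOU? Verify the presented secret against the stored hash."""
    rec = IDENTITIES.get(user)
    if rec is None:
        audit(user, "login", "-", "denied:unknown_user")
        return False
    _, digest = hash_password(password, rec["salt"])
    ok = hmac.compare_digest(digest, rec["hash"])   # constant-time comparison
    audit(user, "login", "-", "granted" if ok else "denied:bad_password")
    return ok

def authorize(user, action, resource):
    """WHAT CAN YOU DO? Decide from the user's role and the policy table."""
    role = IDENTITIES.get(user, {}).get("role")
    ok = (resource, action) in POLICY.get(role, set())
    audit(user, action, resource, "granted" if ok else "denied")
    return ok

def run_scenario():
    """Replay Julie's scenario from the slides and return the audit outcomes."""
    AUDIT_LOG.clear()
    authenticate("julie", "correct horse battery staple")   # granted
    authorize("julie", "access", "platform")                # granted
    authorize("julie", "set_grade", "exam")                 # denied
    return [entry["outcome"] for entry in AUDIT_LOG]
```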
27. Between the virtual identity and ...
In this context, the accumulation of fragments left more or less abandoned draws a portrait in small touches. A bit like pointillist paintings: taken individually, none of the traces is really significant. But the overall picture does represent the subject as a whole. In full view of everyone, and not necessarily from the angle one would have wished…
http://www.buschini.com/2009/12/04/identite-traditionnelle-versus-identite-numerique/
28. Welcome to a digital world
• The Internet is based on anonymous communications
• Companies take part in many networks, generating multiple identities
• Internal systems sometimes use different identifier schemes
• Users are the weak links of security
• Computer crime is increasing
• Putting controls in place requires identification
• Managing traces (logs) is indispensable
• Protecting privacy requires controls
31. Explosion of IDs
[Figure: chart of the number of digital IDs against time. Application eras on the time axis: Mainframe (pre 1980’s), Client Server (1980’s), Internet (1990’s), Mobility (2000’s). Populations driving the growth: Company (B2E), Customers (B2C), # of Business Partners / Automation (B2B).]
Source: Identity and Access Management: Overview, Rafal Lukawiecki (Project Botticelli Ltd)
32. The Disconnected Reality
[Figure: each silo (HR, Finance, Office, Infra, Enterprise Directory, External application, In-House application, Employee application) holds its own Authentication, Authorization and Identity Data.]
“Identity Chaos”
– Many users and applications
– Many IDs
– Several identities per user
– Several logins and passwords
– Multiple repositories of identity information
– Multiple user IDs, multiple passwords
– Decentralised management
– Business <-> IT conflicts
Source: Identity and Access Management: Overview, Rafal Lukawiecki (Project Botticelli Ltd)
33. Multiple Contexts
[Figure: your COMPANY and your EMPLOYEES at the centre, surrounded by your CUSTOMERS, your SUPPLIERS, your PARTNERS, and your REMOTE and VIRTUAL EMPLOYEES. Drivers named on the figure: customer satisfaction & customer intimacy; cost competitiveness; reach, personalization; collaboration; outsourcing; faster business cycles, process automation; value chain; M&A; mobile/global workforce; flexible/temp workforce.]
Source: Identity and Access Management: Overview, Rafal Lukawiecki (Project Botticelli Ltd)
34. Trends Impacting Identity
Rising Tide of Regulation and Compliance
• SOX, HIPAA, GLB, Basel II, 21 CFR Part 11, …
• $15.5 billion spend on compliance (analyst estimate)
Deeper Line of Business Automation and Integration
• One half of all enterprises have SOA under development
• Web services spending growing 45%
Increasing Threat Landscape
• Identity theft costs banks and credit card issuers $1.2 billion in 1 yr
• $250 billion lost from exposure of confidential info
Maintenance Costs Dominate IT Budget
• On average employees need access to 16 apps and systems
• Companies spend $200 per user per year for PW
Data Sources: Gartner, AMR Research, eMarketer, IDC, U.S. Department of Justice
36. Pain Points
IT Admin
• Too many user stores and account admin requests
• Unsafe sync scripts
Developer
• Redundant code in each app
• Rework code too often
End User
• Too many passwords
• Long waits for access to apps, resources
Security/Compliance
• Too many orphaned accounts
• Limited auditing ability
Business Owner
• Too expensive to reach new partners, channels
• Need for control
Source: Identity and Access Management: Overview, Rafal Lukawiecki (Project Botticelli Ltd)
38. Cloud Computing: Definition
• No Unique Definition or General Consensus about what Cloud
Computing is …
• Different Perspectives & Focuses (Platform, SW, Service Levels…)
• Flavours:
– Computing and IT Resources Accessible Online
– Dynamically Scalable Computing Power
– Virtualization of Resources
– Access to (potentially) Composable & Interchangeable Services
– Abstraction of IT Infrastructure
No need to understand its implementation: use Services & their APIs
– Some current players, at the Infrastructure & Service Level:
Salesforce.com, Google Apps, Amazon, Yahoo, Microsoft, IBM, HP, etc.
Source: The Future of Identity in the Cloud: Requirements, Risks & Opportunities, Marco Casassa Mont, marco.casassa-mont@hp.com, HP Labs Systems Security Lab, Bristol, UK - EEMA e-Identity Conference, 2009
39. Cloud Computing: Models
[Figure: an Enterprise with its Internal Cloud (Employee services, Business Apps/Services, Backup Service, ILM Service, …) connected over The Internet to Cloud Provider #1 (On Demand CPUs, Printing Service, CRM Service, Office Apps, Data Storage Service, User Service, …) and Cloud Provider #2 (Service 3, …).]
Source: The Future of Identity in the Cloud: Requirements, Risks & Opportunities, Marco Casassa Mont (HP Labs)
40. Cloud Computing: Implications
• Enterprise:
Paradigm Shift from “Close & Controlled” IT Infrastructures and Services to
Externally Provided Services and IT Infrastructures
• Private User:
Paradigm Shift from Accessing Static Set of Services to Dynamic & Composable
Services
• General Issues:
– Potential Loss of Control (on Data, Infrastructure, Processes, etc.)
– Data & Confidential Information Stored in The Clouds
– Management of Identities and Access (IAM) in the Cloud
– Compliance to Security Practice and Legislation
– Privacy Management (Control, Consent, Revocation, etc.)
– New Threat Environments
– Reliability and Longevity of Cloud & Service Providers
Source: The Future of Identity in the Cloud: Requirements, Risks & Opportunities, Marco Casassa Mont (HP Labs)
41. IAM Identity in the Cloud: Enterprise Case
[Figure: the cloud model of slide 39 annotated with IAM capabilities. The Enterprise (Internal Cloud: Employee services, Business Apps/Services, Backup Service, ILM Service) and each Cloud Provider (#1: On Demand CPUs, Printing Service, CRM Service, Office Apps, Data Storage Service; #2: Service 3, …) each hold Identity & Credentials and Data & Confidential Information, and each run the capabilities User Account Provisioning/De-provisioning, Authentication, Authorization and Audit. These capabilities can be outsourced in the Cloud.]
Source: The Future of Identity in the Cloud: Requirements, Risks & Opportunities, Marco Casassa Mont (HP Labs)
42. Identity in the Cloud: Enterprise Case
Issues and Risks [1/2]
• Potential Proliferation of Required Identities & Credentials to Access Services
– Misbehaviours when handling credentials (writing down, reusing, sharing, etc.)
• Complexity in correctly “enabling” Information Flows across boundaries
– Security Threats (Enterprise <-> Cloud & Service Providers, Service Provider <-> Service Provider, …)
• Propagation of Identity and Personal Information across Multiple Clouds/Services
– Privacy issues (e.g. compliance to multiple Legislations, Importance of Location, etc.)
– Exposure of business sensitive information (employees’ identities, roles, organisational structures, enterprise apps/services, etc.)
– How to effectively Control this Data?
• Delegation of IAM and Data Management Processes to Cloud and Service Providers
– How to get Assurance that these Processes and Security Practice are Consistent with Enterprise Policies?
– Recurrent problem for all Stakeholders: Enterprise, Cloud and Service Providers …
– Consistency and Integrity of User Accounts & Information across various Clouds/Services
– How to deal with overall Compliance and Governance issues?
Source: The Future of Identity in the Cloud: Requirements, Risks & Opportunities, Marco Casassa Mont (HP Labs)
43. Identity in the Cloud: Enterprise Case
Issues and Risks [2/2]
• Migration of Services between Cloud and Service Providers
– Management of Data Lifecycle
• Threats and Attacks in the Clouds and Cloud Services
– Cloud and Service Providers can be the “weakest links” in Security & Privacy
– Reliance on good security practice of Third Parties
Source: The Future of Identity in the Cloud: Requirements, Risks & Opportunities, Marco Casassa Mont (HP Labs)
44. 4. Why do we need it?
• Security
• Compliance
• Cost reduction
• Support for audit
• Access control
46. Possible savings
• Directory Synchronization
“Improved updating of user data: $185 per user/year”
“Improved list management: $800 per list”
– Giga Information Group
• Password Management
“Password reset costs range from $51 (best case) to $147 (worst case) for labor alone.” – Gartner
• User Provisioning
“Improved IT efficiency: $70,000 per year per 1,000 managed users”
“Reduced help desk costs: $75 per user per year”
– Giga Information Group
47. Can We Just Ignore It All?
• Today, average corporate user spends 16 minutes a day logging on
• A typical home user maintains 12-18 identities
• Number of phishing sites grew over 1600% over the past year
• Corporate IT Ops manage an average of 73 applications and 46 suppliers, often with individual directories
• Regulators are becoming stricter about compliance and auditing
• Orphaned accounts and identities lead to security problems
Source: Microsoft’s internal research and Anti-phishing Working Group
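The "Identity Chaos" of slide 32 (several identities per user spread over separate stores) and the orphaned accounts of slide 47 are what the provisioning/de-provisioning and audit capabilities of slide 17 have to reconcile. The following is an added example, not code from the slides: it correlates the accounts of three constructed application stores to a constructed HR roster by e-mail, flags accounts whose owner has left, has no recorded owner, or is unknown to HR, and lists the de-provisioning candidates. The store names, logins and e-mail addresses are sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: the HR roster is the source repository; each
# application store keeps its own login convention for the same people.
HR_ROSTER = [
    {"emp_id": "E1001", "email": "alice@example.org", "status": "active"},
    {"emp_id": "E1002", "email": "bob@example.org", "status": "left"},   # departed
    {"emp_id": "E1003", "email": "carol@example.org", "status": "active"},
]
ACCOUNT_STORES = {
    "finance": [
        {"login": "alice.m", "email": "alice@example.org"},
        {"login": "bob.k", "email": "bob@example.org"},
    ],
    "directory": [
        {"login": "EXAMPLE\\alice", "email": "alice@example.org"},
        {"login": "EXAMPLE\\bob", "email": "Bob@Example.org"},
        {"login": "EXAMPLE\\svc-backup", "email": ""},           # no owner recorded
    ],
    "crm_saas": [
        {"login": "carol", "email": "carol@example.org"},
        {"login": "wally", "email": "wally@example.org"},       # never in HR
    ],
}

@dataclass(frozen=True)
class Finding:
    store: str
    login: str
    reason: str   # "owner_left", "no_owner" or "unknown_owner"

def reconcile(roster, stores):
    """Correlate every account to an HR identity by e-mail and flag orphans.
    Returns (findings, identities_per_person)."""
    known = {r["email"].lower() for r in roster}
    active = {r["email"].lower() for r in roster if r["status"] == "active"}
    findings, per_person = [], defaultdict(list)
    for store, accounts in stores.items():
        for acct in accounts:
            email = acct.get("email", "").strip().lower()   # normalise the key
            if not email:
                findings.append(Finding(store, acct["login"], "no_owner"))
            elif email not in known:
                findings.append(Finding(store, acct["login"], "unknown_owner"))
            elif email not in active:
                findings.append(Finding(store, acct["login"], "owner_left"))
            else:
                per_person[email].append(f"{store}:{acct['login']}")
    return findings, dict(per_person)

def deprovisioning_list(findings):
    """Accounts whose owner has left HR: first candidates for automatic removal."""
    return sorted((f.store, f.login) for f in findings if f.reason == "owner_left")
```

The remaining findings (no owner, unknown owner) are the ones an audit has to chase by hand, since no HR record can answer for them.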
48. IAM Benefits
Benefits today (Tactical)
• Save money and improve operational efficiency
• Improved time to deliver applications and service
• Enhance Security
• Regulatory Compliance and Audit
Benefits to take you forward (Strategic)
• New ways of working
• Improved time to market
• Closer Supplier, Customer, Partner and Employee relationships
Source: Identity and Access Management: Overview, Rafal Lukawiecki (Project Botticelli Ltd)
49. 5. IAM to do list
• Automatic account creation and deletion
• Log (trace) management
• Archiving (for how long?)
• Privacy
• Compliance
• Security <> risks
• More and more users
• E-business
63. • What can be controlled?
• Limits?
• Private correspondence
• Wage garnishment
• Actual sanctions
• Communicate the sanctions?
64. • Organisational security
– Security department
– Security consultant
– Security procedures
– Disaster recovery
65. • Technical security
– Risk analysis
– Back-up
– Procedures against fire, theft, etc.
– Securing access to the IT network
– Authentication system (identity management)
– Effective login and password
66. • Legal security
– Employment contracts and information
– Contracts with subcontractors
– Code of conduct
– Employee monitoring
– Full regulatory compliance
69. Definition of e-discovery
• Electronic discovery (or e-discovery) refers to discovery in civil litigation which deals with information in electronic format, also referred to as Electronically Stored Information (ESI).
• It means the collection, preparation, review and production of electronic documents in litigation discovery.
• Any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.
• This includes e-mail, attachments, and other data stored on a computer, network, backup or other storage media. e-Discovery includes metadata.
70. Recommendations
Organizations should update and/or create information management policies and procedures that include:
– e-mail retention policies. On an individual level, employees tend to keep information on their hard drives “just in case” they might need it.
– Work with users to rationalize their storage requirements and decrease their storage budget.
– off-line and off-site data storage retention policies,
– controls defining which users have access to which systems and under what circumstances,
– instructions for how and where users can store data, and
– backup and recovery procedures.
– Assessments or surveys should be done to identify business functions, data repositories, and the systems that support them.
– Legal must be consulted. Organizations and their legal teams should work together to create and/or update their data retention policies and procedures for managing litigation holds.
71. 9. Conclusion
• IAM is not only an IT matter: the legal and management aspects are essential
• Pay attention to compliance aspects
• More security is needed
– Cloud computing
– Virtualisation
– Data privacy
– Archiving
• Transparency
• E-discovery
72. IAM is also an opportunity
• Rethink security
• Limit risks
• Reduce costs
• Clarify roles and responsibilities
• Anticipate future risks