2nd Annual Identity and Access Management Conference - Ovum Forum, 22 October 2013, London. Discussing concepts and examples of identity management perimeterization.
Knowing where the safe zone is - Ovum, 22 October 2013
1. Mark Skilton, Professor of Practice in Information Systems
Management, Warwick Business School, UK
Warwick Business School
2. Knowing where the safe zone is - Defining perimeter access strategies for an enterprise
The modern enterprise today has many connections, relationships and services. Information technology has enabled communication, social communities and transactions to create opportunities for new types of value. But it has also changed the types of risk and security issue, as bring your own device (BYOD) and the many types of cloud service have shifted responsibilities. Do you know where the access perimeter of your company's security is? How do you define the risk and value of new technology? What are the opportunities and challenges of new technologies, and what is their impact on legacy operations?
This presentation will look at ways to define the new business-technology boundaries and the risks and challenges of managing new technology across these boundaries.
3. Overview
Knowing the safe zone – perimeter strategies
What is your business ecosystem?
Describing your security risk and opportunity
Managing opportunities – API management
Managing access - connectivity
The future ?
Overview
4. Overview
Knowing the safe zone – perimeter strategies
What is your business ecosystem ?
Describing your security risk and opportunity
Managing opportunities – API management
Managing access - connectivity
The future ?
Overview
5. Business Ecosystem - the challenges we face
Old model:
- Business and IT use of software and hardware assets
- Project based development lifecycle
- Platforms and networks
- Transformational advisory and governance
- Security controls and audit, service monitoring
New model:
- Data: a plethora of data types and sources
- Multi-channel service marketplaces
- Devices and “things”
- Focus on intelligent processes and monetization
- Compliance and pervasive automated monitoring of security
Why business ecosystems ?
6. Objects in the Internet of Things
There are potentially billions of objects that could connect through IP addresses and network protocols to identify, exchange and collaborate on services.
Object types: Devices; Tags, sensors and platforms; Products; Content; Services; Money; Places and machines.
7. Era of Internetworking - Where is the perimeter ?
[Diagram: layered network map from the Internet core out to local devices. Labels as shown:]
- Internet core: Switches, Tier 1 Networks, NSPs, Network Peering and Interconnections, IP Backbone, IXP, Tier 2 ISP / Tier 2 Network, Tier 3 networks (ISP), ISPs (examples of ISP services include email, FTP, webhosting), Internetworking
- Access networks: Satellite, Public Switched Telephone Networks (PSTN), Cable Operators, DSL / T1 / T3 Leased Lines, Wide Area Network (WAN), 4G (3G LTE/SAE), 3G / 3.5G, Femtocell, Wifi, Gateways
- Local and personal: Local Area Network (LAN), InfraRed, GPS, Bluetooth, Mobile Devices, RFID, Sensors, Proximity, Smart Card
8. 2.5+ billion Internet users in 2013, representing 35% of the world population
Why business ecosystems ?
9. 1.7 billion mobile devices sold in 2012, and 6.8 billion subscriptions, equivalent to 96 percent of the world population
Why business ecosystems ?
10. Internet video accounting for 61% of total Internet data (Cisco)
Social media is driving massive online video growth
Why business ecosystems ?
11. 1 in 4 people around the world use at least one form of social networking = 1.7 billion in 2013
1 in 3 people = 2.55 billion global audience by 2017
[Map: all the geo-tagged locations of uploaded Flickr photos, by concentration]
Why business ecosystems ?
12. Where is the perimeter ?
[Diagram: concentric rings labelled Yourself, Near to you / Your Network, and Your Extended Network, annotated with the perimeter dimensions below]
- No. of devices per person
- No. hours online
- No. people in organization (formal)
- Ave no. of social network connections (informal/formal)
- No. of networks
- No. applications and web sites visited, used
Why business ecosystems ?
13. What is your Organization's estimated perimeter node score ?
Illustrative only. Multiply the perimeter dimensions:
Average no. of devices per person (3)
x Average no. people in organization, formal (500)
x No. of system networks (3)
x Ave no. of social network connections, informal/formal (300)
x No. applications / web sites visited, used (10)
= 13,500,000
x Average no. hours online (5)
= 67,500,000
Why business ecosystems ?
14. What is your personal estimated perimeter node score ?
Illustrative only. Assumptions on the slide: international travel x5 per year; travel 3 times per week; WIFI, 3G/4G networks.
Factor values as shown on the slide: average no. of devices per person 5; then x 5 (no. of system networks) x 2000 (ave no. of social network connections, informal/formal) x 10 (no. applications / web sites visited, used), giving the slide's score of 300,000; x 10 (average no. hours online) = 3,000,000.
Why business ecosystems ?
15. What is a secure perimeter ?
[Diagram: the perimeter dimensions (no. people in organization, no. of devices per person, system networks, social network connections) annotated with the control qualities below]
- Controlled access
- Compliant
- Secure
- Controlled system networks
- Controlled social network connections
- Configured / standards
- Continuous access and use state monitoring
- Managed
- ?
Why business ecosystems ?
16. Overview
Knowing the safe zone – perimeter strategies
What is your business ecosystem ?
Describing your security risk and opportunity
Managing opportunities – API management
Managing access - connectivity
The future ?
Overview
17. Data is getting more complex
Structured data, semi-structured data, unstructured data, and metadata
Data is increasingly externalized:
- Your edge profile data
- Your message payload data
- Your behavioral metadata (co-presence)
- Your transient data: travel in physical and virtual space
Embedded data shelf-life value (“productization of data”)
18. Connectivity is changing
Example: ProgrammableWeb has collected a database of open APIs. Many companies use APIs to establish connectivity services with their web sites.
Open APIs and closed (proprietary) APIs
Managed APIs can be problematic if the API specification is changed by the provider, impacting the users of that API. APIs are a common method for many cloud system service connections.
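The provider-side specification change described above is only dangerous when the consumer keeps processing responses it was never validated against. The following added example (not code from the presentation or from any API provider) shows the consumer-side control: pin the contract and major version you tested against and refuse responses that no longer match. The contract, the field names, the pinned version and both sample responses are constructed for illustration.

```python
"""Consumer-side contract check for a managed API whose provider may change the
specification without warning.

Added example for this page, not code from the presentation or from any API
provider. The contract, the pinned version, the field names and both sample
responses are constructed for illustration."""
from typing import Any

# Expected response contract the consumer was built and tested against:
# field name -> accepted JSON type(s). Constructed; a real consumer would derive
# this from the provider's published specification and pin its major version.
EXPECTED_CONTRACT: dict[str, Any] = {
    "api_version": str,
    "account_id": str,
    "balance": (int, float),
    "currency": str,
}
PINNED_MAJOR_VERSION = "1"


def _type_name(expected: Any) -> str:
    types = expected if isinstance(expected, tuple) else (expected,)
    return "/".join(t.__name__ for t in types)


def check_contract(response: dict[str, Any],
                   contract: dict[str, Any] = EXPECTED_CONTRACT,
                   pinned_major: str = PINNED_MAJOR_VERSION) -> list[str]:
    """Return every way `response` departs from the pinned contract.

    An empty list means the response is safe to hand to business logic. Extra
    fields are tolerated (additive changes are normally backwards compatible);
    a changed major version, a missing field or a changed field type is not."""
    problems: list[str] = []
    version = str(response.get("api_version", ""))
    if version.split(".")[0] != pinned_major:
        problems.append(f"api_version {version!r} is not the pinned major {pinned_major!r}")
    for field, expected in contract.items():
        if field not in response:
            problems.append(f"missing field {field!r}")
            continue
        value = response[field]
        # bool is a subclass of int in Python; treat it as a distinct JSON type.
        if isinstance(value, bool) or not isinstance(value, expected):
            problems.append(
                f"field {field!r} has type {type(value).__name__}, "
                f"expected {_type_name(expected)}")
    return problems


def safe_to_consume(response: dict[str, Any]) -> bool:
    """Gate used by the consumer before it acts on provider data."""
    return not check_contract(response)


# Constructed sample responses: the shape the consumer validated against, and a
# later one where the provider renamed a field and changed a type.
RESPONSE_V1 = {"api_version": "1.4", "account_id": "acct-123",
               "balance": 150.25, "currency": "GBP"}
RESPONSE_V2 = {"api_version": "2.0", "accountId": "acct-123",
               "balance": "150.25", "currency": "GBP"}

if __name__ == "__main__":
    for name, resp in (("v1", RESPONSE_V1), ("v2", RESPONSE_V2)):
        print(name, "OK" if safe_to_consume(resp) else check_contract(resp))
```

The check fails closed: a renamed field or a type change is reported before any value is used, so a silent specification change by the provider becomes an explicit, logged integration failure rather than wrong data flowing through the consumer.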
19. Enterprise Technology is externalized
[Diagram: “as a service” points, protection points and system access ports between the Internet and the corporate / private network. Labels as shown:]
- Zones: Internet, Corporate / Private Network, Devices, Network
- Protection points: External Firewall, Internal Firewall, Gateway, VPN Tunnel, API Management gateway, Active Directory
- System access ports: Web access, Network services, Backend services, Mobile applications, Mobile Data, APIs, Applications, Data
- Open questions: Identity ? Access provisioning; Authentication and Data Privacy ? Usage Policy Governance, compliance, and controls
“AS A SERVICE”
20. Perimeter definitions - heat mapping
[Diagram: span of control, from what the enterprise owns out to what it does not]
- Within the SPAN OF CONTROL: Own data and IP; Your Enterprise Networks; Staff, products, services, assets, facilities
- Beyond it: 3rd party data and IP; 3rd party Networks; APIs; Social Network Channels; Market segments and entities
21. Risk - Impact
- Federated Devices
- Authorization Management
- Certification
- Processes and services
- DR and BC Management
“ID theft every 79 seconds” (*)
(*) UBS Investment Research
23. Overview
Knowing the safe zone – perimeter strategies
What is your business ecosystem ?
Describing your security risk and opportunity
Managing opportunities – API management
Managing access - connectivity
The future ?
Overview
24. API Management
Example: Mashery, an Intel company, provides a secure appliance and software system for managing API connectivity to multiple devices and services.
- Web GUI to manage the API policies and their use
- Appliance is used to manage access to APIs
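What the appliance enforces at the edge, once the policies have been set in the console, is the part worth seeing in code. The following added example (not Mashery's product code or anything from the presentation) is a minimal policy enforcement point: it identifies the caller by API key, checks that the key holds the scope the route requires, and applies a per-key sliding-window rate limit. The key table, routes, limits and the replayed requests are constructed.

```python
"""Policy enforcement point of an API management gateway: API key lookup,
scope check per route, and a per-key sliding-window rate limit.

Added example for this page, not Mashery's product code or anything from the
presentation. The key table, routes, limits and requests are constructed."""
from collections import defaultdict, deque

# Policies an API management console would hold (constructed).
API_KEYS = {
    "key-partner-a":  {"scopes": {"orders:read"},                 "rate_limit": 3,   "window_s": 60},
    "key-mobile-app": {"scopes": {"orders:read", "orders:write"}, "rate_limit": 100, "window_s": 60},
}
# Route -> scope a key must hold to reach the backend behind that route.
ROUTES = {
    ("GET", "/v1/orders"): "orders:read",
    ("POST", "/v1/orders"): "orders:write",
}


class Gateway:
    def __init__(self, keys=API_KEYS, routes=ROUTES):
        self.keys = keys
        self.routes = routes
        self._hits = defaultdict(deque)   # key -> timestamps of accepted calls

    def _within_rate_limit(self, key, now):
        """Sliding window: count accepted calls in the last window_s seconds."""
        policy = self.keys[key]
        window = self._hits[key]
        while window and now - window[0] >= policy["window_s"]:
            window.popleft()
        if len(window) >= policy["rate_limit"]:
            return False
        window.append(now)
        return True

    def handle(self, method, path, headers, now):
        """Return (status, reason). 200 means the call is forwarded to the backend.
        `now` is injected so the limiter is deterministic and testable."""
        key = headers.get("X-API-Key")
        if key not in self.keys:
            return 401, "missing or unknown API key"
        required_scope = self.routes.get((method, path))
        if required_scope is None:
            return 404, "no such route"
        if required_scope not in self.keys[key]["scopes"]:
            return 403, f"key lacks scope {required_scope}"
        if not self._within_rate_limit(key, now):
            return 429, "rate limit exceeded"
        return 200, "forwarded to backend"


def run_demo():
    """Replay a constructed sequence of calls; returns the status codes."""
    gw = Gateway()
    partner = {"X-API-Key": "key-partner-a"}
    calls = [
        ("GET", "/v1/orders", partner, 0.0),
        ("GET", "/v1/orders", partner, 1.0),
        ("GET", "/v1/orders", partner, 2.0),
        ("GET", "/v1/orders", partner, 3.0),     # 4th call inside 60 s -> 429
        ("POST", "/v1/orders", partner, 4.0),    # scope not granted -> 403
        ("GET", "/v1/orders", {}, 5.0),          # no key -> 401
        ("GET", "/v1/orders", partner, 61.0),    # oldest calls have aged out -> 200
    ]
    return [gw.handle(m, p, h, t)[0] for m, p, h, t in calls]


if __name__ == "__main__":
    print(run_demo())
```

Rejected calls do not consume rate-limit budget, and authentication is decided before routing so an unknown key learns nothing about which routes exist; the key-to-scope table is the artefact the console's web GUI manages, the `Gateway` class is what the appliance runs.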
25. Cloud Aggregator Broker - Orchestrator
Example: MuleSoft CloudHub - enables integration across multiple clouds. Labels: Apps, Stores.
Where is the perimeter? Contract perimeter versus technical perimeter.
26. Example Network Traffic Monitoring for virtualized compute environments
Example: Net Optics Phantom Virtualization Tap. Monitoring of inter-VM traffic across all best-of-breed hypervisors in virtual computing environments. The Phantom Monitor component installs in the hypervisor for total traffic visibility. Use with virtual or physical Intrusion Detection Systems (IDSs), protocol analyzers, Layer-2 and Layer-3 probes, and other devices.
Network Traffic Monitoring Appliance
27. Example Intrusion Prevention System (IPS)
Example: McAfee Network Security Platform. Key features:
- Threat prevention
- Botnet detection
- Behavior-based analysis
- Malware protection
- Integrated forensic analysis
- Scalable web-based management
- User identification
- Application identification
- Device identification
- IP de-fragmentation and TCP stream reassembly
- Anomaly detection
- Inspection of virtual environments
- DoS and DDoS prevention
- File reputation, IP reputation, geolocation
- Protocol tunnelling support: IPv6, IPv4, MPLS
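"IP de-fragmentation and TCP stream reassembly" is listed among the features because content rules are only reliable on the reconstructed byte stream: a pattern that straddles a segment boundary is invisible to any per-packet match. The following added example (not McAfee's code or anything from the presentation) implements the TCP side of that step, a reassembler that tolerates out-of-order, duplicated and overlapping segments, and shows the same signature missed per segment but found in the rebuilt stream. The segments, their delivery order and the stand-in signature string are constructed.

```python
"""TCP stream reassembly ahead of content inspection, the step an IPS performs
so that a signature split across segments is still visible.

Added example for this page, not McAfee's code or anything from the presentation.
The segments, their delivery order and the signature string are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # relative sequence number of the first payload byte
    payload: bytes


class StreamReassembler:
    """Rebuilds one direction of a TCP flow from out-of-order, duplicated or
    overlapping segments. Where bytes overlap, the copy received first is kept
    (one of several overlap policies a real IPS lets the operator choose)."""

    def __init__(self, initial_seq: int = 0):
        self.next_seq = initial_seq               # first byte not yet in the stream
        self.stream = bytearray()
        self.pending: dict[int, bytes] = {}       # segments waiting for an earlier gap

    def feed(self, seg: Segment) -> None:
        self.pending.setdefault(seg.seq, seg.payload)   # first copy wins
        self._drain()

    def _drain(self) -> None:
        progressed = True
        while progressed:
            progressed = False
            for seq in sorted(self.pending):
                payload = self.pending[seq]
                end = seq + len(payload)
                if end <= self.next_seq:                  # pure retransmission
                    del self.pending[seq]
                elif seq <= self.next_seq:                # contiguous, maybe overlapping head
                    self.stream += payload[self.next_seq - seq:]
                    self.next_seq = end
                    del self.pending[seq]
                else:                                     # gap before this segment
                    continue
                progressed = True
                break

    def contiguous(self) -> bytes:
        return bytes(self.stream)

    def gaps(self) -> list[int]:
        """Sequence numbers of segments still waiting for missing earlier bytes."""
        return sorted(self.pending)


SIGNATURE = b"SIGNATURE-TOKEN"   # constructed stand-in for an IPS content rule

# Constructed request in which the signature straddles a segment boundary.
STREAM = (b"GET /index.html HTTP/1.1\r\n"
          b"Host: example.test\r\n"
          b"X-Test: SIGNATURE-TOKEN\r\n\r\n")
_cut = STREAM.index(SIGNATURE) + 5                  # split inside the token
_bounds = [0, STREAM.index(b"Host:"), STREAM.index(b"X-Test:"), _cut, len(STREAM)]
SEGMENTS = [Segment(a, STREAM[a:b]) for a, b in zip(_bounds, _bounds[1:])]
# Delivery order seen on the wire: out of order, with one duplicate.
DELIVERY = [SEGMENTS[2], SEGMENTS[0], SEGMENTS[3], SEGMENTS[1], SEGMENTS[0]]


def inspect(delivery: list[Segment], signature: bytes = SIGNATURE) -> dict:
    """Compare per-segment matching with matching on the reassembled stream."""
    reassembler = StreamReassembler()
    for seg in delivery:
        reassembler.feed(seg)
    rebuilt = reassembler.contiguous()
    return {
        "per_segment_hit": any(signature in seg.payload for seg in delivery),
        "stream_hit": signature in rebuilt,
        "reassembled": rebuilt,
        "gaps": reassembler.gaps(),
    }


if __name__ == "__main__":
    result = inspect(DELIVERY)
    print("per-segment:", result["per_segment_hit"], "stream:", result["stream_hit"])
```

The `gaps()` view matters operationally as well: a flow with a persistent hole cannot be fully inspected, and an IPS normally reports or times out such flows rather than silently passing the bytes it did see.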
28. Example Cloud Environment Application Performance Management
Example: Compuware APM. Monitors applications across physical and virtual networks and environments. It can be deployed easily into private, public or hybrid cloud applications via either BYOL (bring your own license) or elastic, consumption-based models.
- Application response times
- User experience
- Real-time and synthetic load testing
29. Overview
Knowing the safe zone – perimeter strategies
What is your business ecosystem ?
Describing your security risk and opportunity
Managing opportunities – API management
Managing access - connectivity
The future ?
Overview
30. Martini model: any IP, any device, any time, anywhere (Jericho Forum, The Open Group)
31. Cloud “as a service” Security Solutions
[Diagram: map of cloud security solution areas. Labels as shown, grouped under the diagram's own headings (grouping approximate):]
- Device Security: Device Authentication Security; Endpoint Device Management; Strong Password Control; Subscriber account security; Mobile Device Management (MDM); Wipe data when lost; Remote Application Control
- Proxy Controls / Appliances: API Usage; Port Network connect; Device Connect Filters; Intrusion Prevention System (IPS); Chargebacks / Billing Controls; Service Metering Controls; Web Store Front
- Cloud Service security status: Anti virus; Anti Spam; Security Information Management (SIM); Cloud Service Reporting; Data Loss Prevention (DLP)
- Identity and Access Management: Single Sign-on; Token PKI, SSH Keys Controls; User Group, Directory Management; Internal Authentication / Authorization
- Cryptographic controls: Network Transport Encryption (VPN); Data Encryption
- Cloud Monitoring: Network Monitoring; Hypervisor / VM Monitoring; Database Monitoring; Application Usage Monitoring; Service Level Outage Monitoring
- Virtualization Isolation services: Application Virtualization (Secure VDI); Cloud Storage Virtualization
- PaaS Development and XaaS Deployment: Service Configuration management; Code Version Encryption; Code/VM Deployment Encryption
External example: http://wwwclouage.com
32. Overview
What is your business ecosystem ?
Describing your security risk and opportunity
Managing opportunities – API management
Managing access - connectivity
The future ?
Overview
37. The surface underneath
The security layer pervades everywhere. Enterprise operating models will need to be underpinned by legal and security strategies to support and validate an increasingly externalized business model.
- API Management
- Network management
- Intrusion Management
- Application Management
- Identity and access Management
- Encryption Management
- Compliance and IP Management
38. Holistic Governance, Risk & Compliance for ecosystems
Security is critical when moving IT services that are potentially no longer under enterprise control or on premise. The following diagram looks at on-premise and off-premise security controls.
[Diagram: GRC control areas. Labels as shown, grouped under the diagram's own headings (grouping approximate):]
- Security Governance: Risk Management; Compliance; Monitoring Management; Audit; Personnel Security Management; Security Policy Management
- Access Management: Identity Management; Firewall Management
- Validate: Log, Analyze, Event management; Test Regime
- Availability Management: Business Continuity Management; Backup Management; Disaster Recovery Management
- Security Operations: Identify; Translate; Incident Management
- Security Controls: Asset Management; Digital Rights Management; Administration (Privilege, Deploy, Decommission, Dispose); Encryption Management; Private Network Management; Portability Management
- Secure Development/Operations: Coding Standards; Code review; Unit Test; Publish / Versions
39. Conclusions
Knowing where the safe zone is - Defining perimeter access strategies for an enterprise
- Scaling of business technology will drive changes in cultural and legal issues as data and usage shift toward a social network based economy
- Cloud-enabled commoditization and “on stop contract/less” may alter risk profile complexity
- There will be a variety of technologies to manage externalized identity and usage access:
  - API Management
  - Social network usage in processes
  - Data analytics for usage behaviors
  - A combination of both
- Technologies will enable wider identity profiles, challenging legal boundaries of access and usage
The future?