20120510 università

Digital Identities Management Protect your information from zombie Pierluigi Sartori CISSP CISM CRISC CGEIT - MBCI [email protected] Erise 2012 Trento 09 May 2012


DESCRIPTION

Presentation given during a visit by students from the University of Trento - IT Department - as part of the exchange within the "Master Students School"

TRANSCRIPT

Page 1: 20120510 università

Digital Identities Management Protect your information from zombie

Pierluigi Sartori, CISSP – CISM – CRISC – CGEIT – MBCI

[email protected]

Erise 2012

Trento 09 May 2012

Page 2: 20120510 università

About me

Pierluigi Sartori, email: [email protected]

9 years in Italian Air Force (Intelligence and Operations)

10+ years in Security Architecture & Management

ISACA Venice Chapter Leader, CISM Coordinator & Research Director

ISC2 CISSP

ISACA CISM, CRISC & CGEIT

Business Continuity Institute MBCI

CompTIA Security+

Page 3: 20120510 università

About me

Strengths: TCP/IP and networking technologies

Technical and Logical Security

Physical Security

Security Management

Business Continuity

Forensics

Privacy

Processes and Procedures

Weaknesses: too many to list in an hour

Page 4: 20120510 università

About Informatica Trentina

Informatica Trentina was founded in 1983 on the initiative of the Autonomous Province of Trento and other Trentino entities.

Shareholders:

Provincia autonoma di Trento, 47.7683%
Tecnofin Trentina Spa, 39.7101%
Regione Autonoma Trentino-Alto Adige, 1.7199%
Comune di Trento, 1.2433%
Camera di Commercio Industria Artigianato e Agricoltura, 1.2433%
Comune di Rovereto, 0.7063%
11 Comunità di Valle (valley communities) in total, 4.8519%
1 Comprensorio, 0.3931%
170 other Comuni (municipalities), 2.3639%

Company Data (31/12/2011):

• Turnover: EUR 59 million

• Human Resources: 312

Page 5: 20120510 università


Mission

The company operates more and more as an “instrument of economic policy” for the development and the growth of the local economic system in the context of Information and Communication Technologies:

an internal instrument to modernize Trentino's Public Administration and to encourage development in the local socio-economic context, in compliance with provincial directives;

a collaborative partner for ICT companies, allowing the various actors to take part in the realization of the projects concerning the modernization and digitization of Trentino's Public Administration;

a driver for innovation, to promote innovation in Trentino's Public Administration while supporting the innovation role of public entities through innovative projects that have to be put in place working in synergy and cooperating with local ICT businesses, with the support of the advanced training and research institutes established in the region.

Page 6: 20120510 università


Services

Customer Service Desk

More than 181,000 contacts managed

Desktop/Fleet Management

about 12,500 workstations managed

Data Center

The company's Data Center runs 730 servers to support advanced management and web application solutions

Training department prepares tailored training programs

In 2011 the company provided 3,600 person-days of training activities with 1,500 participants

Services for the integration of systems and technologies – in 2011 equipped:

21 premises with advanced videoconferencing equipment

65 premises with unified cooperation and communication services

22 multimedia rooms

Page 7: 20120510 università

Definitions (from wikipedia)


Digital Identity: is a psychological identity that prevails in the domains of cyberspace, and is defined as a set of data that uniquely describes a person or a thing (sometimes referred to as subject or entity) and contains information about the subject's relationships to other entities.

(Digital) Identity Management (IdM) describes the management of individual identities, their authentication, authorization, and privileges/permissions within or across system and enterprise boundaries, with the goal of increasing security and productivity while decreasing cost, downtime, and repetitive tasks. "Identity Management" and "Access and Identity Management" (or AIM) are terms that are used interchangeably under the title of Identity management, while Identity management itself falls under the umbrella of IT Security.

Page 8: 20120510 università

A (Simplified) Definition of IAM

A set of processes and technologies to manage:

Users' digital identities

The relationship to civil identity

Users' access to systems and the information they contain

Page 9: 20120510 università

Identity Management Has Many Questions to Answer

Who are your users?

Who has access to what? (Why do they need it?)

Who approved that access?

Who reviewed that access?

Who did what?

How can you answer all these questions without IAM?

Page 10: 20120510 università

User provisioning

User Provisioning plays a key role in delivering the identity process in enterprises through a functional model of administration and auditing.

Identity Administration provides delegation and self-service capabilities for password, credential, resource access and role management.

Identity Audit & Reporting provides "who has access to what" and "who approved and reviewed what" reports for compliance and regulatory purposes.

[Diagram: User Provisioning at the centre, surrounded by Identities, Policies, Roles, Workflow, Resource Access Administration, Role Management, Access, Identity Monitor and Report. The identity lifecycle runs Create Identity, Change Identity, Retire Identity.]

Page 11: 20120510 università

Digital Identities and Zombies?

Page 12: 20120510 università

Zombie Accounts

Employees can accumulate an average of 15 to 20 user accounts over the course of employment.

It typically takes an enterprise three to five minutes to manually turn off each account upon termination.

Organizations faced with having to terminate hundreds of thousands, or even millions of accounts, may think that simply terminating an employee's network access is sufficient protection.

(Source: “Companies open to "Zombie attacks" following mass layoffs” by Dave Porter)

A Zombie Account, also known as an orphan account, is a former employee's account, a Digital Identity, that was not disabled and/or deleted after the employee left.
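One practical way to find the zombie accounts defined above is to reconcile a directory export against the HR roster: an enabled account whose owner has been terminated, whose contract has ended, or who is unknown to HR should not exist. The following is an added example, not code from the original slides or from Informatica Trentina's tooling; the CSV column layout, the fictitious identities, the 90-day inactivity threshold and the reference date are all assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports (assumed column layout, fictitious identities):
# a directory dump of accounts and the HR roster they must be reconciled with.
DIRECTORY_EXPORT = """\
account,owner_id,enabled,last_logon
jdoe,E1001,true,2012-05-02
mrossi,E1002,true,2012-01-15
svc_backup,,true,2012-05-01
abianchi,E1003,true,2012-05-03
lverdi,E2001,true,2012-03-30
tneri,E1004,false,2011-11-02
"""

HR_ROSTER = """\
person_id,status,termination_date
E1001,active,
E1002,active,
E1003,terminated,2012-04-20
E2001,contractor,2012-03-31
"""

AS_OF = date(2012, 5, 9)            # assumed reference date (day of the talk)
STALE_AFTER = timedelta(days=90)     # assumed inactivity threshold


def _parse_date(text):
    return date.fromisoformat(text) if text else None


def load_roster(roster_csv):
    """Map person_id -> (status, termination_date or None)."""
    rows = csv.DictReader(io.StringIO(roster_csv))
    return {r["person_id"]: (r["status"], _parse_date(r["termination_date"]))
            for r in rows}


def find_zombie_accounts(directory_csv, roster_csv, as_of):
    """Return sorted (account, reason) pairs for enabled accounts that should
    not be enabled.  Disabled accounts are skipped: by the slide's definition a
    zombie is an account that was *not* disabled or deleted."""
    roster = load_roster(roster_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(directory_csv)):
        if row["enabled"].strip().lower() != "true":
            continue
        owner = roster.get(row["owner_id"]) if row["owner_id"] else None
        if owner is None:
            # No accountable person: no HR event will ever trigger its deletion.
            findings.append((row["account"], "unknown_owner"))
            continue
        status, term = owner
        last_logon = _parse_date(row["last_logon"])
        if status == "terminated" and (term is None or term <= as_of):
            findings.append((row["account"], "terminated_owner"))
        elif status == "contractor" and term is not None and term < as_of:
            findings.append((row["account"], "expired_contract"))
        elif last_logon is None or as_of - last_logon > STALE_AFTER:
            # Owner still on the roster, but the account itself looks abandoned.
            findings.append((row["account"], "stale_logon"))
    return sorted(findings)


if __name__ == "__main__":
    for account, reason in find_zombie_accounts(DIRECTORY_EXPORT, HR_ROSTER, AS_OF):
        print(f"{account:12s} {reason}")
```

The terminated-owner and expired-contract findings are the zombies in the slide's sense. The stale-logon finding is a weaker signal worth a review rather than an automatic disable, and the unknown-owner case is the one an HR-driven revocation process cannot handle at all, because nobody will ever raise the deletion request.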

Page 13: 20120510 università

Security Threat

Page 14: 20120510 università

How we managed this challenge

1. Determined the categories of standard user

2. Identified the features of each category

3. Developed a process for each category

4. Established controls

5. Continuous process review

Page 15: 20120510 università

Informatica Trentina “Standard Users”

1. Employees
a. Managed entirely by HR
b. Standard authorization based on organizational chart
c. Termination date unknown
d. Trust relationship with the company

2. Outsourcer
a. Managed by different business roles
b. Authorization defined on contractual basis
c. Termination date known (contract)
d. Contract (no trust) with the company

3. Nomadic
a. Managed by any employee
b. Limited authorization (just Internet access)
c. Termination date known (just one business day)
d. Potentially no formal relationship

Page 16: 20120510 università

“Employees” – Assignment process

[Swimlane diagram. Lanes: HR, Employee Owner, Information Security Department, Company IDM System, Company Ticketing System, Operator.]

1. HR: Start – Prepare new DI (Digital Identity) request
2. Employee Owner: Check and approve request
3. Information Security Department: Check request – Compliant with policy? NO: send it back; YES: approve and assign role
4. Company IDM System: Records user's authorization
5. Company Ticketing System: Generates and sends tickets to operators
6. Operator: Configure new DI; Communicate DI to user – End

The diagram marks two internal control points.

Page 17: 20120510 università

“Employees” – Revocation process

[Swimlane diagram. Lanes: HR, Information Security Department, Company IDM System, Company Ticketing System, Operator.]

Trigger: employee leaves.

1. HR: Start – Prepare DI deletion request
2. Information Security Department: Check request
3. Company IDM System: List user's authorizations
4. Company Ticketing System: Generates and sends tickets to operators
5. Operator: Delete DI; Notify deletion – End

The diagram marks one internal control point.

Page 18: 20120510 università

“Outsourcer” - Assignment process

[Swimlane diagram. Lanes: Contract Owner, Information Security Department, Company IDM System, Company Ticketing System, Operator.]

1. Contract Owner: Start – Prepare new DI request; Set “end of contract” date
2. Information Security Department: Check request – Compliant with policy? NO: send it back; YES: approve
3. Company IDM System: Records user's authorization and termination date
4. Company Ticketing System: Generates and sends tickets to operators
5. Operator: Configure new DI; Communicate DI to user – End

The diagram marks one internal control point.

Page 19: 20120510 università

“Outsourcer” – Revocation process

[Swimlane diagram. Lanes: Contract Internal Referent, Company IDM System, Company Ticketing System, Operator.]

Trigger 1 (event) – Contract Internal Referent: employee leaves; Start – Prepare DI deletion request.

Trigger 2 (scheduled) – Company IDM System: Start – Check “end of contract” date – Expired contract? NO: no action; YES: proceed with deletion.

For either trigger:

1. Company IDM System: List user's authorizations
2. Company Ticketing System: Generates and sends tickets to operators
3. Operator: Delete DI; Notify deletion – End

The diagram marks one internal control point.

Page 20: 20120510 università

“Nomadic” users process

[Swimlane diagram. Lanes: Contract Owner, Information Security Department, Company IDM System, Company Ticketing System, Operator.]

Assignment:

1. Contract Owner: Start – Prepare new Internet access request
2. Information Security Department: Formal check and approval (marked as a formal internal control)
3. Company IDM System: Records termination date
4. Company Ticketing System: Generates and sends tickets to operators
5. Operator: Configure new DI; Communicate DI to user – End

Revocation (scheduled):

1. Company IDM System: Start – Check expiration date – Expired? NO: no action; YES: Disable access – End (internal control)
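The three user categories and the five process slides above describe one lifecycle: a policy check that sends non-compliant requests back, an IDM record holding the authorizations (and, for outsourcers and nomadic users, a termination date), tickets to operators, and a scheduled expiry check that closes the accounts whose end date is known while HR has to trigger the employee case. The model below is an added example and is not Informatica Trentina's IDM or ticketing system; the standard roles, the user and actor names, and the rule that a nomadic identity is valid only on the day it was requested are assumptions. Its audit list is also what answers the "who approved that access?" and "who did what?" questions from the earlier slide.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

EMPLOYEE, OUTSOURCER, NOMADIC = "employee", "outsourcer", "nomadic"

# Assumed standard roles derived from the organizational chart (employees).
STANDARD_ROLES = {"developer": {"email", "vpn", "git"}, "clerk": {"email", "erp"}}
NOMADIC_AUTHZ = {"internet"}          # nomadic users: Internet access only


class PolicyViolation(Exception):
    """Raised when a DI request is 'sent back' by the policy check."""


@dataclass
class DigitalIdentity:
    user: str
    category: str
    authorizations: set
    requested_by: str
    approved_by: str
    termination_date: Optional[date]  # None only for employees (date unknown)
    enabled: bool = True


class IdmSystem:
    def __init__(self):
        self.identities = {}
        self.tickets = []   # stands in for the company ticketing system
        self.audit = []     # "who approved that access?", "who did what?"

    def request_identity(self, user, category, requested_by, approved_by, today,
                         role=None, authorizations=None, end_of_contract=None):
        # Information Security Department lane: compliant with policy?
        if category == EMPLOYEE:
            if role not in STANDARD_ROLES or end_of_contract is not None:
                raise PolicyViolation("employee: role must come from the org chart, no end date")
            authz, term = set(STANDARD_ROLES[role]), None
        elif category == OUTSOURCER:
            if not authorizations or end_of_contract is None or end_of_contract <= today:
                raise PolicyViolation("outsourcer: contractual authorizations and a future end-of-contract date required")
            authz, term = set(authorizations), end_of_contract
        elif category == NOMADIC:
            if authorizations is not None and not set(authorizations) <= NOMADIC_AUTHZ:
                raise PolicyViolation("nomadic: Internet access only")
            authz, term = set(NOMADIC_AUTHZ), today   # valid for one business day (assumed: the request day)
        else:
            raise PolicyViolation(f"unknown category {category!r}")
        di = DigitalIdentity(user, category, authz, requested_by, approved_by, term)
        self.identities[user] = di                     # IDM records authorization (+ termination date)
        for a in sorted(authz):                        # ticketing system -> operators
            self.tickets.append(("configure", user, a))
        self.audit.append((today, approved_by, "approved", user, tuple(sorted(authz))))
        return di

    def revoke(self, user, today, actor, action="delete"):
        di = self.identities[user]
        for a in sorted(di.authorizations):            # "List user's authorizations" -> one ticket each
            self.tickets.append((action, user, a))
        di.enabled = False
        self.audit.append((today, actor, action, user, tuple(sorted(di.authorizations))))

    def expiry_check(self, today):
        """Scheduled IDM check: outsourcer DIs past end of contract are deleted,
        nomadic DIs past their day are disabled; employees have no date to check."""
        acted = []
        for di in self.identities.values():
            if di.enabled and di.termination_date is not None and today > di.termination_date:
                self.revoke(di.user, today, actor="idm-scheduler",
                            action="delete" if di.category == OUTSOURCER else "disable")
                acted.append(di.user)
        return sorted(acted)

    def hr_leave(self, user, today):
        """Employee revocation: the termination date is unknown, so HR triggers it."""
        self.revoke(user, today, actor="hr")


def run_scenario():
    """Walk the three categories through assignment, policy rejection and revocation."""
    idm = IdmSystem()
    d = date(2012, 5, 9)
    idm.request_identity("jdoe", EMPLOYEE, "hr", "line-manager", d, role="developer")
    idm.request_identity("lverdi", OUTSOURCER, "contract-owner", "infosec", d,
                         authorizations={"vpn", "erp"}, end_of_contract=date(2012, 5, 31))
    idm.request_identity("visitor1", NOMADIC, "any-employee", "infosec", d)
    rejected = []
    try:  # an outsourcer request without an end-of-contract date is sent back
        idm.request_identity("ghost", OUTSOURCER, "contract-owner", "infosec", d, authorizations={"vpn"})
    except PolicyViolation as exc:
        rejected.append(str(exc))
    expired_may10 = idm.expiry_check(date(2012, 5, 10))   # nomadic day is over
    expired_jun1 = idm.expiry_check(date(2012, 6, 1))     # contract has ended
    idm.hr_leave("jdoe", date(2012, 6, 15))                # HR-driven employee revocation
    return {
        "rejected": len(rejected),
        "expired_may10": expired_may10,
        "expired_jun1": expired_jun1,
        "enabled": sorted(u for u, di in idm.identities.items() if di.enabled),
        "delete_tickets": sorted(t for t in idm.tickets if t[0] == "delete"),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point the model makes explicit is the asymmetry of the slides: for outsourcers and nomadic users the termination date is written into the IDM record at assignment time, so the scheduler alone prevents zombies; for employees nothing expires on its own, so the whole defence is the HR-to-IDM leave event and the internal control on it.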

Page 21: 20120510 università

Informatica Trentina Spa, Via G. Gilli, 2 - 38121 Trento

www.infotn.it

Vrae? (Afrikaans)
Questions? (English)
¿Preguntas? (Spanish)
Domande? (Italian)
Вопросы? (Russian)
Ερωτήσεις; (Greek)
tupoQghachmey? (Klingon)
質問? (Japanese)
(Arabic)
問題呢? (Chinese)
(Hebrew)
Questions? (French)
Fragen? (German)
(Hindi)
Quaestio? (Latin)