#mfsummit2016 secure: introduction to identity, access and security

Introduction to Identity, Access & Security David Mount | Director IAS Solutions Consulting | 24 February 2016

Upload: micro-focus

Post on 15-Apr-2017


TRANSCRIPT


Landscape is becoming more complex

Cloud, Mobile, BYOD, Social

Walking the Risk Tightrope

Mobile: Is our use of mobile devices secure?

Service Delivery: Are we doing enough to ensure availability and data security?

Network: Are we ensuring the security of the network?

Third Party Risk: Are we doing enough to manage partner, contractor, and customer access?

IoT: How do we securely take advantage of IoT?

Data Breach: Are we doing enough to control access to sensitive information? Do we understand our threat landscape?

Compliance: Are we complying with all applicable mandates? How do we reduce the cost of compliance?

Balancing Act

Organisations face a fundamental problem they must overcome. It is the balancing of two directly divergent needs:

- Provide access to everything

- Restrict access to the minimum necessary

Primed for Failure

Too Open: Data breach occurs

Too Restricted: IT is marginalised and ignored

A Fundamental Problem

There are too many users, with too much access

Understanding Identity & Relationships

Identity & relationships of users, things, services, etc.

Who / What has access

• Employees

• Contractors

• Partners and suppliers

• Customers

• Services

• “Things”

• etc

How do we respond?

Identity Powered Security

Minimise Rights

Enforce Access Controls

Monitor User Activity

Manage Rights

Managed rights across employee lifecycle

Minimise the number of privileged users

Minimise the rights users are granted

Enforce access controls regardless of access point

Use common controls across enterprise and cloud apps

Leverage adaptive, multifactor authentication

Enforce Access Controls

Source: “Privileged User Abuse & The Insider Threat”, Ponemon Institute Research Report 5/2014

Monitor User Activity

How are users leveraging the rights granted?

Is activity outside defined controls/policies?

Is activity associated with a known person or service?

How does Micro Focus help… now & in the future

[Diagram: Secure Governed Access. Axis labels: "What is being accessed" and "Different types of identity". Labels: Cloud/SAAS; Privileged; Legacy; IoT Data; “Things”; Social; Internal Mobile; External]


Activity Monitoring & Analytics

Identity Governance & Administration

Privilege Management

Adaptive Risk-based Access

Identity Governance & Administration

Enforcing the Least-Privilege Principle

• Self-service access request/review for SaaS and enterprise apps

• Anomaly-based and risk-prioritised “adaptive certifications”

• Closed-loop, automated remediation of entitlement creep

• Data governance – certify access to data, not just apps

• Privilege management – ensure privileges are not misused


Access Management & Authentication

Enforcing the Least-Privilege Principle

• Invisible end user experience providing access across cloud, enterprise, and hybrid applications and resources

• Adaptive, risk-based access makes authentication as convenient as possible for users

• Step-up privileged access when risk indicates a need

• Tie multi-factor authentication to step-up authentication to further reduce risk of outsider credential abuse


Activity Monitoring & Analytics

Identifying Risks and Threats, Enabling Decisions

• Real-time user and entity activity monitoring and response

• Policy-based change monitoring including file integrity monitoring

• Access metrics: know what users are doing with their access

• Identify “things” on the network through integration with Cisco ISE for IoT security

[Diagram: Secure Governed Access, with the same labels as the earlier diagram and the added label: Identity Analytics]