veriphyr bright talk 20120523
TRANSCRIPT
VERIPHYR PROPRIETARY
Alan Norquist, CEO & Founder, Veriphyr, Inc.
Chase Away Cloud Challenges: User Access Governance & Compliance
Goals of User Access Governance & Compliance
User System Access = User’s Responsibilities (Bank: “Access to everything and nobody knows it”)
User Activity Access = User’s Responsibilities (Finance: “Can’t both approve PO and approve payment”)
User Data Access = User’s Responsibilities (Healthcare: only view patients under one’s care)
May 27, 2012
Requirement Across Industries
Healthcare (HIPAA): “access … must be restricted to those who have been granted access rights”
Banking (FFIEC): “employee’s levels of online access … match current job responsibilities”
Brokerage (FINRA): “employee’s access … limited strictly to … employee’s function”
Utilities (NERC): “access permissions are consistent with … work functions performed”
Retail (PCI): “Limit access to … only individuals whose job requires such access”
Public Companies (SOX - COBIT): “user access rights … in line with … business needs”
What is the Effect of the Cloud?
Reduced Cost from Resource Pooling
  Rapid Implementation and Elasticity
Ubiquitous Broad Network Access
  Accessible from outside your organization perimeter
  Accessible from a variety of devices
Shift in Ownership and Control
  Resource layers controlled by multiple independent providers
Multi-Tenancy (Resource Pooling)
  Resources shared across multiple independent consumers
Split in User Access Management
  Data center vs. cloud
Cloud Models – Build vs. Contract
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)
Source: Cloud Security Alliance 2011
“The lower down the stack the Cloud provider stops, the more security the consumer is tactically responsible for implementing and managing” – CSA Guidance v3.0
[Diagram: for each layer of the IaaS/PaaS/SaaS stack, the consumer either “RFP or Contract It In” or “Build It In”]
User Access Governance and Compliance
Build or Contract What?
1. Identity Stores
2. Logging (Both Access and Activity)
3. Key Data Entities (customers, patients, partners, etc.)
Critical Issues
Interfaces: Insufficient - User interface. Required – Standards-based APIs
Capabilities: Detailed logs showing access to sensitive transactions and data (patient, customer, etc.)
Ability to Extract Data: Insufficient - Reports showing a single identity’s activity over 2 weeks. Required – Formatted file of all identities and all activity for all time
Cloud Providers’ Native Identity Mgmt?
Manage Each Cloud Separately?
[Diagram: one Cloud Consumer connected separately to several Cloud Providers]
IAM as a Service
Centralized federated identity across cloud vendors
Build in or contract requirements for support of standards like SAML, OpenID and OAuth
[Diagram: the Cloud Consumer reaches several Cloud Providers through a single IAM as a Service layer]
Cloud Provider Compliance Reports?
Cloud facilitates departments’ use of “best of breed”
Need to integrate compliance reporting across many separate cloud vendors
[Diagram: the Cloud Consumer must collect compliance reports from each of several Cloud Providers]
Identity and Access Intelligence (IAI)
"Joining together data in identity and access management (IAM) systems and security logs with other data could be massively valuable to both IT and the business." - James Richardson, Gartner
Build or contract in the ability for bulk export of identity store info, logs (both access and activity), and key data (customers, patients, partners, etc.).
[Diagram: bulk exports from several Cloud Providers feed an Identity and Access Intelligence layer at the Cloud Consumer]
Identity and Access Intelligence (IAI)
“Access reports of users and applications are requirements in information security and IT governance, risk and compliance management programs, and Identity and Access Intelligence is needed to address those requirements.” – Gartner
Identifies policy violations across identity, rights, activity & data
Determines if policy violations have been exploited
Different from SIEM: SIEM is focused on packets and IP addresses; IAI is focused on people and data
Works across Cloud Providers
  Audit (access and activity) logs from all cloud applications
  Identity stores from all IAM as a Service vendors
  Patient, customer, partner data from applications such as HR
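As an added illustration of the IAI join described on this slide (example code, not Veriphyr’s product logic), the Python below joins a constructed identity store, provisioned rights, a bulk-exported activity log and a care-team table, flags the three kinds of violation the deck names (access not matching responsibilities, the PO/payment separation-of-duties conflict, and patient data viewed outside one’s care), and records whether each violation was actually exploited. Every user, role, right and record below is a constructed sample value.

```python
"""Identity and Access Intelligence (IAI) join over bulk-exported cloud data.
Added example with constructed sample data only: identity store + provisioned
rights + activity log + key data entity -> violations, flagged if exploited."""
from collections import defaultdict

# Constructed identity store: each user's role, i.e. their responsibilities.
IDENTITIES = {"alice": "nurse", "bob": "ap_clerk", "carol": "nurse"}
# Constructed policy: the rights each role's responsibilities justify.
ROLE_RIGHTS = {"nurse": {"view_patient"}, "ap_clerk": {"approve_po"}}
# Constructed rights actually provisioned in the cloud applications.
GRANTED = {
    "alice": {"view_patient"},
    "bob": {"approve_po", "approve_payment"},     # SoD conflict: PO + payment
    "carol": {"view_patient", "approve_payment"},  # right unrelated to nursing
}
# Constructed key data entity: patients under each nurse's care.
CARE_TEAM = {"alice": {"P1", "P2"}, "carol": {"P3"}}
# Constructed bulk-exported activity log: (user, action, object).
ACTIVITY = [
    ("alice", "view_patient", "P1"),
    ("alice", "view_patient", "P9"),      # patient not under alice's care
    ("bob", "approve_po", "PO-1"),
    ("bob", "approve_payment", "PO-1"),   # both sides of the same PO
    ("carol", "view_patient", "P3"),
]
SOD_PAIR = {"approve_po", "approve_payment"}

def find_violations():
    """Return {(user, rule, detail): exploited} for every policy violation."""
    used = defaultdict(set)            # actions each user actually performed
    for user, action, _obj in ACTIVITY:
        used[user].add(action)
    found = {}
    # Rule 1 (access != responsibilities): rights the role does not justify;
    # exploited if the activity log shows the right was actually used.
    for user, role in IDENTITIES.items():
        for right in GRANTED.get(user, set()) - ROLE_RIGHTS[role]:
            found[(user, "excess_right", right)] = right in used[user]
    # Rule 2 (separation of duties): nobody may approve both PO and payment;
    # exploited if both actions appear in the log for the same user.
    for user, rights in GRANTED.items():
        if SOD_PAIR <= rights:
            found[(user, "sod_po_payment", "")] = SOD_PAIR <= used[user]
    # Rule 3 (data access): a patient viewed by a user not on that care team.
    # The view itself is the exploitation, so it is always marked True.
    for user, action, obj in ACTIVITY:
        if action == "view_patient" and obj not in CARE_TEAM.get(user, set()):
            found[(user, "patient_not_in_care", obj)] = True
    return found
```

On the sample data, find_violations() returns four violations, of which carol’s unused approve_payment right is the only one not exploited; the same three rules apply unchanged to a real export once the four inputs are populated from the provider’s bulk files.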
Revealing - User Access ≠ User’s Responsibilities
[Chart: User Access Activity Across Resources; axes Identity vs. Resources]
Revealing - User Access ≠ User’s Responsibilities
[Chart: IAI Analytics Reveal Inappropriate Access; axes Identity vs. Resources]
Summary
Goal of Access Governance and Compliance: User Access = User’s Responsibility
Cloud Changes Underlying Architecture
Need to “Build or Contract In”
  Standards for IAM as a Service
  Data Sources for Identity and Access Intelligence (IAI)
For more information contact me [email protected] # 650.384.0560
For more information
Whitepaper on IAM as a Service
https://cloudsecurityalliance.org/research/
Whitepaper on Identity and Access Intelligence
http://bit.ly/IAI-whitepaper
Alan Norquist, CEO, [email protected] # 650.384.0560