veriphyr bright talk 20120523


Upload: providence-health-services

Post on 13-Jul-2015


TRANSCRIPT

Page 1: Veriphyr bright talk 20120523

VERIPHYR PROPRIETARY

Alan Norquist, CEO & Founder, Veriphyr, Inc.

Chase Away Cloud Challenges: User Access Governance & Compliance

Page 2: Veriphyr bright talk 20120523

Goals of User Access Governance & Compliance

- User System Access = User’s Responsibilities. Bank: “Access to everything and nobody knows it”
- User Activity Access = User’s Responsibilities. Finance: “Can’t both approve PO and approve payment”
- User Data Access = User’s Responsibilities. Healthcare: only view patients under one’s care

VERIPHYR PROPRIETARY, May 27, 2012

Page 3: Veriphyr bright talk 20120523

Requirement Across Industries


- Healthcare (HIPAA): “access … must be restricted to those who have been granted access rights”
- Banking (FFIEC): “employee’s levels of online access … match current job responsibilities”
- Brokerage (FINRA): “employee’s access … limited strictly to … employee’s function”
- Utilities (NERC): “access permissions are consistent with … work functions performed”
- Retail (PCI): “Limit access to … only individuals whose job requires such access”
- Public Companies (SOX - COBIT): “user access rights … in line with … business needs”

Page 4: Veriphyr bright talk 20120523

What is the Effect of the Cloud?

- Reduced Cost from Resource Pooling: rapid implementation and elasticity
- Ubiquitous Broad Network Access: accessible from outside your organization perimeter; accessible from a variety of devices
- Shift in Ownership and Control: resource layers controlled by multiple independent providers
- Multi-Tenancy (Resource Pooling): resources shared across multiple independent consumers
- Split in User Access Management: data center vs. cloud

VERIPHYR PROPRIETARY 4May 27, 2012

Page 5: Veriphyr bright talk 20120523

Cloud Models – Build vs. Contract


[Figure: cloud service stack, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS); each layer is labelled either “Build it in” or “RFP or Contract It In”. Source: Cloud Security Alliance 2011]

“The lower down the stack the Cloud provider stops, the more security the consumer is tactically responsible for implementing and managing” – CSA Guidance v3.0

Page 6: Veriphyr bright talk 20120523

User Access Governance and Compliance

Build or Contract What?
1. Identity Stores
2. Logging (Both Access and Activity)
3. Key Data Entities (customers, patients, partners, etc.)

Critical Issues
- Interfaces: Insufficient – user interface. Required – standards-based APIs.
- Capabilities: detailed logs showing access to sensitive transactions and data (patient, customer, etc.)
- Ability to Extract Data: Insufficient – reports showing a single identity’s activity over 2 weeks. Required – formatted file of all identities and all activity for all time.


Page 7: Veriphyr bright talk 20120523

[Figure: one Cloud Consumer connected to several Cloud Providers]

Cloud Providers’ Native Identity Mgmt?

Manage Each Cloud Separately?

Page 8: Veriphyr bright talk 20120523

IAM as a Service

Centralized federated identity across cloud vendors. Build in or contract requirements for support of standards like SAML, OpenID and OAuth.

[Figure: Cloud Consumer connected to several Cloud Providers through IAM as a Service]

Page 9: Veriphyr bright talk 20120523

Cloud Provider Compliance Reports?

Cloud facilitates departments’ use of “best of breed”. Need to integrate compliance reporting across many separate cloud vendors.

[Figure: Cloud Consumer receiving compliance reports from several separate Cloud Providers]

Page 10: Veriphyr bright talk 20120523

Identity and Access Intelligence (IAI)

“Joining together data in identity and access management (IAM) systems and security logs with other data could be massively valuable to both IT and the business.” – James Richardson, Gartner

Build or contract in the ability for bulk export of identity store info, logs (both access and activity), and key data (customers, patients, partners, etc.).

[Figure: several Cloud Providers feeding Identity and Access Intelligence, which reports to the Cloud Consumer]

Page 11: Veriphyr bright talk 20120523

Identity and Access Intelligence (IAI)

“Access reports of users and applications are requirements in information security and IT governance, risk and compliance management programs, and Identity and Access Intelligence is needed to address those requirements.” – Gartner

Identifies policy violations (identity, rights, activity & data). Determines if policy violations have been exploited.

Different from SIEM: SIEM is focused on packets and IP addresses; IAI is focused on people and data.

Works across Cloud Providers: audit (access and activity) logs from all cloud applications; identity stores from all IAM as a Service vendors; patient, customer and partner data from applications such as HR.


Page 12: Veriphyr bright talk 20120523

Revealing - User Access ≠ User’s Responsibilities

[Figure: User Access Activity Across Resources; axes: Identity, Resources]

Page 13: Veriphyr bright talk 20120523

Revealing - User Access ≠ User’s Responsibilities

[Figure: IAI Analytics Reveal Inappropriate Access; axes: Identity, Resources]
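As an added illustration (the editor's own sketch, not Veriphyr's code or product) of the IAI checks described on pages 2, 11 and 13: join a constructed identity store, entitlement export, activity log and care-team data, flag where access does not match responsibilities, and record whether an excess right was actually exploited. The role policy and every record below are constructed sample data.

```python
from collections import defaultdict

# Constructed identity store: user -> job role (assumption: one role per user).
IDENTITIES = {"alice": "nurse", "bob": "ap_clerk", "carol": "nurse"}
# Constructed role policy: the rights each role is responsible for.
ROLE_RIGHTS = {"nurse": {"view_patient"}, "ap_clerk": {"approve_po"}}
# Constructed entitlement export from the cloud apps: user -> granted rights.
RIGHTS = {
    "alice": {"view_patient", "approve_po"},
    "bob": {"approve_po", "approve_payment"},
    "carol": {"view_patient", "approve_payment"},
}
# Constructed key data entity: patient -> users on that patient's care team.
CARE_TEAM = {"P1": {"alice"}, "P2": {"carol"}}
# Constructed bulk activity log: (user, action, object).
ACTIVITY = [
    ("alice", "view_patient", "P1"),
    ("alice", "view_patient", "P2"),      # alice is not on P2's care team
    ("alice", "approve_po", "PO-8"),      # excess right that was actually used
    ("bob", "approve_po", "PO-7"),
    ("bob", "approve_payment", "PO-7"),   # same clerk approved PO and payment
]


def find_violations(identities, role_rights, rights, care_team, activity):
    """Return sorted (user, kind, detail, exploited) tuples."""
    used = defaultdict(set)                 # user -> rights seen in the log
    seen = defaultdict(set)                 # (user, object) -> actions
    for user, action, obj in activity:
        used[user].add(action)
        seen[(user, obj)].add(action)
    out = []
    # 1. Rights beyond the role; "exploited" if the log shows the right used.
    for user, role in identities.items():
        for r in sorted(rights.get(user, set()) - role_rights.get(role, set())):
            out.append((user, "excess_right", r, r in used[user]))
    # 2. Segregation of duties: one user approved both PO and payment.
    for (user, obj), actions in seen.items():
        if {"approve_po", "approve_payment"} <= actions:
            out.append((user, "sod_po_payment", obj, True))
    # 3. Data access: a patient viewed by someone not on the care team.
    for user, action, obj in activity:
        if action == "view_patient" and user not in care_team.get(obj, set()):
            out.append((user, "patient_not_in_care", obj, True))
    return sorted(out)


if __name__ == "__main__":
    for v in find_violations(IDENTITIES, ROLE_RIGHTS, RIGHTS, CARE_TEAM, ACTIVITY):
        print(v)
```

The distinction between a granted-but-unused excess right (carol) and an exploited one (alice, bob) is what separates a hygiene finding from an incident to investigate.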

Page 14: Veriphyr bright talk 20120523

Summary

Goal of Access Governance and Compliance: User Access = User’s Responsibility

Cloud Changes Underlying Architecture

Need to “Build or Contract In”: standards for IAM as a Service; data sources for Identity and Access Intelligence (IAI)

For more information contact me: [email protected] # 650.384.0560


Page 15: Veriphyr bright talk 20120523

For more information

Whitepaper on IAM as a Service

https://cloudsecurityalliance.org/research/

Whitepaper on Identity and Access Intelligence

http://bit.ly/IAI-whitepaper

Alan Norquist, CEO, [email protected] # 650.384.0560