How to Apply Identity Concepts to the Business
P. Dingle, Ping Identity, CIS 2013
Jun 20, 2015
Copyright ©2013 Ping Identity Corporation. All rights reserved.
Hammers are Fun – but what’s the Construction Project?
The NAILS of Business: RISK and ENABLEMENT
Risks must be identified and mitigated
http://www.flickr.com/photos/nicolopaternoster/3933549608
When risk is understood and measured, it does not have to hold you back
http://www.flickr.com/photos/boogieswithfish/5173834794/
DIY: Explaining & Measuring Identity & Access Risk
• How does the business run today?
  – Where are the inefficiencies?
  – Where is the danger?
• How can the risk be mitigated?
• What can success enable?
• What are common solution architectures?
• How do you know when you’re done?
http://www.flickr.com/photos/hadesigns/3223831119
Basic Challenges: Application Isolation
• Every application is written to run as an island
  – User Account Store
  – Login Page
  – Password Recovery Mechanism
  – Administration Console
http://www.flickr.com/photos/sussetuss77/8582289800
Risks of Application Silos
• Management Inefficiency becomes Security Risk
  – 1000 Applications require 1000 Administrators to get the memo about Fred changing roles
    • How long does it take to change Fred’s access?
    • How many applications are missed or never know?
• Data Divergence
  – How many admins update Janice’s surname when she gets married?
    • How many help desk calls does she have to make?
    • What if the data that is obsolete is her job role?
    • What happens if the corporate username standard is first-initial-last-name?
• Disgruntled Employees are a serious risk
  – When Fred gets fired, can you protect your assets?
    • Cloud assets are at greatest risk
    • Inefficient administrative process can cost millions
Basic Challenges: Inconsistent Policy & Interaction
• Every application has a different security regime
  – Separately emulating policies around passwords, data retention, roles, and minimal disclosure in a thousand applications is a non-starter
• Lifetime Employee Problem
  – How many incorrect permissions does an employee have if he’s performed multiple jobs at the company?
• How can you expect staff to consistently adhere to policy if you can’t consistently apply it?
http://www.flickr.com/photos/kaiban/4351734363
Risk: Inadvertent Breach of Security Policies
• Users who can bypass policy could:
  – Be phished
  – Practice poor security hygiene
  – Breach separation of duty rules
  – Access unapproved applications
  – Get really ticked off because they never understand how to comply
• Businesses who can’t judge policy:
  – Can’t see what is happening
  – Must blindly trust that execution matches expectation
  – Cannot prove anything
Challenges: Cloud Applications
• Shadow IT
  – The cost boundary for software has been compromised
  – Monthly subscriptions can fly under the wire
  – IT may never know that applications are in use
• Orphaned Accounts
  – Admin gets fired
  – Group stops using tool
• Password Abuse
  – Cloud app hacked
  – Corporate creds stolen
http://www.flickr.com/photos/pinksherbet/179279964
Risks: Cloud Applications
• Loss of Visibility
  – IT no longer knows what apps are in use
• Loss of Control
  – User may start in the cloud and end in the cloud
  – Relationship is between cloud application and user
  – Business doesn’t control policy, session, or logs
Challenges: Mobile
• Hardware you might not own or control
• Personal data and Private data colocated
• Much easier object to steal or lose
• Difficulty in typing credentials on tiny keyboards
• Huge expanding set of connections
  – Multiple applications on thousands of devices
• APIs may represent all new application silos
• Developers may want to do their own thing
• You can’t get web working and forget about services
http://www.flickr.com/photos/32245753@N07/3333572689
An Answer: 42 Identity/Access Management
• Industry best practice in Enterprise has been to build a set of services to abstract the management of identities and coarse grained access away from applications
  – Central infrastructure, managed by IT
  – One (or very few) single source(s) of truth for User Presence in the organization
  – One place to set and enforce policies
• Result: INTERCONNECTIVITY
  – Apps need to trust infrastructure
  – Vendors/developers need to help
http://www.flickr.com/photos/23881436@N05/2853260749
Common Solutions to Identity and Access Risk?
• [meta]Directories
• Provisioning Solutions
  – Automation of account lifecycle
• Web Access Management Solutions
• Federation Solutions
• SIEM, multifactor
• Workflow
The Question: Integration
Answer: Standards!
Options for Identity Architects
• Backend Synchronization
  – Push identity data directly into databases
  – Great inside the Enterprise, impossible in the clouds
• Proprietary Protection schemes
• Standards-based interaction
  – Use standardized interfaces to pass data in auditable ways
    • APIs
    • Protocols
Good Business: Interfederation not Refederation
• Sometimes it’s better to link constellations of apps instead of directly connecting to apps
  – Often you find groups of apps that already have SSO enabled
Signs of Success – AKA proving ROI
• Users know what to expect
  – Consistent ceremony
• Lifecycle can be explained by your superiors
• App access on Day One
• Zero day de-provisioning
• Lifetime employees lose access when they change jobs
• Execs comfortable attesting
• The D can be BYO’d
http://www.flickr.com/photos/geckoam/2723280142
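As an added example (not from the deck and not Ping Identity code): a reconciliation check that measures the silo risks from the "Risks of Application Silos" slide (orphaned accounts, divergent data, stale role permissions) against the success criteria above (day-one access, zero-day de-provisioning, job changers losing access). The HR feed, application exports and the role-to-entitlement policy table are all constructed assumptions.

```python
# Reconcile an authoritative source of truth (an HR feed) against exports
# from isolated application silos and report the identity risks outstanding.
from collections import namedtuple

Person = namedtuple("Person", "uid surname role active")
Account = namedtuple("Account", "app uid surname entitlement")

# Assumed policy: the entitlement each job role should hold per app. No entry
# means that role should have no account in that app at all.
POLICY = {("crm", "sales"): "rep", ("crm", "sales-manager"): "manager",
          ("payroll", "finance"): "auditor", ("wiki", "sales"): "editor",
          ("wiki", "sales-manager"): "editor", ("wiki", "finance"): "editor"}

def reconcile(people, accounts):
    """Return findings keyed by risk type, each a list of (app, uid, ...) tuples."""
    by_uid = {p.uid: p for p in people}
    present = {(a.app, a.uid) for a in accounts}
    f = {"orphaned": [], "divergent": [], "stale_role": [], "missing_day_one": []}
    for a in accounts:
        p = by_uid.get(a.uid)
        if p is None or not p.active:          # Fred was fired, the account lives on
            f["orphaned"].append((a.app, a.uid))
            continue
        if a.surname != p.surname:             # Janice's new surname never propagated
            f["divergent"].append((a.app, a.uid))
        expected = POLICY.get((a.app, p.role))
        if expected != a.entitlement:          # lifetime employee keeps old-job rights
            f["stale_role"].append((a.app, a.uid, a.entitlement, expected))
    for p in people:                           # day-one access: entitled but no account
        for app, role in POLICY:
            if p.active and role == p.role and (app, p.uid) not in present:
                f["missing_day_one"].append((app, p.uid))
    return f

# Constructed sample data: one HR feed, exports from three application silos.
PEOPLE = [Person("fsmith", "Smith", "sales-manager", True),   # promoted from sales
          Person("jdoe", "Doe-Lee", "finance", True),         # surname changed
          Person("bjones", "Jones", "sales", False),          # terminated
          Person("anew", "New", "sales", True)]               # started today
ACCOUNTS = [Account("crm", "fsmith", "Smith", "rep"),         # old-role entitlement
            Account("wiki", "fsmith", "Smith", "editor"),
            Account("payroll", "jdoe", "Doe", "auditor"),     # stale surname
            Account("wiki", "jdoe", "Doe-Lee", "editor"),
            Account("crm", "bjones", "Jones", "rep"),         # orphan
            Account("wiki", "bjones", "Jones", "editor"),     # orphan
            Account("crm", "anew", "New", "rep"),             # wiki account never created
            Account("payroll", "ghost", "Ghost", "auditor")]  # no HR record at all

def risk_counts(people=PEOPLE, accounts=ACCOUNTS):
    """Headline numbers for the ROI conversation: how much silo risk is outstanding."""
    return {k: len(v) for k, v in reconcile(people, accounts).items()}
```

Running the same check after each provisioning cycle and watching every count trend to zero is one concrete way to answer "how do you know when you're done?".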
Thank You!
• Pamela Dingle: @pamelarosiedee – http://eternallyoptimistic.com
• Nishant Kaushik: @NishantK – http://blog.talkingidentity.com
• Dale Olds: @daleolds – http://virtualsoul.org