Presentations Access Control for IT Assets NEO Chapter November 2012

Jul 06, 2018

Transcript
8/16/2019 Presentations Access Control for IT Assets NEO Chapter November 2012

1/33

ACCESS CONTROL FOR IT ASSETS

Mike Thomas

Erie Insurance

2/33

CONTENTS

Identity Management
Foundations and basics
What needs to be protected
IT Risk perspective

3/33

WHAT’S ACCESS CONTROL?

Well, it’s pretty obvious… But the more important IT becomes… as we continue to put our most trusted assets into an IT context… as we rely more and more on IT to do critical work and services for us… as the RISK of loss or interruption of our IT assets becomes more critical… Access Control is part of the foundation of a viable IT infrastructure. Without it you might lose your time, money, and identity.

4/33

ACCESS CONTROL BASIC COMPONENTS

Asset Target – Data or Application
User – Person or System Object
Policy – Sets ‘Need to Know’ Principle
Reference Monitor –
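The four components above, as an added example that is not part of the presentation: a small reference monitor that mediates every request from a User to an Asset Target against a ‘need to know’ Policy and records each decision. All names, roles, clearance levels and assets are constructed for illustration.

```python
# Added example, not from the presentation: a minimal reference monitor that
# mediates every request from a User (person or system object) to an Asset
# Target (data or application) against a 'need to know' Policy.
# All names, roles, clearances and assets are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]         # job functions the identity holds
    clearance: int                # 0 = public ... 3 = restricted

@dataclass(frozen=True)
class Asset:
    name: str
    classification: int           # same scale as clearance
    need_to_know: FrozenSet[str]  # roles with a business need for this asset

@dataclass
class Policy:
    # role -> actions that role may perform on assets it has a need to know for
    grants: Dict[str, FrozenSet[str]]

AuditEntry = Tuple[str, str, str, bool, str]  # user, action, asset, allowed, why
class ReferenceMonitor:
    """Complete mediation: every access request passes through check()."""
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.audit: List[AuditEntry] = []  # a real system writes this to a tamper-evident log

    def check(self, user: User, action: str, asset: Asset) -> bool:
        allowed, reason = self._decide(user, action, asset)
        self.audit.append((user.name, action, asset.name, allowed, reason))
        return allowed

    def _decide(self, user: User, action: str, asset: Asset) -> Tuple[bool, str]:
        if not (user.roles & asset.need_to_know):       # need to know comes first
            return False, "no need to know"
        if user.clearance < asset.classification:       # then data sensitivity
            return False, "insufficient clearance"
        for role in user.roles:                         # then an explicit grant
            if action in self.policy.grants.get(role, frozenset()):
                return True, f"granted via role {role}"
        return False, "action not granted"              # default deny

def demo() -> List[AuditEntry]:
    policy = Policy(grants={"claims_adjuster": frozenset({"read", "update"}),
                            "auditor": frozenset({"read"})})
    claims_db = Asset("claims_db", 2, frozenset({"claims_adjuster", "auditor"}))
    monitor = ReferenceMonitor(policy)
    monitor.check(User("alice", frozenset({"claims_adjuster"}), 2), "update", claims_db)
    monitor.check(User("bob", frozenset({"auditor"}), 2), "update", claims_db)
    monitor.check(User("carol", frozenset({"marketing"}), 3), "read", claims_db)
    return monitor.audit
```

Note that carol is refused despite the highest clearance: without a need to know, clearance alone grants nothing, which is the point of the policy component.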

5/33

DETERMINE WHAT NEEDS TO BE PROTECTED

An Inventory of IT Assets would be a good place to start
ITIL based inventories are very good if you have them
I like to break them down using Westerman’s Risk Pyramid:
Business Requirements
Applications
Data
Infrastructure

6/33

THE IT RISK PYRAMID (WESTERMAN HUNTER MIT 2007)

(Diagram slide: the pyramid layers are those listed on the previous slide, Business Requirements, Applications, Data and Infrastructure.)

7/33

BUSINESS STRATEGY (AGILITY)

This is where Policies, Standards, and Guidelines come from
Laws and Regulations, Public and Private – GLBA, SOX, PCI
Access controls have to ‘Fit’ what the organization wants and support its mission

8/33

APPLICATIONS

Business and organization processes – programs that sell something, manufacture something, offer a service, do something useful
The really important programs that don’t monitor or manage processes deal with making and managing data.
Programs often reflect the mission, activities, and major purposes of an organization.
People need programs to get things done
Programs need to be secured

9/33

DATA

Data is the second biggest problem for security professionals today. Complexity is the biggest.
Electronic Data is growing faster than any other aspect of the IT Universe. We are making data at a ridiculous pace.
It needs to be managed and secured.
People need access to data, usually through programs and applications
‘Need to Know’ is more important than ever.
Data should be able to stand on its own regardless of what application needs or uses it (James Martin)
In the Pyramid context, Data should be a prerequisite to the application.

10/33

INFRASTRUCTURE

Infrastructure is at the bottom of the Pyramid
All other things run on it
If it is not done well, or not secured and controlled properly, things will not go well
Poor implementation at the infrastructure level will ripple through all other layers
Access Control applies to infrastructure targets as well

11/33

THE HUMAN TARGETS

At the end of the day the majority of the access control purpose is focused on people.
People make and use data to do their work.
This is the hardest part of access controls

12/33

IT RISK

13/33

THE 4A FRAMEWORK FOR MANAGING IT RISK

Availability – Keep the systems running and recover from interruptions.
Access – Ensure appropriate access to data and systems so the right people have the access they need and the wrong people don’t.
Accuracy – Provide correct, timely, and complete information.
Agility – The capability to change with managed cost and speed.

14/33

IT RISK MECHANICS

(Diagram: the four A’s, Availability, Access, Accuracy and Agility, feed an assessment of strategic IT risks that draws on external forces, strategic initiatives and executive team knowledge and produces IT risk management strategies. An assessment of the IT risk management program, drawing on IT and business manager knowledge, produces risk governance plans, foundation plans and awareness plans. The 4A Framework risk disciplines are Process, Awareness and Foundation.)

15/33

IT RISK DRIVES ACCESS CONTROL

Access control is needed for business assets that are at the highest risk… of loss, misuse, exposure
Risk analysis allows you to prioritize the need for access control… what needs to be protected and controlled
Resources are always limited, so prioritization is a good idea (biggest bang for the buck)

16/33

THE ACCESS CONTROL PROGRAM

17/33

THE IT SECURITY PROGRAM

This is the development, implementation, and maintenance of all of the components that comprise IT Security at an organization. It organizes these components into Tactical, Operational, and Strategic activities.
The IT Security Program document details all of the IT Security related activities. It shows management or a trusted third party how the organization conducts its IT Security programs and activities.
The IT Security Program will operate a life cycle that includes planning and organization, implementation, operations and maintenance, and monitoring and evaluation.
It includes Access Control and IT Risk

18/33

IT PROGRAM OBJECTIVES

The Information Security Program (ISP) is designed to:
Ensure the security and confidentiality of confidential information and IT resources;
Protect against any anticipated threats or hazards to the security or integrity of the information or IT infrastructure; and
Protect against unauthorized access to or use of the information or IT infrastructure that could result in substantial harm or inconvenience to any customer.

19/33

ACCESS CONTROL ARCHITECTURE

20/33

IT ARCHITECTURE

If you are going to build an IT organization that fits the business mission and all of the associated complexities, you will need architecture
Plan and design before you build
IT Security is an integral component of IT Architecture

21/33

THE ARCHITECTURE PROCESS

(Diagram: business drivers and the enterprise architecture business model feed IT governance, technical standards, process standards, bricks and patterns, the EA project approval process, and guidelines and checklists, with business platform architects, enterprise architects and infrastructure architects taking part. IT guiding principles drive an architectural fit assessment based on architecture principles, patterns and standards, a new technology approval process, and business, application, data and technology architecture; approved projects lead to new system infrastructure implementation, with technical feedback.)

Business formulates its needs. Engages EA for fit and feasibility.
EA ensures that IT Architecture requirements will be applied. If changes are in order due to project requirements, EA will manage any modifications to the Architecture.
Architecture Principle – Organization and Process

22/33

IT SECURITY ARCHITECTURE

(Diagram: Enterprise IT Security Architecture Program. Inputs are business drivers, policy, standards, procedures and security strategy, together with EA principles and IT risk principles. The IT security architecture comprises the IT security program, IT security governance, IT security processes, the IT security life cycle, a security service map and an IT security roadmap, linked to the EA risk program and the IT risk program. Risk assessments and risk measures produce the current state, security effectiveness, total security cost, total risk cost, annual loss rate, annual risk forecast and the overall risk position.)

23/33

ACCESS CONTROL ARCHITECTURE

(Diagram: case study access control architecture spanning the company, its customers and IT Security. Labels shown: security administration over Windows, Unix/Linux and ZOS with their programming interfaces; eTrust SiteMinder; an LDAP meta directory; Centrify; Kerberos; SSO; PeopleSoft; smart cards, two factor, public CA and private CA, e-mail signing, secure e-mail and key management; user provisioning, automated provisioning, ID request via the web, account management, role based security, user models, security models and a security policy; a security dictionary and data classification; governance and compliance covering SOX, PCI, state privacy laws and non-public information; audit, quarterly tests, annual compliance, third party audits and vendor access; application scan, secure code, prod isolation, secure network, firewall management, wireless, field crypto, HIPS, physical access; CA-RCM.)

24/33

IAM CASE STUDY

25/33

IAM CASE STUDY POINTS

This shows the complexity of the problem
There are a lot of components in this case study
The components cover all layers from the network up
This is a large organization with tens of thousands of users and millions of customers
It is dispersed over a continent
You must have an architecture to get a handle on this
This also applies to smaller companies and less complex infrastructures
Some of the technology components shown help organize and implement Access Control
Some of these components such as operating systems (ZOS ACF2 Top Secret) and AD have to be managed whether you like it or not
I like LDAP
I like one copy of the Identity Master that all Access Control components use
I like federated Identity and authorization claims
I like Roles

26/33

HOW TO DO ACCESS CONTROL

A process and plan to implement Access Control (IREC 2007)
Getting the business partners and even customers involved

27/33

ASSESSING RISKS AND ROLES

28/33

DEFINING ACCESS RIGHTS

29/33

ACCESS CONTROL – BIGGER PICTURE

Do we really have to do this? (outsource it)
The dating game case study:
http://www.datehookup.com/
http://www.cupid.com/
http://www.christianmingle.com/
http://www.true.com/
http://www.okcupid.com/
http://www.singlesnet.com/
http://www.eharmony.com/
http://www.zoosk.com/
http://www.plentyoffish.com/
http://www.match.com/

30/33

DATING AND SINGLES SITES ARE HAVING BIG PROBLEMS

Social media and sites for singles and dating have grown dramatically in the last ten years
There are over 14,000 singles dating sites in the US alone
The top European site has over 17 million active users
‘SCAMS’ is the name given to con artist scenarios where site customers are subjected to a staged ploy on their interests, up to and including marriage
These are elaborate deceptions designed to elicit money and information out of unsuspecting targets
The CONs are far more likely to originate in Eastern Europe, where most of the complaints have been lodged.
The targets are worldwide, many of them in North and South America.
Complaints from unhappy customers and the theft of PI data, including cash, are causing credit card companies to shut down many site operators’ ability to take a credit or debit card
They have to solve the Identity and Access Control problem to stay successful

31/33

DATING GAME IDENTITY AND ACCESS CONTROL

We approached the problem by looking for a way to assign a trusted value unique to an individual to their account and access control into a site’s services
Account creation was necessary, and post validation was required independent of the account set up
But things like fingerprints, voiceprints, and social security numbers were not practical to use as an access control mechanism
We hit on using the cell phone
People are more attached to their cell phones than to any other thing they carry
Most people under 40 will go home from work to get their cell phones but not their wallets
The cell phone number is not a bad way to assist in identifying a person
The call back validation, or an email or a text, can be used to confirm the identity, and the security management process can be tailored for monitoring the owners of the numbers
Cooperation with the service providers is essential
It must be in conjunction with additional factors like E-Mail addresses and other publicly available information
It is not perfect, but considering the scale of numbers of users it was deemed viable, and several solutions using this venue are in the works
The real trick though is wrapping an Access Control process around this particular problem
Mobile devices are becoming very personal to people, especially cell phones
Digital certificates and private key systems like PGP are starting to appear for mobile devices
Certificates are not easy to use on mobile devices and the manufacturers have a long way to go
I think it is inevitable
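The call back / text validation step described above, as an added example that is not part of the presentation or of any product it mentions: a one-time code is sent to the phone number on the account and must be returned before the number is bound to the account. The delivery function, the clock and the code generator are injectable stubs, and the phone numbers and limits are constructed for illustration.

```python
# Added example, not from the presentation: the call-back / text validation
# step done as a one-time code sent to the phone number on the account.
# Delivery is a constructed stub; the code is stored only as a hash, expires,
# is single-use, and is limited in wrong attempts and in re-sends.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_TTL_SECONDS = 300       # a code is only good for five minutes
MAX_ATTEMPTS = 3             # then the challenge is discarded
MIN_RESEND_SECONDS = 60      # throttle re-sends to the same account

@dataclass
class Challenge:
    code_hash: bytes         # never keep the code itself
    phone: str
    issued_at: float
    attempts: int = 0

class PhoneVerifier:
    def __init__(self, send: Callable[[str, str], None], now=time.time,
                 gen: Callable[[], str] = lambda: f"{secrets.randbelow(10**6):06d}"):
        self.send, self.now, self.gen = send, now, gen   # injectable for testing
        self.pending: Dict[str, Challenge] = {}          # account id -> challenge
        self.verified: Dict[str, str] = {}               # account id -> phone

    @staticmethod
    def _h(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def start(self, account: str, phone: str) -> bool:
        prior = self.pending.get(account)
        if prior and self.now() - prior.issued_at < MIN_RESEND_SECONDS:
            return False                                 # too soon: do not resend
        code = self.gen()
        self.pending[account] = Challenge(self._h(code), phone, self.now())
        self.send(phone, f"Your verification code is {code}")
        return True

    def confirm(self, account: str, code: str) -> bool:
        ch = self.pending.get(account)
        if ch is None:
            return False
        if self.now() - ch.issued_at > CODE_TTL_SECONDS:
            del self.pending[account]                    # expired
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(ch.code_hash, self._h(code))
        if ok:
            self.verified[account] = ch.phone            # phone now bound to account
        if ok or ch.attempts >= MAX_ATTEMPTS:
            del self.pending[account]                    # single use / lockout
        return ok
```

As the slide says, this only assists identification: a number can be ported or shared, so it belongs beside the additional factors mentioned, not in place of them.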

32/33

SOLUTIONS

There are a lot of Identity Management and Access Control solutions available on the market today. A lot of the operating security systems vendors, IBM and SUN/Oracle and others, have decent products that complement their core security products.
I know that a lot of research and study should go into looking at a solution before you buy.
Getting a solution that works for you is half the work. The other half is good security governance and user provisioning. Without that it is not going to sustain itself over time. It is a big job and your identity and data depend on it being done well

33/33

QUESTIONS?