Best Practices for Augmenting IDaaS in a Cloud IAM Architecture PAM DINGLE, PING IDENTITY OFFICE OF THE CTO
WHITE PAPER

TABLE OF CONTENTS
- EXECUTIVE OVERVIEW
- BEST PRACTICE #1: IMPLEMENT ADMINISTRATIVE SINGLE SIGN-ON (SSO)
- BEST PRACTICE #2: SUPPORT CHANNELING MULTIPLE IDENTITY SOURCES
- BEST PRACTICE #3: ADD FACTORS TO PASSWORD SIGN-ON
- CONCLUSION

EXECUTIVE SUMMARY

Enterprises are embracing cloud and mobile technologies. As they do, they're moving beyond traditional network boundaries and the capabilities of their legacy identity and access management (IAM) solutions. As a result, identity as a service (IDaaS) has become a viable technology for many organizations.

Basic IDaaS providers typically focus on SSO for software-as-a-service (SaaS) applications. However, most large enterprises have sophisticated environments and must coordinate and secure multiple resource domains, representing a hybrid mix of on-premises, infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and SaaS resources, which belong to your organization, partners and even social networks.

This white paper describes how enterprise IDaaS harmonizes all the loosely coupled elements in the digital enterprise to contribute to better security and mitigate risk for the overall platform. It describes the IAM best practices your organization should consider when securing the digital enterprise.

THE ROLE OF IAM IN SECURING THE DIGITAL ENTERPRISE

IAM plays a vital role in the digital enterprise in coordinating and integrating resource domains. Whether it's creation of an authentication ceremony, definition and enforcement of policy, enforcement of those policies at APIs or code samples for mobile app writers, the requirements necessary to perform true IAM in the cloud still encompass numerous software and service entities, across numerous domains.

Most enterprises of any reasonable size are subject to a wide variety of regulations, and have a collection of legacy and modern systems in place, such as applications, business processes and data stores. They don't have the luxury of starting fresh and only using purpose-built SaaS applications for everything. Additionally, local and international regulations can pose restrictions and challenges on the type of information being stored and where it can be stored.

As opposed to basic IDaaS, enterprise IDaaS takes a more holistic approach to solve this challenge. Enterprise IDaaS enables the preservation of existing IAM investments, a concentric security and policy model and a shared approach to risk. When adopting enterprise IDaaS to secure the digital enterprise, there are some best practices to consider:

1. Implement administrative SSO
2. Support channeling for multiple identity sources
3. Add factors to password sign-on
BEST PRACTICE #1: IMPLEMENT ADMINISTRATIVE SSO

The best benefit of an SSO architecture is that passwords are stored in a single, well-watched and protected space where central policy is applied. Compare this to application silos across multiple domains, which all support different password and authorization policies, and store passwords that may all be the same (for example, end users who reuse passwords rather than choosing unique ones). The same problem exists with administration accounts, but the stakes are higher.

An enterprise IDaaS platform should allow you to link administrative accounts to a federated source. Without such a feature, administrative users must separately manage passwords for isolated accounts outside of a common policy domain. These accounts are often unused and unmonitored, and they represent valuable targets for attackers. Given the power of such accounts, this oversight is important to recognize and to plan to mitigate.

POLICIES FOR ADMINISTRATOR SSO

All administrators should use their normal everyday sign-on credentials to manage the administrative consoles of an enterprise IDaaS. As a result, authorized end users essentially open an application to access administrative consoles. The ability to access an administration console no longer becomes a question of who has a username and password, but who is authorized by policy. This means that organizations no longer need to worry about exiting administrators retaining credentials for remote infrastructure. In addition, it becomes difficult to share administrator accounts, making the accountability of the logged activities of each administrator stronger.

A second benefit to using federation to access these administration consoles is redundant audit. For every administrator authentication at the remote site, two separate pieces of infrastructure are writing audit logs: the federation server acting as the identity provider (IdP), and the federation server acting as the relying party (RP). This gives the organization the option to compare the audit trails of both entities, and to detect anomalies that could indicate compromise, such as an administrator sign-on at the RP when no sign-on occurred at the IdP. Enterprises should consider feeding audit output from every domain they interact with into a Security Information Event Management (SIEM) tool, which can help flag inconsistent behavior.

[Figure: public IDaaS, identity bridge, audit domain, break-glass admin account, administrator activity audit]
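
The audit comparison described above, as an added example that is not part of the original white paper: it reconciles RP administrator sign-ons against the assertions the IdP logged. The field names, the assumption that both sides record an assertion ID, and the sample records are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample audit records. Field names are assumptions for this
# example, not the log format of any particular federation product.
IDP_LOG = [  # assertions issued by the identity provider
    {"ts": "2024-05-01T09:00:02", "subject": "alice", "assertion_id": "a1"},
    {"ts": "2024-05-01T09:15:40", "subject": "bob", "assertion_id": "a2"},
    {"ts": "2024-05-01T10:00:00", "subject": "dave", "assertion_id": "a3"},
    {"ts": "2024-05-01T12:00:00", "subject": "frank", "assertion_id": "a4"},
]
RP_LOG = [  # administrator sign-ons recorded by the relying party
    {"ts": "2024-05-01T03:12:10", "subject": "carol", "assertion_id": "a9"},
    {"ts": "2024-05-01T09:00:03", "subject": "alice", "assertion_id": "a1"},
    {"ts": "2024-05-01T09:15:41", "subject": "bob", "assertion_id": "a2"},
    {"ts": "2024-05-01T10:00:01", "subject": "erin", "assertion_id": "a3"},
    {"ts": "2024-05-01T11:47:00", "subject": "bob", "assertion_id": "a2"},
    {"ts": "2024-05-01T12:30:00", "subject": "frank", "assertion_id": "a4"},
]


def _when(event):
    """Parse the ISO-8601 timestamp of an audit record."""
    return datetime.fromisoformat(event["ts"])


def reconcile(idp_events, rp_events,
              max_age=timedelta(minutes=5), skew=timedelta(seconds=30)):
    """Return (rp_event, reason) for every RP sign-on the IdP log cannot explain."""
    issued = {e["assertion_id"]: e for e in idp_events}
    consumed = set()
    findings = []
    for ev in sorted(rp_events, key=_when):
        src = issued.get(ev.get("assertion_id"))
        if src is None:
            reason = "no_idp_record"      # sign-on at the RP, nothing at the IdP
        elif src["subject"] != ev["subject"]:
            reason = "subject_mismatch"   # the IdP vouched for someone else
        elif ev["assertion_id"] in consumed:
            reason = "replayed"           # same assertion presented twice
        else:
            consumed.add(ev["assertion_id"])
            delta = _when(ev) - _when(src)
            # Allow a little clock skew, but not an arbitrarily old assertion.
            reason = None if -skew <= delta <= max_age else "outside_window"
        if reason:
            findings.append((ev, reason))
    return findings


def summary(findings):
    """Reduce findings to (subject, reason) pairs for alerting."""
    return [(ev["subject"], reason) for ev, reason in findings]


if __name__ == "__main__":
    for subject, reason in summary(reconcile(IDP_LOG, RP_LOG)):
        print(f"ALERT admin sign-on by {subject}: {reason}")
```

In a SIEM the same join would run continuously over both feeds; the batch form here keeps the matching rules visible.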
POLICIES FOR ADMINISTRATOR BREAK-GLASS ACCOUNTS

Password-protected accounts that can't be replaced with SSO become dangerous liabilities for organizations, and need to be strictly managed by process rather than by technology and policy. The most common account that falls into this category is the primary administration account for a service. Every service must offer a primary administration account outside of SSO; it's necessary in case SSO fails. This primary account should not be used for day-to-day administration of the service, but should instead only be used when absolutely necessary.

The password associated with this account should be randomly generated and placed into some kind of vault (for example, a Privileged Access Management system) that has strong controls over release of the credential that can't be bypassed by any single administrator. Lastly, any retrieval of credentials to that account or use of that account should result in instant red flags, requiring investigation and justification. For critical infrastructure access where emergency account access is required, a multi-party process may be needed to retrieve break-glass credentials (think of a nuclear launch code that requires multiple keys to be simultaneously turned).

THE ROLE OF AUDIT PROCEDURES

Immutable audit is an additional consideration for administrator SSO. Often, no account is created for administrators who SSO to cloud administrator consoles. It's critical to monitor and review the list of users who access administrative consoles over time. Real-time notifications that are broadcast to multiple sources at the time of administrator access make it difficult for a single rogue actor to erase actions after the fact.

At the end of the day, this best practice is intended to make sure that standalone administrator accounts are never forgotten or abused.

BEST PRACTICE #2: SUPPORT CHANNELING FOR MULTIPLE IDENTITY SOURCES

Within complex organizations, users come from many places. Some users may be employees, coming from an on-premises or IaaS resource domain such as UnBoundID, Active Directory or Azure AD. Others may be contractors, coming from a PaaS or SaaS identity repository such as the PingOne cloud directory, Salesforce, or Google Apps. Still others might be individual customers, accessing apps by authenticating via Twitter or Facebook. A true Cloud IAM platform must support a myriad of identity sources, and route those sources only to correctly authorized resources. Some simple best practices are listed below to help ensure that assertions from one context are not maliciously manipulated to end up in other contexts.

SOCIAL NETWORK VERIFIED CHECKING

When accepting assertions from social networks, it's critical to understand whether those email addresses have been verified. Some social networks include a separate attribute to indicate a verified address. Networks such as Google, that use the OpenID Connect identity standard, offer a boolean attribute that is set to true if the email is verified. Others offer different assertions about account verification (for example, Facebook will set a verified attribute for an account only if the user has registered for mobile, confirmed their account via SMS or entered a valid credit card). If your resource is not particularly sensitive, you may choose to accept any assertion. But if your resources are more privileged, rejection of nonverified addresses is an important best practice.

FEDERATED PARTNER DOMAIN LIMITS

In situations such as supply chain environments or multi-tenant SaaS apps, where your enterprise IDaaS platform is accepting assertions from multiple identity providers, it's important to be sure that one IdP can never make assertions that imitate a user from another. An example of this kind of abuse might be the IdP at partnerb.com attempting to send an assertion to your enterprise IDaaS platform for johnsmith@partnera.com.

It's critical for identification of any user in a multi-IdP environment to be calculated as a function of both the assertion subject and the IdP. An assertion for johnsmith@partnera.com that comes from Partner B should result in one of two outcomes:

- A new user is created within the Partner B authorization context that's unrelated to the possibly existing user within a Partner A authorization context. This is common in true multi-tenant environments.
- The assertion should be rejected.

The simplest best practice for enforcing this policy is to set an expected domain for each IdP, and reject all assertions whose subjects are not within that domain. In our example then, all assertions that come from Partner B are compared against the partnerb.com domain, and assertions that arrive from Partner B with a partnera.com domain are automatically rejected.

[Figure: Cloud IAM - Identity Source Assertion Channeling. Labels: employee resource domain, public IDaaS, target resource domains, identity bridge policies (subject domain matches channel), Partner A resource domain, Partner B resource domain]
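
One way to express the channel policies from the two sections above (verified-email checking for social sources and an expected domain per partner IdP), as an added example that is not part of the original white paper or any Ping Identity product. The entity IDs, the claim dictionary layout, and the `Channel` and `accept` names are assumptions; `email_verified` is the standard OpenID Connect claim.

```python
from dataclasses import dataclass
from typing import Optional


class Rejected(Exception):
    """Raised when an assertion violates the policy of the channel it arrived on."""


@dataclass(frozen=True)
class Channel:
    expected_domain: Optional[str] = None  # partner IdP: only subjects in this domain
    require_verified_email: bool = False   # social IdP: email_verified must be true


# Constructed channel table. Entity IDs are placeholders for this example;
# partnera.com and partnerb.com are the partner domains used in the text.
CHANNELS = {
    "https://idp.partnera.com": Channel(expected_domain="partnera.com"),
    "https://idp.partnerb.com": Channel(expected_domain="partnerb.com"),
    "https://idp.tenant-c.example": Channel(),  # multi-tenant: namespaced only
    "https://social.example": Channel(require_verified_email=True),
}


def _split(subject):
    """Split an email-style subject and lower-case its domain; reject odd shapes."""
    if subject.count("@") != 1:
        raise Rejected("subject is not a single local@domain value")
    local, domain = subject.strip().split("@")
    if not local or not domain:
        raise Rejected("subject has an empty local part or domain")
    return local, domain.lower()


def accept(idp, claims, channels=CHANNELS):
    """Return the local user key (idp, subject) or raise Rejected."""
    channel = channels.get(idp)
    if channel is None:
        raise Rejected("assertion from an IdP with no configured channel")
    subject = claims.get("subject")
    if not isinstance(subject, str) or not subject:
        raise Rejected("assertion has no subject")
    if channel.expected_domain:
        local, domain = _split(subject)
        # Exact comparison: a suffix or substring test would let
        # "x@partnerb.com.other.example" pass as partnerb.com.
        if domain != channel.expected_domain:
            raise Rejected(f"subject domain {domain} not allowed on this channel")
        subject = f"{local}@{domain}"
    # Strict boolean: a missing claim or the string "true" counts as unverified.
    if channel.require_verified_email and claims.get("email_verified") is not True:
        raise Rejected("email address not verified by the identity source")
    # Identity is a function of BOTH the IdP and the subject.
    return (idp, subject)


def evaluate(idp, claims):
    """Convenience wrapper: (True, key) on accept, (False, reason) on reject."""
    try:
        return True, accept(idp, claims)
    except Rejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    samples = [  # constructed assertions
        ("https://idp.partnera.com", {"subject": "johnsmith@partnera.com"}),
        ("https://idp.partnerb.com", {"subject": "johnsmith@partnera.com"}),
        ("https://idp.tenant-c.example", {"subject": "johnsmith@partnera.com"}),
        ("https://social.example", {"subject": "u-48213", "email": "pat@mail.example"}),
    ]
    for idp, claims in samples:
        print(idp, evaluate(idp, claims))
```

The tenant-c entry shows the first outcome listed in the text: the assertion is accepted, but the resulting key is distinct from the Partner A user with the same subject.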
CHANNEL TRACKING POLICIES

Every federation point in an enterprise IDaaS platform should track not just the subject of a given assertion, but also the channel by which that assertion arrived. When transforming assertions in a federation hub, the hub should populate either the SAML 2.0 Authenticating Authority envelope element, or allow for a SAML attribute to be configured, containing some identification of the originally authenticating IdP. Logging of that element, in conjunction with the federation hub entity ID and the SAML subject, allows for strong forensic and monitoring data and highlights any anomalies.

The best practices discussed in this section are all intended to ensure that customers or partners can't manipulate the data in assertions to exceed their originally intended context. Regular review is a necessary part of ensuring that your platform does what you think it does.

CHANNELS FOR API-BASED TECHNOLOGIES

When using protocols such as OAuth or OpenID Connect for multi-tenant applications, administrators must still always consider the identity in the context of the issuer of the assertion. In the case of OpenID Connect, validation of the issuer is built into the protocol. Using OAuth 2.0 alone for identity purposes is explicitly not a best practice, and should be avoided. For more information, please see to understand the risks.

Scopes are additional tools for the administrator when using OAuth 2.0 and OpenID Connect. Some organizations choose a one-to-one matching between scopes and clients, so even if Partner B attempted to assert a subject in the Partner A domain, the scopes requested were by definition only applicable to Partner B. Therefore, the client would be denied access to Partner A data regardless of the identity.

BEST PRACTICE #3: ADD FACTORS TO PASSWORD SIGN-ON

If a stolen password is all an attacker needs to legitimately access your organization's data, you have a big problem. End users tend to register their corporate email addresses at all sorts of websites. Sometimes, end users reuse passwords at those sites that they have also used for corporate resources. If any domain is breached where a user has chosen to reuse a corporate email/password combination, attackers can simply try those credentials everywhere to see if something works. Even if it doesn't work today, it might the next time, because as users are forced to rotate passwords, old passwords tend to come back into play.

Adding at least one additional factor to the authentication ceremony is a critical mitigation to the credential reuse and farming problem. This puts a stop to the opportunistic hacks where attackers blindly try username/password combinations just to see what they can get, and it forces attackers to work harder to get that first foothold in your environment.

There are many inexpensive options for second-factor authentication on the market today that also have good usability for users. Specifically, smartphone-based solutions offer interesting options for organizations, as they leverage a device that users always have with them.

From an enterprise IDaaS perspective, authentication services are easy to layer and can be inserted in almost any order. Because the architecture is federated, implementers can change and mature their additional factors without any impact on downstream applications. This gives a lot of flexibility to play with options and find which solution strikes the right balance of usability and security.

[Figure: Cloud IAM - Administrator Account Protection. Labels: private resource domain, public IDaaS, target resource domains, identity bridge, Partner B resource domain]

Complex organizations may also use contextual elements to passively detect anomalous situations, for example, understanding whether an authentication request has come from a region where the user is known not to be.

CONCLUSION

A cloud IAM architecture is a combination of services and software that collaborate to mitigate each other's risks. Best practices for cloud IAM platforms include the strong requirement to eliminate the risk of standalone administrator accounts, protect against manipulation of assertion routing by users and partner domains, and add factors to password authentication to protect against opportunistic use of hacked or farmed password credentials. Because cloud IAM is infrastructure, not just SaaS, extra attention to these kinds of best practices is critical.

Auditing and monitoring is a common theme across all best practices, as a watched infrastructure gives fewer options to attackers. Attempts to probe defenses are much more likely to be identified when centrally scrutinized. When patterns can be seen across resources, administrators have a much better understanding of the big picture.

Ping Identity stands behind all of these best practices. Contact a representative for more information about how our software can be used to implement all of these best practices and more.

ABOUT PING IDENTITY: Ping Identity leads a new era of digital enterprise freedom, ensuring seamless, secure access for every user to all applications across the hyper-connected, open digital enterprise. Protecting over one billion identities worldwide, more than half of the Fortune 100, including Boeing, Cisco, Disney, GE, Kraft Foods, TIAA-CREF and Walgreens trust Ping Identity to solve modern enterprise security challenges created by their use of cloud, mobile, APIs and IoT. Visit pingidentity.com.
More informationWarm Up to Identity Protocol Soup
Warm Up to Identity Protocol Soup David Waite Principal Technical Architect 1 Topics What is Digital Identity? What are the different technologies? How are they useful? Where is this space going? 2 Digital
More informationWHITEPAPER. How to secure your Post-perimeter world
How to secure your Post-perimeter world WHAT IS THE POST-PERIMETER WORLD? In an increasingly cloud and mobile focused world, there are three key realities enterprises must consider in order to move forward
More information2017 THALES DATA THREAT REPORT
2017 THALES DATA THREAT REPORT Trends in Encryption and Data Security FINANCIAL SERVICES EDITION www.thales-esecurity.com 2017 THALES DATA THREAT REPORT TRENDS IN ENCRYPTION AND DATA PROTECTION U.S. U.K.
More informationSecurity Readiness Assessment
Security Readiness Assessment Jackson Thomas Senior Manager, Sales Consulting Copyright 2015 Oracle and/or its affiliates. All rights reserved. Cloud Era Requires Identity-Centric Security SaaS PaaS IaaS
More informationBEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE
BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE OUR ORGANISATION AND SPECIALIST SKILLS Focused on delivery, integration and managed services around Identity and Access Management.
More informationChallenges in Authenticationand Identity Management
Sep 05 ISEC INFOSECURITY TOUR 2017 05.09.2017, Buenos Aires, Argentina Challenges in Authenticationand Identity Management CAMINANTE NO HAY CAMINO, SE HACE CAMINO AL ANDAR 2016 SecurIT Who is MerStar?
More informationAUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response
AUTHENTICATION Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response Who we are Eric Scales Mandiant Director IR, Red Team, Strategic Services Scott Koller
More informationTrusted Identities. Foundational to Cloud Services LILA KEE CHIEF PRODUCT OFFICER GLOBALSIGN
Trusted Identities Foundational to Cloud Services LILA KEE CHIEF PRODUCT OFFICER GLOBALSIGN WHAT YOU WILL LEARN TODAY Strong identity verification as a security measure and business enabler Authentication
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationEnhanced OpenID Protocol in Identity Management
Enhanced OpenID Protocol in Identity Management Ronak R. Patel 1, Bhavesh Oza 2 1 PG Student, Department of Computer Engg, L.D.College of Engineering, Gujarat Technological University, Ahmedabad 2 Associate
More informationSecuring Office 365 with MobileIron
Securing Office 365 with MobileIron Introduction Office 365 is Microsoft s cloud-based productivity suite. It includes online versions of Microsoft s most popular solutions, like Exchange and SharePoint,
More informationSecuring Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)
Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF) A Guide to Leveraging Privileged Account Security to Assist with SWIFT CSCF Compliance Table of Contents Executive Summary...
More informationAKAMAI WHITE PAPER. Enterprise Application Access Architecture Overview
AKAMAI WHITE PAPER Enterprise Application Access Architecture Overview Enterprise Application Access Architecture Overview 1 Providing secure remote access is a core requirement for all businesses. Though
More informationO365 Solutions. Three Phase Approach. Page 1 34
O365 Solutions Three Phase Approach msfttechteam@f5.com Page 1 34 Contents Use Cases... 2 Use Case One Advanced Traffic Management for WAP and ADFS farms... 2 Use Case Two BIG-IP with ADFS-PIP... 3 Phase
More informationIBM Security Access Manager
IBM Access Manager Take back control of access management with an integrated platform for web, mobile and cloud Highlights Protect critical assets with risk-based and multi-factor authentication Secure
More informationDissecting NIST Digital Identity Guidelines
Dissecting NIST 800-63 Digital Identity Guidelines KEY CONSIDERATIONS FOR SELECTING THE RIGHT MULTIFACTOR AUTHENTICATION Embracing Compliance More and more business is being conducted digitally whether
More informationWhose Cloud Is It Anyway? Exploring Data Security, Ownership and Control
Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control SESSION ID: CDS-T11 Sheung-Chi NG Senior Security Consulting Manager, APAC SafeNet, Inc. Cloud and Virtualization Are Change the
More informationBlackBerry Enterprise Identity
Datasheet BlackBerry Enterprise Identity The Challenge: Cloud services are critical in today s enterprises, yet a reliance on the cloud comes with real and growing security risks. Enterprises want a simple,
More informationNext Generation Privilege Identity Management
White Paper Next Generation Privilege Identity Management Nowadays enterprise IT teams are focused on adopting and supporting newer devices, applications and platforms to address business needs and keep
More informationSAML-Based SSO Solution
About SAML SSO Solution, page 1 Single Sign on Single Service Provider Agreement, page 2 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 3 Cisco Unified Communications Applications
More informationHow your network can take on the cloud and win. Think beyond traditional networking toward a secure digital perimeter
How your network can take on the cloud and win Think beyond traditional networking toward a secure digital perimeter Contents Introduction... 3 Reduce risk points with secure, contextualized access...
More informationThe Problem with Privileged Users
Flash Point Paper Enforce Access Control The Problem with Privileged Users Four Steps to Reducing Breach Risk: What You Don t Know CAN Hurt You Today s users need easy anytime, anywhere access to information
More informationAuthlogics for Azure and Office 365
Authlogics for Azure and Office 365 Single Sign-On and Flexible MFA for the Microsoft Cloud Whitepaper Authlogics, 12 th Floor, Ocean House, The Ring, Bracknell, Berkshire, RG12 1AX, United Kingdom UK
More informationAdaptive Authentication Adapter for Citrix XenApp. Adaptive Authentication in Citrix XenApp Environments. Solution Brief
Adaptive Authentication Adapter for Citrix XenApp Adaptive Authentication in Citrix XenApp Environments Solution Brief RSA Adaptive Authentication is a comprehensive authentication platform providing costeffective
More informationSecuring Digital Transformation
September 4, 2017 Securing Digital Transformation DXC Security Andreas Wuchner, CTO Security Innovation Risk surface is evolving and increasingly complex The adversary is highly innovative and sophisticated
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in InCommon Federation ( Federation ) enables the participant to use Shibboleth identity attribute sharing technologies to manage access
More informationhidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION
HID ActivOne USER FRIENDLY STRONG AUTHENTICATION We understand IT security is one of the TOUGHEST business challenges today. HID Global is your trusted partner in the fight against data breach due to misused
More informationHow to Deliver Privilege Access Management
How to Deliver Privilege Access Management Running a PAM project can be a big challenge for an organization. Many security projects can be largely stand alone, impacting operational teams in the business
More informationStandards-based Secure Signon for Cloud and Native Mobile Agents
Standards-based Secure Signon for Cloud and Native Mobile Agents P. Dingle July 2013 1 Mobile http://www.flickr.com/photos/nataliejohnson/2776045330 2 http://www.flickr.com/photos/soo/5525383948 Mobile
More informationWelcome! Ready To Secure Access to Your Microsoft Applications?
Welcome! Ready To Secure Access to Your Microsoft Applications? During the Webinar Audio In presentation mode until end Control Panel View webinar in full screen mode Feel Free to submit written questions
More informationDocuSign Single Sign On Implementation Guide Published: June 8, 2016
DocuSign Single Sign On Implementation Guide Published: June 8, 2016 Copyright Copyright 2003-2016 DocuSign, Inc. All rights reserved. For information about DocuSign trademarks, copyrights and patents
More informationMaximize your move to Microsoft in the cloud
Citrix and Microsoft 365: Maximize your move to Microsoft in the cloud 3 reasons to manage Office 365 with Citrix Workspace Pg. 2 Pg. 4 Citrix.com e-book Maximize your Citrix Workspace 1 Content Introduction...3
More informationFive Essential Capabilities for Airtight Cloud Security
Five Essential Capabilities for Airtight Cloud Security SECURITY IN THE CLOUD REQUIRES NEW CAPABILITIES It is no secret; security and compliance are at the top of the list of concerns tied to cloud adoption.
More informationIDENTITY: A KEY ELEMENT OF BUSINESS-DRIVEN SECURITY
IDENTITY: A KEY ELEMENT OF BUSINESS-DRIVEN SECURITY Identity is replacing perimeter as the primary defensive frontline OVERVIEW Organizations have been grappling with identity and access management since
More informationAdaptacyjny dostęp do aplikacji wszędzie i z każdego urządzenia
Adaptacyjny dostęp do aplikacji wszędzie i z każdego urządzenia F5 EMEA Webinar Listopad 2014 Andrzej Kroczek Field Systems Engineer Today s Network and App Access: So Many Variables! LOCATIONS USERS DEVICES
More informationOffice 365 Buyers Guide: Best Practices for Securing Office 365
Office 365 Buyers Guide: Best Practices for Securing Office 365 Microsoft Office 365 has become the standard productivity platform for the majority of organizations, large and small, around the world.
More informationJim Reavis CEO and Founder Cloud Security Alliance December 2017
CLOUD THREAT HUNTING Jim Reavis CEO and Founder Cloud Security Alliance December 2017 A B O U T T H E BUILDING SECURITY BEST PRACTICES FOR NEXT GENERATION IT C L O U D S E C U R I T Y A L L I A N C E GLOBAL,
More informationTeradata and Protegrity High-Value Protection for High-Value Data
Teradata and Protegrity High-Value Protection for High-Value Data 12.16 EB7178 DATA SECURITY Table of Contents 2 Data Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:
More information