Identity-Powered Security
Innovation created a very complex environment: z/OS, PL/I, COBOL, CICS, IMS, Public Cloud, Private Cloud, Internet of Things (IoT).
Cloud: How is leveraging cloud impacting risk and how can I manage it?
Mobile: Is our use of mobile devices secure?
Compliance: Are we complying with all applicable mandates? How do we reduce the cost of compliance?
Data Breach: Are we doing enough to control access to sensitive information? Do we understand our threat landscape?
IoT: How do we securely take advantage of IoT?
Service Delivery: Are we doing enough to ensure availability and data security?
Network: Are we ensuring the security of the network?
Third Party Risk: Are we doing enough to manage partner, contractor, and customer access?
Identity is More Important Than Ever.
Devices: Mobile, Browser, Desktop.
ID sources: Social, Internal Directory, WAM, Cloud.
Users: Partners, Customers, Consumers, Employees.
Applications: eBusiness, SaaS, Legacy/Custom, API.
Identity Manager
Evolution of Identity Manager. Capabilities added over time: synchronization and identity integration; policy-based management; rights and correct rights; user self service; workflows and web forms; role-based management of roles and resources; compliance; auditing and reporting.
Timeline: 1998 DirXML 1.0; 2001 IDM 2; 2004 IDM 3; 2006 IDM 3.5; 2008 IDM 3.6; 2010 IDM 4; 2014 IDM 4.5; 2017 IDM 4.6.
Philosophy of Identity Manager.
Identity Manager: Real-time user provisioning. Delegated administration and user self service. Reduced complexity through role-based provisioning. Out-of-the-box enterprise connectors for on-premises solutions and cloud applications. User life cycle auditing. User-friendly web interface and graphical configuration tools. Designed to be interoperable and flexible, integrating easily through standard protocols.
Administrator interface.
Connectors included with the base license.
- Identity Manager Standard Edition.
  o Windows: Microsoft Active Directory
  o Email: GroupWise, Microsoft Exchange, and Lotus Notes
  o Directory: NetIQ eDirectory and other LDAP v3 directories
  o Engine Services: Manual Task Services (M-Task), Loopback, Null
  o Others: Privileged Identity Management
- Identity Manager Advanced Edition.
  o Windows: Microsoft Active Directory
  o Email: GroupWise, Microsoft Exchange, and Lotus Notes
  o Directory: NetIQ eDirectory and other LDAP v3 directories
  o Engine Services: Manual Task Services (M-Task), Loopback, Null
  o Others: Privileged Identity Management
  o Database: JDBC driver (IBM DB2, Informix, Microsoft SQL Server, MySQL, Oracle and Sybase)
  o Message System: JMS
  o Driver for Salesforce.com
  o Tools: Delimited Text, SOAP, and REST drivers
Complete list of connectors for Identity Manager: https://www.netiq.com/documentation/idm45drivers/
Out-of-the-box enterprise connectors.
Applications: HP Service Desk, Microsoft SharePoint, Oracle E-Business Suite, BMC Remedy, PeopleSoft, RSA ACE, SAP Enterprise, SAP GRC, SAP HR & Portal, SAP R/3 4.6, SAP Web Application Server, Ellucian Banner, SugarCRM, Blackboard.
Databases: Microsoft SQL Server, Oracle Database, IBM DB2 Universal Database, Informix Dynamic Server, Sybase Adaptive Server, PostgreSQL, MySQL, JDBC.
Midrange: IBM i (i5/OS and OS/400).
Directories: IBM Directory Server (SecureWay), iPlanet Directory Server, Microsoft Active Directory, Microsoft Windows NT Domain, Netscape Directory Server, Sun Microsystems NIS+, Sun ONE Directory Server, NetIQ eDirectory, LDAP v3.0.
Operating systems: Microsoft Windows 7, 8 and 10; Microsoft Windows Server 2008 and 2012; SUSE Linux Enterprise Server; Debian Linux; FreeBSD; HP-UX; IBM AIX; Red Hat AS and ES; Red Hat Linux; Oracle Solaris; UNIX.
Email servers: Microsoft Exchange, Novell GroupWise, Lotus Notes.
PBX: Avaya PBX, Asterisk, VoiceRD.
Mainframes (z/OS): RACF, ACF2.
Other: SOAP, DSML, SPML.
Cloud ready: Google Apps, Salesforce.com, Microsoft Office 365.
Complete list of connectors for Identity Manager: https://www.netiq.com/documentation/idm45drivers/
Self-Service Password Reset. Allows users to change and reset passwords according to the security and complexity policies. Provides a self-service web interface and is integrated with the Windows login (GINA). Users set and answer challenge questions for forgotten passwords rather than having the help desk reset or change them. Protected by OTP tokens (SMS or Google Authenticator) to prevent social engineering attacks. Includes a help desk panel so that user calls are handled securely and in compliance.
Integrated with the Windows login. HTML5 web interface with Responsive Web Design.
Helpdesk interface.
Initial Login - End User
Request Form
Compare Users
User Catalog Card View
User Catalog
Settings - Branding
Graphical design of workflows.
Identity Manager Approvals App. NetIQ Identity Manager Approvals - Apple Store: https://itunes.apple.com/us/app/netiq-identity-manager-approvals/id599071228 NetIQ Identity Manager Approvals - Google Play: https://play.google.com/store/apps/details?id=com.netiq.idm.mobile.approval
User life cycle auditing and reporting.
Access Review
You now know who has access to what, but should they?
Compliance requirements and penalties. Governance, privacy mandates, audits, user demands. Examples: HIPAA / HITECH, NERC CIP, European Data Protection Regulation (including the right to be forgotten), SOX, ISO 27001/2, PCI DSS.
User-based certification process.
Application-based certification process.
Policies of segregation of duties.
Compliance dashboard to have full visibility.
Manual or automatic remediation.
Proactive detection of orphan accounts.
Identity risk management.
Simple and clear for business approvers.
Access Manager
Work is an Activity, Not a Place. The who, where, and what of access has changed dramatically. Delivering convenience without putting the business at risk.
63% of confirmed data breaches involved weak, default or stolen passwords. Source: Verizon Data Breach Investigation Report, 2016
Ensuring the Right Access. Access Management sits between the users (Employees and Contractors, Partners, Customers / Citizens) and the resources (Internal Applications & Services, Cloud-Based Services).
Access Manager: internal and external users accessing mobile, web and cloud applications. Simplifies access and improves productivity with Single Sign-On. Authentication with advanced authentication methods. Advanced access controls for corporate web resources. Full auditing of access to web applications and cloud solutions. Creates identity federation relationships with other companies.
Web resources management.
Authentication methods. Authentication with LDAP login: Active Directory, eDirectory and LDAP v3. Certificates (X.509) with CRL and OCSP support. Authentication with RADIUS (802.1X). Authentication with Kerberos. Authentication with Identity Federation. Authentication with Active Directory Federation Services. Authentication with OAuth and social authentication. Authentication with OpenID and SAML v2.0. Authentication with smart card. Authentication with Google Authenticator. Authentication with FreeOTP. Authentication with SMS OTP. API to integrate third-party authentication methods.
Easy customization.
User access.
User web authentication.
User application dashboard.
User application administration.
User interface in multiple languages.
Google reCAPTCHA
Integrated with Google reCAPTCHA.
Mobile Access
Delivering Secure Mobile Access: Access Management brokers mobile access to backend systems.
Access For Various Form Factors
Secure access to corporate applications.
Mobile Access administration.
Mobile Access applications management.
Simplified SSO Apps.
Application Connectors Out of the Box. Micro Focus Application Connector Catalog: https://catalog.netiq.com
Application Connectors Catalog.
Easy application configuration.
Adaptive Authentication.
Security based on the user context:
Who is attempting access?
Where are they located right now?
Where are they normally located?
What are they trying to access?
What is the associated risk?
When should I allow access?
What else have they accessed lately?
Does this reflect past behavior?
Step-up Authentication When Warranted. Risk Score: 132.
Parameter: current pattern
Username, Password: Entered
HTTP Header: Inline with configuration
IP Address & History: Within valid range
Geo Location: Standard location
Known Cookie: Valid cookie
Device Fingerprint: Valid device fingerprint
Last Login Cookie: Login from last used device present
User Attributes: Valid user attributes
Risk Too High for the Business. Risk Score: 321.
Parameter: current pattern
Username, Password: Entered
HTTP Header: Request contains different values in header field
IP Address & History: Different IP address with no history
Geo Location: Suspect location
Known Cookie: Not sure
Device Fingerprint: Not determined
Last Login Cookie: No cookie present
User Attributes: Valid user attributes
Risk-Based Authentication: managing risk to information with contextual information.
Contextual inputs to the Risk Engine: IP Address, Geolocation, User Profile, External Parameters, HTTP Headers, User Cookies, Device ID, User History.
Information being protected: Regulated (finance, healthcare, retail), Customer data, Financial (internal, customer, partner), Intellectual property, Internal emails, Partner collaboration / supply chain, Classified data.
Assurance levels and outcomes: Low risk, Allow Access; Medium Risk, Step-up Authentication; High Risk, Deny Access.
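As an added illustration of the contextual scoring the slides above describe (not Access Manager's own code or policy), the block below scores a login from the slide's parameters and maps the score to allow, step-up or deny. The weights, thresholds and the three sample login contexts are constructed assumptions; the slide's 132 and 321 scores are not reproduced.

```python
# Constructed illustration of a contextual risk engine using the parameters
# on the slides (HTTP header, IP history, geolocation, cookies, device
# fingerprint, user attributes). Weights, thresholds and sample logins are
# assumptions for this example, not Access Manager's actual scoring.
from enum import Enum

class Signal(Enum):
    OK = "ok"              # parameter matches known history / configuration
    UNKNOWN = "unknown"    # could not be determined (e.g. no cookie present)
    MISMATCH = "mismatch"  # contradicts known history / configuration

# Constructed penalty weights: (points if UNKNOWN, points if MISMATCH).
WEIGHTS = {
    "http_header":        (10, 40),
    "ip_history":         (30, 80),
    "geo_location":       (30, 90),
    "known_cookie":       (20, 40),
    "device_fingerprint": (25, 50),
    "last_login_cookie":  (15, 25),
    "user_attributes":    (20, 60),
}
# Assumed policy: score bands for the three assurance levels on the slide.
LOW_MAX, MEDIUM_MAX = 50, 200

def risk_score(password_ok: bool, signals: dict) -> int:
    """Add a penalty for every contextual parameter that is not OK.
    A parameter missing from the input counts as UNKNOWN, never as OK."""
    if not password_ok:
        return 1000  # primary credential failed; context cannot lower that
    score = 0
    for name, (unknown_w, mismatch_w) in WEIGHTS.items():
        sig = signals.get(name, Signal.UNKNOWN)
        if sig is Signal.UNKNOWN:
            score += unknown_w
        elif sig is Signal.MISMATCH:
            score += mismatch_w
    return score

def decide(score: int) -> str:
    """Low risk -> allow, medium -> step-up authentication, high -> deny."""
    if score <= LOW_MAX:
        return "allow"
    return "step_up" if score <= MEDIUM_MAX else "deny"

# Constructed logins: the two slide scenarios plus a "same user, new device" case.
TRUSTED = {k: Signal.OK for k in WEIGHTS}
NEW_DEVICE = dict(TRUSTED, known_cookie=Signal.UNKNOWN,
                  device_fingerprint=Signal.UNKNOWN, last_login_cookie=Signal.UNKNOWN)
SUSPECT = dict(NEW_DEVICE, http_header=Signal.MISMATCH,
               ip_history=Signal.MISMATCH, geo_location=Signal.MISMATCH)
```

Run with the three contexts: the trusted login scores 0 and is allowed, the new-device login scores 60 and triggers step-up, and the suspect login scores 270 and is denied.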
Definition of risk policy
Advanced Authentication methods: FIDO U2F, PIN Code, Live Ensure, Voice Bio, Soft Token, Emergency, HSM, Challenge, NFC, Face Biometric, Hard Token, LDAP Password, SMS, Fingerprint, RFID, Email OTP, Smartphone, Voice Call, LDAP, PKI.
Social Identity
Social Networks Will Become Identity Brokers / Providers. By end of 2015, 30% of all new retail customer identities will be based on social network identities. Today identity is delivered by the enterprise. If you look at business partners and customers, identities may come from somewhere else. In a decade or so, depending on the mobility of the social media environment and our ability to build an enterprise-class shell around that identity, they could become the dominant identity providers.
Social identity out of the box.
Analytics Dashboard
Analytics Dashboard.
Analytics Server and Reporting.
Report User Login Contract Summary.
Advanced Authentication
Long-term theft and damage: the incidents that take the longest to discover were these inside jobs... (these took) months or longer to discover... Time to discover: over 80% took weeks or more to discover. Time to compromise: over 90% happened in seconds or minutes. Source: Verizon Data Breach Investigation Report, 2016
'One billion' affected by Yahoo hack.
Have I Been Pwned? https://haveibeenpwned.com
The Numbers are Staggering
Preventive and Detection Controls are Needed. Identity and access are preventative controls, and they always have vulnerabilities. Also, people with legitimate access misbehave. Insider threat can't be avoided with preventative controls only. Our customers need monitoring to ensure identity and access are functioning correctly.
The three pillars of Authentication.
Advanced Authentication. Solution with multiple authentication methods: smart cards, biometrics, smartphone, RADIUS protocol, hardware tokens, question / answers, voice call and SMS. Authentication chains combining multiple factors. Integrated with the login of Microsoft Windows, Linux and Apple macOS. Software appliance with easy deployment. Designed for high availability environments. Open API to integrate with third-party solutions.
Administration dashboard
Administration dashboard.
User self-service interface
User self-service interface.
Helpdesk dashboard
Helpdesk dashboard.
Responsive Web Design
Interface for Smartphones and Tablets.
NetIQ Auth App
Smartphone Authentication App.
Interoperability of the solution.
Integration with Microsoft Windows.
Integration with Linux.
Integration with Apple macOS.
Integration with web applications.
Integration with RADIUS protocol.
Analytics Dashboard
Analytics Dashboard.
www.microfocus.com