How Threat Modeling Can Improve Your IAM Solution

Similar documents
ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

The University of Queensland

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Threat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

ForeScout Extended Module for Splunk

locuz.com SOC Services

NEXT GENERATION SECURITY OPERATIONS CENTER

Building a Resilient Security Posture for Effective Breach Prevention

IBM Future of Work Forum

Using and Customizing Microsoft Threat Modeling Tool 2016

A Disciplined Approach to Cyber Security Transformation

German OWASP Day 2016 CarIT Security: Facing Information Security Threats. Tobias Millauer

Software Architectural Risk Analysis (SARA) Frédéric Painchaud Robustness and Software Analysis Group

Emerging Issues: Cybersecurity. Directors College 2015

AKAMAI CLOUD SECURITY SOLUTIONS

Cybersecurity Roadmap: Global Healthcare Security Architecture

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Practical Guide to Securing the SDLC

SIEM Solutions from McAfee

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Software Architectural Risk Analysis (SARA): SSAI Roadmap

Secure Development Lifecycle

PULLING OUR SOCS UP VODAFONE GROUP AT RSAC Emma Smith. Andy Talbot. Group Technology Security Director Vodafone Group Plc

Development*Process*for*Secure* So2ware

Guide to cyber security/cip specifications and requirements for suppliers. September 2016

Security Metrics Framework

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter

NCSF Foundation Certification

Security Incident Management in Microsoft Dynamics 365

Software Security Initiatives for Information Security Officers Marco Morana OWASP Cincinnati Chapter OWASP ISSA Cincinnati Chapter Meeting

2018 GLOBAL CHANNEL PARTNER SURVEY THYCOTIC CHANNEL PARTNER SURVEY REPORT

RSA NetWitness Suite Respond in Minutes, Not Months

Application Security Design Principles. What do you need to know?

CSWAE Certified Secure Web Application Engineer

IoT & SCADA Cyber Security Services

How To Make Threat Modeling Work For You

SIEM: Five Requirements that Solve the Bigger Business Issues

Copyright 2016 EMC Corporation. All rights reserved.

FFIEC Cybersecurity Assessment Tool

Designing and Building a Cybersecurity Program

Towards Trustworthy Internet of Things for Mission-Critical Applications. Arjmand Samuel, Ph.D. Microsoft Azure - Internet of Things

Converged Security - Protect your Digital Enterprise May 24, Copyright 2016 Vivit Worldwide

IANS Pragmatic Threat Modeling. Michael Pinch, IANS Faculty

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

March 6, Dear Electric Industry Vendor Community: Re: Supply Chain Cyber Security Practices

Addressing Vulnerabilities By Integrating Your Incident Response Plans. Brian Coates Enaxis Consulting

Securing Your Digital Transformation

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

Whiteboard Hacking / Hands-on Threat Modeling. Introduction

CISO as Change Agent: Getting to Yes

*NSTAC Report to the President on the Internet of Things.

Initiative. Copyright Techdemocracy, 2017

Threat Modeling OWASP. The OWASP Foundation Martin Knobloch OWASP NL Chapter Board

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Product Security Program

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Cybersecurity. Securely enabling transformation and change

Avanade s Approach to Client Data Protection

Building UAE s cyber security resilience through effective use of technology, processes and the local people.

Vulnerability Assessments and Penetration Testing

Device Discovery for Vulnerability Assessment: Automating the Handoff

Threat Modeling For Secure Software Design

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

NISTCSF.COM. NIST Cybersecurity Framework (NCSF) Workforce Development Solutions

Development Authority of the North Country Governance Policies

Evolution of Cyber Attacks

align security instill confidence

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Security Readiness Assessment

Certified Secure Web Application Engineer

Evolving the Security Strategy for Growth. Eric Schlesinger Global Director and CISO Polaris Alpha

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

Juniper Vendor Security Requirements

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

Interactive Remote Access FERC Remote Access Study Compliance Workshop October 27, Eric Weston Compliance Auditor Cyber Security.

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

Run the business. Not the risks.

Cyber Semantic Landscape Ontology and Taxonomy

Application Security at Scale

Cyber Resilience - Protecting your Business 1

Un SOC avanzato per una efficace risposta al cybercrime

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Securing Privileged Access Securing High Value Assets Datacenter Security Information Protection Information Worker and Device Protection

McAfee Product Security Practices

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Transcription:

How Threat Modeling Can Improve Your IAM Solution John Fehan Senior Consultant OpenSky Corporation October 2 nd, 2015

Agenda Evolution of Identity and Access Management (IAM) Solutions An sample IAM contextual architecture A functional walkthrough Security of the IAM solution Threat Modeling Benefits of Threat Modeling Summary 2

The Evolution of IAM Businesses have evolved to have many different, co ple relatio ships with custo ers, e plo ees, partners and more Businesses must now ask Who do you claim to be? How well can we confirm that? Are you allowed in? Do I know and trust your device? What attributes are associated to your identity? Should you be accessing the system at this time? Are you authorized for that transaction specifically? 3

The Evolution of IAM Todays Identity and Access Management (IAM) solutions consist of several vendor products, numerous interfaces and identity data elements all with significant impact. The fundamental goal is to Provide access per need and policy With security controls that are graduated to match the risk of the moment 4

Sample IAM Architecture Internet Web Server Zone App Server Zone DB Zone Load Balancer/ Session Control Load Balancer Target Resource Web Proxy Authentication Agent Forms Credential Collector Authentication Policy System Credential Store Challenge Question and Response Store Fraud Info Adaptive Risk Agent Adaptive Risk Engine Security Information and Event Mgt (SIEM) 5

Sample IAM Architecture Internet Web Server Zone App Server Zone DB Zone X Load Balancer/ Session Control Load Balancer Target Resource Web Proxy Authentication Agent Forms Credential Collector Authentication Policy System Credential Store Challenge Question and Response Store Fraud Info Adaptive Risk Agent Adaptive Risk Engine Security Information and Event Mgt (SIEM) 6

Sample IAM Architecture Internet Web Server Zone App Server Zone DB Zone X Load Balancer/ Session Control Load Balancer Target Resource Web Proxy Authentication Agent Forms Credential Collector Authentication Policy System Credential Store Challenge Question and Response Store Fraud Info Adaptive Risk Agent Adaptive Risk Engine Security Information and Event Mgt (SIEM) 7

Sample IAM Architecture Internet Web Server Zone App Server Zone DB Zone X Load Balancer/ Session Control Load Balancer Target Resource Web Proxy Authentication Agent Forms Credential Collector Authentication Policy System Credential Store Challenge Question and Response Store Fraud Info Adaptive Risk Agent Adaptive Risk Engine Security Information and Event Mgt (SIEM) 8

Sample IAM Architecture Internet Web Server Zone App Server Zone DB Zone X Load Balancer/ Session Control Load Balancer Target Resource Web Proxy Authentication Agent Forms Credential Collector Authentication Policy System Credential Store Challenge Question and Response Store Fraud Info Adaptive Risk Agent Adaptive Risk Engine Security Information and Event Mgt (SIEM) 9

Sample IAM Architecture Internet Web Server Zone App Server Zone DB Zone X Load Balancer/ Session Control Load Balancer Target Resource Web Proxy Authentication Agent Forms Credential Collector Authentication Policy System Credential Store Challenge Question and Response Store Fraud Info Adaptive Risk Agent Adaptive Risk Engine Security Information and Event Mgt (SIEM) 10

Sample IAM Architecture Internet Web Server Zone App Server Zone DB Zone Load Balancer/ Session Control Load Balancer Target Resource Web Proxy Authentication Agent Forms Credential Collector Authentication Policy System Credential Store Challenge Question and Response Store Fraud Info Adaptive Risk Agent Adaptive Risk Engine Security Information and Event Mgt (SIEM) 11

Sample IAM Architecture Internet Web Server Zone App Server Zone DB Zone Load Balancer/ Session Control Load Balancer Target Resource Web Proxy Authentication Agent Forms Credential Collector Authentication Policy System Credential Store Challenge Question and Response Store Fraud Info Adaptive Risk Agent Adaptive Risk Engine Security Information and Event Mgt (SIEM) 12

Sample IAM Architecture Internet Web Server Zone App Server Zone DB Zone Load Balancer/ Session Control Load Balancer Target Resource Web Proxy Authentication Agent Forms Credential Collector Authentication Policy System Credential Store Challenge Question and Response Store Fraud Info Adaptive Risk Agent Adaptive Risk Engine Security Information and Event Mgt (SIEM) 13

Sample IAM Architecture Internet OK Web Server Zone App Server Zone DB Zone Load Balancer/ Session Control Load Balancer Target Resource Web Proxy Authentication Agent Forms Credential Collector Authentication Policy System Credential Store Challenge Question and Response Store Fraud Info Adaptive Risk Agent Adaptive Risk Engine Security Information and Event Mgt (SIEM) 14

Sample IAM Architecture Internet OK Web Server Zone App Server Zone DB Zone Load Balancer/ Session Control Load Balancer Target Resource Web Proxy Authentication Agent Forms Credential Collector Authentication Policy System Credential Store Challenge Question and Response Store Fraud Info Adaptive Risk Agent Adaptive Risk Engine Security Information and Event Mgt (SIEM) 15

Sample IAM Architecture Internet Web Server Zone App Server Zone DB Zone Load Balancer/ Session Control Load Balancer Target Resource Web Proxy Authentication Agent Forms Credential Collector Authentication Policy System Credential Store Challenge Question and Response Store Fraud Info Adaptive Risk Agent Adaptive Risk Engine Security Information and Event Mgt (SIEM) 16

Security of the IAM Solution User experience must be appropriate for the particular amount of risk Keep this system working and keep it secure Common to focus on functionality and go light on the nonfunctional security review A threat modeling review for attack vectors and vulnerabilities inherent to the design is required. It must be: objective focused on the threat. 17

Threat Modeling Threat modeling is the exploration of the threats to which your environment is vulnerable in this case, the company s IAM system OCTAVE method Operationally Critical Threat, Asset, and Vulnerability Evaluation is the standard methodology. Reference: " Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process." Richard A. Caralli, James F. Stevens, Lisa R. Young, William R. Wilson. Canegie Mellon Software Engineering Institute. May 2007. 18

Threat Modeling OCTAVE Allegro methodology (image copyright SEI Canegie-Mellon University) 19

Threat Modeling The Threat Modeling approach Capture of the IAM contextual architecture; contextual level of detail is vendor agnostic Define certain environmentals and security controls Identify and resolve differences b/w design and as built Connects the conceptual vision approved by stakeholders to the technical detail typically documented and used by engineers 20

Threat Modeling The Threat Modeling approach Analyze threats Plan mitigations Contextual detail aligns everyone involved in delivery and allows threat modelers and threat modeling tools to assess natural attack vectors Track the status of each threat - not started, needs investigation, not applicable and mitigated - and adjust the priority A traceability matrix of controls to threats is maintained 21

Threat Modeling Threats are organized by Microsoft s Security Development Lifecycle (SDL) STRIDE categories: Spoofing Tampering Repudiation Information Compromise Denial of Service Escalation of Privilege OpenSky recommends and leverages STRIDE in combination with OCTAVE Allegro in our general approach for threat modeling. These methodologies are described on the OWASP site: https://www.owasp.org/index.php/threat_risk_modeling 22

The Evolution of IAM Contextual architecture within the MS Threat Modeling tool. 23

Threat Modeling Setting properties 24

Threat Modeling Each threat can be evaluated and mitigation strategies developed. For example, the Adaptive Risk Agent may be spoofed by an attacker which could lead to information disclosure by the Challenge Question Store. 25

Threat Modeling The mitigation strategy could include the use of authentication between the Adaptive Risk Agent and the data store. 26

Benefits of Threat Modeling Organizations will be shifting from compliance to threat-oriented security programs Demonstrating the priority and value of control investments and maintenance is crucial 27

Benefits of Threat Modeling An independent list of threats that lead to a set of beneficial questions about the security of the IAM solution A mature and reasonable process for analyzing and maintaining the security posture of the IAM solution and controls A process for sound, joint prioritization and decision making related to the most important improvements to make to the security controls An improved understanding of the true as-built state of the IAM solution 28

Summary Threat modeling has emerged as an important tool for security architects Threat modeling provides valuable information to design the critical IAM systems for cyber resilience Straight-forward way to validate the security of your IAM architecture Provides a process for prioritization and sound decision making to enhance the security controls 29

The Collin College Engineering Department Collin College Student Chapter of the North Texas ISSA North Texas ISSA (Information Systems Security Association) Thank you 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback