Top Reasons To Audit An IAM Program
Bryan Cook, Focal Point Data Risk

Focal Point Data Risk: A New Type of Risk Management Firm

THE FACTS
- Born from the merger of three leading security & risk management firms: Sunera, ANRC and APTEC
- A collaboration of industry-leading expertise in cyber security, identity governance and access management, data privacy and analytics, internal audit, and hands-on training services
- 17 offices in the US & Canada
- Over 400 FTEs with more than 30 different industry certifications
- Largest pure-play risk management firm focused exclusively on helping organizations protect and leverage their data
- We are the next generation of risk
Identity and Access Management (IAM)
- Automates the processes associated with granting employees and third parties access to critical systems.
- A set of processes and a supporting infrastructure for the creation, maintenance and use of digital identities.
- Involves people, process and technology
- Applicable to internal and external users
- Invokes the principle of least privilege
- Enables a manageable account life-cycle for every user
- Access to applications based on role and policy
- Meets regulatory requirements

IAM Overview

Directory Services: components that store and manage user identity in a structured format and synchronize identity data and attributes between other systems.
- LDAP directory services
- Virtual directory services
- Network operating system directory (Active Directory)

Access Management: authentication and authorization to applications for users based on roles, rules and policies.
- Web Single Sign-On (Web SSO)
- Federated Authentication
- Role Based Access Control (RBAC)

Provisioning: automation of the processes that provide users with the necessary resources, at the appropriate level of authorization, to perform their role in the organization.
- Workflow-based provisioning and de-provisioning of accounts and entitlements
- Password management and self-service
- Auditing and reporting
Business Objectives
- Simplify administration
- Increased security
- Regulatory compliance
- Increased user satisfaction and productivity
- Cost measurement / management
- Infrastructure responsive to new business requirements

Why is it Important?

Security is crucial
- Fragmented implementation and operations increase risk
- Intellectual property is extremely valuable
- Institutions are popular targets for breaches and data losses

Compliance is not optional
- SOX, HIPAA, FERPA, FISMA, and now GDPR are the law

Cost containment is a reality
- Need to provide high levels of value while managing operations costs

Positive user experience is necessary
- Seamless access to applications and resources across departments, divisions and locations
- Ease of credential management, move to one ID / one password
- Extending services means happier affiliates
- Improved speed of deployments promotes a more productive environment and enhances institutional reputation
The Risks
- 63% of 2,260 confirmed data breaches leveraged weak, default, or stolen passwords.
- Captured credentials remain the most efficient and undetected technique for compromising an enterprise.
Source: Verizon DBIR 2016, M-Trends 2016, Cisco 2016 Midyear Security Report

Cyber Criminals Compromise Weak Security
Top Reasons to Perform an IAM Audit
- Evaluate the current state of your identity and access management (IAM) processes, controls, and supporting technologies
- Benchmark your current processes and controls against best practices and accepted frameworks
- Provide documentation and rationale for budget approval
- Provide executive management with assurance over the current IAM program
- Baseline your current environment and track progress over time using repeatable and customizable audits

IAM Assurance Domains
- Risk Assessment
- IAM Policies & Procedures
- Exemptions from IAM Policies
- Technical Standards & Safeguards
- IAM Strategy
- Central Authentication System
- Authentication Practices
- Identity Repository
- Unique Identity
- Access Policy
- User Provisioning
- User Termination and Transfer
- Single Sign-On (SSO)
- Federated IAM (if used)
Audit Methodology
Audit programs should be based on best practices and aligned to leading standards and frameworks in the governance and security space.

Control Example
Control: The organization has defined a trusted source for all identity verification, usually HR and the HR employee database.

Framework               Mapped control
COBIT 5.0               DSS05.04 (Manage User Identity and Logical Access)
NIST SP800-53r4         IA-2 (Identification and Authentication)
ISO/IEC 27001:2013      A.9.2 (User Access Management)
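One way an auditor can test the trusted-source control above together with the User Provisioning, User Termination and Unique Identity domains is to reconcile a directory export against the HR feed. This is an added example, not code from the slides; the HR feed, the directory export and every field name are constructed for illustration.

```python
"""Reconcile a directory export against the HR trusted source.

Added example (not from the original slides). The HR feed and directory
export below are constructed; real audits would load them from the HR
system of record and the directory (e.g. an LDAP/AD export).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    status: str          # "active" or "terminated" in the constructed feed


@dataclass(frozen=True)
class Account:
    account: str
    employee_id: str     # "" when the account is not tied to a person
    enabled: bool


def reconcile(hr, accounts):
    """Return finding name -> sorted account names that violate the control."""
    hr_by_id = {r.employee_id: r for r in hr}
    findings = {"orphan": [], "terminated_enabled": [], "duplicate_identity": []}
    owners = {}  # employee_id -> accounts claiming that identity
    for a in accounts:
        if not a.employee_id or a.employee_id not in hr_by_id:
            # No owner in the trusted source: orphan, or an undocumented exemption
            findings["orphan"].append(a.account)
            continue
        if hr_by_id[a.employee_id].status == "terminated" and a.enabled:
            findings["terminated_enabled"].append(a.account)  # termination gap
        owners.setdefault(a.employee_id, []).append(a.account)
    for names in owners.values():
        if len(names) > 1:
            findings["duplicate_identity"].extend(names)  # one person, many IDs
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample data
HR_FEED = [HrRecord("1001", "A. Lee", "active"),
           HrRecord("1002", "B. Diaz", "terminated"),
           HrRecord("1003", "C. Roy", "active")]
DIRECTORY = [Account("alee", "1001", True), Account("bdiaz", "1002", True),
             Account("croy", "1003", True), Account("croy2", "1003", True),
             Account("svc_backup", "", True), Account("ghost", "9999", False)]

if __name__ == "__main__":
    for finding, names in reconcile(HR_FEED, DIRECTORY).items():
        print(f"{finding}: {names}")
```

Each non-empty finding list is an audit exception to trace back to either a documented exemption (the Exemptions from IAM Policies domain) or a process failure.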
Maturity Model Deliverable
Note: Based on the ISO/IEC 15504 process capability assessment model

Why a Phased Approach is Helpful

Avoid Risk
- Minimize intrusiveness on end users and admins
- Minimize scope creep
- Provide long testing and certification cycles

Early Results
- Deploy updated infrastructure early, stabilize and perform extensive validation testing
- Acclimate core team members to new / updated technologies as soon as possible

Be Pragmatic
- Limited resources to apply to the initiative; resources are heavily loaded
- Fit within the framework of other projects and existing organizational constraints

Contain Costs
- Knowledge transfer to extended team members throughout the project
- Recommend the extended team take ownership and perform tasks where possible
QUESTIONS?

Contact Us
Bryan Cook
bcook@focal-point.com
214-226-8410