Access Governance in a Cloudy Environment. Nabeel Nizar VP Worldwide Solutions

Transcription:

Access Governance in a Cloudy Environment (slide 1)
Nabeel Nizar, VP Worldwide Solutions Engineering
@nabeelnizar, Nabeel.Nizar@saviynt.com

Questions the deck sets out to answer (slide 2):
- How do I manage multiple cloud instances from a single place?
- Is my sensitive data already on cloud?
- How do I keep up with the changing IT landscape?
- Who are the privileged users on Cloud?
- Who is doing what on cloud?
- How do I know if a workload is approved by business?

Cloud Security Concerns: Data Platforms (slide 3)
- Data platforms support DAC (the Discretionary Access Control model): any user with Read rights to a file can share it with anyone else, internally or externally.
- Files can be set up by end users to be open to everyone on the Internet.
- A link for a file can be generated and shared anonymously with any number of users, with no tracking.
- There is no other data exfiltration point (email or USB) that can be protected the way a traditional enterprise does: if people have access to the data, they can log in from anywhere and download it, print it, or take a picture.
- Encryption of data only protects against the provider being compromised, not against an authorized account.

Cloud Security Concerns: Infrastructure Platforms (slide 4)
- The risk of not managing access is very high: one mistake or one compromised account can bring down the entire data center in seconds.
- Infrastructure as a Service has a very complex architecture and associated security models because of the number of services provided; Amazon released 200+ capabilities / services in 2015.
- Infrastructure as a Service includes servers (of different types), databases, storage space, etc. For infrastructure, access management has to be extended to entities (servers, DBs, etc.), not just users.
- Companies also have multiple AWS / Azure accounts with no visibility or management across accounts.
- Access to all services is controlled through policies (in AWS), which are JSON objects. Security and audit have no real resolution of the policies and what access they provide unless they read the JSON objects.
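The last point, that an auditor has to read the raw JSON to know what an AWS policy grants, is exactly the kind of gap a governance tool closes by flattening each statement into "who may do what, where" and flagging the grants that deserve review. The Python below is an added example written for this page, not Saviynt's connector: it walks a policy document using the public IAM policy grammar (Version / Statement / Effect / Action / Resource / Condition), normalises the string-or-list fields, and reports wildcard actions, wildcard resources, allow-by-exclusion (NotAction / NotResource) and unconditioned grants. The policy it analyses is constructed for the example.

```python
"""Summarise what an AWS IAM policy document grants, so audit can read the
result instead of the JSON. Added example, not Saviynt's code; the policy
below is constructed and follows the public IAM policy grammar."""
import json

# Constructed sample policy: one tight statement, one over-broad one, one Deny.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "DenyDeletes", "Effect": "Deny",
         "Action": ["s3:DeleteBucket"], "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a bare string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def summarize_policy(policy_json):
    """One row per statement: effect, services, actions, resources and the
    findings a reviewer wants flagged (wildcards, exclusions, no Condition)."""
    doc = json.loads(policy_json)
    rows = []
    for stmt in _as_list(doc.get("Statement")):
        actions = _as_list(stmt.get("Action")) + _as_list(stmt.get("NotAction"))
        resources = _as_list(stmt.get("Resource")) + _as_list(stmt.get("NotResource"))
        findings = []
        if stmt.get("Effect") == "Allow":
            if any(a == "*" for a in actions):
                findings.append("allows every action")
            elif any(a.endswith(":*") for a in actions):
                findings.append("allows every action in a service")
            if any(r == "*" for r in resources):
                findings.append("applies to every resource")
            if "NotAction" in stmt or "NotResource" in stmt:
                findings.append("uses NotAction/NotResource (allow-by-exclusion)")
            if findings and "Condition" not in stmt:
                findings.append("no Condition limits the grant")
        rows.append({
            "sid": stmt.get("Sid", ""),
            "effect": stmt.get("Effect"),
            "services": sorted({a.split(":")[0] for a in actions}),
            "actions": actions,
            "resources": resources,
            "findings": findings,
        })
    return rows


def risky_statements(policy_json):
    """Sids of Allow statements that carry at least one finding."""
    return [r["sid"] for r in summarize_policy(policy_json) if r["findings"]]


if __name__ == "__main__":
    for row in summarize_policy(SAMPLE_POLICY):
        print(f"{row['sid'] or '<no sid>'}: {row['effect']} "
              f"{', '.join(row['actions'])} on {', '.join(row['resources'])}")
        for finding in row["findings"]:
            print(f"   ! {finding}")
```

Run against a real account the same routine would be fed every customer-managed and inline policy pulled through the IAM API, and the "TooBroad"-style rows are the ones that belong in a high-risk certification campaign; Deny statements are listed but never flagged, since they only narrow access.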

Cloud Security Concerns: Applications as a Service (slide 5)
- Your most critical data (customer data, HR data, financial data in some cases, CMDB) is in cloud applications.
- Logs from cloud applications are limited; access is the primary security control.
- It is not easy to tell who really has access to what in cloud applications: roles and profiles are managed by the business in most cases, with no standard structure deployed.
- Most companies are synchronizing access with Active Directory and doing single sign-on. That is not enough:
  - no management of high-privileged users for these applications;
  - no implementation of segregation of duties for critical data sitting in these applications.

Cloud Identity Governance Capabilities (slide 6)
Who has access to what, and who is doing what, across cloud applications, data and infrastructure: import fine-grained access permissions and usage activity.
- Continuous Controls Monitoring: out-of-box controls for all major cloud application, collaboration and infrastructure vendors.
- Preventative Access Controls: intercepting access grants to files or roles, and evaluating new instances being spun up against business policies.
- High Risk Access and Usage Certification: certification of critical data access, orphan and critical infrastructure components, and fine-grained application entitlements.
- Data Classification: content-, identity-, access- and usage-based classification of data on the cloud.
- Easy Access Request and Provisioning: a standardized and easy way to request specific access to cloud applications.
- Segregation of Duty / Business Policy Implementation: implementation of business policies and segregation of duties across all cloud providers.
- User Behavior and Security Analytics: advanced behavior-based models to detect anomalous user and system behavior.

Evolution of IGA: 2.0 addresses today's and future business requirements (slide 7)
Current state (IGA 1.0) versus future state (IGA 2.0):
1. Limited to coarse-grained and flat access management -> Hierarchical fine-grained entitlement model
2. No support for unstructured data or workloads -> Managed resources can be data / workloads / transactions / functions
3. No real-time preventive access control -> Deep integration with cloud applications and infrastructure
4. Cannot easily scale to hundreds of objects, privileges, entitlements -> Intelligence analytics, risk-based IAM processes

Extend IGA to secure critical assets in Cloud IaaS / SaaS / PaaS (slide 8)
Three rings of questions:
- Visibility: Who has access to what? Is there sensitive data? Vulnerable workloads? Who are my riskiest users?
- Protect: How can I ensure appropriate access at all times? Can I enforce SOD rules and security policies? How can I secure, in real time, access to sensitive data or critical workloads?
- Manage: How do I stay clean? Can I stay ahead of new threats? Is this activity suspicious?

Step 1: 360° view of user access, data and activity across Cloud (slide 9; repeats the Visibility / Protect / Manage questions of slide 8)

Scalable security warehouse to consolidate user access, data and activity across Cloud and Enterprise (slide 10)
Diagram: the Security Warehouse consolidates
- Accounts (e.g. Jdoe, J.doe, JohnD)
- Data: PDF, DOC, IP, code, S3
- Access: sites / lists / folders; IAM groups and permissions; opportunities and permission sets
- Activity: audit, CloudTrail logs, CloudWatch, usage

Understanding how final access has been derived is crucial for provisioning (slide 11)

Gain better visibility by identifying the riskiest users with classification ... (slide 12)
Classification signals: PCI / PHI / PII, intellectual property, source code, custom tags, regex; VPC, open ports, configuration, tags.

... combining with access outlier / User Behavior Analytics (UBA) (slide 13)
Cohesiveness: do people within a peer group have any access in common?
Figure: peer groups for John Doe (JobKey 30003509, Division Asset Mgt, Dept. Funds, Manager J. Smith, Title Funds Analyst) with cohesiveness scores between 64% and 96%.
Not only identify who has access to sensitive data, but identify whose access is an outlier, resulting in a prioritized and risk-based approach to remediation.

Step 2: Actively secure critical assets on IaaS / SaaS / PaaS (slide 14; repeats the Visibility / Protect / Manage questions of slide 8)

Leverage role and rule mining techniques enhanced with usage analytics (slide 15)
- Derive enterprise roles and application-level roles.
- Derive common attributes from users with similar entitlements to arrive at rules.
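The peer-group cohesiveness and outlier idea of slide 13 and the role / rule mining of slide 15 both work from the same user-to-entitlement matrix, so one worked example covers both. The Python below is added for this page and is not Saviynt's analytics: the users, attributes and entitlement names are constructed, and the cohesiveness definition (share of a user's entitlements that at least half of their peers also hold) and the thresholds `common` and `support` are the example's own choices.

```python
"""Peer-group access outliers, and role/rule mining, over a user-entitlement
matrix. Added example, not the presenter's tooling; the users, attributes,
entitlements and thresholds are constructed for illustration."""
from collections import Counter, defaultdict

# Constructed sample: four Funds analysts share a common set; jdoe also holds
# a trade-approval entitlement that no peer has. Two ops users form a second group.
USERS = {
    "jdoe":   {"jobkey": "30003509", "dept": "Funds"},
    "jsmith": {"jobkey": "30003509", "dept": "Funds"},
    "alee":   {"jobkey": "30003509", "dept": "Funds"},
    "bkim":   {"jobkey": "30003509", "dept": "Funds"},
    "ops1":   {"jobkey": "40000001", "dept": "Operations"},
    "ops2":   {"jobkey": "40000001", "dept": "Operations"},
}
ENTITLEMENTS = {
    "jdoe":   {"fund_ledger_read", "report_portal", "s3:research-bucket", "trade_approve"},
    "jsmith": {"fund_ledger_read", "report_portal", "s3:research-bucket"},
    "alee":   {"fund_ledger_read", "report_portal", "s3:research-bucket"},
    "bkim":   {"fund_ledger_read", "report_portal"},
    "ops1":   {"report_portal", "iam:admin"},
    "ops2":   {"report_portal", "iam:admin"},
}


def peer_groups(users, attribute):
    """Group user ids by one attribute (job key, department, manager, ...)."""
    groups = defaultdict(list)
    for uid, attrs in users.items():
        groups[attrs[attribute]].append(uid)
    return groups


def entitlement_frequency(member_ids, entitlements):
    """Fraction of the given members holding each entitlement."""
    counts = Counter()
    for uid in member_ids:
        counts.update(entitlements[uid])
    return {ent: c / len(member_ids) for ent, c in counts.items()}


def _peers(uid, users, attribute):
    return [p for p in peer_groups(users, attribute)[users[uid][attribute]] if p != uid]


def cohesiveness(uid, users, entitlements, attribute, common=0.5):
    """Share of a user's entitlements that are 'common' in their peer group,
    i.e. held by at least `common` of the peers other than the user."""
    peers = _peers(uid, users, attribute)
    if not peers or not entitlements[uid]:
        return 1.0
    freq = entitlement_frequency(peers, entitlements)
    shared = sum(1 for e in entitlements[uid] if freq.get(e, 0.0) >= common)
    return shared / len(entitlements[uid])


def access_outliers(users, entitlements, attribute, common=0.5):
    """(user, cohesiveness, outlier entitlements), lowest cohesiveness first:
    the entitlements no majority of peers holds are the review candidates."""
    result = []
    for uid in users:
        peers = _peers(uid, users, attribute)
        freq = entitlement_frequency(peers, entitlements) if peers else {}
        rare = sorted(e for e in entitlements[uid] if freq.get(e, 0.0) < common)
        result.append((uid, round(cohesiveness(uid, users, entitlements, attribute, common), 2), rare))
    return sorted(result, key=lambda r: r[1])


def mine_roles(users, entitlements, attribute, support=0.75):
    """Role mining: per peer group, the candidate role is the set of entitlements
    held by at least `support` of its members; the rule is 'attribute == value -> role'."""
    roles = {}
    for value, members in peer_groups(users, attribute).items():
        freq = entitlement_frequency(members, entitlements)
        roles[f"{attribute}={value}"] = frozenset(e for e, f in freq.items() if f >= support)
    return roles


if __name__ == "__main__":
    for uid, score, rare in access_outliers(USERS, ENTITLEMENTS, "jobkey"):
        print(f"{uid:7s} cohesiveness={score:.2f} outlier entitlements={rare}")
    for rule, role in mine_roles(USERS, ENTITLEMENTS, "dept").items():
        print(f"rule {rule} -> role {sorted(role)}")
```

On the sample data jdoe comes out with cohesiveness 0.75 and `trade_approve` as the outlier entitlement, which is the item a risk-based certification would put in front of the manager first; the mined Funds role contains the three entitlements that at least 75% of the department holds and leaves the one-off out, which is the behaviour you want before a role is promoted to auto-provisioning.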

Combine policies and roles (ABAC and RBAC) to achieve a flexible security model and reduce end-user impact with automation (slide 16)
A switch determines whether an access request is auto-submitted or automatically granted when all conditions are met.

Extend policies to provision access to data, transactions and workloads (slide 17): data access policies and infrastructure access policies.

... and enforce in real time to protect sensitive assets (slide 18)
Flow on an Office 365 tenant:
1. The user uploads a document on Office 365.
2. The Saviynt real-time security plug-in on the Office 365 tenant listens for selective events.
3. Saviynt performs data classification and risk analysis.
4. The user shares the document internally or externally / assigns permissions.
5. Saviynt validates and executes the data access policy (sends for additional approvals / remediation / encrypt, remove share URL, etc.).
6. The document is released to the end user based on the approval decision, or when there is no violation of the data access policy.
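The enforcement flow above, together with the DAC sharing concern of slide 3 and the classification signals of slide 12, comes down to three pieces: classify the content, map the share scope (internal / external / anyone with the link) and the labels to a policy action, and release or remediate. The Python below is an added example written for this page, not Saviynt's plug-in: the regex signatures, the custom-tag handling, the policy table, the severity ordering and the share events are all constructed, and the Luhn check on card-number candidates is the example's own choice to keep regex false positives out of the PCI label.

```python
"""Classify an uploaded document and decide what a share event is allowed to
do: upload -> classify -> share -> validate policy -> release or remediate.
Added example, not Saviynt's plug-in; patterns, policies, events are constructed."""
import re

# Classification signatures (constructed, illustrative): regex plus custom tags.
PATTERNS = {
    "PCI": re.compile(r"\b(?:\d[ -]?){13,16}\b"),        # card-number-like digit runs
    "PII": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # US SSN layout
    "PHI": re.compile(r"\b(?:diagnosis|patient id)\b", re.I),
    "IP":  re.compile(r"\b(?:PROPRIETARY|TRADE SECRET)\b"),
}
SOURCE_CODE_HINTS = ("def ", "#include", "import ", "public class")

# Data access policies: (label, share scope) -> required action.
# Scopes follow the DAC concern of slide 3: internal, external, anyone (open link).
SEVERITY = ["allow", "approval", "encrypt", "remove_link"]   # least to most restrictive
POLICIES = [
    ("PCI", "external", "remove_link"), ("PCI", "anyone", "remove_link"),
    ("PII", "external", "approval"),    ("PII", "anyone", "remove_link"),
    ("PHI", "external", "encrypt"),     ("PHI", "anyone", "remove_link"),
    ("IP",  "external", "approval"),    ("IP",  "anyone", "remove_link"),
    ("SOURCE_CODE", "anyone", "remove_link"),
]


def luhn_ok(candidate):
    """Luhn checksum on a card-number-like string, to cut regex false positives."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text, custom_tags=()):
    """Set of labels the document carries: content signatures plus custom tags."""
    labels = set()
    for name, rx in PATTERNS.items():
        if name == "PCI":
            if any(luhn_ok(m.group()) for m in rx.finditer(text)):
                labels.add(name)
        elif rx.search(text):
            labels.add(name)
    if any(hint in text for hint in SOURCE_CODE_HINTS):
        labels.add("SOURCE_CODE")
    labels.update(custom_tags)
    return labels


def evaluate_share(labels, scope):
    """Most restrictive action among the policies matching the labels and scope."""
    actions = [act for lab, sc, act in POLICIES if lab in labels and sc == scope]
    if not actions:
        return "allow"
    return max(actions, key=SEVERITY.index)


def handle_event(event, custom_tags=()):
    """Process one share event and return the decision record for the audit trail."""
    labels = classify(event["content"], custom_tags)
    action = evaluate_share(labels, event["scope"])
    return {"doc": event["doc"], "labels": sorted(labels), "scope": event["scope"],
            "action": action, "released": action == "allow"}


# Constructed share events (content shortened to what the classifier needs).
EVENTS = [
    {"doc": "q3-report.docx", "scope": "internal",
     "content": "Q3 fund performance summary, no restricted data."},
    {"doc": "cards.xlsx", "scope": "anyone",
     "content": "Customer card list: 4111 1111 1111 1111, 5500 0000 0000 0004"},
    {"doc": "onboarding.pdf", "scope": "external",
     "content": "New hire SSN 123-45-6789 for payroll"},
    {"doc": "parser.py", "scope": "anyone",
     "content": "import re\ndef parse(x): return x"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(handle_event(ev))
```

The decision record is what the plug-in would hand back to the tenant (remove the share URL, route to approval, encrypt, or release) and what lands in the audit log; keeping `SEVERITY` explicit means two overlapping policies always resolve to the stricter one rather than to whichever was listed last.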

Step 3: Threats evolve, so should security (slide 19; repeats the Visibility / Protect / Manage questions of slide 8)

Automate access control with identity event-based provisioning policies and access requests (slide 20)

Include sensitive Cloud assets in risk-based outlier access certification processes (slide 21)
- Certify only 5-10% of entitlements and access to obtain > 80% of revokes.
- Eliminate rubber stamping.
- Improve the end-user experience with access risk decision tools.

Continuously detect weak points in your Cloud infrastructure and take corrective action with extensive risk signatures (slide 22)

Leverage event rarity and behavior analytics on user activity (behavior profile) (slide 23)

... to quickly isolate risky actions and integrate IGA processes with security incident management processes (slide 24)
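"Event rarity" on a behavior profile means: build, per user, a history of which actions, sources and times of day they normally generate, then score each new activity record by how surprising it is against that history, and hand the high scores to incident management. The Python below is an added example written for this page, not Saviynt's analytics: the CloudTrail-style records are constructed, and the scoring (surprisal in bits with add-one smoothing, summed over action, source region and time bucket, plus an organisation-wide "never seen anywhere" check) is the example's own choice.

```python
"""Event-rarity scoring over consolidated cloud activity records
(user, action, source region, hour of day). Added example, not Saviynt's
analytics; the history and the scoring rule are constructed for illustration."""
import math
from collections import Counter, defaultdict

# Constructed history: jdoe reads S3 during business hours from us-east-1,
# jsmith reads S3 and occasionally creates access keys.
HISTORY = (
    [("jdoe", "s3:GetObject", "us-east-1", h) for h in (9, 10, 11, 14, 15, 16) * 5]
    + [("jdoe", "s3:ListBucket", "us-east-1", 9)] * 10
    + [("jsmith", "s3:GetObject", "us-east-1", 10)] * 20
    + [("jsmith", "iam:CreateAccessKey", "us-east-1", 10)] * 2
)


def hour_bucket(hour):
    """Coarse time-of-day bucket so 09:00 and 10:00 look alike to the profile."""
    return "business" if 8 <= hour < 18 else "off_hours"


def build_profiles(history):
    """Per user: event count and how often each feature value was seen."""
    profiles = defaultdict(lambda: {"n": 0, "action": Counter(),
                                    "source": Counter(), "time": Counter()})
    for user, action, source, hour in history:
        p = profiles[user]
        p["n"] += 1
        p["action"][action] += 1
        p["source"][source] += 1
        p["time"][hour_bucket(hour)] += 1
    return profiles


def global_actions(history):
    """Organisation-wide action counts: the peer baseline for 'never seen anywhere'."""
    return Counter(action for _, action, _, _ in history)


def rarity(profile, feature, value):
    """Surprisal in bits of this value for this user, with add-one smoothing so
    never-seen values are finite but score highest."""
    k = profile[feature][value]                       # Counter: 0 when unseen
    p = (k + 1) / (profile["n"] + len(profile[feature]) + 1)
    return -math.log2(p)


def score_event(profiles, event, org_actions):
    """Rarity score and human-readable reasons for one activity record."""
    user, action, source, hour = event
    profile = profiles.get(user)
    if profile is None:
        return {"user": user, "action": action, "score": float("inf"),
                "reasons": ["no behavior profile for user"]}
    observed = {"action": action, "source": source, "time": hour_bucket(hour)}
    score = sum(rarity(profile, f, v) for f, v in observed.items())
    reasons = [f"{f} '{v}' never seen for this user"
               for f, v in observed.items() if profile[f][v] == 0]
    if org_actions[action] == 0:
        reasons.append("action never seen in organisation")
    return {"user": user, "action": action, "score": round(score, 2), "reasons": reasons}


def triage(profiles, events, org_actions, threshold=10.0):
    """Events at or above the threshold, riskiest first: the hand-off to incident management."""
    scored = [score_event(profiles, e, org_actions) for e in events]
    return sorted((s for s in scored if s["score"] >= threshold), key=lambda s: -s["score"])


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    org = global_actions(HISTORY)
    new_events = [("jdoe", "s3:GetObject", "us-east-1", 10),
                  ("jdoe", "iam:DeleteUser", "eu-west-3", 3),
                  ("jsmith", "iam:CreateAccessKey", "us-east-1", 10)]
    for rec in triage(profiles, new_events, org):
        print(rec)
```

The off-hours `iam:DeleteUser` from a region jdoe has never used scores far above the threshold on all three features and is also unknown organisation-wide, while jsmith's occasional key creation stays below it because it is part of that user's own baseline; the reasons list is what makes the alert actionable when it reaches the incident queue.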

Easy and Intelligent Access Request (slide 26)
Role-based modular screen layout with: access request (for self), access request (for others), new user registration (delegated / central), update user profile, approvals, password management, infrastructure / badge request, service account request.

Intelligent Access Request Dashboard (slide 27)

Application as a Service Dashboard (slide 28)

Detailed dashboards highlighting risks and events for each application (slide 29)

Comprehensive controls to detect weak points in your Cloud infrastructure and take corrective action (slide 30)

Centralize, extend, be smart: a holistic security architecture provides better visibility, better detection, and optimizes cost (slide 31)
Cloud Access Governance and Intelligence, across cloud, on-premise and managed environments, covering B2E, B2C and B2B IAM:
- Continuous Controls Monitoring
- Intelligent Access Request / Review
- Application SOD Management
- Role / Privilege / Policy Design & Mgmt.
- Data Access Governance
- Privilege Access Governance & Monitoring
- Infrastructure Access Governance
- Usage, Peer & Behavior Analytics
Questions it answers: Who has access to what? What does the access secure? What are they doing?
360° view of configuration security across identity, access, entitlements, controls, data, usage, audit, risk and events, for infrastructure, data and applications, cloud or enterprise.

Saviynt + Microsoft provides comprehensive enterprise IAM and cloud access governance for critical applications (slide 32)
Targets: cloud IaaS and SaaS apps (Azure, O365, Concur, AWS, Dockers, WebEx, Slack, Ariba, SAP, Oracle EBS, Workday, SFDC), AD / Azure AD, business-critical apps, physical assets.
Microsoft (identity management, security management, IDaaS + IDM): MIM + ADFS + EMS; federation / SSO / MFA; mobility management; identity management / provisioning.
Saviynt Security Manager (identity governance, IGA-aaS, integrated through REST APIs): cloud identity warehouse; intelligent access request; SOD management; compliance monitoring; risk-based certification; identity & usage analytics; role / rule engineering + management; fine-grained provisioning connectors.

Questions?