Path Maker Security Presentation
FastPath to Success!
Identity and IT Security Management: Products and Sales Plays
April 2010
Keith Squires, President/CEO; David Wagner, VP Sales
© 2008 PathMaker Group
AGENDA
• Introduction to the new and improved PathMaker Group
• Identity and Access Management (IAM) Overview
• IT Security/Compliance Overview
• Product Reviews
• Planning and Implementation Approach
• FastPath offerings for quick sales
• Q&A
Confidentiality Notice: This document contains confidential information intended only for parties directly involved in the proposed solution. If you are not an intended recipient of this material, be advised that any reading, dissemination, forwarding, printing, copying or other use of this message or its attachments is strictly prohibited. If you have received this material in error, please notify PathMaker Group immediately and destroy this material.
Introduction
Who is PathMaker Group? Specialized IAM, IT Security/Compliance Systems Integrator
• Over 20 years delivering IT projects
– All consultants have more than 15 years IT experience
– Successful track record with long, complex engagements
• Solid relationships with IAM/Security Vendors
– IBM Business Partner since 2003
– Experience with numerous industry leading products
• Active involvement in INFOSEC/Compliance community
– Advisor for PCI/DSS Council
– CISSP-certified consultants compliant with CBK & GAISP
– Members of ISSA & ISC2
• Strong project management expertise
– PMP-certified consultants compliant with PMBOK
Why PathMaker Group?
20+ years delivering enterprise IT projects
Seven years in IAM industry working with all major vendors (IBM, CA, Oracle, Novell, RSA, Passlogix)
Known for fixing “broken” implementations
Business model is client driven not vendor driven
History of trusted advisor status with clients
Headquartered regionally (DFW Area)
New Personnel and Capabilities
Ed Higgins – VP Security Services, formerly of ACS (built the practice and worked within Fortune 500); certified CISSP, CGEIT, CISA, CISM, CHS-III, CHFI, QSA, PI
David Wagner – VP Sales; ITIL; WW Director Tivoli; WW Director LogLogic; Tivoli Security Specialist; VP Sales 5 times, etc.
PathMaker Group – Specialized IT Security Business Partner offering multiple solutions with a quick and easy sales cycle that lead to larger sales.
Expanded Role as Trusted Advisors for overall IT Security strategy
Security Assessments (HealthCheck), Penetration Tests, Requirements Assessments, Incident Response and Forensic Collections and Analysis
PCI, HIPAA, GLBA, SOX, NERC CIP assessments and remediation assistance
Packaged solutions for Log Management, Identity and Access, Vulnerability Management, Threat Management, and more
Managed Security Solutions (ISS and more)
What Drives Identity and Access Management?
IAM, Security/Compliance Overview
Managing Silos of Security
(diagram: HR Systems, Business Applications, Financial Systems, Web Portals and Windows Network, each with its own "Manage Identities and Privileges" silo; result: multiple login events / forgotten passwords)
Managing Silos of Security
(diagram, second build: the same five silos – HR Systems, Business Applications, Financial Systems, Web Portals, Windows Network – fronted by one login event and one password)
• Enterprise, Web or Federated Single Sign-On
• Self-service reset for forgotten password
Managing Silos of Security
(diagram, third build: the same five silos – HR Systems, Business Applications, Financial Systems, Web Portals, Windows Network – fronted by one login event and one password)
• Centralized Management of Identities, Event Auditing and Reporting
• Enterprise, Web, or Federated Single Sign-On
• User Provisioning
• Self-service reset for forgotten password
What Drives IT Security/Compliance?
IT Security/Compliance “Before, During and After the BOOM!”
Security Services (Proactive)
• Specialized Consulting: PCI QSA; HIPAA, SOX, GLBA; NERC CIP, FERC
• Policy and Procedures Analysis
• Security Assessment
• Identity Mgmt Assessment
• Vulnerability Assessment
• Application Assessment
• Site Assessment
• PCI Compliance
• Advanced Penetration Tests
• Compliance Managed SaaS: Log & Threat Mgmt; Vulnerability Mgmt; PCI Compliance Mgmt
Incident Response
• On-Site Response
• Situation Management
• Stabilization and Containment
• Root Cause Determination
• Process Improvement
• Evidence Handling
• Liaison to Federal Authorities
• Independent Expert Witness
Forensic Services (Reactive)
• On-site & Remote Acquisition
• Sparse Acquisition Methods
• Remote Acquisition
• Enterprise Forensics
• Fraud Investigation
• Forensic Analysis
• Binary/Malware Analysis
• Electronic Data Discovery
• Virus and Malware Remediation
• Expert Witness Testimony
Product Orientation and Positioning
Product Overviews
IBM Security Solutions Analysts Market Position
• Marketshare: Identity and Access Management – Ranked #1
• Marketshare: Web Access Management, Worldwide (FIM, TAM) – Ranked #1
• ISS Managed Security Services and Vulnerability Assessment – Ranked #1
• Identity Management (TIM, TAM, FIM, TDI, TDS) – Ranked #1
• Marketshare: Application Vulnerability Assessment (Rational AppScan) – Ranked #1
• Marketshare: Application Security Vulnerability Scanning (Rational AppScan) – Ranked #1
• Intrusion Prevention System – Ranked #1
• MQ: User Provisioning (TIM) – Leader
• Wave: ISS Managed Security Services – Leader
• Wave: User Account Provisioning and Enterprise Security Information Management – Leader
• MQ: ISS Network Security, Firewalls and Managed Services – Leader
• MQ: Web Access Management – Leader
IBM Received Highest Rating by Forrester for Enterprise Single Sign-On
The Forrester Wave™: Identity And Access Management is copyrighted by Forrester and is reused with permission. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. The complete report is available from Forrester at www.forrester.com
The Forrester Wave™: Identity And Access Management, Q4 2009 by Andras Cser, November 3, 2009
The Forrester Wave™: Identity And Access Management, Q4 2009 report rated IBM Enterprise Single Sign-On with the highest possible score, and ahead of all other competitors.
IBM Single Sign-On Solution Overview
(diagram: three SSO tiers spanning People & Identity, Application Security, and Audit & Compliance – Enterprise SSO: Tivoli Access Manager for Enterprise SSO (internal); Web SSO: Tivoli Access Manager for eBusiness (internal/external); Federated SSO: Tivoli Federated Identity Manager (external))
Typical Use Cases for Access Management
ESSO
1. Removing sign-on event when non-web platform types are required
2. Back-end integration too costly or too complex
3. Usually for employees vs. external partners/customers
TAM e-Bus
1. Removing sign-on event for web-only applications
2. Authorization model needed in addition to SSO
3. Policy engine that can be leveraged by all types of back-end apps
TFIM
1. Employee SSO to Business Partner/Company Apps
2. Customer SSO to Business Partner/Company Apps
3. Business Partner SSO to Business Partner/Company Apps
4. SOA/Web Services Security
5. Federated Provisioning
TAM E-SSO v8 Solution Overview
TAM E-SSO provides: Enterprise SSO, Two-Factor Authentication, Access and Security Workflow Automation, Fast user switching, User Access Tracking & Audit, and Centralized Identity & Policy Management, with no change to the infrastructure.
TAM E-SSO enables visibility into user activity, control over access to business assets, and automation of the sign-on process in order to drive value for our clients.
IBM Tivoli Access Manager for Enterprise SSO
Key Features
(diagram: Encentuate Platform – Profile Generation, Centralized Admin, Support & Self-Service, Audit Reporting, Directory/DB Mgmt, SOAP API; services: Context Management, User Provisioning, Enterprise SSO, Session Management, Audit & Compliance; Encentuate Integrated Management System (IMS) Server with Directory Services and TIM; AccessAgent deployed on end-user desktops, end-user web, and Citrix/Terminal Services desktops, each providing sign on/off automation, 2nd-factor authentication with XyLoc badges, and CCOW applications; Strong Authentication; Workflow Automation)
Encentuate ESSO helps:
Simplify the end user experience and improve time-to-information by eliminating the need to recall multiple user names and passwords
Facilitate compliance reporting by tracking and collating user access
Enhance security by minimizing poor end user password behavior and seamlessly integrating strong authentication form factors
Reduce Help Desk costs by lowering the number of password reset calls
IBM TAM ESSO Architecture
(diagram: Encentuate IMS Server Farm with Database Cluster, Directory Server, Applications, Provisioning Server and Web Server; clients: Desktops, Shared Workstations, Terminal Services/Citrix Server, Remote User with AccessAgent, Remote User without AccessAgent)
IBM Tivoli Access Manager (TAM) for e-business
• Centralized Authentication & Authorization – for Web-based applications
• Single Sign-On – for Web-based applications
• Rapid & Scalable Deployment – build Web apps quickly with standards-based support for J2EE
• Design Flexibility
– supports proxy or direct plug-in configuration
– rule or role-based access control
– support for leading user registries
– Advanced APIs for further customization
• Common Criteria certified
Key Features
IBM Tivoli Federated Identity Manager (FIM) family
• Most complete federated SSO in the industry
• Supports latest federated SSO protocols in the “Hub” including:
– Liberty ID-FF 1.x, SAML 1.0, 1.1, 2.0 & WS-Federation
• Provisioning for user lifecycle management
– Define, modify and remove user/group definitions
– z/OS support including RACF Pass Ticket access to CICS and IMS transactions
• Web Services & SOA Security Management
– supports complex identity mapping & mediation
• Provides Security as Services
Key Features
How Federation Works
(diagram: Web Portal and Federated Web Application, linked by Authentication and Identity Mapping)
IBM TAM/TFIM Architecture
Application Security – Service Oriented Architecture
Goals: In an SOA environment, provide secure access and federate identity across these services
• Externalize core security services from the application
• Ensure security administrators make changes, NOT developers
• Ensure changes to security are auditable
IBM solutions:
• Tivoli Federated Identity Manager
• WebSphere Enterprise Service Bus (ESB)
• WebSphere Message Broker
• WebSphere DataPower
(diagram: Requesting Application and Providing Services – IBM CICS, SAP, Microsoft, IBM WebSphere App Server, BEA WebLogic, Oracle and other applications, each carrying its own Identity & Access, mediated by IBM Tivoli Federated Identity Manager and the IBM Enterprise Service Bus)
IBM Tivoli Identity Manager (TIM)
Reduces helpdesk load by using Web self service and password reset interfaces
Cuts elapsed turn-on time and automates routine administrative tasks
Assists in addressing compliance issues
Automates business processes related to user identity lifecycle management
Centralized control and local autonomy
Enhances integration via extensive APIs
Choose to manage target systems with agents or agentless
Over 900 customers so far…
Key Features
IBM ITIM Architecture
(diagram: IBM Tivoli Identity Manager Application Server Cluster – primary and secondary app servers, each running IBM HTTP Server, WebSphere App Server, WebSphere MQ and the ITIM Application, behind a Load Balancer with WebSphere load balancing, reached by Administrators and End Users at Itim.client.com over HTTPS; Directory Server – primary and secondary LDAP servers with master–master LDAP replication; ITIM Database Servers – primary and backup DB servers (DB2, Oracle, Microsoft; JDBC; DB replication); ITIM Adapter Servers – primary and backup, with Local Adapters and Remote Adapters via IBM Tivoli Directory Integrator, adapter calls over HTTPS and native protocol; Managed Resources – AIX, Solaris, Linux, HP-UX, LDAP, DB2, Oracle, SQL, RACF, SAP, PeopleSoft, AD, Lotus Notes on Windows/UNIX/Linux/z-OS servers, agentless access via SSH (UNIX), JDBC (DB), LDAP, etc.; HR/Contractor Feed from HR DB / HR Server via .CSV, DB, DSML, Web Service, etc.)
IBM Tivoli Security Information and Event Mgmt (TSIEM)
Enables log collection and monitoring
Provides Privileged User Monitoring and Audit (PUMA)
Provides “out-of-the-box” Compliance Reporting Modules
Supports virtually any platform, db or application
Required by almost every regulation/auditor
IBM zSecure Products
Mainframe RACF administration, log collection and audit tools
Includes several components - zAdmin, zAudit, zAlert, Command Verifier, zVisual, CICS Toolkit
Only has one competitive product
Installs in hours
Free POC – Try then buy
IBM Security Virtual Server Protection for VMware
• Offers integrated threat protection for VMware vSphere™
• Provides protection for every layer of the virtual infrastructure – includes host, network, hypervisor, virtual machine (VM) and traffic between VMs
• Helps to accelerate and simplify your Payment Card Industry Data Security Standard (PCI DSS) audit
• IPS, Rootkit Detection/Quarantine, Audit (who did what)
• Auto discovery of entire VMware infrastructure
Planning and Implementation
Organizational IAM Maturity Curve
(chart: IdM Capability against Time, rising from LOW MATURITY through MEDIUM MATURITY to HIGH MATURITY; stages shown: Directory Services, Identity Integration, Web Access Mgmt/SSO/Strong AuthN, Security Monitoring/Compliance Mgmt, Centralized Provisioning, Automated Provisioning/Physical Security Integration, Password Management, Federated SSO, Role Mgmt/NAC, Automated Policy Framework)
Implementation Approaches
Sample Roadmap Phases
Phase 1 – Base Functions
• SSO profiles, Windows Reset, AD password sync
• Integrate key apps with base roles
• Advanced manual application requests using custom forms
• Advanced HR integration/automation with attribute sync
• Departmental/Market rules and notifications
• Attestation for manual applications
• Automated business rule workflows/notifications
• Provide reporting package to support critical audit requirements
Phase 2 – Extended Functions
• SSO Provisioning Manager for deploying preconfigured profiles
• Integrate all key “out of the box” platforms with base roles
• Advanced roles for key applications
• Integrate additional packaged applications
• External user provisioning
• Fine-grained web authorization using access mgmt, web services
Phase 3 – Advanced Functions
• Integrate applications requiring custom connectors
• Deploy federated identity manager for vendors, partners, customers
• Integrate provisioning/deprovisioning of physical security for badge system/building access
• Role life-cycle management
• Privileged user monitoring
How Do You Sell This Stuff?
Selling
Find the Pain! We are the trusted advisor…
Almost every client (small to large) needs one or more of the following:
Security assessment (or HealthCheck)
Annual Pen test (penetration testing helps keep the bad guys out)
Compliance help (PCI, SOX, HIPAA, GLBA, NERC)
Incident Response / Forensic Collection and Analysis
These are MUST haves NOT nice to haves
Executive office will mandate a security assessment after a security breach (malware, insider abuse, fraud, etc.)
Pen tests are required by Payment Card Industry (PCI)
Audit findings require compliance remediation (hard to comply without automation tools)
What Questions to Ask / Keys to Finding the Pain
“What keeps you up at night with regard to security or compliance?”
“What issues are you struggling with regarding security and/or compliance?”
“Have you had to respond to audit findings?”
“Has your company had a recent security breach or malware issue, loss of customer data, sensitive data disclosure incident?”
“Has your company had an insider abuse issue or expressed concerns with how to monitor privileged users, system administrators or database administrators?”
“Are you required to do an annual pen test?”
“Which compliance regulations impact your organization?”
– PCI – companies using credit card data
– SOX – financial reporting protection for any public company
– GLBA – financial institution regulations
– HIPAA – healthcare industry, concerning patient data and electronic health records
– NERC/FERC – any energy/utility or company with critical infrastructure assets
Who to approach
Chief Information Officer (CIO)
Chief Information Security Officer (CISO)
Chief Compliance Officer (CCO)
IT Security Director/Manager
IT Director
IT Security Staff
Network Operations Manager
Internal Audit
Fast, affordable services solutions . . .
Security Assessment – Three days, approx. $6,000
Pen Testing – One day, $2,500
Compliance Assessments – A few days to a few weeks, $6,000+
These small, affordable engagements almost always lead to remediation solutions which require hardware/software purchases and services engagements from IBM/PMG.
Security Assessments
Security Posture Assessments with Actionable Remediation Recommendations
Management Interviews and Questionnaire
Diagram and Documentation Review
Technical Assessment
– Architecture Reviews
– Security Policy Reviews
– Network Scans
– System Scans
– Wireless Scans
– Penetration Tests
Executive Findings Review
Actionable Recommendations
Solution Architecture and Implementations
Findings Prioritized by Risk, Mapped to Best-Practices
FastPath to Compliance
Key points
• Low-cost barrier to entry
• Fast setup
• Fast results
• Produces GREAT ROI
• Leads to BIGGER Sales!
That Lead to Fast, Affordable Software Solutions . . .
Log Management (SaaS) – $1,500 - $5,000+ monthly lease
Log Management (Buy) – $10,000 - $150,000+
Threat Management (SaaS) – $1,500 - $5,000+ monthly lease
Threat Management (Buy) – $30,000 - $150,000+
Enterprise Single Sign-on (ESSO) - $70k for 1000 users
That Lead to the Bigger Deals!
Identity and Access Management
Software - $300k+
Hardware - $100k+
Services - $300k+
Typical deal size $500k to $1M+
FastPath to TSIEM (Out-of-Box Reporting, Regulatory Compliance)
FastPath to ESSO (Turn-key Single Sign-on for Three Applications)
FastPath to ITIM (Identity Management Rapid Deployment )
Let’s Get Moving . . .
Free iPad for first five transactions (Min $5k)
Getting Started
Call or email Dan Smith
Office 817-704-3644 x 104
Cell 214-236-2374