All Contents © 2005 Burton Group. All rights reserved.
Regulatory Compliance and Privacy in Enterprise Security
Smart Card Alliance 2005
Trent Henry
Senior [email protected]
Thursday – October 13, 2005
Thesis
• Organizations are under ever-increasing scrutiny
  • Legal and contractual mandates for privacy, transaction integrity, financial transparency, policy compliance, among many others
• Resultant audits require greater security diligence
• Considerable focus on...
  • Segregation of duties (SOX)
  • Customer data protection (GLBA, HIPAA)
  • “Identity theft” (SB 1386)
• ...has increased the need for stronger identity assurance
  • Identity management (IdM)
  • Identity audit
Agenda
• Background
• Role of identity management
• Future directions
Background
Information privacy (or ‘data protection’)
• Control over the collection, use, and disclosure of personal information
  • Personal information = data relating to an identified or identifiable individual
• Not an issue of ownership but of controls to protect privacy
  • ...based on promises and legal rights
• Privacy viewed as a human right
  • Creates obligations for information owners
  • (Although “owner” should really be “custodian,” especially in Europe)
What is identity management?
• A set of processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities
  • Involves both technology and process
  • Involves managing unique IDs, attributes, credentials, entitlements
  • Must enable enterprises to create manageable life cycles
  • Must scale from internally facing systems to externally facing applications and processes
• Goal state: general-purpose infrastructure and authoritative sources, clean integration across people, process, and technology
• Successful IdM provides coverage for security controls
Identity assurance
• Identity vetting + credentials + lifecycle management
• [Figure: technology plotted against assurance; each row below runs from lowest to highest assurance]
  • Provisioning services: Self-enrollment → IT provided → Strong business process (HR) → Integrated with relationship management
  • Managing lifecycle: None → Managed ad-hoc by IT → Automatic → Workflow approval process → Strong audit trail (forms and signatures)
  • Providing credentials: Passwords → One-time passwords → Tokens + biometrics
Role of Identity Management
Essential requirements covered by IdM
• Manage user identity, authentication, and access to systems
• Manage user account lifecycle
• Review accounts periodically
• Log and alert security activities
• Manage/monitor third-party access and interfaces
• Protect transmission of sensitive information
Provisioning and meta-directories
[Figure: provisioning architecture. Provisioning server(s) run provisioning workflows; they use a general-purpose directory (people, groups, roles, rules) over LDAP, maintain a repository (log, audit), and reach the managed resources (databases, applications, resource managers, platforms, other resources) through provisioning agents/connectors over APIs, SQL/ODBC, and LDAP.]
Provisioning and meta-directories
• User management, account lifecycle, workflow, automated approvals
• Linchpin for improved IT control
• Strong controls for regulatory support
  • Password policy enforcement
  • Segregation of administrative duties
  • Centralized logging of lifecycle events
• Areas of improvement
  • Automated review of access rights
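The slide lists segregation of duties and periodic account review as the controls a provisioning system should enforce, and automated review of access rights as the gap. The following is an added example (not from the Burton Group deck or any product) of what such a review looks like when run over an account export: it aggregates entitlements per person across systems before testing segregation-of-duties rules, and flags orphaned and stale accounts. The account records, the SoD rule set, the HR-roster flag and the 90-day idle window are constructed assumptions.

```python
"""Automated access review: cross-system segregation-of-duties (SoD) and
periodic account review.

Added example, not from the Burton Group deck. The account data, the SoD
rule set, the HR roster flag and the 90-day idle window are constructed
assumptions chosen to illustrate the controls the slide lists.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    user_id: str
    system: str
    entitlements: Set[str]
    last_login: Optional[date]   # None: never used
    in_hr_roster: bool           # False: HR no longer lists this person


# Toxic entitlement pairs one person must never hold together
# (assumed SOX-style financial rules plus an IdM self-audit rule).
SOD_RULES: Set[Tuple[str, str]] = {
    ("ap.create_vendor", "ap.approve_payment"),
    ("gl.post_journal", "gl.approve_journal"),
    ("idm.admin", "idm.audit_admin"),
}


def sod_conflicts(accounts: List[Account]) -> List[Tuple[str, str, str]]:
    """Aggregate entitlements per person across every system, then test
    each SoD rule. Checking one system at a time would miss a user who
    holds the two halves of a toxic pair on two different systems."""
    by_user: Dict[str, Set[str]] = {}
    for acct in accounts:
        by_user.setdefault(acct.user_id, set()).update(acct.entitlements)
    conflicts = []
    for user, ents in sorted(by_user.items()):
        for left, right in sorted(SOD_RULES):
            if left in ents and right in ents:
                conflicts.append((user, left, right))
    return conflicts


def stale_or_orphaned(accounts: List[Account], today: date,
                      max_idle_days: int = 90) -> List[Tuple[str, str, str]]:
    """Periodic account review: flag accounts whose owner is no longer in
    the HR roster (orphaned) and accounts unused for longer than the
    review window (stale). An account never used at all counts as stale."""
    findings = []
    for acct in accounts:
        if not acct.in_hr_roster:
            findings.append((acct.user_id, acct.system, "orphaned"))
        elif acct.last_login is None or (today - acct.last_login).days > max_idle_days:
            findings.append((acct.user_id, acct.system, "stale"))
    return findings


def review_report(accounts: List[Account], today: date) -> Dict[str, list]:
    """Key the findings by the control objective they are evidence for,
    which is how an identity-audit report is organized."""
    return {
        "segregation_of_duties": sod_conflicts(accounts),
        "periodic_account_review": stale_or_orphaned(accounts, today),
    }


# Constructed sample export (not real data). 'bob' holds the two halves
# of a toxic pair on two different systems; 'dave' has left the company.
SAMPLE_ACCOUNTS = [
    Account("alice", "erp", {"ap.create_vendor", "ap.approve_payment"}, date(2005, 10, 1), True),
    Account("bob", "erp", {"gl.post_journal"}, date(2005, 9, 30), True),
    Account("bob", "gl-approval", {"gl.approve_journal"}, date(2005, 10, 5), True),
    Account("carol", "crm", {"crm.read"}, date(2005, 5, 1), True),
    Account("dave", "unix", {"shell"}, date(2005, 10, 10), False),
    Account("erin", "idm", {"idm.admin"}, None, True),
]
REVIEW_DATE = date(2005, 10, 13)

if __name__ == "__main__":
    for control, findings in review_report(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(f"{control}: {len(findings)} finding(s)")
        for finding in findings:
            print("  ", finding)
```

The cross-system aggregation in sod_conflicts is the point a per-application review misses: bob is clean on each system individually and only violates the rule when both systems are seen together, which is exactly the data a central provisioning server or meta-directory has and an individual resource manager does not.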
Virtual directories
• Integrate non-shared identity data from disparate systems
• Allow restrictions on data views
  • Enforce confidentiality over private information
  • Especially sensitive customer personal data
• As proxy, help create security zone separation
  • Complement what firewalls already do
• Concern: auditors and IT teams have limited experience
  • Explaining the control characteristics might be tricky
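The control characteristic the slide says is hard to explain to auditors is that a virtual directory can join data from two backends on every request while releasing only the attributes a given security zone is entitled to see. The following added example (not from the deck or any vendor's product) shows that behaviour in miniature: an HR table and an LDAP-style directory are joined on employee number, and a deny-by-default per-zone view policy decides which attributes leave the proxy. The backends, zone names, view policy and audit line format are all constructed assumptions.

```python
"""Virtual directory view restriction: join identity attributes from two
backends on the fly and release only the attributes a security zone is
entitled to see.

Added example, not from the Burton Group deck or any product. The HR
table, the directory store, the zone names and the per-zone view policy
are constructed assumptions.
"""
from typing import Dict, List, Optional, Set

# Backend 1: HR system, keyed by employee number (constructed sample).
# It holds the sensitive personal data the slide is concerned with.
HR_BACKEND: Dict[str, Dict[str, object]] = {
    "1001": {"employeeNumber": "1001", "cn": "Alice Adams", "dept": "Finance",
             "ssn": "123-45-6789", "salary": 90000},
    "1002": {"employeeNumber": "1002", "cn": "Bob Brown", "dept": "IT",
             "ssn": "987-65-4321", "salary": 85000},
}

# Backend 2: LDAP-style directory, keyed by uid (constructed sample).
DIR_BACKEND: Dict[str, Dict[str, object]] = {
    "alice": {"uid": "alice", "employeeNumber": "1001",
              "mail": "alice@example.com", "memberOf": ["finance", "ap-approvers"]},
    "bob": {"uid": "bob", "employeeNumber": "1002",
            "mail": "bob@example.com", "memberOf": ["it"]},
}

# View policy: the attributes each zone may receive. Anything not listed
# is withheld (deny by default), so 'ssn' never leaves the HR backend
# through this proxy because no zone lists it.
ZONE_VIEWS: Dict[str, Set[str]] = {
    "dmz-web": {"uid", "cn", "mail"},
    "internal-helpdesk": {"uid", "cn", "mail", "dept", "memberOf"},
    "hr-internal": {"uid", "cn", "mail", "dept", "memberOf", "employeeNumber", "salary"},
}

AUDIT_LOG: List[str] = []   # one line per lookup: zone, uid, attributes released


def _join(uid: str) -> Optional[Dict[str, object]]:
    """Merge the directory entry with its HR record, linked by employeeNumber."""
    entry = DIR_BACKEND.get(uid)
    if entry is None:
        return None
    merged = dict(entry)
    merged.update(HR_BACKEND.get(str(entry["employeeNumber"]), {}))
    return merged


def lookup(uid: str, zone: str) -> Optional[Dict[str, object]]:
    """Return the zone-restricted view of a user, or None if the user is
    unknown. A request from a zone with no view policy is refused outright
    and logged, rather than falling back to a permissive default."""
    allowed = ZONE_VIEWS.get(zone)
    if allowed is None:
        AUDIT_LOG.append(f"DENY zone={zone} uid={uid} reason=unknown-zone")
        raise PermissionError(f"zone {zone!r} has no view policy")
    full = _join(uid)
    if full is None:
        AUDIT_LOG.append(f"MISS zone={zone} uid={uid}")
        return None
    view = {attr: value for attr, value in full.items() if attr in allowed}
    AUDIT_LOG.append(f"OK zone={zone} uid={uid} released={','.join(sorted(view))}")
    return view


if __name__ == "__main__":
    print(lookup("alice", "dmz-web"))
    print(lookup("alice", "hr-internal"))
    for line in AUDIT_LOG:
        print(line)
```

For an auditor, the two properties worth pointing at are the allow-list (an attribute is released only if a zone's view names it) and the audit line recording exactly which attributes were released to which zone; together they are the evidence that the externally facing zone cannot retrieve the personal data it is not supposed to see.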
Authentication and authorization systems
• Core component of access control
• Strong authentication improves identity assurance (along with proper vetting)
• Centralized authentication service(s) help with audit and attestation activities
  • Provide single location for data analysis and compliance testing
Other pieces of the puzzle
[Figure: IdM shown as one piece of a control environment alongside IdM policy, account management, log/alert, AuthN & AuthZ, access control, incident response, security awareness, disaster recovery, firewalls, encryption controls, configuration management, change control, backup/archival, physical facilities, and personnel security.]
Future Directions
What's missing?
• Ties between the identity infrastructure and other security components
• Linking compliance mandates with specific operational technologies
• Evidence of privacy controls
  • Are we being effective?
  • Regulators and auditors haven't turned their eyes here... yet
• Better monitoring and feedback
“Identity audit” solutions
• Control-based reporting
  • Tie IT to the control objectives that need to be achieved (e.g., for regulations)
• Improved audit data gathering
  • Provide more relevant data to show evidence of compliance
  • Multiple levels of information granularity (depending on audience)
• Explicit authorization review
  • New provisioning workflow
• Training and awareness
  • Sign acceptable use form before access
• [Figure labels: Audit data gathering; Compliance document creation]
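Control-based reporting means the raw provisioning and HR event stream is reduced to pass/fail evidence against named control objectives, at a summary level for the auditor and an item level for the IT team. The following added example (not from the deck or any identity-audit product) does that for two constructed objectives: access removed within 24 hours of an HR termination, and an approval by someone other than the requester recorded for every grant. The log line format, the event names, the thresholds and the sample lines are all constructed assumptions.

```python
"""Control-based audit evidence from provisioning and HR event logs.

Added example, not from the Burton Group deck. The log format, the two
control objectives and their thresholds (24-hour deprovisioning,
independent approval for every grant) are constructed assumptions, and
the log lines below are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample feed: HR terminations, provisioning-server workflow
# events (REQUEST -> APPROVE -> GRANT) and deprovisioning events.
SAMPLE_LOG = """\
2005-10-01T08:00:00 hr TERMINATE user=dave
2005-10-01T10:30:00 prov DEPROVISION user=dave system=unix
2005-10-01T10:31:00 prov DEPROVISION user=dave system=erp
2005-10-02T11:00:00 prov REQUEST id=42 user=alice entitlement=ap.approve_payment by=alice
2005-10-02T11:05:00 prov APPROVE id=42 by=mgr1
2005-10-02T11:06:00 prov GRANT id=42 user=alice entitlement=ap.approve_payment
2005-10-03T09:00:00 hr TERMINATE user=frank
2005-10-04T14:00:00 prov GRANT id=43 user=bob entitlement=gl.post_journal
2005-10-05T09:00:00 prov DEPROVISION user=frank system=erp
2005-10-06T10:00:00 prov REQUEST id=44 user=bob entitlement=gl.approve_journal by=bob
2005-10-06T10:01:00 prov APPROVE id=44 by=bob
2005-10-06T10:02:00 prov GRANT id=44 user=bob entitlement=gl.approve_journal
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


def parse(text: str) -> List[dict]:
    """Parse 'timestamp source KIND key=value ...' lines into event dicts.
    Malformed lines are skipped so one bad record does not void the report."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, source, kind, rest = m.groups()
        ev = {"ts": datetime.fromisoformat(ts), "source": source, "kind": kind}
        for token in rest.split():
            if "=" in token:
                key, value = token.split("=", 1)
                ev[key] = value
        events.append(ev)
    return events


def deprovisioning_control(events: List[dict], max_lag=timedelta(hours=24)) -> List[dict]:
    """Objective: all access removed within max_lag of the HR termination.
    The lag is measured to the *last* removal, since one lingering account
    is enough to fail the objective."""
    terminated = {e["user"]: e["ts"] for e in events if e["kind"] == "TERMINATE"}
    last_removal: Dict[str, datetime] = {}
    for e in events:
        if e["kind"] == "DEPROVISION" and e["user"] in terminated:
            last_removal[e["user"]] = max(last_removal.get(e["user"], e["ts"]), e["ts"])
    detail = []
    for user, t_term in sorted(terminated.items()):
        if user not in last_removal:
            detail.append({"user": user, "status": "FAIL", "reason": "no deprovisioning recorded"})
            continue
        lag = last_removal[user] - t_term
        detail.append({"user": user, "status": "PASS" if lag <= max_lag else "FAIL",
                       "lag_hours": round(lag.total_seconds() / 3600, 2)})
    return detail


def approval_control(events: List[dict]) -> List[dict]:
    """Objective: every GRANT has an APPROVE by someone other than the requester."""
    requests = {e["id"]: e for e in events if e["kind"] == "REQUEST"}
    approvals = {e["id"]: e for e in events if e["kind"] == "APPROVE"}
    detail = []
    for e in events:
        if e["kind"] != "GRANT":
            continue
        req, app = requests.get(e["id"]), approvals.get(e["id"])
        if app is None:
            status, reason = "FAIL", "no approval recorded"
        elif req is not None and app["by"] == req["by"]:
            status, reason = "FAIL", "self-approved"
        else:
            status, reason = "PASS", "approved by " + app["by"]
        detail.append({"id": e["id"], "user": e["user"], "status": status, "reason": reason})
    return detail


def compliance_report(text: str) -> Dict[str, dict]:
    """Two granularities per control objective: a pass/fail summary for
    the auditor and the per-item detail for the IT team."""
    events = parse(text)
    report = {}
    for name, detail in (("deprovision_within_24h", deprovisioning_control(events)),
                         ("independent_approval_for_grants", approval_control(events))):
        summary: Dict[str, int] = defaultdict(int)
        for item in detail:
            summary[item["status"]] += 1
        report[name] = {"summary": dict(summary), "detail": detail}
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(compliance_report(SAMPLE_LOG), indent=2))
```

In the sample, frank's account lingers for two days and grant 44 is approved by its own requester; both show up as a single FAIL count in the summary and as a named item with a reason in the detail, which is the two-audience structure the slide asks for.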
Integration with security event information management (SEIM)
Conclusion
• Audit and regulation for security/privacy is here, and here to stay
  • Few organizations can avoid it, whether the driver is financial, regulatory, or contractual
• Identity management systems provide automated coverage over important control activities
  • Privacy, integrity, workflow (elimination of human error), policy enforcement, and so on, to improve identity assurance
• Organizations will require other IT (and non-IT) components to complete their control environment
  • IdM is “one piece of the puzzle”