Title: Integration of Security Information and Event Management (SIEM) and Identity and Access Management (IAM).
1. Integration of Security Information and Event Management (SIEM) and Identity and Access Management (IAM)
Reed Harrison, CTO, Security Compliance Solutions, Reed_at_novell.com
2. Compliance Defined
Compliance: in management, the act of adhering to, and demonstrating adherence to, laws, regulations or policies (source: www.wikipedia.org).
3. Sarbanes-Oxley Act (SOX)
- Section 404
- Annual reports are required to contain an internal control report, which shall:
  (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and
  (2) contain an assessment ... of the effectiveness of the internal control structure and procedures.
4. PCI-DSS
Payment Card Industry Data Security Standard
- PCI Executive Committee: Amex, Visa, MasterCard, JCB, Discover
- A set of comprehensive requirements for enhancing payment account data security
5. The Organizational Problem: Multitude of Regulations (Extract)
- Privacy Act
- FERC
- HIPAA
- SEC Regulation S-P
- Gramm-Leach-Bliley
- Network Advertising Initiative
- Homeland Security Act
- European Data Protection Directive
- Children's Internet Protection Act
- Family Educational Rights and Privacy Act
- Government Information Security Reform Act
- Cyber Security Research and Development Act
- Insurance Information and Privacy Protection Model Act
6. The Organizational Relief
7. Pareto Principle: 80% Overlaps, 20% Specific
- SOX
- PCI-DSS
- BASEL II
- European Data Protection Directive
- EURO-SOX
- ...
8. IT General Controls and Identity Security Management
IT general control domains:
- program development
- program change
- IT control environment
- access to programs and data
- computer operations
Identity security management control points:
- access to productive system by authorized staff only
- monitoring and reporting
- user provisioning, security administration
- data processing, backup, problem management
10. PCI-DSS and Identity Security Management
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for employees and contractors
11. Top 10 Compliance Control Deficiencies: 7 are Identity Management related
- Unidentified or unresolved segregation of duties issues
- Operating system access controls supporting financial applications or portal not secure
- Database (e.g. Oracle) access controls supporting financial applications (e.g. SAP, Oracle, PeopleSoft, JDE) not secure
- Development staff can run business transactions in production
- Large number of users with access to "super user" transactions in production
- Terminated employees or departed consultants still have access
- Posting periods not restricted within GL application
- Custom programs, tables, interfaces are not secured
- Procedures for manual processes do not exist or are not followed
- System documentation does not match actual process
12. The Technology Problem
13. Silos of Data, Manual Processes, So Little Insight
14. Automation is Key
Automate IT controls monitoring and reporting.
15. Aggregation Increases Manageability
Layers of the pyramid, from raw data at the bottom to action at the top:
- Data: collection, filtering, normalization
- Information: correlation, consolidation, pattern discovery
- Knowledge: incident, threat assessment, situation assessment
- Action: reporting, remediation, alerting
16. Bringing it All Together
17. Organisational Framework: ISMS (ISO 27001)
- Plan: security policy
- Do: IT security control points, IT policy controls
- Check: monitor control points, compliance reporting, remediation
- Act: continuous improvement
19. Enabling Compliance Through Common Policy
The closed loop between the SIEM and the identity management system, in order:
- A user accesses a resource.
- The relevant events are collected by Sentinel.
- The policy engine determines whether the access was in compliance with policy.
- If the access was out of compliance with policy, an incident is generated and the remediation process begins.
- The remediation process is triggered in the identity management system, which consults the policy engine.
- Identity Manager modifies the user's access to systems to bring the system into compliance with policy.
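The loop on this slide, together with the aggregation layers (collection, filtering, normalization, correlation) and three of the Top 10 deficiencies (segregation of duties, developers running transactions in production, terminated users still holding access), reduced to one small Python pipeline. This is an added illustration, not code from the deck and not the Sentinel or Identity Manager product APIs; the log-line format, the identity records, the rule names and the remediation actions are all constructed assumptions.

```python
"""Toy SIEM -> policy engine -> IAM remediation loop (added example, not
Novell Sentinel / Identity Manager code). All data and names are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed access-log lines in an assumed "timestamp key=value ..." format.
# The last line is deliberately not an event, to exercise the filtering step.
RAW_EVENTS = [
    "2008-03-11T09:02:15 host=erp-prod env=prod user=jdoe action=post_journal",
    "2008-03-11T09:05:40 host=erp-prod env=prod user=asmith action=create_vendor",
    "2008-03-11T09:06:02 host=erp-prod env=prod user=asmith action=approve_payment",
    "2008-03-11T09:10:11 host=erp-prod env=prod user=bjones action=post_journal",
    "2008-03-11T09:12:30 host=erp-dev  env=dev  user=carl action=post_journal",
    "2008-03-11T09:13:00 host=erp-prod env=prod user=carl action=post_journal",
    "2008-03-11T09:14:45 host=erp-prod env=prod user=svc_old action=read_report",
    "collector heartbeat - not an access event",
]

# What the identity management system knows about each account (constructed).
IDENTITIES = {
    "jdoe":   {"status": "active",     "role": "accountant", "envs": {"prod"}},
    "asmith": {"status": "active",     "role": "accountant", "envs": {"prod"}},
    "bjones": {"status": "terminated", "role": "accountant", "envs": {"prod"}},
    "carl":   {"status": "active",     "role": "developer",  "envs": {"dev", "prod"}},
}

# Policy: transaction pairs one person must never both perform (segregation of
# duties), and which actions count as business transactions for the developer rule.
SOD_CONFLICTS = [frozenset({"create_vendor", "approve_payment"})]
BUSINESS_ACTIONS = {"post_journal", "create_vendor", "approve_payment"}

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>(?:\w+=\S+\s*)+)$")


@dataclass
class Incident:
    rule: str
    user: str
    detail: str


def normalize(line):
    """Data layer: one raw line -> dict of fields, or None if it is not an event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    event = dict(pair.split("=", 1) for pair in m.group("kv").split())
    event["ts"] = m.group("ts")
    return event


def collect(raw_lines):
    """Collection, filtering and normalization in one pass."""
    return [ev for ev in map(normalize, raw_lines) if ev is not None]


def evaluate(events, identities):
    """Information/knowledge layer: correlate events per user, then apply policy."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    incidents = []
    for user, evs in by_user.items():
        ident = identities.get(user)
        if ident is None:
            incidents.append(Incident("orphan-account", user, "activity from an account IAM does not know"))
            continue
        if ident["status"] == "terminated":
            incidents.append(Incident("terminated-user-access", user, f"{len(evs)} event(s) after termination"))
        prod_business = sorted({ev["action"] for ev in evs
                                if ev.get("env") == "prod" and ev["action"] in BUSINESS_ACTIONS})
        if ident["role"] == "developer" and prod_business:
            incidents.append(Incident("developer-in-production", user, ", ".join(prod_business)))
        performed = {ev["action"] for ev in evs}
        for pair in SOD_CONFLICTS:
            if pair <= performed:
                incidents.append(Incident("segregation-of-duties", user, " + ".join(sorted(pair))))
    return incidents


def remediate(incidents, identities):
    """Action layer: the IAM side applies what policy prescribes.
    Mutates `identities`; returns the (user, change) actions taken."""
    actions = []
    for inc in incidents:
        if inc.rule == "terminated-user-access":
            identities[inc.user]["envs"].clear()
            actions.append((inc.user, "disable account"))
        elif inc.rule == "developer-in-production":
            identities[inc.user]["envs"].discard("prod")
            actions.append((inc.user, "revoke prod access"))
        elif inc.rule == "segregation-of-duties":
            actions.append((inc.user, "open access review"))  # a person decides which right to drop
        elif inc.rule == "orphan-account":
            actions.append((inc.user, "quarantine unknown account"))
    return actions


def run_pipeline(raw_lines, identities):
    """Full loop: collect -> evaluate -> remediate. Returns (incidents, actions)."""
    incidents = evaluate(collect(raw_lines), identities)
    return incidents, remediate(incidents, identities)


if __name__ == "__main__":
    store = {u: dict(rec, envs=set(rec["envs"])) for u, rec in IDENTITIES.items()}
    for inc in run_pipeline(RAW_EVENTS, store)[0]:
        print(f"INCIDENT {inc.rule:24} user={inc.user:8} {inc.detail}")
```

Two design points worth noting. The correlation step is what makes the segregation-of-duties rule possible at all: neither `create_vendor` nor `approve_payment` is suspicious on its own, only the two together under one identity, so the SIEM has to group by user before the policy engine sees anything. And remediation deliberately does not automate everything: revoking a terminated account or a developer's production access is safe to do unattended, while an SoD conflict is routed to a human review, because the engine cannot know which of the two rights the business intends to keep.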
20. Technology Framework: Compliance-Aware Architecture
21. Compliance Benefits
22. Drivers for Compliance Initiatives (University of Erlangen-Nuremberg)
Elements of the drivers diagram:
- Centralisation
- Internal requirements
- External requirements
- Cost of compliance
- Processes
- Automation
- Compliance
- Consultants / auditors
- Tools
23. Cost and Benefits of Compliance (University of Erlangen-Nuremberg)
- PwC: 6 percent of IT budget for compliance
- Forrester: 8 percent of budget for IT security
- Managers tend to focus on cost instead of benefits and savings.
- Well thought out compliance strategies are less expensive than assumed.
Ongoing studies of the FAU Erlangen-Nuremberg will investigate the real figures.
24. Cost and Benefits of Compliance (University of Erlangen-Nuremberg)
- Reduction of service cost
- Cost reduction of reports
- Early awareness of incidents
- Information and data security
- Reduction of redundancies
- Centralisation of data
- Consistent data update
- Risk assessment of specific business requirements
- Synergies in required staff
- Faster implementation of further tools
Ongoing studies of the FAU Erlangen-Nuremberg will investigate the real figures.
25. Cost and Benefits of Compliance (University of Erlangen-Nuremberg)
Cost of internal and external compliance:
- Labor cost
- Internal communication, training
- Software (licensing, maintenance)
- Monitoring (KPIs, audits, risk assessment, ...)
- External / internal consultants
- Identification and coordination of requirements
- Compliance hot-line
- Communication to public authorities
- Certification (ISO 21000, ...)
Cost of non-compliance:
- Cost of reworking measures
- Risk of losing information
- Loss of image -> opportunity costs of lost profit
- Fines, contractual penalties
- Non-compliance causes big-bang method with high
- Failure frequency and fall-back scenarios
- Cost of business discontinuity
26. Cost and Benefits of Compliance (University of Erlangen-Nuremberg)
General benefits:
- Process optimisation, transparency, standardisation, process owners clearly defined, higher maturity level, fewer redundancies
- Competitive advantage (secure use of personal client data)
- Security
- Improvement of internal control
- Risk assessment of specific business requirements, projects
- Continuous improvement
- Higher flexibility
Benefits by usage of software tools:
- Reduction of service cost
- Cost reduction of reports
- Early awareness of incidents
- Information and data security
- Reduction of redundancies
- Centralisation of data
- Consistent data update
- Risk assessment of specific business requirements
- Synergies in required staff
- Faster implementation of further tools
27. RoI of Compliance
- Integrated approach to assess compliance activities quantitatively (three-year approach)
- Shrinking costs of compliance activities
- To save cost it is important to know the requirements at an early stage, and to address and implement them
28. Implementation Complexity vs. Business Benefit (chart; only the axis labels survive)
29. Conclusion
- Compliance needs to be embedded into an overarching security and risk management system.
- Continuous monitoring of compliance with policies and documentation needs to be ensured.
- ISMS-compatible monitoring and reporting cannot be done manually at reasonable cost anymore.
31. Legal Notice
- Unpublished Work of Novell, Inc. All Rights Reserved.
- This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
- General Disclaimer
- This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.